Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Security Apps
Emsisoft
New in 2018.12: Safe web-browsing with Emsisoft Browser Security
Message
<blockquote data-quote="Fabian Wosar" data-source="post: 788208" data-attributes="member: 24327"><p>That is due to the way both of those components are implemented. Essentially the Surf Protection at the moment watches outgoing traffic. Such traffic is checked against an IP blacklist. We also look at the actual data to figure out whether or not it looks like a HTTP request or alternatively like a TLS handshake. In both cases, we extract hostnames from the data as well and check against the hostname blocklist.</p><p></p><p>The web extension however, injects a tiny bit of JavaScript code into websites your browser displays or websites that are loaded in any kind of frame. The tiny bit of JavaScript code, triggers the extension to check the URL by submitting hashes parts of the URL to the server, which can determine whether any of our blacklist could potentially match the URL you are currently visiting. If it does, then we send back all the potential matches and the extension can check if any of them actually match. If they do, then it redirects to a block page.</p><p></p><p>Based on that, it should be obvious that the EAM Surf Protection will always be first when it comes to checking whether a site contacted is malicious or not. Only after the browser started downloading the HTML and started displaying it, it will actually consult the extension. So it will always be the second.</p><p></p><p>Now, where is the benefit of having the extension? The Surf Protection only matches based on hostnames or IPs. But that isn't enough sometimes. Easiest example: Someone puts online a phishing form on Google Docs. To block this with Surf Protection, we would block everything on docs.google.com, which clearly isn't in the intention of our users. However, since the web extension isn't limited to matching just hostnames or IPs, we can add a much more complex rule that takes into account a lot more than just the hostname. For example:</p><p></p><p>[CODE]Found match for 2A51AEB5ECD8F06694B6A47C622EDFD0:</p><p> Type: malicious</p><p> Matches:</p><p> ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+a[\/\\]+iskl\.edu\.my[\/\\]+document[\/\\]+d[\/\\]+1bMCiWm4xirYGAO0iC\-PQ21HfOVOkGYBqigtJiCPIdeI[\/\\]+edit$</p><p> ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+a[\/\\]+iskl\.edu\.my[\/\\]+document[\/\\]+d[\/\\]+1bMCiWm4xirYGAO0iC\-PQ21HfOVOkGYBqigtJiCPIdeI(?:[\/\\]+|$)</p><p> ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+1FAIpQLSccu3A6samqkuBxcQ5Su5qR2ivpvc5xKdhUCO2ZeRR1T_J9PA</p><p> ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+1FAIpQLSfvnNbblsbvuI_8D5384NCSSwE0OFV98Nxn_kKy3alYeUOs_g[\/\\]+viewform\?usp\=pp_url$[/CODE]</p><p></p><p>This is the decoded data that the extension gets back from the server when you visit docs.google.com. The extension can take this information, in this particular case regular expressions to match against the entire URL, and determine if it matches the website being displayed/visited. And only if that website matches, we block it. However, you can go to any of the other documents hosted at Google Docs without us interfering.</p><p></p><p>So that's the real power that the web extension has over the Surf Protection. For malware it's less interesting, and the very first versions that were online, didn't even have the malware block list in the cloud backend, but only phishing related entries, but since the very first thing people did was go to VX Vault and download malware samples, we decided to include all the surf protection data in the cloud and also to make the extension watch downloads. <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" class="smilie smilie--sprite smilie--sprite109" alt=":)" title="Smile :)" loading="lazy" data-shortname=":)" /></p></blockquote><p></p>
[QUOTE="Fabian Wosar, post: 788208, member: 24327"] That is due to the way both of those components are implemented. Essentially the Surf Protection at the moment watches outgoing traffic. Such traffic is checked against an IP blacklist. We also look at the actual data to figure out whether or not it looks like a HTTP request or alternatively like a TLS handshake. In both cases, we extract hostnames from the data as well and check against the hostname blocklist. The web extension however, injects a tiny bit of JavaScript code into websites your browser displays or websites that are loaded in any kind of frame. The tiny bit of JavaScript code, triggers the extension to check the URL by submitting hashes parts of the URL to the server, which can determine whether any of our blacklist could potentially match the URL you are currently visiting. If it does, then we send back all the potential matches and the extension can check if any of them actually match. If they do, then it redirects to a block page. Based on that, it should be obvious that the EAM Surf Protection will always be first when it comes to checking whether a site contacted is malicious or not. Only after the browser started downloading the HTML and started displaying it, it will actually consult the extension. So it will always be the second. Now, where is the benefit of having the extension? The Surf Protection only matches based on hostnames or IPs. But that isn't enough sometimes. Easiest example: Someone puts online a phishing form on Google Docs. To block this with Surf Protection, we would block everything on docs.google.com, which clearly isn't in the intention of our users. However, since the web extension isn't limited to matching just hostnames or IPs, we can add a much more complex rule that takes into account a lot more than just the hostname. For example: [CODE]Found match for 2A51AEB5ECD8F06694B6A47C622EDFD0: Type: malicious Matches: ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+a[\/\\]+iskl\.edu\.my[\/\\]+document[\/\\]+d[\/\\]+1bMCiWm4xirYGAO0iC\-PQ21HfOVOkGYBqigtJiCPIdeI[\/\\]+edit$ ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+a[\/\\]+iskl\.edu\.my[\/\\]+document[\/\\]+d[\/\\]+1bMCiWm4xirYGAO0iC\-PQ21HfOVOkGYBqigtJiCPIdeI(?:[\/\\]+|$) ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+1FAIpQLSccu3A6samqkuBxcQ5Su5qR2ivpvc5xKdhUCO2ZeRR1T_J9PA ^https?\:\/\/[\w\-\.]+(?:\:(?:80|443))?[\/\\]+forms[\/\\]+d[\/\\]+e[\/\\]+1FAIpQLSfvnNbblsbvuI_8D5384NCSSwE0OFV98Nxn_kKy3alYeUOs_g[\/\\]+viewform\?usp\=pp_url$[/CODE] This is the decoded data that the extension gets back from the server when you visit docs.google.com. The extension can take this information, in this particular case regular expressions to match against the entire URL, and determine if it matches the website being displayed/visited. And only if that website matches, we block it. However, you can go to any of the other documents hosted at Google Docs without us interfering. So that's the real power that the web extension has over the Surf Protection. For malware it's less interesting, and the very first versions that were online, didn't even have the malware block list in the cloud backend, but only phishing related entries, but since the very first thing people did was go to VX Vault and download malware samples, we decided to include all the surf protection data in the cloud and also to make the extension watch downloads. :) [/QUOTE]
Insert quotes…
Verification
Post reply
Top
