Q&A [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Verified
Trusted
Content Creator
Malware Hunter
Apr 18, 2016
3,607
28,309
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 

Evjl's Rain

@Evjl's Rain

What filters can you recommend for uBlock Origin? I'm currently using your setup from your post July 12, 2018. I prefer uBlock as light and effective as possible.
I haven't changed much since then
you can use the current filters + : for better malware protection
http://vxvault.net/URL_List.php

I have experimented some more filters but I found them not helpful or they caused a lot of problems, not recommended

if you want maximum, but stable, compatible tracking protection, add:
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
enable: hpHosts’ Ad and tracking servers

optional: AdZ hosts -> despite being big, I found it wasn't as good as stevenblack and 1hosts (my favourite), not even close. I don't like it personally. Too many filters will cause lag
 

Evjl's Rain

So, heimdal make use of dns level filtration or does it also use heuristic?
I heard Heimdal created a loopback DNS localhost and start filtering internet traffic
it works similarly to our AV's web filter but it continuously modifies the DNS server to 127.7.7.3 to prevent malwares from hijacking our DNS
I'm not sure if it filters in DNS level or changing DNS is just how it works

I do think it has heuristics but not as strong as other well-known AVs: kaspersky, forticlient, sophos, (bitdefender, avast?)
 

Evjl's Rain

I found web filtering at DNS level is useless if you use google chrome cuz chrome bypass your DNS.
Disable Async DNS resolver in Google Chrome
but it's disabled by default. It takes some steps to enable that feature to prevent DNS hijacking within the browser
most users don't need it
Google have removed the flag for it. We can't enable/disable it in about:flags anymore
 

yitworths

Level 10
Verified
May 31, 2015
475
1,458
loopback DNS

so it does use 127.0.0.1 to port its dns. or something else?

it works similarly to our AV's web filter but it continuously modifies the DNS server to 127.7.7.3 to prevent malwares from hijacking our DNS
How did you come to notice that, in your router or network adapter settings or through some 3rd party such as website? If your rour network adapter doesn't show any sign of that dns, then probably it's using much better method to handle dns protection. Anyway, I still have a feeling that it relies mostly upon dns level blocking. Not that much on heuristic... dns level blocking ain't that much strong,btw & it's applicable to all not just to heimdal
I do think it has heuristics but not as strong as other well-known AVs: kaspersky, forticlient, sophos, (bitdefender, avast?)

Kaspersky & Sophos - strong heuristic for sure. Sophos even has a great database also. Forticlient has potential, not sure about how strong their heuristic is though. BD & avast mostly rely upon database. For web security, a database provides the backbone for sure, but without strong heuristics it's useless against emerging threats. Every now & then, a new domain is being spawned (registered or unregistered); it's unlikely that only a database will provide immunity against a newly appeared domain which is actually a mal-domain.

Anyway, great work mate(y):emoji_beer:
 

Burrito

Level 24
May 16, 2018
1,363
9,227
norton: 2/20 (n)

malwarebytes: 18/20 :emoji_ok_hand:

Forticlient (web filter only): 20/20 :emoji_ok_hand:

Heimdal Pro (stable): 12/20 -> only a web filter test, please, don't argue Heimdal has A, B, C features or this is not the correct way of testing it.

Evjl's Rain, another excellent test.

-Norton Safe Web -- what the heck is going on with Norton?! From a top finisher to a bottom finisher.

-Malwarebytes continues to impress.

-It appears that Sly Guy is right about Forticlient. I guess I need to look at that.

-Heimdal Pro's poor finish does not surprise me at all. People who buy Heimdal Pro are just hoping it's a decent product -- as little in the way of testing has been done. Hopes & Prayers -- not a good protection strategy.

Heimdal has three components.
1. Web filtering. This test demonstrates how lame it is at that.
2. Software Updating. Using their own numbers, PatchmyPC and SuMO are much better than Heimdal Pro in that regard.
3. Outbound connection blocking. Not sure how to measure that, but many of us already have that covered with other products.

There is a reason that Heimdal does not get its product tested by professional test organizations... and it offers regular deep discounts. It's because it's not that good.
 

Evjl's Rain

How did you come to notice that, in your router or network adapter settings or through some 3rd party such as website? If your rour network adapter doesn't show any sign of that dns, then probably it's using much better method to handle dns protection. Anyway, I still have a feeling that it relies mostly upon dns level blocking. Not that much on heuristic... dns level blocking ain't that much strong,btw & it's applicable to all not just to heimdal
it changes my DNS to 127.7.7.3, visible in network setting/adapter in windows
I think heimdal works this way
website is loaded and sends to the loopback host 127.7.7.3 -> heimdal gets link from that host and starts analyzing -> the link is then sent to our true DNS (google, openDNS, ...) -> browser
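
Added example (not part of the thread, and not Heimdal's own code): one way to confirm what the post above describes, by parsing `ipconfig /all` output and flagging any adapter whose DNS server is a loopback address such as 127.7.7.3. The sample text and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : 127.7.7.3

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def dns_servers_by_adapter(text):
    """Map each adapter heading to the DNS servers listed under it."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False   # unindented heading
            result[adapter] = []
        elif adapter is None or not line.strip():
            continue
        elif ". :" in line:                               # "Label . . . : value"
            label, _, value = line.partition(". :")
            in_dns = label.strip(" .") == "DNS Servers"
            if in_dns and value.strip():
                result[adapter].append(value.strip())
        elif in_dns:                                      # further servers wrap onto bare lines
            result[adapter].append(line.strip())
    return result

def _is_loopback(server):
    """True for 127.0.0.0/8 or ::1; the IPv6 zone id (%12) is dropped first."""
    try:
        return ipaddress.ip_address(server.split("%")[0]).is_loopback
    except ValueError:
        return False                                      # not an IP literal

def loopback_resolvers(text):
    """Return {adapter: [loopback DNS servers]} for adapters using a local resolver."""
    flagged = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        hits = [s for s in servers if _is_loopback(s)]
        if hits:
            flagged[adapter] = hits
    return flagged
```

A flagged adapter only shows that name resolution is routed through a local process; it does not say which product owns that listener or what it does with the query.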
 

Moonhorse

Level 30
Verified
Content Creator
May 29, 2018
1,996
9,995
My current build thanks to these results is:
Google chrome : google safe browsing
Malwarebytes = pups
Kaspersky free = malware
Neustar dns business protection = Blocking adult sites. It's important since these sites aren't containing malware, but can contain malicious links to malicious sites; that's why I promote dns so much
 

yitworths

it changes my DNS to 127.7.7.3, visible in network setting/adapter in windows
I think heimdal works this way
website is loaded and sends to the loopback host 127.7.7.3 -> heimdal gets link from that host and starts analyzing -> the link is then sent to our true DNS (google, openDNS, ...) -> browser

So, it does not use any heimdal dns whatsoever, at first I thought through that loopback it ports its own dns. Ahh.. now I got it. If it uses that loopback to scan dns query then it actually checks domain/url against its own database. In other word it doesn't use heuristic. It only relies upon database if it's web filtering component is solely dependent upon that loopback technique.
 

Evjl's Rain

Fun test 25/7/2018
all vxvault links: 101 -> these links are not zero-day. If the extensions/browsers/AVs do well, it's just for reference but if they do crap (missed >10), shame!
Pass mark: =<5, less is better, downloaded files within a folder


Chrome: 3 :emoji_v:
ublock custom (2.8 million, without vxvault list): 11
MB: 2 :emoji_ok_hand:
norton: 26 (n)
avira: 3 :emoji_v:
WDBP: 12
Comodo: 3 :emoji_v:
yandex: 7
Adguard: 32 (n)
Edge/IE: 2 :emoji_ok_hand:

K9: 2 :emoji_ok_hand:
Forticlient: 5 :unsure:
kaspersky: 3 :emoji_v:
avast: 3 :emoji_v:
Thor RC: 19 (n)

Quad9: 34
AdguardDNS: 34
Neustar: 16 :emoji_pray:
Greenteam: 35
Norton: 32
Cleanbrowsing: 21
comodo: 35
strongarm: 17 :emoji_pray:
Yandex: 24
OpenDNS: 35
 

Evjl's Rain

don't you think avast is good enough to use / test?

thank you for your work. excellent tests. (y)
yes, I forgot to write avast's result although I did test it
avast: 3 => very good

you can see my tests of avast+syshardener here. So far, there has been no bypass yet. syshardener completely eliminates avast's weakness
I also add some domains to hosts file to block avast's telemetry

https://malwaretips.com/threads/avast-free-syshardener-report-july-2018.84998/

A little disappointed in WDBP. I hoped it would give the same results as Edge/IE...
At the moment I'm using Kaspersky Free with Comodo Firewall and AdGuard and WDBP as extensions in Google Chrome.
I want to keep the amount of extensions installed down to a minimum.
Maybe it's time to uninstall WDBP?
I think WDBP is fine. It can compensate other extensions although it's not the best
the only reason I recommend it is its extremely low resource consumption. after hours of browsing, CPU time of WDBP is <10 seconds (translation: it only uses 10s of CPU during hours) while malwarebytes, avira use several minutes of CPU
 

Moonhorse

A little disappointed in WDBP. I hoped it would give the same results as Edge/IE...
At the moment I'm using Kaspersky Free with Comodo Firewall and AdGuard and WDBP as extensions in Google Chrome.
I want to keep the amount of extensions installed down to a minimum.
Maybe it's time to uninstall WDBP?
Is the adguard client or extension? Which dns are you using?

I think im gonna remove voodooshield, and go with comodo firewall instead ( cs)
I would have same setup as you.
Then it would be like:
- Kaspersky free ( web filter)
- Comodo firewall ( web filter)
- neustar dns ( business protection)
- comodo dragon ( virtualized 24/7) Why? Because its using as much ram as without + wont break ublock filter updates) bit overkill tho
- comodo dragon extensions;
- comodo online security ( can be removed)
- malwarebytes ( disable adblocking)
- tunnelbear = ( disable adblocking, let fingerprint, flash, script , malware blocking on.)
- nanoblocker ( default + annoyance+ defender filter ( no defender extension needed))
- privacy possum


On topic: Sad to see k9 + norton have so different results, since both products are owned by symantec

I have chrome as main browser right now, but I'd like to have a secondary browser where I can do big tweaks and maybe mess up a bit. Most of the alternative chromiums are also 32bit, which is like 100mb less than 64 bit chrome.

Hard to decide between these:
- vivaldi
- opera
- yandex
- comodo dragon

They all have regular updates, that's why I wouldn't trust the rest
 

Evjl's Rain

Thnx for the test. Pls, note that Adguard extension is not the same as the desktop version.
Adguard desktop uses Chrome and Yandex API
yes, I know, it still means adguard for chrome, firefox browser protection is just a marketing tool. It never scored well
 