Q&A [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,626
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 
Last edited:

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,626
Great comparison. I wonder how something like uBlock Origin/Nano Adblocker would fare once you enable all the other anti-phishing lists which most of us do.
it would be very good but can still miss some very very new phishtank links and can be real-world phishing
you know all ublock filters are somehow delayed, not always up-to-date as blocking extensions
 

Windows_Security

Level 24
Verified
Helper
Top poster
Content Creator
Well-known
Mar 13, 2016
1,301
Can you test the XSS protection with FF alone and then with Netcraft and see how they perform?
Testing as well myself. Having Netcraft & Malwarebytes for different tests for each. 21 links each, Netcraft blocked every single one, Malwarebytes let through a couple. Deffo sticking with Netcraft. I'll be doing a further XSS test for this extension going forward.

~LDogg

+1 to harborfront's request: interested to know what added value is of the extra XSS filtering function of Netcraft extension
 

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,626
here is some random examples
Code:
http://example.com/index.php?user=<script>alert(123)</script>

http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a");

AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>

Google.com<script>alert%281%29</script>
 

Windows_Security

Level 24
Verified
Helper
Top poster
Content Creator
Well-known
Mar 13, 2016
1,301
Would it be OK to replace Ublock origin , instead with MalwareBytes extension ?

IMO YES, either use MBAM or use Comodo Online Security with uBlock)rigin and disable all malware blokclist bloath in uBlock0rigin. When you use the (community driven) malware filters of uBlock, you miss out on zero hour protection due to delayed update interval of uBlock extension and low update interval of these blocklist themselves (as Evjl has explained). Google and Windows Defender are better because bigger is better (the bigger the heard the lower the risk of being first-victim of new malware URL's) and Commercial party supported cloud blacklist of for instance Comodo and Mbam are always up to date (less update delay is less first victim risk also).
 
Last edited:

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,626
for several days, I have noticed my browser startup time has been significantly prolonged
I tried to find the culprit and it was due to Malwarebytes extension
when I opened my chrome browser, immediately, I opened chrome's task manager and saw that MB already used 12 seconds of CPU time => which was a lot for a newly started extension
disabled MB and the startup time improved

MB has a huge database for its adblocking feature so it causes slow startup
 

LDogg

Level 33
Verified
Top poster
Well-known
May 4, 2018
2,195
for several days, I have noticed my browser startup time has been significantly prolonged
I tried to find the culprit and it was due to Malwarebytes extension
when I opened my chrome browser, immediately, I opened chrome's task manager and saw that MB already used 12 seconds of CPU time => which was a lot for a newly started extension
disabled MB and the startup time improved

MB has a huge database for its adblocking feature so it causes slow startup
Would turning off the adblocking feature for MBAM help sold this CPU slow issue?

~LDogg
 

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,626
Just did fast check on chrome startup with MBE and theres huge difference indeed

I dont think its affecting browsing speed at all tho
it slightly decreases browsing speed, not noticeable => good
however, it slows down the startup time. If someone can tolerate it, they are welcome to use this extension
 

tsunami

Level 3
Well-known
Jul 10, 2018
132
FYI Norton ConnectSafe DNS is Retiring... Norton ConnectSafe

ConnectSafe is being retired due to shift in Symantec’s business focus and investment. Norton wants us to "consider" Neustar UltraRecursive. *Note: Symantec does not endorse Neustar UltraRecursive or any other DNS web protection solution in the market

On November 15, 2018, Norton ConnectSafe service is being retired or discontinued meaning the service will no longer be available or supported. You may continue to use ConnectSafe until November 15, 2018. However, we do recommend that you take a moment to review important details related to this announcement below. see website for more info Norton ConnectSafe
 

goodjohnjr

Level 2
Jul 11, 2018
74
it slightly decreases browsing speed, not noticeable => good
however, it slows down the startup time. If someone can tolerate it, they are welcome to use this extension

Hello Evjl's Rain,

1. Do you think that the Malwarebytes Browser extension developers know about this problem?

I reported a bug about two versions or so ago where this extension causes the Smart Naming feature / the default name of streaming videos that you try to download to not work (the name will be changed to a combination of characters instead of the name of the video) in the Video DownloadHelper extension, they confirmed that they were able to reproduce the bug, but sadly it still has not been fixed maybe two versions later so I am currently not using this extension until that gets fixed; and the clickbait feature has some bugs, and seems to only activate on websites that I do not think count as clickbait websites while actual clickbait websites that I have visited do not activate this feature.

There are a few other problems with this extension as well, but if they fix those problems and add the ability to report problems from the extension itself and add element hiding and maybe add web search result ratings then this will be a great extension that can perform several different roles.

2. According to the Chrome Store the Windows Defender Browser Protection extension was updated on August 6, 2018, but I have no idea what changed; hopefully they have fixed a few of the bugs that some of us reported (the recovery time issue, the incognito mode block page issue, et cetera), and hopefully the detection is now at least equal to Microsoft Edge's detection.

3. Recently I noticed that you recommended trying the VX Vault list for Ublock Origin (which is very small surprisingly, only 104 entries), and I was wondering if you have tried testing this list against the default malware lists in Ublock Origin to see if this one small list is really better than the default malware lists combined?

4. If the small VX Vault list does really outperform the default malware lists then would you recommend adding any other small malware lists like Malc0de to Ublock Origin?

5. I noticed that Malc0de has three options: Bind format, Windows format, and IP Blacklist; if you were to recommend the Malc0de list(s) as well, which of these would you add to Ublock Origin, are they the same thing or are the first two domain blacklists while the third is just an IP blacklist?

6. Have you and / or anyone that you know of tried sharing tests / recommendations to the Ublock Origin developer(s) to let him / them know how poorly the default malware lists perform and suggest that he / they remove them and / or add some better lists on default and let him / they know which lists perform the best in malware (also grayware, adware, et cetera) blocking without being too big?

Thank you,
-John Jr
 
Last edited:

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,626
sorry for my late reply. I was away from my computer for a while and now I can answer your questions. Hope it's not too late

1. Do you think that the Malwarebytes Browser extension developers know about this problem?
I think they are not aware of this or they might ignore it because Malwarebytes extension speed is acceptable for most people, only the cold browser startup speed is slower. After that, the next startup will be instant. Plus many people have SSD => they can hardly notice it

I submitted a thread in MB forum on August 9 but no still reply
MB extension causing slow browser startup

2. According to the Chrome Store the Windows Defender Browser Protection extension was updated on August 6, 2018, but I have no idea what changed; hopefully they have fixed a few of the bugs that some of us reported (the recovery time issue, the incognito mode block page issue, et cetera), and hopefully the detection is now at least equal to Microsoft Edge's detection.
I don't know it too. Most chrome extensions don't have proper changelog. We should wait for the next version so they might publish the changelog for v1.65 as they did for v1.62 and 1.63. I believe they are just some minor changes

3. Recently I noticed that you recommended trying the VX Vault list for Ublock Origin (which is very small surprisingly, only 104 entries), and I was wondering if you have tried testing this list against the default malware lists in Ublock Origin to see if this one small list is really better than the default malware lists combined?
yes I have test the default ublock filters against this list and they failed badly. IMO, those useless lists should be disabled because they are outdated, slowly updated and weak
these 100 vxvault links are the latest 100 links recently found so they should add something to your protection in overall. The best AVs and extensions still miss some links in the list
out of 100, ~60-80 of them are dead links because malware links die very quickly (bandwidth limitation)
it's small but powerful, straight to the point
hphosts EMD, for example, has >300k entries but most of them are dead links. EMD is still the best malware filter your can add to ublock. hphosts > squidblacklist and vxvault because it's unique

5. I noticed that Malc0de has three options: Bind format, Windows format, and IP Blacklist; if you were to recommend the Malc0de list(s) as well, which of these would you add to Ublock Origin, are they the same thing or are the first two domain blacklists while the third is just an IP blacklist?
unfortunately, all of them are not usable for ublock because they need conversion to be useful. ublock doesn't support these format. Luckily, vxvault is almost the same as malc0de as the latest 20-30 links in malc0de are present in vxvault list. vxvault is even more up-to-date than malc0de. Sometimes, malc0de has <5 links which are not in the vxvault list => not noticeable

6. Have you and / or anyone that you know of tried sharing tests / recommendations to the Ublock Origin developer(s) to let him / them know how poorly the default malware lists perform and suggest that he / they remove them and / or add some better lists on default and let him / they know which lists perform the best in malware (also grayware, adware, et cetera) blocking without being too big?
many people have submitted some very useful lists to ublock github and the developer immediately closed the requests. He ignores and rarely considers any new filter to his default list
 
Last edited:

goodjohnjr

Level 2
Jul 11, 2018
74
sorry for my late reply. I was away from my computer for a while and now I can answer your questions. Hope it's not too late


I think they are not aware of this or they might ignore it because Malwarebytes extension speed is acceptable for most people, only the cold browser startup speed is slower. After that, the next startup will be instant. Plus many people have SSD => they can hardly notice it

I submitted a thread in MB forum on August 9 but no still reply
MB extension causing slow browser startup


I don't know it too. Most chrome extensions don't have proper changelog. We should wait for the next version so they might publish the changelog for v1.65 as they did for v1.62 and 1.63. I believe they are just some minor changes


yes I have test the default ublock filters against this list and they failed badly. IMO, those useless lists should be disabled because they are outdated, slowly updated and weak
these 100 vxvault links are the latest 100 links recently found so they should add something to your protection in overall. The best AVs and extensions still miss some links in the list
out of 100, ~60-80 of them are dead links because malware links die very quickly (bandwidth limitation)
it's small but powerful, straight to the point
hphosts EMD, for example, has >300k entries but most of them are dead links. EMD is still the best malware filter your can add to ublock. hphosts > squidblacklist and vxvault because it's unique


unfortunately, all of them are not usable for ublock because they need conversion to be useful. ublock doesn't support these format. Luckily, vxvault is almost the same as malc0de as the latest 20-30 links in malc0de are present in vxvault list. vxvault is even more up-to-date than malc0de. Sometimes, malc0de has <5 links which are not in the vxvault list => not noticeable


many people have submitted some very useful lists to ublock github and the developer immediately closed the requests. He ignores and rarely considers any new filter to his default list

Hello Evjl's Rain,

Thank you very much for taking the time to reply to my questions, your responses and tests are very helpful, and are helping me to improve my security setup while possibly making it lighter in some ways.

1. Thank you for reporting this to them, it is disappointing that no one has replied to your thread there yet, but hopefully they will and will fix this and the issues that me and others have reported.

2. I hope that more extensions and other programs will start having better changelogs, and waiting sounds like a good idea in this situation.

3. Thank you for explaining that and for testing this, I am surprised and amazed by this, this is embarrassing performance for the default lists and it is disappointing that the default lists have not been changed to a better list or lists yet; I hope that more people learn about your thread and other tests so that they will also learn this and will adjust their lists too.

5. Thank you very much, I had no idea, now I feel even better about adding the VX Vault list.

6. That is unfortunate, I guess he has not changed much, but I hope that will change; and I still appreciate some the work he does and the amazing extension he made.

I am glad that there are people out there like yourself who are testing and comparing these lists to help us better choose our lists, and I wish that this community testing could help improve the default lists.

Keep up the good work and thank you very much,
-John Jr
 

Bill K

Level 5
Jul 25, 2018
224
I think they are not aware of this or they might ignore it because Malwarebytes extension speed is acceptable for most people, only the cold browser startup speed is slower. After that, the next startup will be instant. Plus many people have SSD => they can hardly notice it

I submitted a thread in MB forum on August 9 but no still reply
MB extension causing slow browser startup
There is a recent response to your thread on the MB forum comparing its memory usage to some other similar software.