Q&A [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Verified
Trusted
Content Creator
Malware Hunter
Apr 18, 2016
3,604
28,273
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (Chrome's built-in protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 

Moonhorse

Level 30
Verified
Content Creator
May 29, 2018
1,991
9,964
a quick test with vxvault latest 101 links to check how these extensions are doing. Lower is better. Many of them are dead links. No time to test AVs

chrome 1
malwarebytes 0
avira 9
ublock (+squidblacklist) 25
blocksi (children) 44
blocksi (unrated = block/default-deny) 0
WDBP 9, or block 75/101
comodo 5
Edge/IE 0
Norton 30
Still somehow impressive microsoft > google

Blocksi is new thing to me, their free chrome extension seems to be very easy to use and even have decent configuration. Wow this extension is really good, one of the best adult filters probs

Thanks
 

Evjl's Rain

Still somehow impressive microsoft > google

Blocksi is new thing to me, their free chrome extension seems to be very easy to use and even have decent configuration

Thanks
smartscreen always has an advantage over chrome due to their windows defender cloud signatures and smartscreen reputation service
however, when we deal with true zero-day links, they will all struggle a bit and will perform similarly

blocksi (tweaked) seems to be a great default deny solution for download files but because of that, it causes high FP rate for unpopular softwares downloaded from the developer's websites
itself in default settings is useless though
p/s: it slows down my browsing speed a lot because it has to wait for the result from the cloud before the webpage can display
 

Evjl's Rain

VirusTotal

Forticlient still probably most effective, no one seems to block above at all. And those fresh links are up on viewbotted scam streams...they make a lot profit of them
it's the matter of probability
trust me, I have seen netcraft blocking almost all phishing links I threw at it and forti missed some
missing 1 link doesn't mean netcraft is worse than forti. Moreover, that link was classified as spam, perhaps that was why netcraft didn't block it
edit: now netcraft blocked it
 

Moonhorse

it's the matter of probability
trust me, I have seen netcraft blocking almost all phishing links I threw at it and forti missed some
missing 1 link doesn't mean netcraft is worse than forti. Moreover, that link was classified as spam, perhaps that was why netcraft didn't block it
edit: now netcraft blocked it
Yep and netcraft as well moved it as malicious. I know it's very unlikely to get on phishing sites, especially very fresh ones but netcraft + forticlient or some other combo will stack together to have better overall protection indeed
 

Evjl's Rain

Heimdal result: missed 27 files
tested with 2 methods: opened everything as a whole and opened each link 1 by 1, exact same result

Thor RC: 28 files missed

hphosts: 26 files missed
@Nightwalker

you can test it yourself here if I make some mistakes. Note that links can die later. Heimdal can miss ~10 links in your test
 

ZeroDay

Level 29
Verified
Aug 17, 2013
1,856
6,486
Avira blocks all the links on Malcode, Netcraft blocks all the links on Phishtank, but not the other way around. They nicely supplement each other.


They provide an additional protection, especially against 0day, since they prevent the user from landing on the infected webpage in the first place.


Unfortunately, there are also too many attack vectors and not a single extension can handle all, like IDN, XSS, popups (cryptomining), etc.
I'm sorry but that's still too many extensions that have overlapping features it's ridiculous.

Edit: Sorry I didn't mean to sound rude.
 

Evjl's Rain

Hi @Evjl's Rain thanks again for your tests, it is very much appreciated.

What do you think about Malwarebytes web (extension) protection? In my experience it seems to be a beast, especially against malvertising.
it's the absolute best extension against malwares IMHO because it is 1 of a few extensions which have heuristic engines for suspicious links. It has a bit higher resource usage than WDBP and norton safe web (these 2 only have cloud lookup, nothing else, thus extremely light)
netcraft if I'm not mistaken also has heuristics for phishing links

I tagged you in the post above which includes heimdal RC/official and hphosts as you suspected heimdal used hphosts (they denied that)
very similar, huh? :D
 

Nightwalker

Level 22
Verified
Trusted
Content Creator
May 26, 2014
1,189
7,899
it's the absolute best extension against malwares IMHO because it is 1 of a few extensions which have heuristic engines for suspicious links. It has a bit higher resource usage than WDBP and norton safe web (these 2 only have cloud lookup, nothing else, thus extremely light)
netcraft if I'm not mistaken also has heuristics for phishing links

I tagged you in the post above which includes heimdal RC/official and hphosts as you suspected heimdal used hphosts (they denied that)
very similar, huh? :D

Thanks for almost confirming my suspicion, it is so similar that it can't be a simple coincidence.
Heimdal is never going to admit that their "fancy DarkGuard" is just Hphosts in disguise :sneaky:

About Malwarebytes extension, in my experience it is on the heavy side like you said, I disabled the "advertising/tracker protection" and it has gotten better; I hope the final version will be better optimized in this area.
 

Evjl's Rain

Thanks for almost confirming my suspicion, it is so similar that it can't be a simple coincidence.
Heimdal is never going to admit that their "fancy DarkGuard" is just Hphosts in disguise :sneaky:

About Malwarebytes extension, in my experience it is on the heavy side like you said, I disabled the "advertising/tracker protection" and it has gotten better; I hope the final version will be better optimized in this area.
we need a deeper analysis to confirm it, for example, download everything and compare side by side by looking at the downloaded files in 2-3 tests
I forgot to do that in my test

about MB extension, its size is huge by itself so it takes time to load the extension on browser startup
I also notice my CPU usage reduces a bit after I switch off clickbait protection but not so much

I don't know how they will optimize this extension in the future
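
The side-by-side comparison proposed in the post above can be made quantitative. The following is an added example, not code from any poster or vendor: the link IDs, the sets of missed links and the third list `other_list` are constructed, the miss counts 27 and 26 are the ones reported in the Heimdal/hphosts post, and the total of 101 links is an assumption.

```python
from itertools import combinations
from math import comb

def jaccard(a, b):
    """Share of links missed by either product that were missed by both."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def chance_overlap_p(n_links, a, b):
    """P(shared misses >= observed) if b's misses were spread at random
    over the n_links tested (hypergeometric upper tail)."""
    k, na, nb = len(a & b), len(a), len(b)
    tail = sum(comb(na, i) * comb(n_links - na, nb - i)
               for i in range(k, min(na, nb) + 1))
    return tail / comb(n_links, nb)

def compare(n_links, misses):
    """Pairwise overlap statistics for one test round.
    misses maps product name -> set of link IDs it failed to block."""
    out = {}
    for (x, a), (y, b) in combinations(sorted(misses.items()), 2):
        out[(x, y)] = {
            "shared": len(a & b),
            "jaccard": jaccard(a, b),
            "p_chance": chance_overlap_p(n_links, a, b),
        }
    return out

# Constructed sample round: links are numbered 0..100 (assumed 101 links).
N_LINKS = 101
MISSES = {
    "heimdal": set(range(0, 27)),      # 27 misses (count from the post)
    "hphosts": set(range(1, 27)),      # 26 misses (count from the post)
    "other_list": set(range(20, 46)),  # hypothetical unrelated blocklist
}

if __name__ == "__main__":
    for pair, stats in compare(N_LINKS, MISSES).items():
        print(pair, stats)
    # A tiny p_chance means the two products' misses are not independent.
    # That is consistent with one list being built on the other, but also
    # with both drawing on the same upstream feeds, so repeat the
    # comparison over several rounds with fresh links before concluding.
```

Matching miss counts alone say little; what matters is whether the same links are missed, which is why the comparison works on sets of link IDs rather than totals.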
 

Evjl's Rain

Test 2/9/2018
20 links collected from virustotal, nothing is from vxvault list. Higher is better


Browsers/extensions
chrome 16
avira 14
malwarebytes 18
ublock+squidblacklist 10
blocksi (default/children preset) 0
blocksi (block unrated): 20
WDBP 13
Comodo 0
Norton 3

Edge/IE 17
hphosts 12
Thor RC 4

AVs/Suites
Kaspersky 20
Forticlient 19
K9 19

DNS-es
Quad9 0
Adguard DNS 10
Neustar 18
Greenteam 0
Yandex 6
Comodo DNS 0
Strongarm 0
SafeDNS 4

it seems like Thor RC doesn't use hphosts in this test @Nightwalker but it proves Thor RC is way overrated
or they do use hphosts but delayed and they also have their own engine. Some files are the same in both sides
Windows 7-2018-09-02-06-56-44.png
 

stefanos

Level 28
Verified
Oct 31, 2014
1,727
12,028
Test 2/9/2018
20 links collected from virustotal, nothing is from vxvault list. Higher is better



chrome 16
avira 14
malwarebytes 18
ublock+squidblacklist 10
blocksi (default/children preset) 0
blocksi (block unrated): 20
WDBP 13
Comodo 0
Norton 3

Edge/IE 17
hphosts 12
Thor RC 4

Kaspersky 20
Forticlient 19
K9 19

it seems like Thor RC doesn't use hphosts in this test @Nightwalker but it proves Thor RC is way overrated
or they do use hphosts but delayed and they also have their own engine. Some files are the same in both sides
Another good test. A question: with which internet browser do you test? I ask because I tried Forticlient and K9 with Opera and they do not block almost anything. Only with chrome I saw good results. Now I'm with Kaspersky free. Kaspersky works perfectly, and with Opera too
 