Q&A [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,627
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (Chrome's built-in protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
[image: result.png]


Winner: Google Safe Browsing
 

Evjl's Rain

So what are the strengths of K9 over uBO and Malwarebytes and vice versa?

Thanks
k9 has a huge database, more than most vendors, I assume, besides fortinet, kaspersky, eset,...
K9 and malwarebytes have heuristics engines, which can detect and block unknown malicious websites, in exchange for a high rate of false positives. Not many vendors have it
ublock only blocks websites blacklisted by third-party filter lists. It fully relies on filters => not as good as a dedicated webfilter. Ublock itself doesn't have any malware filter engine

ublock is designed to be an adblocker, not a malware/phishing blocker
the advantage is you can use whatever filters you want (hundreds, millions) so it can sometimes be better than many webfilters such as heimdal/Thor as I demonstrated in some of my tests
I doubt heimdal uses hphosts and their own engine for webfilter because most of the time, heimdal misses very similar links compared to hphosts

k9 is a system-wide webfilter, we all know system-wide webfilters can usually cause problems for people
ublock is an extension, it doesn't cause as many problems
 

HarborFront

Level 61
Verified
Top poster
Content Creator
Oct 9, 2016
5,099
k9 has a huge database, more than most vendors, I assume, besides fortinet, kaspersky, eset,...
K9 and malwarebytes have heuristics engines, which can detect and block unknown malicious websites, in exchange for a high rate of false positives. Not many vendors have it
ublock only blocks websites blacklisted by third-party filter lists. It fully relies on filters => not as good as a dedicated webfilter. Ublock itself doesn't have any malware filter engine

ublock is designed to be an adblocker, not a malware/phishing blocker
the advantage is you can use whatever filters you want (hundreds, millions) so it can sometimes be better than many webfilters such as heimdal/Thor as I demonstrated in some of my tests
I doubt heimdal uses hphosts and their own engine for webfilter because most of the time, heimdal misses very similar links compared to hphosts
But uBO can block analytics, spams, social etc. Can K9 do it?

I suppose I can remove Malwarebytes if I have K9? Does it support ALL browsers?

BTW, do you know what happens to this filter in uBO? Seems not updating for some time now.

https://1hosts.cf/1hosts

Thanks
 

Evjl's Rain

But uBO can block analytics, spams, social etc. Can K9 do it?

I suppose I can remove Malwarebytes if I have K9? Does it support ALL browsers?

BTW, do you know what happens to this filter in uBO? Seems not updating for some time now.

https://1hosts.cf/1hosts

Thanks
K9 is a webfilter/parental control app, you can't expect it to block ads/analytics similarly to an adblocker
K9 is similar to your AV's webfilter. They don't block ads. They are designed to block malwares and phishing and some more categories users specify
these are all categories K9 can block
[image: MWSBpRr.jpg]

ad/tracker/analytic: ublock >>>>>>>>>>> K9 ~ 0
malware: K9 >>>>>>>>>>> ublock

you have to use them together because they have their own job. You can't compare a webfilter to an adblocker and the opposite
you can remove malwarebytes if you have K9

an example of a program which is both an adblocker and malware blocker: Adguard for desktop. It is a good adblocker but a (really) bad malware blocker

https://1hosts.cf/
here is the link. If it's good enough, there is no need for updating. It's still much better than stevenblack's list. I use them both
1hosts is a combined hosts file from other sources so if other sources don't update, 1hosts can't update
updates can bring more filters but they might not be useful for you
 

Andy Ful

From Hard_Configurator Tools
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,082
@Andy Ful I just tested it with 100 openphish links (not as new as phishtank)
it blocked only 1 link o_O
Impressive.
I tested 'Network Protection' on the mixed list (1/2 phishtank + 1/2 openphish). Links were dated 4-6.09.2018.
From 115 links about 2/3 were dead, and 20 were blocked (5 openphish, 15 phishtank).
In other words (approximately):
2/3 dead links + 1/3 live links (1/6 blocked + 1/6 missed).
Detection score: about 50% of the live links blocked (for 10 days old links).
That would be consistent with your first test.
Also, the score for the openphish samples is lower than for the phishtank.

Edit.
The real detection score is probably slightly higher, because some hacked legal websites could remove the malicious components.
 

Evjl's Rain

Impressive.
I tested 'Network Protection' on the mixed list (1/2 phishtank + 1/2 openphish). Links were dated 4-6.09.2018.
From 115 links about 2/3 were dead, and 20 were blocked (5 openphish, 15 phishtank).
In other words (approximately):
2/3 dead links + 1/3 live links (1/6 blocked + 1/6 missed).
Detection score: about 50% of the live links blocked (for 10 days old links).
That would be consistent with your first test.

Edit.
The detection score is probably slightly higher, because some hacked legal websites could remove the malicious components.
so network protection can block something but not new links :unsure:
it can only block 50-60% of 10-day old links
I don't know why WD in general has poor signatures but when we turn on the advanced cloud feature, it detects a lot more and with detection names. Do they publish these signatures to business products but not to home users?
 

Andy Ful

My main concerns about the tests with 2/3 dead links are as follows:
  1. Is it true that most of those dead links were malicious?
  2. Is it true that if 2/3 links are dead then most of the live links are hacked legal websites?
I have the bad feeling that the answers to both questions may be positive. If so, then we do not know the real detection score for most malicious websites. Such tests can be easily questioned.
On the other side, the tests with 0-day links are not so useful, because the chance to follow such link by the user is negligible.
I do not know which test procedure could be optimal. Maybe few-day-old links with maximum 1/3 dead links?
 
Last edited:
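
An added example, not part of the thread or any poster's own tooling: an offline scoring harness for the kind of test discussed above, which matches URLs against a hosts-format blocklist, scores only the live links, counts blocked dead links separately, and attaches a 95% Wilson interval to show how wide the uncertainty is at these sample sizes. The blocklist entries, URLs and liveness flags are constructed, exact-hostname matching is an assumption, and the Wilson interval is a technique added here; 2/26 is the WDNP figure quoted in the thread.

```python
import math
from urllib.parse import urlsplit

# Constructed hosts-format blocklist (placeholder .example names, not real indicators).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
0.0.0.0 login-update.example
127.0.0.1 cdn.bad-payload.example  # inline comment
0.0.0.0 phish.example
"""

# Constructed test set of (url, alive). Liveness is a recorded flag so the
# example runs offline; a real run would record it at test time.
SAMPLES = [
    ("http://login-update.example/verify", True),
    ("http://phish.example/a.doc", True),
    ("http://new-unlisted.example/invoice.doc", True),
    ("http://another-new.example/", True),
    ("http://cdn.bad-payload.example/x.exe", False),
    ("http://gone.example/", False),
]

def parse_hosts(text):
    """Return the set of blocked hostnames in hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in parts[1:] if h != "localhost")
    return blocked

def is_blocked(url, blocked):
    """Assumption: exact hostname match, the way a hosts file resolves names."""
    host = (urlsplit(url).hostname or "").lower()
    return host in blocked

def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for the proportion hits/n."""
    if n == 0:
        return (0.0, 1.0)  # nothing scored: the rate is unknown
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def score(samples, blocked):
    """Score live links only; dead links are reported but never count as misses."""
    live = [u for u, alive in samples if alive]
    dead = [u for u, alive in samples if not alive]
    hits = sum(is_blocked(u, blocked) for u in live)
    return {
        "total": len(samples),
        "dead": len(dead),
        "dead_blocked": sum(is_blocked(u, blocked) for u in dead),
        "live": len(live),
        "blocked": hits,
        "rate": hits / len(live) if live else None,
        "ci95": wilson_interval(hits, len(live)),
    }

if __name__ == "__main__":
    print(score(SAMPLES, parse_hosts(SAMPLE_HOSTS)))
    print("2/26 ->", wilson_interval(2, 26))  # the WDNP result quoted in the thread
```
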

Evjl's Rain

My main concerns about the tests with 2/3 dead links are as follows:
  1. Is it true that most of those dead links were malicious?
  2. Is it true that if 2/3 links are dead then most of the live links are hacked legal websites?
I have the bad feeling that the answers to both questions may be positive. If so, then we do not know the real detection score for most malicious websites. Such tests can be easily questioned.
On the other side, the tests with 0-day links are not so useful, because the chance to follow such link by the user is negligible.
I do not know which test procedure could be optimal. Maybe few-day links with maximum 1/3 dead links?
according to my observation, almost all of the dead links are due to out-of-bandwidth. Some were taken down by the host providers because they are malicious or were reported

I just tested WDNP with the links of my test on 6/9, many were alive. WDNP missed a lot, almost all especially .doc malwares
2/26
I tested each link 1 by 1
 

Moonhorse

Level 33
Verified
Top poster
Content Creator
Well-known
May 29, 2018
2,208
according to my observation, almost all of the dead links are due to out-of-bandwidth. Some were taken down by the host providers because they are malicious or were reported

I just tested WDNP with the links of my test on 6/9, many were alive. WDNP missed a lot, almost all especially .doc malwares
Btw hphosts have that all in one filter which contains 500k+, do you recommend using it at all or are most of the links just dead? I use it on my phone on firefox nightly, but I could live without it on desktop. Is it worth adding?
 

HarborFront

k9 has a huge database, more than most vendors, I assume, besides fortinet, kaspersky, eset,...
K9 and malwarebytes have heuristics engines, which can detect and block unknown malicious websites, in exchange for a high rate of false positives. Not many vendors have it
ublock only blocks websites blacklisted by third-party filter lists. It fully relies on filters => not as good as a dedicated webfilter. Ublock itself doesn't have any malware filter engine

ublock is designed to be an adblocker, not a malware/phishing blocker
the advantage is you can use whatever filters you want (hundreds, millions) so it can sometimes be better than many webfilters such as heimdal/Thor as I demonstrated in some of my tests
I doubt heimdal uses hphosts and their own engine for webfilter because most of the time, heimdal misses very similar links compared to hphosts

k9 is a system-wide webfilter, we all know system-wide webfilters can usually cause problems for people
ublock is an extension, it doesn't cause as many problems
Does it work with ALL browsers or only the standard FF/Chrome/Edge/IE browsers? Not all system-wide software works with ALL browsers

Thanks
 

Evjl's Rain

Btw hphosts have that all in one filter which contains 500k+, do you recommend using it at all or are most of the links just dead? I use it on my phone on firefox nightly, but I could live without it on desktop. Is it worth adding?
if you want to use hphosts, you must use hphosts + hphosts partial
hphosts partial is the daily update for hphosts (updated long ago). The last update of hphosts is in march :emoji_grimacing:
[image: Capture.PNG]

I prefer using hphosts EMD (malware) only: ~300k, updated daily

I don't recommend using hphosts for phone because it's not necessary. Use adblocking filter only like adguard english filter or stevenblack hosts. Less is better because it will reduce the load for phone's CPU and RAM
 

HarborFront

I don't know, I'm not an expert of K9
I think it should work but I can't confirm
OK, found the answer

One difference between K9 and many other filtering solutions is that K9 is Internet-provider-independent and browser-independent. It will run on any Windows or Mac computer, no matter what Internet Service Provider delivers your Internet connection. It also works with any Internet browser.

FAQ | K9 Web Protection - Free Internet Filter and Parental Control Software
 

Andy Ful

according to my observation, almost all of the dead links are due to out-of-bandwidth. Some were taken down by the host providers because they are malicious or were reported

I just tested WDNP with the links of my test on 6/9, many were alive. WDNP missed a lot, almost all especially .doc malwares
2/26
I tested each link 1 by 1
So it is comparable to WDBP ~ 1/15 and not comparable to Edge SmartScreen ~ 1/3.
I am curious how many dead links were blocked by the most aggressive browser extensions?
It may be that they have a similar rate of false positives on live links detection.
Anyway, for the average users, the best choice will be the aggressive extension over the low-false-positive one.
 

509322

Except for blocking ads, content filtering extensions practically add very, very little to overall protection. Webpage heuristics, the same. The protections provided are of very little practical merit.

Chasing the ultimate extensions, filters, lists, etc... it is an exercise in futility. All that time and effort can be much more wisely applied elsewhere to get the biggest return-on-effort.
 

Evjl's Rain

Except for blocking ads, content filtering extensions practically add very, very little to overall protection. Webpage heuristics, the same. The protections provided are of very little practical merit.

Chasing the ultimate extensions, filters, lists, etc... it is an exercise in futility. All that time and effort can be much more wisely applied elsewhere to get the biggest return-on-effort.
not many people can manage default-deny solutions. That's why I want to find additional tools to strengthen default-allow solutions. An extension is a free, easy way to do so

I don't really find another solution which has better return-on-effort as you said because I have been experiencing many other tools with some disappointments and reduction in usability
a tool like Syshardener or OSA and smartscreen is rare which can improve general security but doesn't reduce productivity
I truly believe most home users aren't exposed to zero-day malwares but they are still infected because they don't have sufficient protection in the first place

the programs I set up for my family are all free and light-weight and regardless of what they do, recklessly, they still haven't got any infection, yet
no reduction in productivity, no extra system load, no time required for education because they tend to forget within minutes
 

509322

not many people can manage default-deny solutions. That's why I want to find additional tools to strengthen default-allow solutions. An extension is a free, easy way to do so

I don't really find another solution which has better return-on-effort as you said because I have been experiencing many other tools with some disappointments and reduction in usability
a tool like Syshardener or OSA is rare which can improve general security but doesn't reduce productivity
I truly believe most home users aren't exposed to zero-day malwares but they are still infected because they don't have sufficient protection in the first place

the programs I set up for my family are all free and light-weight and regardless of what they do, recklessly, they still haven't got any infection, yet
no reduction in productivity, no extra system load, no time required for education because they tend to forget within minutes

What I posted has nothing to do with default-deny. Default-deny causes no greater loss in productivity than any other security software. In some cases exceptions need to be created. Otherwise default-deny provides the highest security with the lowest resource usage.

When you actually study how people get themselves into trouble, you will see that browser extensions do almost nothing to prevent people from getting themselves infected. It's a well-established and widely-accepted fact. The only thing browser extensions really do is to provide an increased psychological comfort as opposed to any really meaningful protection.
 

Evjl's Rain

What I posted has nothing to do with default-deny. Default-deny causes no greater loss in productivity than any other security software. In some cases exceptions need to be created. Otherwise default-deny provides the highest security with the lowest resource usage.

When you actually study how people get themselves into trouble, you will see that browser extensions do almost nothing to prevent people from getting themselves infected. It's a well-established and widely-accepted fact. The only thing browser extensions really do is to provide an increased psychological comfort as opposed to any really meaningful protection.
I know that's a fact but I don't believe in those because people use their computer differently

I also know default-deny can protect up to 100% with ~zero resource usage, a fact too but they are not for average users. Even when we set up a default-deny solution with exclusions for them, they won't be satisfied because it blocks their NEW safe programs

I tested these for myself, to set up for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for MT hub

extensions can contribute to a default-deny-based setup that users will have to deal with fewer malwares touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make a decision on every single file they just download and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make a decision on 5-10% of the malicious files + safe files
I choose the default-deny + default-allow because I have absolutely no trust in default-deny only
 

Moonhorse

What I posted has nothing to do with default-deny. Default-deny causes no greater loss in productivity than any other security software. In some cases exceptions need to be created. Otherwise default-deny provides the highest security with the lowest resource usage.

When you actually study how people get themselves into trouble, you will see that browser extensions do almost nothing to prevent people from getting themselves infected. It's a well-established and widely-accepted fact. The only thing browser extensions really do is to provide an increased psychological comfort as opposed to any really meaningful protection.
And you're talking about infecting. Well, as an example my mother doesn't torrent / download anything. But her browsing habits are like:
1. open google
2. type search in
3. click click click

To be honest even an adblocker blocking the pesky ads from google, leaving only 'trusted' searches, is alone saving lives. And when a phishing/malware protection extension is added it's a huge extra layer of security there

You're talking about infecting a pc, but there are much worse things before being infected that you can be affected by

There are people out there who don't have enough knowledge to call with their phone, and after teaching them for an hour or two they still don't get it (or forget the day after). So extensions can be very helpful for some people, maybe you don't have to play with them but there are people who should
 

509322

To be honest even an adblocker blocking the pesky ads from google, leaving only 'trusted' searches, is alone saving lives. And when a phishing/malware protection extension is added it's a huge extra layer of security there

No. It adds very little to overall security. It is well-known that phishing sites are taken down within hours of first going up. So there is a large likelihood that a user will end up on a phishing page that will never be reported so that it can be detected. Same applies to malware-serving URLs.

Ad blocker is a whole lot more relevant than malicious URL blocking.