Lockdown

Level 54
Verified
To be honest, even an ad blocker blocking the pesky ads from Google, leaving only 'trusted' searches, is alone saving lives. And when a phishing/malware protection extension is added, it's a huge extra layer of security there.
No. It adds very little to overall security. It is well known that phishing sites are taken down within hours of first going up. So there is a large likelihood that a user will end up on a phishing page that will never be reported so that it can be detected. The same applies to malware-serving URLs.

An ad blocker is a whole lot more relevant than malicious URL blocking.
 

Lockdown

Level 54
Verified
I know that's a fact, but I don't believe in those because people use their computers differently

I also know default-deny can protect up to 100% with ~zero resource usage, a fact too, but they are not for average users. Even when we set up a default-deny solution with exclusions for them, they won't be satisfied because it blocks their NEW safe programs

I tested these for myself, to set up for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for the MT hub

extensions can contribute to a default-deny-based setup so that users will have to deal with less malware touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make a decision on every single file they download, and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make decisions on 5-10% of the malicious files + safe files
I choose default-deny + default-allow because I have absolutely no trust in default-deny only
The fact is, unless you have children and reckless happy-clicker adults using the PC, most security configurations are sufficient to avoid most of the bad stuff.

For people that really don't know what they're doing and insist on using Windows, a pre-configured Guest\LUA\SUA account and restoring the system to a known clean state after each use is the best option on Windows. Of course, they are locked out of downloading and running most stuff.
 

given

Level 2
Verified
I know that's a fact, but I don't believe in those because people use their computers differently

I also know default-deny can protect up to 100% with ~zero resource usage, a fact too, but they are not for average users. Even when we set up a default-deny solution with exclusions for them, they won't be satisfied because it blocks their NEW safe programs

I tested these for myself, to set up for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for the MT hub

extensions can contribute to a default-deny-based setup so that users will have to deal with less malware touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make a decision on every single file they download, and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make decisions on 5-10% of the malicious files + safe files
I choose default-deny + default-allow because I have absolutely no trust in default-deny only
Hello @Evjl's Rain... how are you doing buddy :) I heard that the Malwarebytes extension and the Windows Defender browser extension are both good, but which one is better (for Chrome)? thanks bro :)
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
I made a test that surprised me very much. I took the list of 128 phishing links from OpenPhish and PhishTank dated 6.09.2018. Next, I checked all those links on VirusTotal to see how many of them were still detected as malicious by OpenPhish or PhishTank after 9 days. The result was an impressive 15/128. Furthermore, there was not a single link detected as malicious by both OpenPhish and PhishTank (0/128)?

Post Edited.
So what happened?
I found the OpenPhish website and looked at the original phishing entries. Many of those entries had the form:
hxxp://xxxxxx-az.today/FinalStep.php
hxxp://yyyyyyy.naghashim.ir/images/png/online.php?session=afdafef29a1f53a39
hxxp://zzzz.aa.bc/bace/?login=&.verify?service=mail&data:text/hxxl
etc.
So, I understood my mistake. On my anti-phishing list were many partial links, for example hxxp://xxxxxx-az.today instead of hxxp://xxxxxx-az.today/abc/def/FinalStep.php.
When I entered the partial links into VirusTotal, they were shown as clean for OpenPhish.

So I must wait some days to perform the correct test for 9-day detection, because the free list from the OpenPhish website actually has entries from 11.09.2018 to 15.09.2018.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
I realized that most anti-phishing tests of WD Exploit Guard 'Network Protection' (including mine) were probably invalid. If the testers do not use the original OpenPhish or PhishTank links, then the non-original lists include many partial links which will not be correctly detected by 'Network Protection'.
For example, the link below is blacklisted by PhishTank:
hxxp://yyyyyy.torbath.ac.ir/wp-content/themes/vend/vendlogs/bofa/mail.pxp
If we open the partial link hxxp://yyyyyy.torbath.ac.ir, then the web browser will not try to download the mail.pxp file, so 'Network Protection' will not detect the link. But if we press the mail icon on the website hxxp://yyyyyy.torbath.ac.ir, then the browser will try to load the mail.pxp file, and this action can be detected by 'Network Protection'.
If the blacklisted link were hxxp://yyyyyy.torbath.ac.ir/mail.pxp, then the partial link would probably be detected, because the web browser usually would try to open the mail.pxp file.
 

Evjl's Rain

Level 40
Content Creator
Trusted
Malware Hunter
Verified
I realized that most anti-phishing tests of WD Exploit Guard 'Network Protection' (including mine) were probably invalid. If the testers do not use the original OpenPhish or PhishTank links, then the non-original lists include many partial links which will not be correctly detected by 'Network Protection'.
For example, the link below is blacklisted by PhishTank:
hxxp://yyyyyy.torbath.ac.ir/wp-content/themes/vend/vendlogs/bofa/mail.pxp
If we open the partial link hxxp://yyyyyy.torbath.ac.ir, then the web browser will not try to download the mail.pxp file, so 'Network Protection' will not detect the link. But if we press the mail icon on the website hxxp://yyyyyy.torbath.ac.ir, then the browser will try to load the mail.pxp file, and this action can be detected by 'Network Protection'.
If the blacklisted link were hxxp://yyyyyy.torbath.ac.ir/mail.pxp, then the partial link would probably be detected, because the web browser usually would try to open the mail.pxp file.
I always use the default links provided by OpenPhish or PhishTank
but is that important? A miss is a miss regardless of the format of the URL if it can't protect. That's a flaw
it should protect in any condition unless they document that they don't protect in such conditions
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
I always use the default links provided by OpenPhish or PhishTank
but is that important? A miss is a miss regardless of the format of the URL if it can't protect. That's a flaw
it should protect in any condition unless they document that they don't protect in such conditions
No. It is not a miss or a flaw. The full URL to the malicious content can be blocked and the user can be protected.
This is the same behavior as for on-access file scanning performed by many AVs (WD for example). If you have malware hidden in 'c:\Users\Me\Appdata\Local\Temp\malware.exe', it will not be automatically detected by WD when opening the 'c:\Users' folder. You probably do not call this a flaw.
When the user opens the link hxxps://malwaretips.com, the possible malware attachments in hxxps://malwaretips.com/threads/14-09-2018-18.86745/ will not be loaded (even if they were not forbidden), so the user cannot be infected. When the user opens the malware attachment, then 'Network Protection' can stop it via the blacklisted full link. I think that some other malicious link blockers can work similarly.
 

Lockdown

Level 54
Verified
I always use the default links provided by OpenPhish or PhishTank
but is that important? A miss is a miss regardless of the format of the URL if it can't protect. That's a flaw
it should protect in any condition unless they document that they don't protect in such conditions
No, it doesn't work that way, and it goes straight to my point that web content filtering is a weak and flawed protection layer.

The most effective detection model is link popularity (reputation) detection.

It's just like with general AI/ML... it promises to outdo what existed before it, but never delivers on the promises. Heuristics, examining lexical features of a URL, and other methods... just aren't as effective as the good old, reliable blacklist.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
When using Google for finding websites + Google Safe Browsing, the user has a mix of popularity and detection factors. So, in my personal opinion, this is not a bad solution for most average users.
Furthermore, the first factor can be even more important for the users' security. (y)
I think that both Google Safe Browsing and WDEG 'Network Protection' are based on URL blacklists. Simply, Google Safe Browsing (also Edge SmartScreen) often uses shortened URLs, while WDEG 'Network Protection' uses full URLs.
I could see that behavior when testing the same links in Edge + SmartScreen and in Firefox + WDEG 'Network Protection'. The first mostly showed the red block page, while the second showed the normal webpage with WD alerts. In some cases WDEG 'Network Protection' also blocked the webpage, especially for links like hxxp://abc.def/favicon.ico.
 
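A worked illustration of the point made in the two posts above (the VirusTotal partial-link mismatch and the full-URL versus shortened-URL blacklist behaviour): the same requested page can be a miss or a hit depending only on how the list entry is stored and how the lookup expands the URL. This is an added example, not code from the thread or from any of the products named. The blocklist entries are constructed from the thread's placeholder links (the hostnames are not real sites), and the host-suffix/path-prefix expansion follows the general Safe Browsing lookup scheme, not any vendor's actual implementation.

```python
"""Added example (not from the thread): why a host-only lookup misses a
blocklist entry stored as a full path, and how a Safe Browsing style
host-suffix / path-prefix expansion lets a shortened entry cover every
page under it.  Entries are constructed from the thread's placeholder
links; the hostnames are not real sites."""
from urllib.parse import urlsplit, unquote

# Constructed: entries stored as full URLs (the 'Network Protection' style
# described in the thread).
FULL_URL_BLOCKLIST = {
    "yyyyyy.torbath.ac.ir/wp-content/themes/vend/vendlogs/bofa/mail.pxp",
    "xxxxxx-az.today/FinalStep.php",
}

# Constructed: entries stored as shortened host or directory prefixes
# (the Safe Browsing / SmartScreen style described in the thread).
PREFIX_BLOCKLIST = {
    "yyyyyy.torbath.ac.ir/",
    "abc.support/logins/",
}


def canonicalize(url: str) -> str:
    """Reduce a URL to 'host/path?query': defanged hxxp(s) is mapped back
    to http(s); scheme, port and fragment are dropped; the host is
    lower-cased; the path is percent-decoded; a bare host gets path '/'."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path) or "/"
    query = "?" + parts.query if parts.query else ""
    return host + path + query


def exact_lookup(url: str, blocklist: set) -> bool:
    """Exact-match model: the requested URL must equal a list entry, so a
    host-only request never matches an entry stored with a full path."""
    return canonicalize(url) in blocklist


def lookup_expressions(url: str) -> list:
    """Expressions checked for one URL: the full host plus up to four
    shorter host suffixes (never the bare TLD), each combined with the
    full path(+query) and every directory prefix down to '/'."""
    canon = canonicalize(url)
    host, _, rest = canon.partition("/")
    path_q = "/" + rest
    path = path_q.split("?", 1)[0]
    labels = host.split(".")
    hosts = [host] + [".".join(labels[-k:]) for k in range(len(labels) - 1, 1, -1)][:4]
    prefixes = [path_q] if path_q != path else []
    prefixes.append(path)
    dirs = path.split("/")[1:-1]          # intermediate directory names only
    for i in range(len(dirs), -1, -1):
        p = "/" + "/".join(dirs[:i]) + ("/" if i else "")
        if p not in prefixes:
            prefixes.append(p)
    return [h + p for h in hosts for p in prefixes]


def expression_lookup(url: str, blocklist: set) -> bool:
    """Prefix model: block if any host-suffix/path-prefix expression is listed."""
    return any(e in blocklist for e in lookup_expressions(url))


if __name__ == "__main__":
    root = "hxxp://yyyyyy.torbath.ac.ir"
    full = root + "/wp-content/themes/vend/vendlogs/bofa/mail.pxp"
    print("exact,  root page vs full-URL list: ", exact_lookup(root, FULL_URL_BLOCKLIST))
    print("exact,  full link vs full-URL list: ", exact_lookup(full, FULL_URL_BLOCKLIST))
    print("prefix, root page vs shortened list:", expression_lookup(root, PREFIX_BLOCKLIST))
    print("prefix, root page vs full-URL list: ", expression_lookup(root, FULL_URL_BLOCKLIST))
```

The last line of the demo is the one that matters for a tester: even with prefix expansion, a list that stores only the full path still lets the site root through, so feeding shortened links to a full-URL blocker measures the list format, not the product.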

Andy Ful

Level 36
Content Creator
Trusted
Verified
I spent a few hours making a test that is probably slightly different from the tests of @Evjl's Rain.
The test included only samples that fulfilled the below requirements:
  1. 5 days old on Phishtank.
  2. Validated as 100% phishing.
  3. Were available online.
All the above points can be approximately fulfilled by the appropriate filter settings on PhishTank.
Anyway, for several reasons point 2 gave 19 links which did not open the phishing page, and point 3 gave three samples that were 75% phishing and 25% not phishing. So, 22 of the 50 links were removed from the final scoring.

The results for the 28 live samples (detections out of 28):
BitDefender 25
Eset 28
Fortinet 24
G-Data 28
Google SB 21
Kaspersky 24
Sophos AV 25
WDEG NP 19

All vendors except WDEG NP (WDEG Network Protection) were checked on VirusTotal. Rarely, I found bugs on VirusTotal; for example, Fortinet did not detect the full link:
hxxp://abc.support/logins/dGdFdCPKPFZNdJcBcbEKTUUbagYVYZQLCKLDBQINMUWOJSUZPVR/
but did detect the shortened link hxxp://abc.support/logins/.
In one case Google SB did not detect the initial phishing link, but that link redirected the browser to another website, which was detected. I counted this as a detection.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
how about the latest phishing links or VXVault? Can you test them also?
could you also verify the difference between WD using default settings and high settings in ConfigureDefender? Do they affect the web filter? For me, they didn't
I would like to pass for now, because I have to finish my work on the new Hard_Configurator version.
I am pretty sure that WD settings do not affect web filtering (either SmartScreen in Edge or WDEG Network Protection), except for the requirement that WD real-time protection and cloud-delivered protection must be enabled. (y)
 

HarborFront

Level 44
Content Creator
Verified
Hi

Is there any way to temporarily disable K9 without uninstalling it? I think it's slowing down one of the sites I always frequent. I need to verify this.

Thanks
 

Moonhorse

Level 23
Content Creator
Verified
Hi all.

Avira vs Avast on Chrome? Google Safe Browsing is enabled, also using Nano Adblocker as installed, with Netcraft.

Thanks :)
You don't need them. Netcraft + Nano Adblocker is enough, and it seems you have Avast antivirus installed, so it will carry the rest.

If you really want to go with either Avast or Avira, I would vote for Avira, because of stronger signatures and web filtering, since their extension is their only web filter in their free antivirus.

But if you decide to go with Avira, just disable its ad blocking, because Nano is already handling that.
 

Windows_Security

Level 21
Content Creator
Trusted
Verified
I know that's a fact, but I don't believe in those because people use their computers differently

I also know default-deny can protect up to 100% with ~zero resource usage, a fact too, but they are not for average users. Even when we set up a default-deny solution with exclusions for them, they won't be satisfied because it blocks their NEW safe programs

I tested these for myself, to set up for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for the MT hub

extensions can contribute to a default-deny-based setup so that users will have to deal with less malware touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make a decision on every single file they download, and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make decisions on 5-10% of the malicious files + safe files
I choose default-deny + default-allow because I have absolutely no trust in default-deny only
I have a default-deny setup and only change add-ons in Firefox (on a Windows 7 desktop) occasionally. I use the MBAM add-on for Firefox based on your tests. When MBAM had quirks (not releasing two Firefox processes when running as another LUA user), I changed to Comodo based on your tests. So keep up the good work :emoji_ok_hand: