Hot Take [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
VirusTotal

This phishing link been up for more than 12 hours, why isnt any engine detecting it? I have reported it to multiple vendors without answer
Maybe because the link is broken?

On Chrome, I get:
This page isn’t working
secure.runescape.com-os.cz didn’t send any data.


ERR_EMPTY_RESPONSE

On Firefox, I get:
Secure Connection Failed

An error occurred during a connection to secure.runescape.com-os.cz.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,596
Anyone tried Check point SandBlast Extension?I just installed on Chrome.According to AvLab it's the only one scored 100% on malicious and phising sites.

Test of web browser extensions for protection against malicious software

You may have missed this part: " Free version of the „Check Point Sandblast Agent for Browser” extension doesn’t have the most important functionality if it isn’t connected to the SandBlast service. ...

... Free version of the extension didn’t meet requirements for scanning downloaded threats, so we tested a commercial version at the request of the developer ... "
 

Nestor

Level 9
Verified
Well-known
Apr 21, 2018
397
You may have missed this part: " Free version of the „Check Point Sandblast Agent for Browser” extension doesn’t have the most important functionality if it isn’t connected to the SandBlast service. ...

... Free version of the extension didn’t meet requirements for scanning downloaded threats, so we tested a commercial version at the request of the developer ... "
Yes i saw that but at settings there are two switches to turn on.One is for phising sites and the other is for malicious downloads.In fact you turn on a sandbox ,which analyse every file downloaded, that seems to be working but i am not sure if i am missing something.:unsure::rolleyes:
 

Threadripper

Level 9
Verified
Well-known
Feb 24, 2019
408
Thought it would be necessary to mention that lots, and I mean lots of these extensions send every URL you visit straight to the company in plain test (they'll say it's "encrypted" because of TLS but to them it's still plain test) so who knows what they collect and what they do with it - and uselessly if you were the victim of an MiTM attack the attacker would see the URLs you visit twice.

The only one I know that doesn't for sure is Emsisoft Browser Security (source):
Instead of sending each full website URL to a cloud server for matching, it only sends a calculated hash value of the domain name of each newly visited site to our servers once and then receives a list of matching patterns that are applied locally on your computer. Those patterns are then kept for successive visits of pages on the same host/domain, which not only speeds up the matching significantly, but also means that Emsisoft doesn’t know any of the details of your browsing activity.

The image below shows Bitdefender TrafficLight sending a URL in plain text straight to Bitdefender (source) to highlight the problem, those using these kinds of extensions should check and see if they use hashes or plain text.
 

Attachments

  • image.png.76a9ac390fdfb87ce4b28a11e4498277.png
    image.png.76a9ac390fdfb87ce4b28a11e4498277.png
    66 KB · Views: 470

Terry Ganzi

Level 26
Verified
Top Poster
Well-known
Feb 7, 2014
1,540

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Not behind my home computer, but has anybody tested the link against Windows Defender Browser Protection?
Tried, only eset detects them

VirusTotal
VirusTotal

The second link is that the whole site is about phishing and probably contains file. I often tend to watch livestreams on twitch.tv where runescape is only game wich is gated into real world trading and thats why people host viewbotted streams there. Usually the phishing urls are detected even by google safe browsing or by netcraft in last hand but... now the phish urls arent detected at all, but still leads to fake site

I think trace extension has the bad tld/url protection to block .com-os.cz like urls aswell
Forticlient has the block new sites option/ block unrated
Blocksi has block unrated option

So default block like extensions will block them now and in future, but the actual extensions except ESET doenst currently detect them and the urls are already day old, i have submitted them to netcraft wich rates risk rating @ 10, but still doesnt block them as phishing. From kaspersky i dont have answer yet
 
Last edited:

Nestor

Level 9
Verified
Well-known
Apr 21, 2018
397
Tried, only eset detects them

VirusTotal
VirusTotal

The second link is that the whole site is about phishing and probably contains file. I often tend to watch livestreams on twitch.tv where runescape is only game wich is gated into real world trading and thats why people host viewbotted streams there. Usually the phishing urls are detected even by google safe browsing or by netcraft in last hand but... now the phish urls arent detected at all, but still leads to fake site

I think trace extension has the bad tld/url protection to block .com-os.cz like urls aswell
Forticlient has the block new sites option/ block unrated
Blocksi has block unrated option

So default block like extensions will block them now and in future, but the actual extensions except ESET doenst currently detect them and the urls are already day old, i have submitted them to netcraft wich rates risk rating @ 10, but still doesnt block them as phishing. From kaspersky i dont have answer yet
Checkpoint Sandblast also detect it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top