Q&A [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Apr 18, 2016
3,627
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 

Evjl's Rain

AFAIK NextDNS does use Google Safe Browsing (with some delay in updates). In post #1474 GSB scored very well. Strange.
I forgot to count the actual blocks where GSB truly identified a link as malicious.
There are 2 circumstances:
- a link is new, not yet verified: GSB will show the buttons "Discard" or "Keep"
- a link is malicious: Chrome will show "Remove from list" or "Keep dangerous file" -> NextDNS may get this type of data. That's why it did poorly


I should have counted the second case, too. I did in the previous test but forgot this time.
 

Gandalf_The_Grey

Level 62
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,120
Google Safe Browsing works best with Google Chrome, others using it like Firefox and the DNS providers get a "weaker" list.
And that could be caused by what @Evjl's Rain said:
- a link is new, not yet verified: GSB will show the buttons "Discard" or "Keep"
- a link is malicious: chrome will show "Remove from list" or "Keep dangerous file"
They just don't have that first (non-verified) option.

In my testing AdGuard did absolutely nothing and I thought they also had access to Google Safe Browsing? 🤔

Strange those bad results of Bitdefender TrafficLight.
Maybe somebody with Bitdefender installed as AV can test it?
 

Moonhorse

Level 33
Verified
Top poster
Content Creator
Well-known
May 29, 2018
2,208
QUAD9 and Next DNS also did very poorly. Probably because the IP-addresses don't need to be resolved.

'Trend Micro in the router' did very well (by the time I tested, 8 links were dead) Trend-Micro only missed two.
One was caught by Next DNS and the other one was intercepted by Microsoft Defender (the doc download).


PS. I also had to disable one site permission in Edge Chromium otherwise 23 links would NOT have started the download.
Isn't this basically the same as the ::/flag ''block downloads over insecure connections'', which got removed apparently?

edit2: not actually the same as it's a JavaScript rule, but still effective and I have added it to my browser too, cheers
 

ForgottenSeer 92963

true. Most malwares are delivered via http, not https. Blocking http will prevent most malwares
google chrome also warns about this and prevents http downloads to start. Links must be accepted manually and most people won't accept or they don't know how to accept

That is why I have this rule on my wife's laptop. I enabled Edge 'switch automatically to HTTPS', but only for websites which support it (so I can still manually proceed when wanted). It is an extra hurdle for something one does not need anymore (at least in EU, 99,99% of the websites are on HTTPS).
 

Evjl's Rain

That is why I have this rule on my wife's laptop. I enabled Edge 'switch automatically to HTTPS', but only for websites which support it (so I can still manually proceed when wanted). It is an extra hurdle for something one does not need anymore (at least in EU, 99,99% of the websites are on HTTPS).
in chrome, I'm not very sure blocking https is super necessary. I tried the Enhanced protection mode in chrome settings, it blocked all http sites, both safe or unsafe
the standard mode or no protection mode let http sites open

I'm not sure the enhanced mode can block third-party scripts from http sites. I haven't tested this yet
 

pesus

New Member
Dec 4, 2018
3
10 malware link test, only chrome extension tested and its safe browsing

extension; detected samples; results
avira 1 2 3 4 5 6 7 8 9 - <9/10>
avast -- 0!
bitdefender trafficlight 2 3 4 <3/10>
blocksi 4 5 6 7 <4/10>
google safe browsing 1 5 6 7 8*(only with enhanced protection) 10 <6/10>
malwarebytes 1 5 6 7 8 9 <6/10>
microsoft chrome extension - -- 6 -- <1/10>
norton -- 9 - - <1/10>
trendmicro 0!


samples:
Code:
hxxp://192.3.222.242/007/vbc.exe
hxxps://sensitivasarah.it/quam-quo/documents.zip
hxxps://prophetdanielagyarkoafari.com/quod-qui/documents.zip
hxxps://nata.rs/sed-non/documents.zip
hxxp://192.3.222.133/fresh/fresh.exe
hxxp://192.227.225.173/0088/vbc.exe 
hxxp://3.70.52.8/R1/Z/QTL076213000008.exe
hxxp://5.188.108.40/trehjugdr4et6u.msi
hxxp://54.90.181.45/revshell/EXCEL.exe
hxxps://onedrive.live.com/download?cid=9D54521B2A64B6B2&resid=9D54521B2A64B6B2!1768&authkey=AGrE3UQvF7vaVzA

If you are testing those samples later, results will not be the same!
 

The_King

Level 12
Verified
Top poster
Well-known
Aug 2, 2020
565
true. Most malwares are delivered via http, not https. Blocking http will prevent most malwares
google chrome also warns about this and prevents http downloads to start. Links must be accepted manually and most people won't accept or they don't know how to accept
Many security sites and companies have reported a huge increase in malware using HTTPS for both delivery and communication.



 

Evjl's Rain

Many security sites and companies have reported a huge increase in malware using HTTPS for both delivery and communication.



I agree. Last year, almost all of the links I found were http but recently, the number of https links has increased, thanks to browser vendors who are actively restricting http websites
 

ForgottenSeer 92963

The results of @pesus show that URL blocking is a numbers game. There are nearly two billion websites in the world (link), so testing with say 100 links is just too low to get a statistically relevant result. Of course repeating tests will show a pattern, but don't be surprised when a hero turns into a zero and reversely.

With so many websites the large DNS providers (the telephone books on the backbone of the internet returning the IP-address belonging to a domain name, to find them like you can find a telephone number belonging to someone's name) process enough traffic and are in the best position to block bad URLs.

Next the end user devices with a lot of users (Apple, Windows, Samsung) generate enough traffic to block URLs. Together with the internet services with a lot of users like browsers, search engines and the larger AV-Companies (with over half a million users) are the ones with sufficient traffic to find and track bad URLs.

My take: Use a free DNS with bad URL protection (e.g. Quad9 or Next DNS), use the protection of your browser (Microsoft SmartScreen or Google Safe Browsing) and the extension of your favorite (second opinion) AntiVirus. Adding blocklists to your adblocker with at best 10.000 to 100.000 blocked URLs is silly (the DNS and AV Companies will probably use these publicly available sources already).

User testing with malware URLs found on public sources has another problem: they don't represent the real life precedence of the links found. When you go to Scandinavia on holiday, they have a lot of mosquitoes in the summer. When you search on the internet for protection against mosquito hazards, you will probably find a lot about malaria. Malaria is a big problem in more tropical countries, but the chance to get malaria from Scandinavian mosquitoes is near zero (because Malaria became extinct in Scandinavia in the late 19 hundreds, maybe global heating may cause malaria to return in the future: link).

I had a long discussion with my forum friend Peter2150 (he sadly passed away), who was a big fan and strong supporter of MalwareBytes URL protection. He argued that MBAM scored best over and over again in his test with malware. At that time MBAM was a small player using public sources and a small team of malware hunters. BitDefender (just as example) with over half a million users collected due to its large user data base much more real life (infection) data than MalwareBytes. So although Bitdefender might score worse than MalwareBytes in the tests of Peter2150, it actually provided better real life protection.

Peter's argumentation: with the zero day samples I use to test URL blocking, MalwareBytes always scores the best by far, from my perspective they are the best, with unmatched protection.
Kees's argumentation: MBAM uses the same public malware sources as you use Peter, so you are just confirming that MBAM uses these sources as soon as they are available.

I will stop ranting and repeating myself.
 
Last edited by a moderator:

ForgottenSeer 92963

I guess that my AV will intervene without an extension.
I am not using one either, for the same reason (as I surprisingly found out with the https based doc malware provided by @Evjl's Rain which was blocked by M$Defender in Edge even when Smartscreen was disabled for testing).

Thanks for mentioning. I changed the text in my previous post with "... and the extension of your favorite (second opinion) AntiVirus ... " because it can't harm to add the extension of another AV as second opinion (a lot of people like BitDefender Trafficlight for that reason).
 

Evjl's Rain

new test today. Shocking result for bitdefender
chrome:
- block/identified as malicious: 16/20
- warn: 2/4 (due to http)
- total: 18/20
avira: 16/20
emsisoft: 14/20
malwarebytes: 20/20
Microsoft: 19/20
Norton: 7/20

bitdefender trafficlight:
on chromium-based browsers: nothing, 0/20
on firefox: 20/20
 

Gandalf_The_Grey

Edge: 19 pages blocked, 1 warning of a potentially unsafe file (nr. 6) ==> 19/20
F-Secure Safe (Ziggo Safe Online): 19 pages blocked and 1 downloaded file put in quarantine (nr. 9) ==> 20/20
That page (nr. 9) was blocked by HomeCare by Trend Micro on my router; after turning that off and trying again, the file was quarantined by F-Secure.
 

Andrew3000

Level 10
Verified
Malware Tester
Well-known
Feb 8, 2016
469
new test today. Shocking result for bitdefender
chrome:
- block/identified as malicious: 16/20
- warn: 2/4
- total: 18/20
avira: 16/20
emsisoft: 14/20
malwarebytes: 20/20
Microsoft: 19/20
Norton: 7/20
bitdefender trafficlight: nothing, 0/20
Avast One: 1 miss (pctool.exe - detected by file shield)
Kaspersky: 1 miss (pctool.exe detected by Anti-Virus File)
 

Evjl's Rain

On my PC Bitdefender Trafficlight seems to be detecting all these malware links.
I don't know what happened to my trafficlight
I copied some links to virustotal and the results from BD were all safe. When a file was downloaded, the BDTL icon was still green but when I clicked on it, it said a threat was detected
I don't know how to describe it

Edge: 19 pages blocked, 1 download allowed, but warning that the file can be unsafe ==> 20/20 ?
Will test F-Secure Safe after my dinner...
maybe, we should disqualify the unsafe messages because links were downloaded from http. Only the true blocks should be counted
if the links are https, I don't think we could see the unsafe message and the files will be downloaded thoroughly
 

Evjl's Rain

@Evjl's Rain what are your browsers, probably Chrome/Chromium ?

NOTE: I just tried randomly one link (below) this time it was blocked by Bitdefender TrafficLight, but on Firefox only!

Code:
hxxp://squadlegion.crabdance.com/e.exe
I used Google chrome portable. The latest version
last time, I did tests with the exact same browser but don't know if there is any incompatibility issue with this chrome portable and trafficlight

I will try again with my main browser = chromium