Hot Take [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (Chrome's built-in protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 

Vitali Ortzi

Level 31
Verified
Top Poster
Well-known
Dec 12, 2016
2,052
> According to his extension's documentation on GitHub, security vendors will still get your social media profiles for example, along with your IP address. I don't mind having collected my IP address because every single web site collects it. But my social media profiles... Microsoft doesn't need to know that. If malware comes from domain.com; then they certainly don't need anything after .com.
>
> And worth keeping in mind: basic Google Safe Browsing (as the one in pretty much all web browsers) sends Google hashed URL ONLY if malicious site was found. It doesn't send hashed URLs of clean websites. Now... I understand that this isn't possible with this extension; but I'd at least want URL to be hashed or encrypted in some way. Or just not to include anything after TLD in URL. It really isn't necessary.

At least everything is encrypted by HTTPS, so only the enabled security vendors and your browser DNS have that data.
But yeah, it's not exactly privacy friendly, although it does its best to be, and there is no way, no matter hashed or not, to not forward a malicious URL to be checked unless you have an intelligence database locally downloaded, which will be massive and impossible to get anything close to what Osprey offers in terms of detection.
So hmm, it's impossible for Osprey to be perfectly privacy friendly, and any alternative to try to emulate that will just be heavy and waste a ton of computation power locally to get far inferior results.
 

Foulest

Level 2
Apr 4, 2025
61
> According to his extension's documentation on GitHub, security vendors will still get your social media profiles for example, along with your IP address. I don't mind having collected my IP address because every single web site collects it. But my social media profiles... Microsoft doesn't need to know that. If malware comes from domain.com; then they certainly don't need anything after .com.
>
> And worth keeping in mind: basic Google Safe Browsing (as the one in pretty much all web browsers) sends Google hashed URL ONLY if malicious site was found. It doesn't send hashed URLs of clean websites. Now... I understand that this isn't possible with this extension; but I'd at least want URL to be hashed or encrypted in some way. Or just not to include anything after TLD in URL. It really isn't necessary.

Checking page URLs is much more secure than just checking hostnames. For example, many phishing attacks occur on the legitimate platform Jotform. If we only checked the hostname, it would completely miss the many phishing forms uploaded to Jotform that are only caught by checking full-page URLs.
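
The two positions in this exchange (check the full URL, but limit what leaves the browser) meet in hash-prefix lookups against a local list. The sketch below is an added example, not part of any post and not Osprey's or Google's code; it is simplified (no URL canonicalisation), and `forms.example` and the blocklist entry are constructed.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest kept in the local list


def prefix(expression):
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]


def expressions(url):
    """Host-suffix x path-prefix expressions for a URL (simplified)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # The exact host plus shorter suffixes, stopping before the bare TLD.
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    segments = [s for s in parts.path.split("/") if s]
    paths = ["/"]
    for i in range(1, len(segments) + 1):
        is_last = i == len(segments)
        paths.append("/" + "/".join(segments[:i]) + ("" if is_last else "/"))
    if parts.query and segments:
        paths.append(paths[-1] + "?" + parts.query)
    return [h + p for h in hosts for p in paths]


def hostname_only_hit(url, local_prefixes):
    """What a hostname-only lookup tests: just 'host/'."""
    host = (urlsplit(url).hostname or "").lower()
    return prefix(host + "/") in local_prefixes


def full_url_hits(url, local_prefixes):
    """Expressions whose prefix is in the local list. Only these 4-byte
    prefixes would be sent upstream for confirmation; a URL with no
    local hit sends nothing."""
    return [(e, prefix(e).hex()) for e in expressions(url)
            if prefix(e) in local_prefixes]


# Constructed sample data: one reported form on a shared form-hosting platform.
LOCAL_PREFIXES = {prefix("forms.example/2025/login-form")}
PHISH = "https://forms.example/2025/login-form?id=1"
CLEAN = "https://forms.example/2025/survey"

if __name__ == "__main__":
    for url in (PHISH, CLEAN):
        print(url, hostname_only_hit(url, LOCAL_PREFIXES),
              full_url_hits(url, LOCAL_PREFIXES))
```

The hostname-only check misses the reported form because the platform host itself is clean, while the path expression matches; the clean page on the same host produces no hit.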
 

BSONE

Level 3
Verified
Feb 17, 2024
112
> Checking page URLs is much more secure than just checking hostnames. For example, many phishing attacks occur on the legitimate platform Jotform. If we only checked the hostname, it would completely miss the many phishing forms uploaded to Jotform that are only caught by checking full-page URLs.

Good point. I use ControlD DNS with the NGD (newly generated domain) option ticked, which will prevent most phishing attempts. DNS protection will not prevent phishing attempts that use a landing page of a compromised site, though. (This is less successful for phishers, though, as the URL will be exposed for people who pause and look at the URL before clicking.)
The biggest worry I have, though, is that after the initial compromise very little can be done if the malware connects to safe cloud server domains such as Google, Microsoft, Amazon or tons of other whitelisted cloud storage providers.
 

Foulest

Level 2
Apr 4, 2025
61
> Good point. I use ControlD DNS with the NGD (newly generated domain) option ticked, which will prevent most phishing attempts. DNS protection will not prevent phishing attempts that use a landing page of a compromised site, though. (This is less successful for phishers, though, as the URL will be exposed for people who pause and look at the URL before clicking.)
> The biggest worry I have, though, is that after the initial compromise very little can be done if the malware connects to safe cloud server domains such as Google, Microsoft, Amazon or tons of other whitelisted cloud storage providers.

That's a problem that Amazon, Microsoft, and Google have to solve on their end. Although some cloud URLs should be present in at least one malicious database if it's part of a well-known malware or phishing campaign. I'd bet that Bitdefender would flag it.
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
245
> That's a problem that Amazon, Microsoft, and Google have to solve on their end. Although some cloud URLs should be present in at least one malicious database if it's part of a well-known malware or phishing campaign. I'd bet that Bitdefender would flag it.

Do you have any plans on adding ad blocking to Osprey?

If so, that would be amazing.
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
245
> Yeah, unfortunately, it's an entirely different ball game. It can't be done cloud-only. You'd end up making so many requests. Some DNS servers have ad-blocking, though.

Yeah, thanks for reminding me Foulest, have you thought about swapping your current list of DNS that have ad blocking to the ad blocking addresses / versions?

I am currently using Control D's free public DNS, the one with ad / tracker / malicious & phishing website blocking.

Most of the time I use AdGuard's free public DNS that can do that too, but I am trying Control D's free DNS after seeing how well it has done in some tests.

I am starting to think that AdGuard's malicious / phishing website blocking is not that good in comparison to that & some others.
 

piquiteco

Level 16
Verified
Top Poster
Well-known
Oct 16, 2022
775
> When I saw the Osprey extension above, my impulse was to install it and try it out. But then I paused and thought about a recent article regarding the 35 unknown extensions that aren't searchable on the Chrome Web Store but have been installed 4 million times. I realized this isn't for the faint of heart; I can wait another year or two.

I had already seen this news on other technology websites. These extensions are totally unknown, I've never heard of them. You can install extensions normally, but from reputable and well-known companies. Most of the extensions I have are from antivirus software companies, such as: Malwarebytes Browser Guard (Malwarebytes), TrafficLight (Bitdefender), Emsisoft Browser Security (Emsisoft). I recommend installing as few extensions as possible, and when you do install an extension, don't just install any extension at random without knowing what it is, and check its reputation before installing it on your browser. I installed the Osprey: Browser Protection extension because of @Vitali Ortzi, because I saw the video and wanted to try it out of curiosity, and now @Foulest, the developer of the Osprey extension, is participating here on the MT forum. So there's nothing to worry about with the Osprey: Browser Protection extension. (y)
 

piquiteco

Level 16
Verified
Top Poster
Well-known
Oct 16, 2022
775
@Foulest By the way, thanks for the good work, I liked the Osprey extension. I tested it again and it didn't pass any phishing URLs; it blocked all 100%, even access to the legitimate phishtank website was blocked. That's the first time I've seen an extension block all phishing URLs. :)
1745121054459.png
 

Foulest

Level 2
Apr 4, 2025
61
> Yeah, thanks for reminding me Foulest, have you thought about swapping your current list of DNS that have ad blocking to the ad blocking addresses / versions?
>
> I am currently using Control D's free public DNS, the one with ad / tracker / malicious & phishing website blocking.
>
> Most of the time I use AdGuard's free public DNS that can do that too, but I am trying Control D's free DNS after seeing how well it has done in some tests.
>
> I am starting to think that AdGuard's malicious / phishing website blocking is not that good in comparison to that & some others.

It's not. AdGuard scored near the bottom in my recent protection test, as listed on Osprey's GitHub page. It was a bad result, for sure. Additionally, regarding ad-blocking DNS servers, that's not how Osprey works. It makes DNS over HTTPS requests and checks for specific strings that signal the domain has returned NXDOMAIN, or sets the TTS (timeout) to 0 seconds. Both mean that the DNS server's malware filters blocked the page. Osprey doesn't set your DNS to anything, so ad-blocking wouldn't work. I would essentially be reverse-engineering their block list with my own, and at that point, I should just create an ad blocker, but uBlock Origin already exists.
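
The kind of check described in the post above, as an added example that is not part of the post and is not Osprey's code: it classifies a hostname from the JSON body a DNS-over-HTTPS resolver returns, and compares against an unfiltered resolver so that a filter block is not confused with a hostname that simply does not exist. Assumptions: the bodies use the `application/dns-json` layout (`Status`, `Answer`, `TTL`), the post's "TTS (timeout)" is read as the record TTL, the null-address signal is an extra heuristic not mentioned in the post, and all sample bodies are constructed.

```python
import json

NXDOMAIN = 3                        # DNS RCODE 3 in the JSON "Status" field
NULL_ADDRESSES = {"0.0.0.0", "::"}  # assumption: some filters answer with a null address


def verdict(filtered_json, baseline_json):
    """Classify one hostname from two DoH JSON answers.

    filtered_json: body from the filtering resolver under test
    baseline_json: body from an unfiltered resolver, used to tell a block
                   from a hostname that does not exist anywhere
    """
    filtered = json.loads(filtered_json)
    baseline = json.loads(baseline_json)
    exists = baseline.get("Status") == 0 and bool(baseline.get("Answer"))

    if filtered.get("Status") == NXDOMAIN:
        return "blocked:nxdomain" if exists else "nonexistent"

    # Only A (1) and AAAA (28) records carry an address to inspect.
    answers = [a for a in filtered.get("Answer", []) if a.get("type") in (1, 28)]
    if any(a.get("data") in NULL_ADDRESSES for a in answers):
        return "blocked:null-address"
    if answers and all(a.get("TTL") == 0 for a in answers):
        return "blocked:ttl-0"
    if filtered.get("Status") != 0:
        return "error"  # SERVFAIL, REFUSED, ...: a failure, not evidence of a block
    return "allowed"


# Constructed sample bodies (documentation addresses, made-up hostname).
LIVE = '{"Status":0,"Answer":[{"name":"bad.example.","type":1,"TTL":300,"data":"192.0.2.10"}]}'
NX = '{"Status":3}'
TTL0 = '{"Status":0,"Answer":[{"name":"bad.example.","type":1,"TTL":0,"data":"192.0.2.1"}]}'
NULL = '{"Status":0,"Answer":[{"name":"bad.example.","type":1,"TTL":10,"data":"0.0.0.0"}]}'

if __name__ == "__main__":
    for label, body in (("nx", NX), ("ttl0", TTL0), ("null", NULL), ("live", LIVE)):
        print(label, verdict(body, LIVE))
```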
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
245
> It's not. AdGuard scored near the bottom in my recent protection test, as listed on Osprey's GitHub page. It was a bad result, for sure. Additionally, regarding ad-blocking DNS servers, that's not how Osprey works. It makes DNS over HTTPS requests and checks for specific strings that signal the domain has returned NXDOMAIN, or sets the TTS (timeout) to 0 seconds. Both mean that the DNS server's malware filters blocked the page. Osprey doesn't set your DNS to anything, so ad-blocking wouldn't work. I would essentially be reverse-engineering their block list with my own, and at that point, I should just create an ad blocker, but uBlock Origin already exists.

Thank you for sharing that and explaining that Foulest.

So I am not imagining things in regard to AdGuard.

What also made me think this was that whenever I tested links against their online URL scanner, it pretty much always marked things as safe, even some that clearly are not.

Which is sad, you would think that after them being around so long & using several sources, that they would be better than that.

I am glad that I am currently using Control D free DNS instead.
 

Vitali Ortzi

Level 31
Verified
Top Poster
Well-known
Dec 12, 2016
2,052
> Since the DNS topic was brought into the thread, I should remind anyone who's using the free NextDNS with its 300,000 limits that if you use Osprey in its default settings with all blocklists enabled, then there is going to be a big increase in DNS queries.

You can set a different DNS for the browser anyway. If you're in the EU you can just set DNS.eu instead, as it's superior; else Quad9 is great too.
 

Vitali Ortzi

Level 31
Verified
Top Poster
Well-known
Dec 12, 2016
2,052
> Thank you for sharing that and explaining that Foulest.
>
> So I am not imagining things in regard to AdGuard.
>
> What also made me think this was that whenever I tested links against their online URL scanner, it pretty much always marked things as safe, even some that clearly are not.
>
> Which is sad, you would think that after them being around so long & using several sources, that they would be better than that.
>
> I am glad that I am currently using Control D free DNS instead.

Use DNS benchmark to find the fastest between Quad9 and DNSEU, as they are superior, especially DNS EU, for a global security DNS.
 

goodjohnjr

Level 5
Verified
Jul 11, 2018
245
> You can set a different DNS for the browser anyway. If you're in the EU you can just set DNS.eu instead, as it's superior; else Quad9 is great too.

Yeah, I have a custom DNS set in my web browsers, at the operating system level, and in one of my routers just in case. Thank you for the suggestion, Vitali Ortzi.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,899
> It's been over a year since you did this test so could you please do a new test and add Emsisoft Browser Security extension to your list of extensions to test.

New Test, this time only Browser Extensions/Addons - overall 10 links (5x Phishing / 5x Malware.exe)

| Extension | Phishing | Malware |
| --- | --- | --- |
| Avast Online Security | 5/5 | 0/5 |
| Avira Browser Safety | 4/5 | 5/5 |
| Bitdefender TrafficLight | 4/5 | 4/5 |
| Malwarebytes Browser Guard | 0/5 | 5/5 |
| McAfee WebAdvisor | 5/5 | 5/5 |
| Emsisoft Browser Security | 5/5 | 5/5 |
| Norton Safe Web | 5/5 | 0/5 |
| SafeToOpen Online Security | 2/5 | 3/5 |
| Osprey Browser Protection | 5/5 | 5/5 |
 

razorfancy

Level 4
Verified
Well-known
Nov 27, 2016
179
> New Test, this time only Browser Extensions/Addons - overall 10 links (5x Phishing / 5x Malware.exe)
>
> | Extension | Phishing | Malware |
> | --- | --- | --- |
> | Avast Online Security | 5/5 | 0/5 |
> | Avira Browser Safety | 4/5 | 5/5 |
> | Bitdefender TrafficLight | 4/5 | 4/5 |
> | Malwarebytes Browser Guard | 0/5 | 5/5 |
> | McAfee WebAdvisor | 5/5 | 5/5 |
> | Emsisoft Browser Security | 5/5 | 5/5 |
> | Norton Safe Web | 5/5 | 0/5 |
> | SafeToOpen Online Security | 2/5 | 3/5 |
> | Osprey Browser Protection | 5/5 | 5/5 |

Thx for doing this new test. Seeing Emsisoft Browser Security getting better results than Bitdefender TrafficLight is surprising, also that Malwarebytes Browser Guard's phishing result is terrible.
 
