Hot Take [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Comparison between browser extensions

Test 29/12
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings


Test 24/11
Q&A - [Updated 24/11/2018] Browser extension comparison: Malwares and Phishings


Test 12/11
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings


Test 7/11
Q&A - [Updated 7/11/2018] Browser extension comparison: Malwares and Phishings


Test 6/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 3/9
Q&A - [Updated 3/9/2018] Browser extension comparison: Malwares and Phishings


Test 2/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Test, quick 1/9
Q&A - [Updated 25/7/2018] Browser extension comparison: Malwares and Phishings


Fun test 25/7/2018
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 24/7/2018 (most comprehensive, as possible)
Q&A - [Updated 24/7/2018] Browser extension comparison: Malwares and Phishings


Updated 19/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 18/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 10/7/2018
Q&A - [Updated 10/7/2018] Browser extension comparison: Malwares and Phishings


Updated 7/6/2018
Q&A - [Updated 7/6/2018] Browser extension comparison: Malwares and Phishings


Updated 3/6/2018
Q&A - [Updated 3/6/18] Browser extension comparison: Malwares and Phishings


Updated 25/4/2018
Poll - [Updated 25/4/18] Browser extension comparison: Malwares and Phishings


Update: 23/3/2018
Poll - [Updated 23/3/18] Browser extension comparison: Malwares and Phishings



Browser: Google Chrome 65 x64
Malware and phishing links: 10 malc0de, 10 vxvault, 10 openphish, 10 verified phishtank, 10 unverified phishtank
Total: 50 links
Extensions: recently downloaded from Chrome Web Store
- Google Safe Browsing (built-in chrome's protection)
- AdGuard AdBlocker: default settings, uses Google Safe Browsing (delayed) and their own database
- Avira browser safety: default settings
- Norton Safe Web: default settings
- Bitdefender Trafficlight: default settings, it rarely blocks any malware links, just old ones
- Avast Online Security: default settings, only has phishing protection, expected to score 0 against malwares
- Netcraft Extension: default settings, only has phishing protection, expected to score 0 against malwares
- uBlock Origin with some additional filters

NOTE: the result can vary from day-to-day. Tomorrow with different links, the result can be very different. All are live links but they can be dead a few minutes after the test. No duplication

Results:
result.png


Winner: Google Safe Browsing
 
Last edited:
5

509322

I know that's a fact but I don't believe in those because people use their computer differently

I also know default-deny can protect upto 100% with ~zero resource usage, a fact too but they are not for average users. Even when we setup a default-deny solution with exclusions for them, they won't satisfy because it blocks their NEW safe programs

I tested these for myself, to setup for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for MT hub

extensions can contribute to a default-deny-based setup that users will have to deal with less malwares touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make decision on every single file they just download and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make decision on 5-10% of the malicious files + safe files
I choose the default-deny + default-allow because I have absolutely no trust on default-deny only

The fact is, unless you have children and reckless happy-clicker adults using the PC, then most security configurations are sufficient to avoid the most of the bad stuff.

For people that really don't know what they're doing and insist on using WIndows, a pre-configured Guest\LUA\SUA account and restoring the system to a known clean state after each use is the best option on Windows. Of course, they are locked out of downloading and running most stuff.
 

given

Level 2
Verified
Apr 2, 2017
69
I know that's a fact but I don't believe in those because people use their computer differently

I also know default-deny can protect upto 100% with ~zero resource usage, a fact too but they are not for average users. Even when we setup a default-deny solution with exclusions for them, they won't satisfy because it blocks their NEW safe programs

I tested these for myself, to setup for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for MT hub

extensions can contribute to a default-deny-based setup that users will have to deal with less malwares touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make decision on every single file they just download and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make decision on 5-10% of the malicious files + safe files
I choose the default-deny + default-allow because I have absolutely no trust on default-deny only
Hello @Evjl's Rain...how you doing buddy :) i heard that Malwarebytes extension and Windows defender browser (extension) they both are good but which one is a better one ( for Chrome )? thanks bro :)
 
  • Like
Reactions: Weebarra

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I made a test that surprised me very much. I took the list of 128 phishing links from Openphish and Phishtank dated 6.09.2018. Next, I checked all those links on Virus Total to see how many of them are still detected as malicious by Openphish or Phishtank after 9 days. The result was impressing 15/128. Furthermore, there was not any single link detected as malicious by both Openphish and Phishtank (0/128) ?????

Post Edited.
So what happened????
I found the Openphish website and looked at the original phishing entries. Many of those entries had the form:
hxxp://xxxxxx-az.today/FinalStep.php
hxxp://yyyyyyy.naghashim.ir/images/png/online.php?session=afdafef29a1f53a39
hxxp://zzzz.aa.bc/bace/?login=&.verify?service=mail&data:text/hxxl
etc.
So, I understood my fault. On my anti-phishing list were many partial links, for example: hxxp://xxxxxx-az.today instead of hxxp://xxxxxx-az.today/abc/def/FinalStep.php.
When I entered the partial links to Virus Total, they were shown for Openphish as clean.

So I must wait some days to perform the correct test for the 9 days detection, because the free list from the Openphish website has actually the entries from 11.09.2018 to 15.09.2018 .
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I realized that most anti-phishing tests of WD Exploit Guard 'Network Protection' (including mine) was probably invalid. If the testers do not use the original Openphish or Phishtank links, then the non-original lists include many partial links which will not be correctly detected by 'Network Protection'.
For example, the below link is blacklisted by Phishtank:
hxxp://yyyyyy.torbath.ac.ir/wp-content/themes/vend/vendlogs/bofa/mail.pxp
If we will open the partial link hxxp://yyyyyy.torbath.ac.ir, then the web browser will not try to download the mail.pxp file, so 'Network Protection' will not detect the link. But, if we will press the mail icon on the website hxxp://yyyyyy.torbath.ac.ir , then the browser will try to load the mail.pxp file, and this action can be detected by 'Network Protection'.
If the blacklisted link was hxxp://yyyyyy.torbath.ac.ir/mail.pxp, then probably the partial link would be detected, because the web browser usually would try to open the mail.pxp file.
 
Last edited:

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I realized that most anti-phishing tests of WD Exploit Guard 'Network Protection' (including mine) was probably invalid. If the testers do not use the original Openphish or Phishtank links, then the non-original lists include many partial links which will not be correctly detected by 'Network Protection'.
For example, the below link is blacklisted by Phishtank:
hxxp://yyyyyy.torbath.ac.ir/wp-content/themes/vend/vendlogs/bofa/mail.pxp
If we will open the partial link hxxp://yyyyyy.torbath.ac.ir, then the web browser will not try to download the mail.pxp file, so 'Network Protection' will not detect the link. But, if we will press the mail icon on the website hxxp://yyyyyy.torbath.ac.ir , then the browser will try to load the mail.pxp file, and this action can be detected by 'Network Protection'.
If the blacklisted link was hxxp://yyyyyy.torbath.ac.ir/mail.pxp, then probably the partial link would be detected, because the web browser usually would try to open the mail.pxp file.
I always use the default links provided by openphish or phishtank
but is that important? miss is a miss regardless of the format of the url if it can't protect. That's a flaw
it should protect in any condition unless they document that they don't protection such conditions
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I always use the default links provided by openphish or phishtank
but is that important? miss is a miss regardless of the format of the url if it can't protect. That's a flaw
it should protect in any condition unless they document that they don't protection such conditions

No. It is not the miss or the flaw. The full url to the malicious content can be blocked and the user can be protected.
This is the same behavior as for on-access file scanning performed by many AVs (WD for example). If you have the malware hidden in the 'c:\Users\Me\Appdata\Local\Temp\malware.exe' it will not be automatically detected by WD, when opening 'c:\Users folder'. You probably do not call this a flaw.
When the user opens the link hxxps://malwaretips.com then the possible malware attachments in hxxps://malwaretips.com/threads/14-09-2018-18.86745/ will not be loaded (even if they would not be forbidden), so the user cannot be infected. When the user will open the malware attachment, then 'Network Protection' can stop it by the blacklisted full link. I think that some other malicious link blockers can work similarly.
 
Last edited:
5

509322

I always use the default links provided by openphish or phishtank
but is that important? miss is a miss regardless of the format of the url if it can't protect. That's a flaw
it should protect in any condition unless they document that they don't protection such conditions

No it doesn't work that way and goes straight to my point that web content filtering is a weak and flawed protection layer.

The most effective detection model is link popularity (reputation) detection.

It's just like with general Ai\ML... it promises to out-do what has existed before it, but never delivers on the promises. Heuristics, examining lexical features of a URL, and other methods... just aren't as effective as the good old, reliable blacklist.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
When using Google for finding the websites + Google Safebrowsing, the user have a mix of popularity and detection factors. So, in my personal opinion, this is not a bad solution for most average users.
Furthermore, the first factor can be even more important for the users' security.(y)
I think, that both Google Safebrowsing and WDEG 'Network Protection' are based on URL blacklists. Simply, Google Safebrowsing (also Edge SmartScreen) uses often the shortened URLs and WDEG 'Network Protection' uses the full URLs.
I could see that behavior when testing the same links in Edge + SmartScreen and with Firefox + WDEG 'Network Protection". The first mostly showed the red-block-webpage, when the second showed the normal webpage with WD alerts. In some cases WDEG 'Network Protection" blocked also the webpge, especially for links like: hxxp://abc.def/favicon.ico.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I spent a few hours to make a test slightly probably different than tests of @Evjl's Rain.
The test included only samples that fulfilled the below requirements:
  1. 5 days old on Phishtank.
  2. Validated as 100% phishing.
  3. Were available online.
All the above points can be approximately fulfilled by the appropriate filtering settings on Phishtank.
Anyway, for several reasons the point 2. gave 19 links which did not open the phishing page and point 3 gave three samples that were 75% phishing and 25% not phishing. So, 22 from 50 links were removed from the final scoring.

The results for the 28 live samples:
BitDefender 25
Eset 28
Fortinet 24
G-Data 28
Google SB 21
Kaspersky 24
Sophos AV 25
WDEG NP 19

All vendors except WDEG NP (WDEG Network Protection) were checked on Virus Total. Rarely, I found the bugs on Virus Total - for example, Fortinet did not detect the full link:
hxxp://abc.support/logins/dGdFdCPKPFZNdJcBcbEKTUUbagYVYZQLCKLDBQINMUWOJSUZPVR/
but detected the shortened link: hxxp://abc.support/logins/.
In one case Google SB did not detect the initial phishing link, but that link redirected the browser to another website, which was detected. I counted this as a detection.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
how about the latest phishing links or vxvault? can you test them also?
could you also verify the different between WD using default settings and high settings in ConfigureDefender? Do they affect the web filter? for me, they didn't
I would like to pass for now, because I have to finish my work with the new Hard_Configurator version.
I am pretty sure that WD settings do not affect the web filtering (either SmartScreen in Edge or WDEG Network Protection), except the requirement that WD real-time protection and cloud-delivered protection must be enabled(y)
 
Last edited:

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Hi all.

Avira vs Avast on Chrome? Google Safe Browsing is enabled, also using Nano Adblocker as installed, with Netcraft.

Thanks :)
You dont need them. Netcraft + nano adblocker is enough, and it seems you have avast antivirus installed so it will carry rest.

If you really want to go with either avast or avira, i would vote for avira, because stronger signatures, web filtering since their extension is their only web filter on their free antivirus

But if you decide to go with avira, just disable adblocking because nano is already working with that
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I know that's a fact but I don't believe in those because people use their computer differently

I also know default-deny can protect upto 100% with ~zero resource usage, a fact too but they are not for average users. Even when we setup a default-deny solution with exclusions for them, they won't satisfy because it blocks their NEW safe programs

I tested these for myself, to setup for other people, and for people who are interested

for very knowledgeable users, my tests are useless, I know that, same for MT hub

extensions can contribute to a default-deny-based setup that users will have to deal with less malwares touching their HDD
for example, if there is only 1 anti-exe on the PC, the users will have to make decision on every single file they just download and it takes time to verify their safety
if there are 1 or 2 default-allow solutions on top of that, they will block 90-95% of those malicious files and the users only have to make decision on 5-10% of the malicious files + safe files
I choose the default-deny + default-allow because I have absolutely no trust on default-deny only

I have a default deny setup and only change add-ons on Firefox (on Windows 7 desktop) occasionally. I use MBAM add-on for Firefox based on your tests. When MBAM had quirks (not relaseing two Firefox processes when running as another LUA user), I changed to Comodo based on your tests. So keep up the good work :emoji_ok_hand:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top