Question Which Ubo filters 2023 do you use ?


floalma

Level 4
Thread author
Verified
Apr 5, 2015
182
Hi friends,

filter list1.PNG


filter list2.PNG
This is an update to a previous thread here about Ubo filters lists.
These are my UBO filter lists.
Any comments or recommendations are welcome.
Thank you for your contribution. (y)
 

Jan Willy

Level 12
Verified
Top Poster
Well-known
Jul 5, 2019
573
@Jan Willy

I had read you globally blocked eval with *##+js(noeval). I liked the idea, but tested it on the link you provided, but it does not block the new Function() which more or less does the same (so it is a half baked solution). I think you are probably better off disabling JIT or using Netcraft. When you use Edge and have enabled super duper mode, you also disable JIT. This also reduces memory not writeable area and prevents most of the EVAL string attacks. Your post was also the reason I was playing with the new Netcraft extension (because it blocks some client side XSS vulnerabilities).

I also noticed that some websites like Megekko.nl use eval command. I guess they use server side strings to make some parts of their website dynamic (which is okay because everything gets compiled when page loads, also when JIT is enabled).
Yes, the rule has a limited effect, as I've already said in my post Need Advice - What are your Site Permission settings for daily browsing?
I agree with your observation about disabling JIT. I still haven't studied all possibilities of Netcraft, but it sounds interesting.
BTW, talking about extensions, this one could also be interesting:
I tipped it earlier in my aforementioned post.
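Added example, not part of the thread and not uBO's scriptlet code: a probe for the observation quoted above that neutering eval leaves new Function() working. The stub in installEvalStub is a simplified stand-in for a noeval-style replacement, and all function names are made up for this illustration.

```javascript
// Simplified stand-in for a noeval-style stub (assumption: not uBO's actual code).
// It replaces the global eval with a function that records the string and runs nothing.
function installEvalStub(log) {
  const original = globalThis.eval;
  globalThis.eval = function (src) {
    log.push(String(src));
    return undefined;
  };
  return () => { globalThis.eval = original; }; // call to restore the real eval
}

// Each sink tries to turn the same string into running code by a different route.
const SINKS = {
  'eval': (s) => globalThis.eval(s),
  'Function': (s) => new Function('return ' + s)(),
  // Any function object leads back to the Function constructor.
  'fn.constructor': (s) => (() => {}).constructor('return ' + s)(),
  // Generator functions have their own constructor, reachable via the prototype.
  'GeneratorFunction': (s) =>
    Object.getPrototypeOf(function* () {}).constructor('yield ' + s)().next().value,
};

// Install the stub, try every sink, restore eval, and report what still executed.
function probeSinks() {
  const log = [];
  const restore = installEvalStub(log);
  const result = {};
  try {
    for (const [name, run] of Object.entries(SINKS)) {
      let value;
      try { value = run('6 * 7'); } catch (e) { value = e.name; }
      result[name] = value === 42 ? 'executed' : 'blocked';
    }
  } finally {
    restore();
  }
  return { result, log };
}

console.log(probeSinks().result);
```

Only the eval entry is reported as blocked; the three constructor routes still compile and run the string, which is the gap the quoted post describes.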
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,182

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,182
@oldschool, thanks for the links, I noticed yokoffing is also including LennyFox ubo medium mode.(y)
You're welcome. I also added LennyFox's video list and reinserted Fanboy's Enhanced Tracking lists. With my current setup most of the filters in Fanboy's list are actually used (vs using it with default lists where many of its filters are superfluous). So now my setup is as follows:
1692383627578.png 1692383681846.png
I'm very happy with this setup. It suits my browsing style. :cool:
 

Jan Willy

Level 12
Verified
Top Poster
Well-known
Jul 5, 2019
573
I was playing with the new Netcraft extension (because it blocks some client side XSS vulnerabilities).

Two interesting sites about blocking XSS:




Two relevant quotes:
1. With medium or hard mode in uBO, all third-party XSS, which is often the case to attack behind the scene, are blocked unless the very vulnerable site is somehow 3p-nooped.
First-party XSS is possible, but for this the attacker has to make you click a crafted link. Even then, a simple practice of isolating browser profile, i.e. don’t browse random sites with the same browser profile you logged into something, protects you from almost all XSS damage – now what the attacker can do will be at most some mischief.

2. AFAIK uBO doesn't have a dedicated XSS protection because blocking third party resources inherently protects you. XSS = Cross-Site-Scripting = Third-Party-Scripting = Loads stuff from unknown third party = well blockable with uBO.
 

ForgottenSeer 97327

@Jan Willy

These topics are a bit colored by uBO fans. It is not untrue what they are posting, only also not fully true either.

Firstly there are more ways of getting stuff in or out of a website (websocket, webrtc, xmlhttprequest, fetch and even with plain html), so medium mode is only a half baked feel good protection in regard to XSS-protection.

Only when you block all third-party I agree that uBO offers protection against server side XSS. But be honest, how many websites function properly in hard mode? On top of that, I bet that in 99% of the websites you have to noop, provide the website you're visiting with content. Nevertheless for third-party exposure applies less is more. I also agree fully with
1692461522388.png
:) See thread : Using two profiles for more privacy and security.

XSS attacks are still a daily reality, but that is more because the website builders mess up their code. The browsers have gotten better protection against client side XSS and web-standards and coding best practices have evolved. I think your (Jan Willy's) rule to allow only third-party of some common Top Level Domains and using two different profiles is a much more pragmatic way of dealing with this hyped risk. Nevertheless I have added the NetCraft extension on my wife's laptop (she uses only 1 profile). Better be safe than sorry; Netcraft is a non-intrusive extension and also has a good reputation in phishing protection.
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
434
@oldschool

Is Fanboy's Enhanced Tracking List still maintained? Last update 18 Feb 2021.
It isn't, but Fanboy's "Problematic Sites" (a subset of the latter) still is: https://www.fanboy.co.nz/fanboy-problematic-sites.txt

However, that list seems to be mostly anti-circumvention filters for ABP, so I've dropped it from uBO. I think uBO's built-in privacy list covers what the ETL did, but it uses different techniques like neutering tracking scripts to prevent breakage, so a direct comparison is not feasible.
 

ForgottenSeer 97327

I am a uBO user, but I like to share this picture as a mind teaser for all uBO-users.

Some facts (which can't be denied)
1. Adguard filters have advanced functions and unbreak correction included in their filters
2. Adguard filters are well maintained. They also have a feedback mechanism to optimize the rules set (cleaning out stale rules automatically)
3. Easylist filters are in standard ABP-format (uBO's advanced rules are not used in Easylist).
4. Using one source for your filters reduces the need for unbreak rules (using different filters sources causes more overlap and possible website breakage)
5. Number of rules in uBO-assets keeps on growing, while (in contrast) EasyList filters have been kept under 70.000 rules since 2020 (due to Brave employing Fanboy to optimize Easylist filters), see picture 2
6. The practical value of more rules reduces exponentially (it maxes out like, see picture 3)


When you prefer uBO over AG, below numbers are food for thought for dropping uBO's default set and using AG-filters instead
(because uBO processes 90% of AdGuard's advanced functionality)

1692519770572.png


To make it a fair comparison I did not use AG's optimized filters; also, the rule count is not the issue here. The issue is that ABP-standard format is just not as advanced as uBO or AG advanced functionality. uBO's optimizing reduces the overhead to only 30.000 rules compared to using AG-rules.
You can find AG's region specific filters here : AdGuard filters | AdGuard Knowledge Base


Picture 2 - Easylist stopped growing (source Brave - employer of Fanboy)
1692520499758.png


Picture 3 - Only 201 rules of EasyList account for 90% of the blocks (source Brave - warning for stale rules)
1692520742090.png

Both Peter Low (less than 4000 rules) and former MT-member Kees1958 (less than 7000 rules) explain why you don't need 300.000 plus rules
 

Jan Willy

Level 12
Verified
Top Poster
Well-known
Jul 5, 2019
573
Quite some time ago I tested uBO with and without its own filterlists on several notorious tracking sites, such as cnn.com. My conclusion was that uBO's own lists didn't add anything to the results I achieved with my custom lists as shown in Question - Which Ubo filters 2023 do you use ?
This morning I repeated the test (only) on cnn.com. Blocked elements without uBO's own lists 8 (19%) and with uBO's own lists 7 (17%)! In both cases 5 domains were blocked.
Neutering tracking scripts to prevent breakage (as remarked by South Park in post #91) could be the cause of the lack of effectiveness of uBO's own lists.
My testing was rather limited. Maybe someone tested more extensively and achieved better results.

Edit: Connected domains
without uBO's own filters 4 out of 9
with uBO's own filters 3 out of 8
So in both cases 5 blocked.
It's not my intention to start a competition to figure out which filterlists do the best job on cnn.com.
 

nicolaasjan

Level 4
Verified
Well-known
May 29, 2023
176
Considering uBO default update cycle those malware protection lists are pretty useless, I would endorse @oldschool's advice to dump them.
The Online Malicious URL Blocklist has an update frequency of 1 day:
! Title: Online Malicious URL Blocklist
! Updated: 2023-08-20T00:08:16Z
! Expires: 1 day (update frequency)
! Homepage: https://gitlab.com/malware-filter/urlhaus-filter
! License: https://gitlab.com/malware-filter/urlhaus-filter#license
! Source: https://urlhaus.abuse.ch/api
From the uBO Wiki:

Auto-update filter lists

If you check this option, uBO will automatically update the currently selected filter lists at regular intervals. This option is checked by default (recommended).
Filter lists are automatically updated according to:
  • the Expires directive if present in the filter list header (After 1.47.3b5, uBO supports an update period below 1-day).
  • or the updateAfter attribute if found in the list entry in assets.json
  • or every 5 days by default.
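Added example, not part of the thread and not uBO's source: the precedence quoted from the wiki (Expires header, then updateAfter, then 5 days) applied to the urlhaus header posted above. The function names are hypothetical, the parser handles only day and hour units, and updateAfter is assumed to be a number of days.

```javascript
const DEFAULT_DAYS = 5; // "or every 5 days by default"

// Header lines copied from the post above (urlhaus-filter).
const URLHAUS_HEADER = [
  '! Title: Online Malicious URL Blocklist',
  '! Updated: 2023-08-20T00:08:16Z',
  '! Expires: 1 day (update frequency)',
  '! Homepage: https://gitlab.com/malware-filter/urlhaus-filter',
].join('\n');

// Return the value of a "! Key: value" header line, or null when absent.
function headerDirective(listText, key) {
  for (const raw of listText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('[')) continue; // blank or "[Adblock Plus 2.0]"
    if (!line.startsWith('!')) break;                   // first filter ends the header
    const m = /^!\s*([^:]+?)\s*:\s*(.*)$/.exec(line);
    if (m && m[1].toLowerCase() === key.toLowerCase()) return m[2].trim();
  }
  return null;
}

// "1 day (update frequency)" -> 1, "12 hours" -> 0.5, missing or unparsable -> null.
function parseExpires(value) {
  const m = /^(\d+)\s*(days?|d|hours?|h)?/i.exec(value || '');
  if (!m || Number(m[1]) === 0) return null;
  const isHours = /^h/i.test(m[2] || '');
  return isHours ? Number(m[1]) / 24 : Number(m[1]);
}

// Apply the wiki's precedence: Expires, then updateAfter, then the default.
function updateIntervalDays(listText, assetEntry = {}) {
  const expires = parseExpires(headerDirective(listText, 'Expires'));
  if (expires !== null) return { days: expires, source: 'Expires' };
  if (typeof assetEntry.updateAfter === 'number') { // assumed to be in days
    return { days: assetEntry.updateAfter, source: 'updateAfter' };
  }
  return { days: DEFAULT_DAYS, source: 'default' };
}

// True when the cached copy is at least one interval old and should be refetched.
function isDue(lastFetchedIso, nowIso, days) {
  return Date.parse(nowIso) - Date.parse(lastFetchedIso) >= days * 86400000;
}

console.log(updateIntervalDays(URLHAUS_HEADER));
```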
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,182
It's a pity that AG's ads filter isn't optimally tuned to uBO. It shows 23 errors. Perhaps not essential, but it could be the impact of the increased complexity of filter rules.
Indeed, I saw that and won't use it for that reason. Your suggestion to use Easy List & Privacy minified instead seems like a good one.
 
