Partha

Emsisoft's Surf Protection did not detect any of the malicious sites that I visited


I am very disappointed with Emsisoft's Surf Protection component. I tested the component today and to my surprise, it did miserably. I've heard from other sources about the ineffectiveness of the Surf Protection module but I never expected it to perform like this.

 

There is this website called http://www.wicar.org/test-malware.html/ designed to test the effectiveness of anti-malware. I ran the tests but none of the malicious sites were blocked by Surf Protection.

 

The malicious files were allowed to be downloaded from the sites that hosted those files and they were then later detected by the File Guard. I was not even sure if all the files were detected or not and therefore had to run another scan with Hitman Pro just to make sure.

 

I am actually amazed that none of the sites were blocked by Surf Protection. Just to let you know, I ran the same tests with some other anti-malware software like K7 Ultimate Security and Kaspersky Internet Security and both their web protection modules were able to block the sites.

 

K7's Safe Search component in particular denied access to all those sites, whereas Kaspersky's web protection was able to block most of the sites.

 

This is not the kind of protection that I expect from a brand like Emsisoft. The Surf Protection component needs some serious work and improvement.


Thanks, Siketa. I will do that but I am sure you would agree that just blacklisting these handful of sites won't help.

 

There are thousands of sites like this which host malicious files. Emsisoft's Surf Protection should be capable of identifying those sites or at least most of them and this can only happen if they rework their Surf Protection component.


Yep....I agree.....it is hard to keep up with all those malicious sites....often they are active for a short period of time....

Then they have to remove them manually from the database.....it would be great if they could somehow automate the procedure or empower some AI to deal with it....


The only test we block is EICAR, and only because it is in BitDefender's database.

Also, our Surf Protection does not filter HTTP traffic or analyze the contents of web pages. It only blocks known malicious websites by filtering DNS requests. For instance, if GT500.org was in the Host Rules to be blocked, then when you try to navigate to www.gt500.org your web browser will attempt to resolve the IP address of the server that hosts GT500.org by checking with DNS, and our Surf Protection will intercept that DNS lookup and block it so that your web browser can't figure out what IP address GT500.org is at, and thus your web browser won't know what server to contact in order to navigate to GT500.org. Please note that GT500.org is completely safe, and I was just using it as an example.

The File Guard is capable of detecting malicious HTML and JavaScript when it is saved in your browser's cache while loading a webpage; however, in the case of these tests we don't detect their test code (it's not actually malicious), so that is why you don't see any alerts or notifications when you try those tests.


I understand that the File Guard is capable of detecting malicious HTML and JavaScript when it is saved in the browser's cache while loading a webpage and I am glad that it works that way, but the concern is not with File Guard in any way.

 

Look, I am well aware that Emsisoft maintains a built-in list or a database of known malicious hosts and the Surf Protection either blocks or doesn't block hosts based on the rule that's defined there.

 

It basically means that it's NOT supposed to let the browser load hosts that are set to blocked. My concern is that the Surf Protection component let the browser load those malicious HTML pages in my test.

 

If this database of known malicious hosts had been updated properly, then these hosts would have been blocked and that is exactly what is expected from Surf Protection.


The only host that would need to be blocked to defeat this battery of Metasploit-derived exploit payloads (which again, aren't actually malicious - they load calc.exe) is "malware.wicar.org", which isn't itself a malicious site. Additionally, if your system isn't actually vulnerable to the exploits used in the test files, I don't think it would even give the behavior blocker a chance to detect anything, as the exploits would just fail to execute.

 

Personally, I worry more about a product's efficacy vs actual malware and bad hosts (which, coincidentally, Emsisoft's products perform very well against in third party testing), and not exploits derived from Metasploit Framework. 


All those sites are now also blocked by Microsoft Smartscreen because they were reported as unsafe but the Surf protection doesn't block any of those sites yet. It will continue to allow those sites unless their database is properly updated.

 

I do not understand what more evidence Emsisoft requires about the unsafe behavior of those sites. Microsoft knows about this too.


> malware.wicar.org is now blocked.

Yeah, I just saw that it's added to the built in list and the sites are now being blocked but for some unknown reason, if I try accessing those sites from Edge, they are still not blocked by Surf Protection.

 

I therefore thought of creating a rule where bing.com would be blocked. I created the rule and, as expected, it wouldn't let Firefox and Chrome load the site. Interestingly, the site was allowed to load on Edge.


Someone reported the same issue (Surf Protection not kicking in Microsoft Edge).

 

https://support.emsisoft.com/topic/18877-surf-protection-not-work-on-microsoft-edge/

 

Seems to be since October only however, so I wouldn't be surprised if a Cumulative Update released by Microsoft that addresses stuff in Microsoft Edge broke the Surf Protection component.


> It basically means that it's NOT supposed to let the browser load hosts that are set to blocked. My concern is that the Surf Protection component let the browser load those malicious HTML pages in my test.
>
> If this database of known malicious hosts had been updated properly, then these hosts would have been blocked and that is exactly what is expected from Surf Protection.

You want us to block their entire website just so Emsisoft Internet Security "passes" their tests?


I never asked you to block their entire website and the objective was not to pass the tests. The objective was to make sure that the URLs which are reported unsafe by the other vendors and by Microsoft, are blocked by Surf Protection.

 

The malicious host malware.wicar.org is now added to the built in list and because of that, those URLs are blocked. That's what was expected in the first place.

By the way, the problem with Edge that I was talking about does not occur if the beta updates are installed.


The technology can only block domains and subdomains. We can't block specific files or folders on their website without filtering HTTP traffic. This means that to add those tests to be blocked, we would have to block their entire website, or at least anything at malware.wicar.org.

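To make concrete what the two staff replies above describe (Surf Protection intercepts the DNS lookup, so it sees only the hostname being resolved and can block a domain or subdomain but never a single page or file on it), here is a small Python simulation of that decision. This is example code added to this thread, not Emsisoft's Surf Protection code; the blocklist contents, the `example.net` placeholder domain and the page path on the test host are constructed, and matching parent domains on DNS label boundaries is an assumption about how a sensible filter behaves, not a description of Emsisoft's matching rules.

```python
"""Simulate the decision a DNS-level web filter (Surf Protection-style) can
make: it sees only the hostname being resolved, never the URL path, so it
blocks a domain/subdomain entirely or not at all.
Example code added for this thread; not Emsisoft's implementation."""
from urllib.parse import urlsplit

# Constructed blocklist. malware.wicar.org is the test subdomain named in
# the thread; example.net is a placeholder domain.
BLOCKED_HOSTS = {"malware.wicar.org", "example.net"}


def normalize(hostname):
    """Lower-case a DNS name and drop any trailing dot."""
    return hostname.strip().rstrip(".").lower()


def is_blocked(hostname, blocklist=BLOCKED_HOSTS):
    """True if the name itself or any parent domain is on the list.
    Matching is done on label boundaries (an assumption about how a
    sensible filter behaves) so that 'notexample.net' does not match an
    'example.net' entry."""
    labels = normalize(hostname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def dns_filter_decision(url, blocklist=BLOCKED_HOSTS):
    """Reduce a URL to the only piece a DNS filter ever sees (the host) and
    decide on that alone; path and query are discarded, as they are in a
    real DNS query."""
    host = urlsplit(url).hostname or ""
    return {"host_queried": normalize(host), "blocked": is_blocked(host, blocklist)}


def main():
    # The page path on the test host below is constructed; only the host matters.
    for url in ("http://malware.wicar.org/constructed-test-page.html",
                "http://www.wicar.org/test-malware.html",
                "http://notexample.net/"):
        print(url, "->", dns_filter_decision(url))


if __name__ == "__main__":
    main()
```

Run stand-alone it prints the decision for three URLs. The `www.wicar.org` case is the point made earlier in the thread: blocking the `malware.wicar.org` subdomain leaves the rest of the site reachable, and whatever follows the hostname in the URL plays no part in the decision, because a DNS query never carries it.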

I believe I am achieving what is being sought, by using a custom Hosts file in Surf Protection to block 2.55 million "bad" URLs.

 

I use a manual process to convert a custom Hosts file into the "a2user.dat" file that Surf Protection employs.

 

I have described this Hosts file compilation & conversion process in this discussion thread.

 

Good luck!


> The technology can only block domains and subdomains. We can't block specific files or folders on their website without filtering HTTP traffic. This means that to add those tests to be blocked, we would have to block their entire website, or at least anything at malware.wicar.org.

I know it can only block domains and subdomains and that is exactly what I meant, Arthur, and by the way, malware.wicar.org is already blocked. I never spoke about any specific files that could be blocked by Surf Protection because I know Surf Protection is not meant to block files.

 

If you check my first post, I clearly stated that the files that were allowed to be downloaded, were later detected by File Guard and so I never said that Surf Protection could detect or block malicious files.

 

Let's not make this complicated please. I would appreciate it if you check properly what I have specified. The reason the other thread turned out to be a disaster was that someone did not check my posts properly.

 

It's very simple. The reason those URLs are now blocked is that the subdomain malware.wicar.org is in the built in list of known malicious hosts, where it is set to blocked.

 

If you click on Surf Protection from the main user interface and unhide the built in list, you will see this subdomain there and that it is set to blocked. This is exactly what I wanted in the first place when I started this topic.

 

Since all those URLs are part of this subdomain malware.wicar.org, they are now being blocked by Surf Protection. So basically I've got what I wanted.


Yes, that's right. It blocked the URL because that subdomain has been added to their built in list. This is exactly why I had started this topic and I am glad that the host is being blocked now.


> Phew. What a relief, I am now protected from a test site. :wacko:

I am not quite sure if this remark of yours was supposed to be sarcastic or not but nevertheless, I just want to say that be it a test site or any other site meant for any other purpose, if the site hosts any malicious content, it should be blocked. 


Yes indeed it was intended to be sarcastic. Trying to keep up with sites that might host malware is near impossible; what I want is no matter what the site, if it has malware the malware itself is blocked. And in that EIS/EAM excels.


This reply of yours just made my day. If just blocking malware is what you are concerned about, then why even have something like Surf Protection? It has a purpose after all and it should fulfil it.

I know that EIS/EAM excels in blocking malware. No complaints there. I was actually pretty sure that if for some reason some malware was able to make its way into my PC, Emsisoft would be able to block the malware.

 

The reason I performed this test was to check how effective just the Surf Protection component was and I expected Emsisoft to excel in blocking suspicious sites as well but sadly, it didn't.

 

Like I said, I ran the same test with K7 and Kaspersky and then later with Bitdefender and some other FREE anti-malware too and their web protection components were pretty effective in blocking the sites.

 

I also decided to give a free Firefox add-on called Fox Web Security a try and it was able to block all the sites in the test too.

 

Microsoft's Smartscreen filter, which is known to offer the most basic level of protection against installing any malicious software and that helps detect suspicious websites, was also able to detect that the sites in the test were suspicious.

 

Emsisoft's Surf protection on the other hand was not even able to detect a single site in that test, until I made a request here to block the host and so as a customer who has paid for the software, it was not pleasant and it did let me down. I am sure no one would've liked that.

 

I am not so fortunate. I barely make ends meet. Someone like me cannot afford to pay for an anti-malware, let alone a rather expensive anti-malware, but I still wanted to use Emsisoft and the reason was that I didn't want to compromise on security.

 

If I were you, I wouldn't have made such sarcastic remarks. It only makes matters worse.

 

If there is a software component like Surf Protection that is meant for a specific purpose, it should work well and that was the only reason I started this topic. 


I've only used the 'Surf Protection' a few times and I've used EIS for a few years.

 

I use Adblock Plus to block ads.

 

RequestPolicy to block cross-site requests. 

 

"Cross-site requests are requests that your browser is told to make by a website you are visiting to a completely different website. Though usually legitimate requests, they often result in advertising companies and other websites knowing your browsing habits."

 

and NoScript to block Javascript from running on pages by default.

 

With the exception of Adblock running seamlessly behind the scenes, generally you have to pick and choose what you want to allow, and I think a lot of people just can't be bothered to click a few extra buttons and discern between what looks suspicious.

 

I think EIS's strength is that although something has the potential to get past the browser, it's generally good at preventing the malicious software from going any further, and if it does go further, will alert you to some unordinary activity.

 

The first and foremost defense against malicious websites/software will always be common sense.

Personally I prefer not to visit any foreign country domains, as much as I'd like to trust all of our international neighbors.

 

Another thing is to avoid using Flash if at all possible, as it has more security holes than a block of swiss cheese.

I haven't had Flash installed in years, and I can get on without it quite easily with the advent of HTML5.

 

I was going to say I don't think it's EIS's job to really police your browser, but it is a part of "internet security". On the other hand, you have so many browsers out there: Firefox, Safari, Opera, IE, Chrome, Thunderbird etc. It would be hard for Emsisoft to babysit each and every one of them, as they all handle things a little differently.

 

Bottom line is... you're going to have to police your own browser.

 

Who would have thought you needed so much security just to display some text/pictures/videos on the screen?


That is true, and a casual user might probably not even end up visiting such sites, but there's still a very small chance that he just may, or maybe he is just like me and likes to experiment and test things out.

 

That said, even if the malware makes its way in somehow, the File Guard or the Behavior Blocker would probably block it right away, but still, why take a chance?

 

I therefore believe that it's always better to prevent the malware from accessing the PC in the first place, and that is why it is important that the Surf Protection performs well.


I have added links to the many block list sources I use with HostsMan here, in case you want to exercise personal initiative and augment Surf Protection's built-in list with your own custom Hosts file.

 

As you can see from my Profile description in the left column, I don't believe it is Emsisoft's responsibility to provide me every protection that's otherwise available in the marketplace, whether free or paid.

 

Good luck!


In that HostsMan link there is a hosts file that refers here: http://hostsfile.org/Downloads/hosts.txt

 

Perhaps I'm completely reading it wrong, but it appears that it has linked all of those websites to localhost.

It says it's supposed to be used as a filter, but if that's the case why does it initially link 127.0.0.1 with localhost?

 

Can you fill me in on that one?


Almost all of those links listed link all of your "bad urls" to localhost, which would put your computer at risk for malware. If I understand it correctly, if used as-is, you're not blocking those urls, you're allowing them.

I've only seen host lists like that from people who have had some major malware issues.


> Almost all of those links listed link all of your "bad urls" to localhost, which would put your computer at risk for malware. If I understand it correctly, if used as-is, you're not blocking those urls, you're allowing them.
>
> I've only seen host lists like that from people who have had some major malware issues.

 

it would prevent your system from actually resolving the sites referenced in the file. e.g. if you set badwebsite.com to localhost or 127.0.0.1, when you try to visit badwebsite.com it would resolve to localhost and fail to load (unless you happen to have apache or iis or something running locally with a badwebsite.com vhost configured)

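The reply above has it right: a hosts entry sends a name to loopback (or 0.0.0.0), so the browser never gets a routable address and the page fails to load, and the `127.0.0.1 localhost` line at the top of every hosts file is the normal loopback definition, not a block entry. The Python below is example code added to this thread (not HostsMan's, hostsfile.org's or Emsisoft's code) that parses a constructed hosts-format sample, separates sinkhole entries from the loopback definitions, flags any entry that points a name at a real address (that would be a redirect rather than a block, and is the kind of entry worth inspecting in a list you download), and mimics the resolver order of hosts file first, DNS second. The sample list, its addresses and the `UPSTREAM_DNS` stand-in for DNS answers are all constructed.

```python
"""Parse a hosts-format blocklist and show what mapping a hostname to
127.0.0.1 / 0.0.0.0 actually does at lookup time.
Example code added for this thread; not HostsMan's or Emsisoft's code."""
import ipaddress

# Constructed sample in hosts-file format (not the real hostsfile.org list).
SAMPLE_HOSTS_FILE = """\
# constructed sample, for illustration only
127.0.0.1 localhost
::1       localhost
0.0.0.0   bad.example.net        # some lists sinkhole to 0.0.0.0 instead
127.0.0.1 tracker.example.org ads.example.org
203.0.113.99 shop.example.com   # a REDIRECT, not a block: a real address
"""

# Names that every hosts file maps to loopback by design; they are not blocks.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "local",
                  "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return {hostname: address}. The first entry for a name wins, which is
    the order the OS resolver uses when reading the hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def classify(mapping):
    """Split entries into sinkholes (blocked names), the loopback definitions,
    and redirects (names pointed at an address that actually goes somewhere;
    those are the entries to inspect before trusting a downloaded list)."""
    sinkholed, loopback_defs, redirects = set(), set(), {}
    for name, addr in mapping.items():
        ip = ipaddress.ip_address(addr)
        if name in LOOPBACK_NAMES:
            loopback_defs.add(name)
        elif ip.is_loopback or ip.is_unspecified:
            sinkholed.add(name)
        else:
            redirects[name] = addr
    return sinkholed, loopback_defs, redirects


def resolve(hostname, mapping, upstream_dns):
    """Mimic resolver order: hosts file first, DNS only if no entry matched.
    A sinkholed name therefore never reaches DNS; the browser gets a
    loopback/unspecified address and the page fails to load."""
    name = hostname.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    return upstream_dns.get(name)


# Constructed stand-in for the answers an upstream DNS server would give.
UPSTREAM_DNS = {
    "bad.example.net": "198.51.100.10",
    "good.example.com": "198.51.100.20",
}


def main():
    mapping = parse_hosts(SAMPLE_HOSTS_FILE)
    sinkholed, loopback_defs, redirects = classify(mapping)
    print("sinkholed (blocked):", sorted(sinkholed))
    print("loopback definitions (not blocks):", sorted(loopback_defs))
    print("redirects to real addresses (inspect these):", redirects)
    for host in ("bad.example.net", "good.example.com", "shop.example.com"):
        print(host, "->", resolve(host, mapping, UPSTREAM_DNS))


if __name__ == "__main__":
    main()
```

Run stand-alone, `bad.example.net` resolves to 0.0.0.0 even though the constructed upstream DNS knows a real address for it, because the hosts file is consulted first; that is the whole blocking mechanism. The one class of entry a hosts list could use to put a machine at risk is the last kind printed, a name mapped to an address that is neither loopback nor unspecified, which is why `classify` calls those out separately.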

> Emsisoft's Surf protection on the other hand was not even able to detect a single site in that test, until I made a request here to block the host and so as a customer who has paid for the software, it was not pleasant and it did let me down. I am sure no one would've liked that.

There's a difference between not being able to do something, and not thinking it is necessary to do something. ;)


> There's a difference between not being able to do something, and not thinking it is necessary to do something. ;)

I am so tired of these cocky one liners by the staff of Emsisoft. It has to stop now. I am seriously tired of these arrogant replies.

 

If you really think Emsisoft considered it unnecessary, then all I can say is that it shouldn't have, because after all, that host was blocked right after I made the request and so there has to be a reason for blocking the host.

 

The problem is that Emsisoft didn't think of what should've been necessary in the first place, and that was to block the host.

 

I've lost count of the number of times I've stated that those sites were not safe and I have given all the evidence. If you still continue to say that they weren't, I would have to say that you are in denial.


> I've lost count of the number of times I've stated that those sites were not safe and I have given all the evidence. If you still continue to say that they weren't, I would have to say that you are in denial.

The links you posted are to tests, and are completely safe. ;)

Was your computer compromised when visiting them?


Arthur, this is exactly the reason I've been saying that you guys should check properly what I write. It is not that difficult. You just have to read with your eyes. Try it.

 

This would be like the millionth time I am saying that I know that they are test sites and I intentionally wanted to test the software. Test sites designed to check how effective an anti-malware is are not supposed to be safe, just in case you didn't know.

 

If a test site that is designed to test how an anti-malware performs turns out to be completely safe, then it just defeats the purpose of having a test site.

 

I have already specified that the files that were downloaded were detected as threats by the File Guard. THIS MEANS THAT THE SITES THAT HOSTED THOSE FILES WERE NOT SAFE

 

I have also specified that those links have been reported as unsafe by various other trusted vendors and I have verified it. If you want the names, just check my previous posts. AGAIN, JUST READ. I AM NOT ASKING YOU TO BUILD A ROCKET

 

I mean Emsisoft's built in list has been updated with that host after I made the request. Why on earth would you guys blacklist the host then if it had been safe?

 

If the File Guard wouldn't have stopped those threats, my computer would've definitely been compromised BUT, THIS IS NOT ABOUT FILE GUARD AND THIS IS THE LAST TIME I WILL BE SAYING THIS

 

THIS IS ABOUT THE FIRST LAYER OF DEFENCE - SURF PROTECTION AND NOTHING ELSE

 

I have to say that you guys know how to test someone's patience. Please stop this, Arthur.


If you are using a hosts-type list, where sites have to be added as a first line of defense, you have already lost. How do you propose anyone can immediately identify all the bad sites out there?

 

Oh, and Partha, be careful about asking Arthur to stop this. He can.


Before this thread is locked, let me express my appreciation of the user customization option that Emsisoft Surf Protection provides.

 

I also appreciate that Emsisoft doesn't try to be all-things to all-people, even while I use multiple security products.

 

I grew tired of Norton Internet Security consuming half my CPU with a multitude of features I didn't need, which led me to try nearly every Internet security product.

 

I am a very satisfied Emsisoft customer, patiently waiting for non-beta Version 11 to be released.

 

Good luck!


> If a test site that is designed to test how an anti-malware performs turns out to be completely safe, then it just defeats the purpose of having a test site.

No, tests are supposed to be completely safe. If you want to test with things that are actually malicious, then look for malware repositories and malicious URL lists rather than test sites.

> I have already specified that the files that were downloaded were detected as threats by the File Guard. THIS MEANS THAT THE SITES THAT HOSTED THOSE FILES WERE NOT SAFE

The EICAR test file is detected by the scanner and the File Guard, but it isn't malicious, and doesn't do anything.

> I have also specified that those links have been reported as unsafe by various other trusted vendors and I have verified it. If you want the names, just check my previous posts. AGAIN, JUST READ. I AM NOT ASKING YOU TO BUILD A ROCKET

Just because K7 Ultimate Security and Kaspersky Internet Security flag something, doesn't mean it is malicious. Do you know of anywhere that an actual malware analyst or researcher says that these tests are malicious?

> I mean Emsisoft's built in list has been updated with that host after I made the request. Why on earth would you guys blacklist the host then if it had been safe?

It's a test and it isn't specifically difficult or burdensome to blacklist it, nor does it add a lot to our database, so it wasn't a big deal to add it.

> If the File Guard wouldn't have stopped those threats, my computer would've definitely been compromised BUT, THIS IS NOT ABOUT FILE GUARD AND THIS IS THE LAST TIME I WILL BE SAYING THIS

Your computer would have been fine. I've visited the links several times on an unprotected computer, with no infection. There was nothing to worry about.

> THIS IS ABOUT THE FIRST LAYER OF DEFENCE - SURF PROTECTION AND NOTHING ELSE

I understand that, however as I'm trying to explain, aside from the issue on Windows 10 where the Surf Protection was not working with Microsoft Edge (which has been fixed in our version 11 betas), the Surf Protection is working as intended.

> I have to say that you guys know how to test someone's patience. Please stop this, Arthur.

I'm just trying to explain things. Please note however that this topic has gone too far, and it's just the same thing over and over (I insist the tests were safe, you insist they weren't). I'd recommend letting this topic drop. ;)


This topic has devolved into a rant, and is no longer a constructive conversation.

For that reason I am locking this thread.

This topic is now closed to further replies.