Blogs
>
Security Research
Comparison Of Malware Protections: Google Safe Browsing, Microsoft SmartScreen, Etc.
Published on:
Comparison Of Malware Protections: Google Safe Browsing, Microsoft SmartScreen, Etc.
All modern web browsers now include protections for malware. They include a list of known malicious URLs, and compare each address visited by the user against this list. If the URL is recognized as malicious, a warning message is displayed in place of the HTML page. They also protect against Phishing sites, but I won't dive into this feature during this post.
SmartScreen Filter warning in Internet Explorer
Chrome, Safari and Firefox 3.x use Google SafeBrowsing, while Internet Explorer 8 has SmartScreen Filters and Opera includes lists from Netcraft and TRUSTe. Note that it took Safari more than 20 minutes for SafeBrowsing to start working after I upgraded from Safari 4. It did not show any warning, informing that malware protection was disabled while it was retrieving the database.
Safari waning message
I was wondering how well these protections work against current threats. Since antivirus doesn't perform well against viruses spread through fake AV pages, fake videos, or against malicious jar files, I wondered if these browser block lists would keep users safe against current spam SEO attacks.
I've tried a few domains for each type of attack, using each browser. All the malicious domains were directly identified from within Google search results, using popular search terms.
Protection against fake AV pages
I first tried various new fake AV domains as well as subdomains for xorg.pl (hostguard-31p.xorg.pl, hostguard-47p.xorg.pl, ubersaving26.xorg.pl, etc.), a domain that has hosted fake AV pages for months.
| Browser | New domains blocked | Xorg.pl subdomains blocked |
|---|---|---|
| Firefox 3.6 | 7/7 | 5/5 |
| Internet Explorer 8 | 2/7 | 0/5 |
| Opera 10.5 | 0/7 | 0/5 |
Google Safe Browsing is very good at blocking fake AV pages. We report to Google on fake AV domains we identify, which they don't block, but we're noticing that there are fewer and fewer which they don't already block.
Protection against fake video codecs
This type of malicious pages seem to have staged a come back and we're seeing them more and more frequently since last week-end. In this scenario, the user is tricked into downloading an executable disguised as a video codec or new flash version.
| Browser | Urls blocked |
|---|---|
| Firefox 3.6 | 2/6 |
| Internet Explorer 8 | 5/6 |
| Opera 10.5 | 0/6 |
Internet Explorer did a great job at flagging the fake video sites. Google Safe browsing, surprisingly had a very low rate of success.
Protection against Java/PDF/Flash exploits
The number of Java exploits has also increased dramatically over the past few weeks.
| Browser | Urls blocked |
|---|---|
| Firefox 3.6 | 2/4 |
| Internet Explorer 8 | 1/4 |
| Opera 10.5 | 0/4 |
Opera did not flag any of the malicious sites. Their security blacklists may be targeting phishing only. To make sure the security notification worked, I attempted to visit a phishing site and Opera did warn me.
Opera phishing warning
-- Julien
