Spyware Sucks

"There is no magic fairy dust protecting Macs" - Dai Zovi, security researcher and co-author of The Mac Hacker's Handbook.

"The Biblical wisdom “pride comes before a fall” needs to be foremost in the minds of security professionals. There are several aspects to this truth, but it starts with believing it is true. For one, the bad guys are always getting better and trying to get in. They are working harder than ever to defeat whatever you are doing to protect your enterprise. This knowledge alone will change your perspective on your job and when you are “done". What worked today may not work tomorrow. In this light, be careful about the promises you make to others regarding security and the protections you are deploying." - Dan Lohrmann

Competition for SiteAdvisor - LinkScanner

McAfee's Site Advisor has competition, strong competition, from LinkScanner, a new (free) offering by security startup Exploit Prevention Labs. LinkScanner claims to be a real time exploit scanner, unlike McAfee's Site Advisor which it describes as "not immediate and not empirical".
cite: http://www.itnews.com.au/newsstory.aspx?CIaNID=35171

LinkScanner is the brainchild of Bob Bales, Greg Mosher, Chris Weltzien and Roger Thompson, three of whom have former ties with Pest Patrol, which was sold to Computer Associates in 2004.

LinkScanner will "visit the URL in a controlled environment on our servers. LinkScanner will inspect it in real-time for whether it is hiding any exploit code and, if so, what exploit."
cite: http://www.explabs.com/linkscanner/

Point one in LinkScanner's favour - its not owned by McAfee

Point two in LinkScanner's favour - it seems to do the job

Point three in LinkScanner's favour - its scans in real time and can report on any accessible URL, unlike SiteAdvisor which does not offer 100% coverage.

The fact that LinkScanner is real time gives it a major advantage over SiteAdvisor (assuming that those behind LinkScanner stay up to date with the latest exploits in use, and add detection of same).

IMPORTANT: Please do not visit the malware sites mentioned below - www.ie-vista .com and inetexplorer.mvps.org are, of course, safe to visit.

SiteAdvisor and LinkScanner sometimes give conflicting advice. For example, SiteAdvisor's report on errorsafe.com states:

To me this says that the site is only dangerous insofar as it "links" to winfixer.com. It does not make me believe that it is a site that should be avoided completely. LinkScanner, on the other hand, reported the existence of malicious code:

I then tested a known site that uses exploits to try and infect PCs with malware. Site Advisor reported:

LinkScanner, on the other hand, reported:

Just to be sure, I also tested some known "friendly" sites Wink

Published Mon, Jul 24 2006 11:15 by sandi

Filed under: Security, safety and privacy on the Internet, Vulnerabilities, viruses and exploits

Comments

# you are wrong

Monday, July 31, 2006 11:14 AM by Anon

First of all, if you could read simple directions, you would know that siteadvisor works on the domain level. Try looking at http://www.siteadvisor.com/sites/vogservice.com

Sandi says: Site Advisor working on "domain level" has got nothing to do with real time scans versus non real time scans.

BTW, I checked out the Site Advisor report on vogservice.com:

http://msmvps.com/photos/spyware_sucks/images/106374/original.aspx

and then went to the site itself; the entirety of the code for that site, as displayed in IE7, at time of writing was:

<HTML>
<HEAD>
<TITLE>PlaceHolder for vogservice.com</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Cache-Control" content="no-cache">
</HEAD>

<BODY bgcolor=white>

<div align=center>
<font face="Arial, Helvetica">
This is the placeholder for domain <b>vogservice.com</b>.
If you see this page after uploading site content you
probably have not replaced the index.html file.
</font>
<BR><BR>
<font size=-1>
This page has been automatically generated by Plesk.
</font>
</div>

</BODY>
</HTML>

Second of all, you fail to acknowledge the negatives of link scanner - namely, that it takes a long time to scan a site in their virtual machine "real time", long enough that nobody would endure the wait before browsing to their usual sites.

Sandi says: Ok, so you're saying that somebody who is using that site because they want to be safe would not be willing to endure a wait.... ummm, nope, can't see that being a problem. If they want to be safe, they wait.

That being said, I've seen a series of failures by Link Scanner to detect a problem with known hostile sites; a failure that I am going to have to address with those behind the product. As it stands, I can't recommend the service as a cure-all or accurate when reporting sites are safe.

So, to summarise, Site Advisor has deficiencies in that it doesn't cover all the sites that are out there (malware sites appear, and disappear, quickly), and looking at the results for vogservice.com I just saw, Site Advisor may not always be up-to-date with current status of a page.

Imagine if the owners of a new site request a scan, then as soon as they are reported as clean, changing their site code to start using exploits. Site Advisor will continue to report the site as clean until it is retested.

Link Scanner will have the advantage over Site Advisor, being a real time scanner, if and when the results it generates are reliable, which isn't the case now.

Spyware Sucks

This Blog

Syndication

Search

Tags

Community

Archives

News

Competition for SiteAdvisor - LinkScanner

Comments

# you are wrong