Benefits of web shield (https scanning)?

RichardEb · 2017-11-08T13:53:08.000Z

Hi,

what are the benefits of the avast web shield (https scanning)? When I disable the web shield an infected file can be downloaded…ok. But before the file is executed avast scans the file anyway. So there is the benefit of https interception?

Thank you

bob3160 · 2017-11-08T14:42:32.000Z

There are also infected websites, scripts etc.
80% of all infections come via the internet.
Webshield is your most important protection if you do anything on the internet.

DavidR · 2017-11-08T14:46:36.000Z

Not all files are scanned by the file system shield by default, that are scanned by the web shield.

By disabling https nothing is scanned by the web shield, so you are relying on whatever the file content is being in the default setting of the file system shield.

By disabling https the web shield won’t detect URL:MAL if there is a malicious url or redirect in that https page.

The real question is, what are you hoping to gain by disabling https scanning ?

RichardEb · 2017-11-08T17:17:17.000Z

I still don’t know what the web shield should achieve.

I can think only about two infection ways:

1.)by executing a downloaded “bad” file by myself. The file system shield will protect me in this case

2.)If the Website(html, Javascript,…) uses a vulnerability in my Browser to attack me. But in this case avast can’t protect me. If avast knows about the attack vector the browser vendor has also fixed the issue. If the vendor doesn’t know about it avast won’t also.

3.) did I’missed an attack vector?

Asyn · 2017-11-09T04:04:07.000Z

See: https://support.avast.com/article/190/

igor0 · 2017-11-09T08:05:24.000Z

RichardEb post:4:

2.)If the Website(html, Javascript,…) uses a vulnerability in my Browser to attack me. But in this case avast can’t protect me. If avast knows about the attack vector the browser vendor has also fixed the issue. If the vendor doesn’t know about it avast won’t also.

I don’t think this is how it works - even if we assume that you update your browser and all related 3rd party “plugins” as soon as an update is released.
While the virus definitions can target a specific code exploiting a particular vulnerability, the detections are often more “simple” - e.g. they can detect the subsequent downloading phase (either the downloader script, or just the sites known to distribute malware). While this may non be the ultimate protection against the vulnerability (say against a targeted attack), it can be quite efficient - we see ongoing campaigns on our user base and we can just block the specific sites/scripts (and since this doesn’t require a full dissecting of the specific vulnerability, it can be done faster than the vendor fixes the issue - if there’s a 0-day phase during which the malware already spreads).

Furthermore, you shouldn’t assume that the File Shield blocks every known malware… now of course we try our best, but nothing is perfect in reality, right
So it can happen that the File Shield misses a specific sample - yet it gets (or would get) blocked by the Web Shield during download - because it’s downloaded from a known malware distribution site. So the layered approach brings some value.

system · 2017-11-09T09:51:09.000Z

“So it can happen that the File Shield misses a specific sample - yet it gets (or would get) blocked by the Web Shield during download - because it’s downloaded from a known malware distribution site”

If the site is on the list of “known malware distribution” , seems to be logical that Avast! knows which malware is being distributed. (other wise why put the site on the list???)
So, if the malware is known, should be detected by the file shield.

At least this seems to be a logical chain of events…

Pondus · 2017-11-09T09:56:36.000Z

If the site is on the list of "known malware distribution" , seems to be logical that Avast! knows which malware is being distributed. (other wise why put the site on the list????) So, if the malware is known, should be detected by the file shield.
At least this seems to be a logical chain of events…

Today they may distribute a known malware tomorrow they may distribute a complete new not known yet … also when loaction URL/IP is blocked by many or taken down they start up at new not blocked location and the arms race continue

https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-spring-2017

igor0 · 2017-11-09T12:43:01.000Z

John712 post:7:

If the site is on the list of “known malware distribution” , seems to be logical that Avast! knows which malware is being distributed. (other wise why put the site on the list???)
So, if the malware is known, should be detected by the file shield.

First, if a site distributes a thousand different (and I mean really different) pieces of malware - do you really want your antivirus to get thousand different definitions (which - in the long term - grows the size of the product on disk, in memory, and possibly slows down the scanning), or rather get one detection which blocks the site - i.e. everything, past and future?

Second (and more importantly), whoever downloads a file from that site, may simply get different content (either based on country, browser, etc. - or simply a unique generated file for each touch). So there’s no way we can reliably get all the samples it serves…

Announcements