URL block poss serious flaw

system · 2006-10-20T07:38:02.000Z

Hi,

I’ve previously used url blocking in the web scanner to great effect, and one of the things I do is block all the urls that MSN uses for placing adverts in Messenger/Live Messenger (ads1.msn.com and so on).

Only two days ago I used transparent proxy for the first time. Up to then I had always pointed IE and Firefox at localhost port 12080.

Suddenly the ads reappeared!

I have realised now that if IE 7 is not configured specifically to connect via 12080, certain msn urls are somehow accessed despite the configuration of Avast url blocking. Yet, other pages are still blocked successfully. I conclude the Microsoft has been sneaky with the MSN advert urls and built-in a bypass of proxy.

In the end I have resorted to modifying my hosts file to spoof the advert urls so I could leave IE not pointed at 12080. This works well.

However, my real point is, if Microsoft can arbitrarily bypass the URL block, is there not then the possibility of the entire AV scan layer being bypassed as well? (And it might not be by Microsoft)

I THINK SO!!

Lisandro · 2006-10-20T14:56:47.000Z

Which port does msn uses to ‘send’ adds…
I mean, is it different from the default 80?

iano39 post:1:

However, my real point is, if Microsoft can arbitrarily bypass the URL block, is there not then the possibility of the entire AV scan layer being bypassed as well? (And it might not be by Microsoft)

I don’t think MS is bypassing anything… just you need to configure correctly (both URL blocking mask and the port scanned by WebShield).

DavidR · 2006-10-20T16:43:02.000Z

Personally the URL Blocking isn’t up to or designed for this job.

There are many browsers, firewalls and browser tools or extensions that do a better job of blocking adverts. Firefox with the AdBlock plus and maxthon with AdHunter and the Hosts file as you mention. My firewall has and ad blocker function (disabled) as the other ad blockers work so well, at least better than the firewalls plug-in.

I would have thought that there would have been some form of ad blocker plug-in that works with IE7.

system · 2006-10-20T21:37:26.000Z

Weeeeeell… everyone’s gonan hate me now as I’m having a moan!! But look, I really think that Alwil should decide whether to make a url blocker and call it solid and purposeful, or just drop it. What’s the pont in a half hearted feature? I’ve got an ad blocker in Firefox, and Firefox is my default browser. Doesn’t matter if stuff is tunneling thru IE, you know! But let’s forget URL block for a moment as I’ve moved my mind more onto the fact that we have unscanned http traffic.

It might be naive to not expect a M$ product to not channel traffic quietly via IE, but if this kind of back door is going to open up I’m tempted to just cripple IE so it can’t network. I already have “ietab” setup for Firefox, but why do I have to get drastic.

Technically, it’s interesting. If I force IE 7 to use 12080 as a proxy, then very clearly the MSN advert traffic called for Messenger is pulled via Avast, via 12080, and blocked. It all relies totally on IE - I used the contents of my IE temp folder to work out the urls to block! ;-0) I guess that in the absence of a specified proxy/port, IE is just using arbitrary ones!! Conversely, I gather that Avast can force ALL traffic via one route when not transparent. Choices choices.

Forget deciding that it either is or is not a flaw in Avast. The fact is that the transparent operation of web scanner is not set by default to catch and scan certain traffic related to (arguably) the most common browser and (arguably) the most common IM client. (I don’t know why Zone Alarm doesn’t care either). Someone somewhere is going to exploit this to sneak some virus disguised as an MSN component past the protection software, right in to the system through IE, and 9 out of 10 users will have been believing they had these bases covered with their AV software. I can’t currently identify the ports being used, but as I said I really cannot see why this is not pre-set in the Alwil product, to be quite honest. I’m sure nobody thinks I have a good point, but there you go…

I’m going for a lie-down!! Ha ha!

system · 2006-10-20T21:44:33.000Z

More of me.

I just read another poster today basically pointing out that things can slip around the webshield and I’ve decided to give up on the issue and just learn from it, as it does seem to be taken as read here that this is just the fact of life.

Fair enough.

If anyone knows the port numbers used by WLM for http fetches I’d be very grateful and I’d recommend folks to add them to the redirected ports list in Avast. Nothing to do with URL blocking and if I could I’d re title my original post to reflect that I’m dissatisfied with the scanning itself (in default settings).

Of course, with the right ports redirected, blocking will work anyway!

For the record, I’m persisting with transparent scanning as I have eliminated all the currently noted advert urls by other means (hosts file included), and have also discovered that running IE via 127.0.0.1:12080 prevents WL Messenger operating correctly in certain other ways (which now seems logical). I guess if I want to use it I need to balance these factors out and live with them! Maybe I’m also being unfair and obsessive in wanting to use WLM fully and yet at the same time deny Microsoft their advertising rights!!

Thanks everyone for replies.

Announcements