Topic: Total web filtering (Read 1578 times)
Data
Comodo Family Member, Posts: 88
Total web filtering « on: June 10, 2008, 12:09:25 AM »
Not a localhost proxy, but able to filter javascript, VBscript, active content from both the current site, and any external links, flash, cookies, referrers and anything else that can be invasive, or slow you down. Preferences would be on a "per site" basis, with a bypass in case of problems.
If you look around, no stand alone product like it exists. If it does, I can't find it.
Logged
We have them just where they want us.
-Captain Kirk
wallistadeu
Newbie, Posts: 10
Re: Total web filtering « Reply #1 on: July 05, 2008, 05:47:58 PM »
(CWY)The technical team of the project comodo/firewall hereafter will evaluate the possibility
of including a filter web internet, several requests and suggestions were already made for
users, on this detail of safety.
We will await!!
WALLIS
Logged
tetsuo55
Comodo Family Member, Posts: 88
Tweaking windows for Security,Stability and Speed
Re: Total web filtering « Reply #2 on: August 14, 2008, 09:07:48 AM »
I too am waiting for total web filtering.
Currently the only application that can do so (limitedly) is Proxomitron, but it also breaks a lot of valid sites.
The way to do this according to what I read is:
Web-filtering application parses all the code, while parsing it checks for known and unknown exploits and malware.
The web-filter dynamically adjusts any broken code back to standards. Unfixable things like flash get blocked if they are malicious. This of course should be replaced with something like "malware content blocked" which should be the same size as the original malware thing.
Still this sounds easier than it is, basically to make it you need to know everything from W3C off the top of your head.
Also broken sites should be flagged and their admins/hosting should be informed of the fact that the site is broken. This could be taken to the next level by having spiders crawl the web for broken sites (which Comodo probably already does to come up with the malware websites).
Anyway with my limited inside of the box thinking this is the only way to solve the last threat that not a single anti-malware program is protecting us from:
"Malicious scripts using an unknown exploit in a browser or one of its plugins to gain enough rights to influence the system"
Although HIPS or LUA/SRP will probably prevent the malware from being installed, it cannot prevent it from running in memory and doing all its evil keylogging stuff for example (which it sends out through the web browser right through any layer of protection)
Logged
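Added example, not part of any post in this thread: a minimal Python sketch of the filtering the first and third posts describe, with per-site preferences, a bypass list, off-site scripts dropped and blocked embedded objects replaced by a placeholder of the same size. `POLICY`, `BYPASS`, `SiteFilter`, `filter_page` and the `.example` hosts are hypothetical names, and the filter decides by policy rather than by recognising malicious code.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

POLICY = {"default": {"script": "same-site", "object": "block"},  # hypothetical
          "news.example": {"script": "allow", "object": "block"}}  # per-site rules
BYPASS = {"bank.example"}  # constructed bypass list: passed through unfiltered
KIND = {"script": "script", "object": "object", "embed": "object"}
SAMPLE = ('<p>Hi &amp; bye</p><script src="/js/app.js"></script>'  # constructed page
          '<script src="http://tracker.example/t.js"></script>'
          '<object data="http://ads.example/b.swf" width="300" height="250">'
          '<param name="q" value="1"></object><p>end</p>')

class SiteFilter(HTMLParser):  # HTML comments are deliberately not re-emitted
    def __init__(self, page_url):
        super().__init__(convert_charrefs=False)
        self.page_url, self.host = page_url, urlparse(page_url).hostname or ""
        self.rules = POLICY.get(self.host, POLICY["default"])
        self.out, self.blocked = [], []
        self.skip, self.depth = None, 0  # tag being dropped, its nesting depth

    def _emit(self, text):
        if not self.depth:
            self.out.append(text)

    def _start(self, tag, attrs, void):
        if self.depth:  # inside a dropped element: only track nesting
            if tag == self.skip and not void:
                self.depth += 1
            return
        kind, a = KIND.get(tag), dict(attrs)
        src = a.get("src") or a.get("data")
        url = urljoin(self.page_url, src) if src else self.page_url  # inline: own site
        mode = self.rules[kind] if kind else "allow"
        if mode == "allow" or (mode == "same-site" and urlparse(url).hostname == self.host):
            self.out.append(self.get_starttag_text())
            return
        self.blocked.append((tag, url))
        if kind == "object":  # same-size placeholder keeps the page layout
            size = "".join(f"{k}:{a[k]}px;" for k in ("width", "height")
                           if (a.get(k) or "").isdigit())
            self.out.append(f'<div style="{size}">active content blocked</div>')
        if not void:
            self.skip, self.depth = tag, 1

    def handle_starttag(self, tag, attrs): self._start(tag, attrs, tag == "embed")
    def handle_startendtag(self, tag, attrs): self._start(tag, attrs, True)
    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")

    def handle_endtag(self, tag):
        if not self.depth:
            self.out.append(f"</{tag}>")
        elif tag == self.skip:
            self.depth -= 1

def filter_page(page_url, html):
    if (urlparse(page_url).hostname or "") in BYPASS:
        return html, []
    f = SiteFilter(page_url)
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked
```

`filter_page("http://shop.example/index.html", SAMPLE)` returns the rewritten page and the list of blocked items. Inline event-handler attributes, cookies and referrers, which the first post also lists, are outside this sketch.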
Data
Comodo Family Member, Posts: 88
Re: Total web filtering « Reply #3 on: August 14, 2008, 05:09:47 PM »
Quote from: tetsuo55 on August 14, 2008, 09:07:48 AM
> I too am waiting for total web filtering.
> Currently the only application that can do so (limitedly) is Proxomitron, but it also breaks a lot of valid sites.
Prox works excellent, tetsuo55. Try it with the config by 'Sidki'. Any valid sites should be added to the bypass list.
Quote
> "Malicious scripts using an unknown exploit in a browser or one of its plugins to gain enough rights to influence the system"
Prox will spoof your browser/OS. It will prevent enquiring sites from obtaining the required info.
Quote
> Although HIPS or LUA/SRP will probably prevent the malware from being installed, it cannot prevent it from running in memory and doing all its evil keylogging stuff for example
It will. If doing its job properly. Boclean will do this sort of thing without intervention from the user.
Quote
> (which it sends out through the web browser right through any layer of protection)
If properly set up, component control should alert you to the fact that a hidden process is trying to use IE to connect to the internet. You deny, no info sent. You also get alerted to the fact there's a subversive app running out of view.
I use Prox all the time regardless, but it's not what the OP is requesting. It's real time control over active content based on the site visited and any sites connected to it via images, counters and such. Offsite javascripts and other items.
My current firewall comes with it as standard.
Logged
We have them just where they want us.
-Captain Kirk
tetsuo55
Comodo Family Member, Posts: 88
Tweaking windows for Security,Stability and Speed
Re: Total web filtering « Reply #4 on: August 15, 2008, 04:06:36 AM »
Quote from: Data on August 14, 2008, 05:09:47 PM
> Prox works excellent, tetsuo55. Try it with the config by 'Sidki'. Any valid sites should be added to the bypass list.
> Prox will spoof your browser/OS. It will prevent enquiring sites from obtaining the required info.
> It will. If doing its job properly. Boclean will do this sort of thing without intervention from the user.
> If properly set up, component control should alert you to the fact that a hidden process is trying to use IE to connect to the internet. You deny, no info sent. You also get alerted to the fact there's a subversive app running out of view.
> I use Prox all the time regardless, but it's not what the OP is requesting. It's real time control over active content based on the site visited and any sites connected to it via images, counters and such. Offsite javascripts and other items.
> My current firewall comes with it as standard.
I already use Sidki's list. Almost none of my regular sites work properly though.
A proof-of-concept exploit like the one I described already exists.
It works on any browser/OS so Prox's masking doesn't help because it will be executed anyway. Also BOClean won't detect it because it's not hidden, it's a perfectly valid open seeable part of IE or whatever browser is targeted. It's invisible because by all accounts it looks valid to everything and everyone.
At least that's what they claim, a real test would be to see what Comodo does with the exploit in a honeypot but as far as I know there is tester yet
Logged
Data
Comodo Family Member, Posts: 88
Re: Total web filtering « Reply #5 on: August 15, 2008, 01:53:28 PM »
I rarely have problems with Prox, tetsuo55. You use the bypass list?
In my understanding of this, I don't see how this will work on any browser/OS. Maybe as part of an installation, where the payload has a known destination, but as a web attack it's not going to work. If the browser isn't known, or the OS, and scripts have been blocked, how will you determine which bomb to drop and by which method?
Hidden or not, protective apps are a little more clever than that. In any case. If you know about it, so do others. It's been fixed already.
Who and where are "they"?
Logged
We have them just where they want us.
-Captain Kirk
arran777
Newbie, Posts: 5
Re: Total web filtering « Reply #6 on: August 15, 2008, 06:01:58 PM »
There is also Admuncher, which works like a proxy like Proxomitron. Admuncher is just as good if not better than Proxomitron.
There is also the option of using the Firefox no script add on.
There is also the option of using the free Avast webshield.
I use all 3 and nothing ever gets thru.
Logged
Data
Comodo Family Member, Posts: 88
Re: Total web filtering « Reply #7 on: August 15, 2008, 09:48:32 PM »
Quote from: arran777 on August 15, 2008, 06:01:58 PM
> There is also Admuncher, which works like a proxy like Proxomitron. Admuncher is just as good if not better than Proxomitron.
Admuncher can't do what Prox does and it costs money. It's not a contender, nor does it meet the requirements I'm looking for.
Alternatives are not what I'm after.
Quote
> There is also the option of using the Firefox no script add on.
> There is also the option of using the free Avast webshield.
First needs FF,
Second needs Avast. I don't use either.
Quote
> nothing ever gets thru.
Ditto.
Logged
We have them just where they want us.
-Captain Kirk
tetsuo55
Comodo Family Member, Posts: 88
Tweaking windows for Security,Stability and Speed
Re: Total web filtering « Reply #8 on: August 16, 2008, 04:11:34 AM »
Quote from: Data on August 15, 2008, 01:53:28 PM
> I rarely have problems with Prox, tetsuo55. You use the bypass list?
> In my understanding of this, I don't see how this will work on any browser/OS. Maybe as part of an installation, where the payload has a known destination, but as a web attack it's not going to work. If the browser isn't known, or the OS, and scripts have been blocked, how will you determine which bomb to drop and by which method?
> Hidden or not, protective apps are a little more clever than that. In any case. If you know about it, so do others. It's been fixed already.
> Who and where are "they"?
I am not sure where to find it, but the exploit is called something like "How to impress your girlfriend with Vista"
They claim the exploit works on every browser/OS because it's based on a core feature of both browser and OS (it's a part of the browser that is always the same and the same goes for the OS. The only way to block it is by completely disabling scripts and completely not allowing the browser to load any type of addition to the main executable)
As you probably know every browser allows you to add stuff to it. In the case of IE it already depends on a ****load of DLLs.
To completely protect from this exploit one would need a browser that is based on a single .exe without any support files. Good luck using the internet with that browser though.
Disclaimer: I don't know if any of this is really true, however it is the only remaining attack vector that has not been covered imho (unless you use proxo)
PS. I'll take another look at proxo then until Comodo adds this feature!
Logged
Data
Comodo Family Member, Posts: 88
Re: Total web filtering « Reply #9 on: August 16, 2008, 04:51:50 PM »
Ahh, you mean Windows. I see what you're saying, but it can't work on Linux or Mac.
Since you mentioned Vista....
http://forums.comodo.com/general_discussion_off_topic_anything_and_everything/vista_security_game_over_man-t26138.0.html
Logged
We have them just where they want us.
-Captain Kirk
tetsuo55
Comodo Family Member, Posts: 88
Tweaking windows for Security,Stability and Speed
Re: Total web filtering « Reply #10 on: August 17, 2008, 03:51:20 PM »
It doesn't matter if this does or does not work on other OSes besides Windows.
There is also an Intel exploit that works by sending the right TCP packet to a PC and boom, root access regardless of OS.
The point is that the only unprotected attack vector is the use of web scripts.
Logged
Data
Comodo Family Member, Posts: 88
Re: Total web filtering « Reply #11 on: August 17, 2008, 04:41:46 PM »
Quote
> It doesn't matter if this does or does not work on other OSes besides Windows.
So even though you stated earlier it could affect any browser/OS, you actually mean Windows versions.
Quote
> There is also an Intel exploit that works by sending the right TCP packet to a PC and boom, root access regardless of OS.
Assuming the firewall/AV doesn't filter it. Windows exploit again?
Quote
> The point is that the only unprotected attack vector is the use of web scripts.
Even basic IE settings will prevent scripts from running.
As usual, it all depends on the technical prowess of the individual being attacked. Or in these cases, the lack thereof.
Logged
We have them just where they want us.
-Captain Kirk
tetsuo55
Comodo Family Member, Posts: 88
Tweaking windows for Security,Stability and Speed
Re: Total web filtering « Reply #12 on: August 18, 2008, 07:13:24 AM »
Well according to the actual documentation of the Vista exploit it's clear that it could be tailored for any OS/browser. Their goal was to break Vista, the way they did that revealed a fundamental flaw in the whole browsing experience regardless of platform. Also I read in other threads that attacks based on this flaw already exist but again I have not seen any proof of this.
The Intel exploit has 2 attack vectors
1. Script, this can already be blocked in many ways, but not transparently like full web filtering would do
2. TCP packet. This cannot be blocked by AV/firewall because the exploit attacks the CPU directly, before reaching the AV/firewall the packet has already passed by the CPU on a hardware level.
Packet reaches NIC, NIC passes data over the PCI bus to the CPU, packet reaches CPU, exploit succeeded. The attack even passes hardware firewalls if I understood correctly (but the finder is also going to release a patch to make sure hardware router/switches drop the packet)
You keep saying that scripts get disabled easily, I suggest you use noscript to fully block all scripts and no-flash to fully block flash.
Then go to the top 50 websites and you will quickly see that no-script and no-flash are useless as you will have to enable scripts and flash on almost all of them to get them to show something.
That's why we need something like proxo built into Comodo firewall. Dangerous code gets transparently patched into safe code. That way you won't have to worry about when to enable scripts and when not to.
End user friendliness
« Last Edit: August 18, 2008, 07:16:43 AM by tetsuo55 »
Logged
Data
Comodo Family Member, Posts: 88
Re: Total web filtering « Reply #13 on: August 18, 2008, 05:25:53 PM »
I best get this thread split. It's right off target.
Quote from: tetsuo55 on August 18, 2008, 07:13:24 AM
> Well according to the actual documentation of the Vista exploit it's clear that it could be tailored for any OS/browser. Their goal was to break Vista, the way they did that revealed a fundamental flaw in the whole browsing experience regardless of platform. Also I read in other threads that attacks based on this flaw already exist but again I have not seen any proof of this.
So this has no real foundation. You are just quoting what you heard on other sites?
Quote
> The Intel exploit has 2 attack vectors
> 2. TCP packet. This cannot be blocked by AV/firewall because the exploit attacks the CPU directly, before reaching the AV/firewall the packet has already passed by the CPU on a hardware level.
> Packet reaches NIC, NIC passes data over the PCI bus to the CPU, packet reaches CPU, exploit succeeded. The attack even passes hardware firewalls if I understood correctly (but the finder is also going to release a patch to make sure hardware router/switches drop the packet)
Nah. Proof please.
Quote
> You keep saying that scripts get disabled easily, I suggest you use noscript to fully block all scripts and no-flash to fully block flash.
> Then go to the top 50 websites and you will quickly see that no-script and no-flash are useless as you will have to enable scripts and flash on almost all of them to get them to show something.
I said nothing of the sort. I said basic IE settings will disable web scripts. As we know, Microsoft actively invites malware to your system. Even with SP3. Tighter default settings would help greatly in this regard.
You only need to kill bad scripts. You can see pretty much everything a site has to offer and not be concerned.
Don't use Firefox.
Therefore I can't use no script. I use a browser based on IE.
I do however have active web elements under control, via my firewall, for one. I can visit sites that specifically use java or other scripts to test systems and they are not successful. I posted a link on here some time ago and other guys from here also came up trumps.
There's no secret to having a safe surfing experience. Education is key.
Quote
> Dangerous code gets transparently patched into safe code.
Safer to carry on as we do and just block it. It's no loss.
Logged
We have them just where they want us.
-Captain Kirk
tetsuo55
Comodo Family Member, Posts: 88
Tweaking windows for Security,Stability and Speed
Re: Total web filtering « Reply #14 on: August 19, 2008, 01:52:56 AM »
Intel hack press-info:
http://www.techworld.com/security/news/index.cfm?newsid=102332
What browser/firewall combo do you use that only filters out bad scripts?
(proxo does not count because it actually fixes broken scripts like I suggested next to blocking bad ones)
Logged