Link Scanners - WOT (Web Of Trust) - Finjan


The idea behind it is great, but in reality it gives users a false sense of security, just as SiteAdvisor and a few others do.
They base their ratings on whether or not a site contains malware. It won’t prevent exploits, etc.
Also, their ratings come from a database, and even if MyWOT and similar tools would alert the user to the possibility of exploits, etc., they would still be rating the sites using their database, meaning that if today a site is known not to exploit users, etc., tomorrow it may be and WOT will fail to protect you. And who speaks of WOT, speaks of others as well.

At the moment, the similar tools that provide better protection, as they provide real-time scanning of the web site, are Finjan and LinkScanner Lite/Pro.

Hopefully, Comodo will come up with something even smarter! :wink:

hmm…

Does Finjan do anything more than just scanning the site using an AV either? (Same applies to LinkScanner?) I couldn’t find information about this apart from this:


http://www.finjan.com/objects/brochures/Finjan_Secure_Browsing.pdf

How it works:

Finjan SecureBrowsing performs real-time code analysis of the current content on each of the rated web pages. Finjan SecureBrowsing detects potentially malicious web pages even if they have never been previously categorized or blacklisted, because it scans each and every piece of web content in real-time, regardless of its source. This on-demand and real-time scanning approach is powered by Finjan’s patented behavior-based inspection technology.


So what else do they do apart from scanning the content?

Melih

Apart from what the people behind Finjan say, I don’t know how it really works, as I do not use it.
I could say something different for LinkScanner Pro, which acts differently from its younger brother/sister. LinkScanner Lite only rates sites on searches made in IE and Firefox. The LinkScanner Pro version works in the background, and even if the user is not using IE or Firefox they will still be protected, regardless of whether or not they notice the green, yellow, red or gray ratings of sites.

I can tell you what happened to me (which I believe you already do): I received 3 (first were just 2) suspicious links, so I was going to study them on a VM, but by accident (bloody touchpad) I opened the link and it redirected me right away to one of the home pages of the rogue Power Antivirus 2009. I closed the browser right away. After some scans and finding out that SUPERAntispyware was detecting its own signatures as malware, I came to the conclusion my system was not affected. I also placed a few logs in a forum dedicated to removing malware :wink:

Anyway, just a few days ago when looking at the logs of LinkScanner Pro, I noticed that it blocked the page from affecting my system. I just didn’t know that it did, because I had it set to not alert me, as I am not the only person making use of this computer and other people would possibly freak out if alerts were given. Now, I have it set to show alerts, whether my relatives freak out or not!! :slight_smile:

So, I guess that LinkScanner Pro works differently from all other link scanners, including its little brother/sister, which only analyses links and rates them, but does not prevent access to them.

Also, after checking those suspicious sites, I realized that LinkScanner Pro does not detect anything wrong on the links that I got, but it blocks the exploits, drive-by downloads, hacked sites, etc. where we might be redirected to. Almost forgot that it will also block any attempt at redirection caused by hidden iframes.

Perhaps you could know more by reading here Free Antivirus Download for PC | AVG Virus Protection Software and also take a look at the whitepaper talking about this sort of thing Free Antivirus Download for PC | AVG Virus Protection Software

Here is what the PDF says about how it works:


SocketShield currently offers two levels of protection: Blocking and Shielding.
• In Blocking, the software uses a list of IP addresses that are known exclusive purveyors of exploits, and all http requests for any page within these domains are simply blocked.
• In Shielding, the program is “exploit-aware” for all current exploits as well as for a select list of recent exploits, by their signatures and/or other uniquely identifiable components. When SocketShield inspects a stream and discovers an exploit, the program acts according to a rule-set for that exploit and the calling application to identify and execute on what to do to stop it. This will usually simply be to cut off the stream, but other options are possible, including modifying the stream or other more aggressive actions.


They have an LSP driver, they have a block list that it looks up against and then they try to identify some of the exploit signatures.

So it’s again a signature based system…

I believe a more secure architecture would be to study these links in a VM. Create a decoy and let the site attack the decoy in a VM and then merely watch the “Real Intention” of the “malicious site”.

Melih
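The two tiers the quoted PDF describes, sketched as an added example that is not part of the original posts and is not SocketShield's code: a block-list lookup, then signature matching on the stream with a per-application action. The addresses, byte markers, signature names and application names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation-range network, made-up byte markers.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# name -> (pattern, default action, per-application overrides)
SIGNATURES = {
    "demo-A": (b"EXPLOIT_MARKER_A", "cut", {}),
    "demo-B": (b"EXPLOIT_MARKER_B", "cut", {"mailclient": "modify"}),
}
HOLD = max(len(p) for p, _, _ in SIGNATURES.values()) - 1


def is_blocked(remote_ip):
    """Blocking tier: is the destination on the known-bad address list?"""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in net for net in BLOCKED_NETS)


def shield(app, chunks):
    """Shielding tier: scan a stream; return (verdict, bytes forwarded to app)."""
    held, out, verdict = b"", b"", "pass"
    for chunk in chunks:
        window = held + chunk  # held bytes catch patterns split across chunks
        for name, (pattern, default, per_app) in SIGNATURES.items():
            if pattern not in window:
                continue
            if per_app.get(app, default) == "cut":
                return "cut:" + name, out  # drop the stream, forward no more
            window = window.replace(pattern, b"")  # "modify": strip the match
            verdict = "modified:" + name
        # Forward only bytes that can no longer be part of a partial match.
        split = max(len(window) - HOLD, 0)
        out, held = out + window[:split], window[split:]
    return verdict, out + held


def inspect(remote_ip, app, chunks):
    """Run both tiers in the order the PDF describes."""
    if is_blocked(remote_ip):
        return "blocked", b""
    return shield(app, chunks)
```

A payload whose marker is not in `SIGNATURES` comes back with verdict `pass`, which is the signature-based limitation raised in the post above.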

That sounds nice :slight_smile: Hey, maybe it could be possible to create this VM in memory. It’s not like the browser uses a large amount of space anyway. And if found to be safe… Let it access your REAL browser (:NRD)

I don’t know if that is a good idea or me just being stupid lol.

I don’t think this should take place at the user’s machine.
There should be an infrastructure in the cloud (on the web) whereby each URL is checked by letting it do its thing against decoys, hence revealing their true colour!!

Melih

I agree with you. There is no point in having such a fighting “device” on the user’s machine, because the malicious site (what is in it) could still bypass it and do some nasty things to the machine.
So, I totally back you up on your idea. Sounds VERY interesting.
Perhaps that infrastructure in the cloud could be not just a virtual environment, but also make use of honeypots that simulate vulnerabilities on the system, so that those malicious sites could actually believe they were being accessed by a machine full of breaches…

It is just a thought… or was perhaps what you were already thinking of… tell me what you think. Do you think it could be possible for such a defense mechanism to exist?

If you’re thinking about having a server to scan these certain sites, maybe it would also be able to scan small files for viruses… sort of using the cloud as a proxy but scanning the content as it comes through

ok, now that you understand our approach… keep watching this space :wink:

melih

Just wanted to add a little more about Web of Trust.

Site reputation data comes from the user community in combination with trusted sources such as listings of phishing sites, and it’s recalculated every 30 minutes, so it’s fresh. More than just warnings about malware, spam, etc., we provide information on trustworthiness, vendor reliability, privacy and child safety. Reputation regarding “vendor reliability” and “child safety” especially benefits from human input because people have the opportunity to share their experiences with others.

WOT can be a part of a layered approach to security, and together with great programs like Comodo, help to make everyone safer.

Deborah
Web of Trust

Deborah.

Thanks for registering and explaining WOT further to us!

Josh (Global Mod).

There is one problem… “Wot” happens if one of the trusted sites is compromised?? It would be giving users a false sense of security

Dear J2897, I’m not the techie one here at WOT, but maybe you have to enable the “Automatic login” feature in the WOT add-on settings? I have asked if one of our developers can assist you with your problem.

Kyle, our system would notice if a trusted source differed from the others, and its reliability would be investigated. And besides, one rating wouldn’t be enough to change a website’s entire reputation. The reliability of the reputations changes as the system gathers more supporting evidence in the form of users’ ratings and information from additional trusted sources.

Deborah
Web of Trust

Hey Deborah, that is reaction though. What happens if a widely used site such as “Youtube” was compromised and your service says it’s safe? Millions of people would be affected in a short time waiting for you to… REACT

Hello Deborah,

I found the choice of the words “would notice”, rather than “will notice”, interesting. If you say it would, then it may happen that it won’t?
Also, Kyle is right when he says “‘Wot’ happens if one of the trusted sites is compromised?? It would be giving users a false sense of security” and when he says “What happens if a widely used site such as ‘Youtube’ was compromised and your service says it’s safe, millions of people would be affected in a short time waiting for you to… REACT”

Tools such as WOT, SiteAdvisor, Symantec Safeweb (something like that) provide a false sense of security.
How?
Well, let’s suppose that at this precise moment they all tag a site green. People will visit it, no harm done.
Now, let’s assume that on a new search people, among other sites, got the same one on a Google search. They tag it green, once again. But this time, despite being tagged green, the site has been hacked and would exploit users. People would go to that site thinking it was safe… but that was not the case… We can only imagine the mess it would create on the system.

My point is that if a site is green at a specific moment, one second later it may already have been hacked, and people will rely on the tags provided by WOT/SiteAdvisor/Symantec’s Safeweb.

Or do you guys at WOT investigate the sites as a daily routine?
Also, what keeps people from tagging A site or B site as green, when they actually may be people wanting to harm other people’s system? What could prevent me from creating a site, then on services such as WOT tag it as green, and you (wot community) confirm that, and later on I will insert malicious code into it… Will you notice it?

See my point?

I think Browser Defender (pctools) offers some heuristic analysis within the web site visited. I currently use this alongside Avast Home and CFP with D+. I’m not sure whether the others mentioned in this thread have heuristics. However, I have not tested this with a hacked site. Also, pctools was bought out by Symantec, so who knows what is going to happen.

Al

There are cases where a reputation rating may not be correct. We don’t claim 100% accuracy. However, safe surfing tools such as WOT can be used as an extra layer of protection along with your regular arsenal of defense.

Security companies have started to develop reputation-based security systems realizing that consumers and security vendors need to join forces to ward off threats. Mark Bregman, the CTO of Symantec, has written an excellent article on this topic: Cybersecurity News, Awards, Webinars, eSummits, Research | SC Media

Best regards,
Deborah
Web of Trust

Deborah, That article is irrelevant as they are talking about programs and files - WOT is website reputation.

Currently I don’t think there is anything really effective for finding web based exploits and cross scripting etc…
It’s like trying to eat your pork with a spoon! It just doesn’t work.

Dear J2897,
If you have any problems with WOT, please contact Sami or Timo at support@mywot.com.

Best regards,
Deborah
Web of Trust