Interception of web content by AV software (was Re: VML Patch forWin9x?)

[98 Guy]

What does it mean that McAfee will complain of
"testvml[1].htm.vir" when I click...

http://www.isotf.org/zert/testvml.htm

THEN, yea, it will quarantine or delete the *.vir, but
STILL I end up with a crashed IE. I haven't yet switched to
the Win2K .dll.

(1) What is crashing me, if McAfee has quarantined the virus?

Dave? Can you answer that one?

(3) Or is this a diabolical plot of yours &/or of 98 Guy,
who IS prominently mentioned at that site?

No, no plot.

I submitted "testvml[1].htm" to virus total and only a handful of AV
software flagged it. Symantec was one of them.

I went to a Win-98 system that I haven't patched with the new version
of VGX.dll and verified that it crashes when viewing the above URL.
The NAV-2002 on that system was last updates Aug 28, so no it didn't
flag anything.

I then updated NAV to Sept 27 or 28 then went to that URL again, and
again it crashes IE, but NAV catches and quarantines testvml[1].htm
while the crash message is still on the screen.

So basically NAV (2002 version) is not capable of intercepting bad WWW
content before IE handles it.

Do we know if "modern" AV software intercepts and scans web content
BEFORE a browser sees it?

Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
current AV software?

 

[David H. Lipman]

From: "98 Guy" <[email protected]>

| PCR wrote:
|

What does it mean that McAfee will complain of
"testvml[1].htm.vir" when I click...

http://www.isotf.org/zert/testvml.htm

THEN, yea, it will quarantine or delete the *.vir, but
STILL I end up with a crashed IE. I haven't yet switched to
the Win2K .dll.

(1) What is crashing me, if McAfee has quarantined the virus?

|
| Dave? Can you answer that one?


The System was unpatched. Of course IE will crash.
Who siad this was a "virus". It isn't it is exploit code and it was NOT quarantined, the
software was set to rename not delete or quarantine.


||
| No, no plot.
|
| I submitted "testvml[1].htm" to virus total and only a handful of AV
| software flagged it. Symantec was one of them.
|
| I went to a Win-98 system that I haven't patched with the new version
| of VGX.dll and verified that it crashes when viewing the above URL.
| The NAV-2002 on that system was last updates Aug 28, so no it didn't
| flag anything.
|
| I then updated NAV to Sept 27 or 28 then went to that URL again, and
| again it crashes IE, but NAV catches and quarantines testvml[1].htm
| while the crash message is still on the screen.
|
| So basically NAV (2002 version) is not capable of intercepting bad WWW
| content before IE handles it.
|
| Do we know if "modern" AV software intercepts and scans web content
| BEFORE a browser sees it?
|
| Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| current AV software?

How it is handles is dependant upon the settings of the AV software and the signatures that
software uses.

 

[David H. Lipman]

From: "98 Guy" <[email protected]>

| PCR wrote:
|

What does it mean that McAfee will complain of
"testvml[1].htm.vir" when I click...

http://www.isotf.org/zert/testvml.htm

THEN, yea, it will quarantine or delete the *.vir, but
STILL I end up with a crashed IE. I haven't yet switched to
the Win2K .dll.

(1) What is crashing me, if McAfee has quarantined the virus?

|
| Dave? Can you answer that one?


The System was unpatched. Of course IE will crash.
Who siad this was a "virus". It isn't it is exploit code and it was NOT quarantined, the
software was set to rename not delete or quarantine.


||
| No, no plot.
|
| I submitted "testvml[1].htm" to virus total and only a handful of AV
| software flagged it. Symantec was one of them.
|
| I went to a Win-98 system that I haven't patched with the new version
| of VGX.dll and verified that it crashes when viewing the above URL.
| The NAV-2002 on that system was last updates Aug 28, so no it didn't
| flag anything.
|
| I then updated NAV to Sept 27 or 28 then went to that URL again, and
| again it crashes IE, but NAV catches and quarantines testvml[1].htm
| while the crash message is still on the screen.
|
| So basically NAV (2002 version) is not capable of intercepting bad WWW
| content before IE handles it.
|
| Do we know if "modern" AV software intercepts and scans web content
| BEFORE a browser sees it?
|
| Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| current AV software?

How it is handles is dependant upon the settings of the AV software and the signatures that
software uses.

 

[98 Guy]

| Is this a quirk of Win-98/NAV-2002, or does this apply to XP
| and current AV software?

How it is handles is dependant upon the settings of the AV
software and the signatures that software uses.

In my case, NAV did quarantine the .htm file from IE's cache. The
signatures are obviously not the issue here because the item was
detected.

There is no setting on NAV 2002 along the lines of interception of web
content before being handed off to the browser (as opposed to pop-mail
handling which NAV and other AV software obviously can do).

| Do we know if "modern" AV software intercepts and scans web
| content BEFORE a browser sees it?

I take it that because you haven't directly answered that question,
that you are acknowledging that indeed there is AV software and there
are mechanisms whereby the scanning of web-browser content can and
does happen before being rendered or processed by the browser?

The crashing of an IE window while attempting to view the URL in
question SHOULD NOT HAPPEN if a system has AV software that is capable
of detecting (and quarantining) the specific threat.

Detecting the threat inside a cached temporary file is too late if the
browser has already processed the code inside the file.

Many people are of the belief that their AV software will protect them
during web surfing. Clearly that protection can't happen if there is
no mechanism of passing web code through the AV software first before
being seen by the browser. Does any such mechanism exist for IE? For
Firefox or Mozilla?

 

[98 Guy]

| Is this a quirk of Win-98/NAV-2002, or does this apply to XP
| and current AV software?

How it is handles is dependant upon the settings of the AV
software and the signatures that software uses.

In my case, NAV did quarantine the .htm file from IE's cache. The
signatures are obviously not the issue here because the item was
detected.

There is no setting on NAV 2002 along the lines of interception of web
content before being handed off to the browser (as opposed to pop-mail
handling which NAV and other AV software obviously can do).

| Do we know if "modern" AV software intercepts and scans web
| content BEFORE a browser sees it?

I take it that because you haven't directly answered that question,
that you are acknowledging that indeed there is AV software and there
are mechanisms whereby the scanning of web-browser content can and
does happen before being rendered or processed by the browser?

The crashing of an IE window while attempting to view the URL in
question SHOULD NOT HAPPEN if a system has AV software that is capable
of detecting (and quarantining) the specific threat.

Detecting the threat inside a cached temporary file is too late if the
browser has already processed the code inside the file.

Many people are of the belief that their AV software will protect them
during web surfing. Clearly that protection can't happen if there is
no mechanism of passing web code through the AV software first before
being seen by the browser. Does any such mechanism exist for IE? For
Firefox or Mozilla?

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PCR wrote:
So basically NAV (2002 version) is not capable of intercepting bad WWW
content before IE handles it.

I believe this is true.

Do we know if "modern" AV software intercepts and scans web content
BEFORE a browser sees it?

NOD32 certainly does. HTML/Exploit.VMLFill (3) added 23rd September,
http://www.eset.com/support/updates1.php?pageno=6

Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
current AV software?

It's a failing of NAV 2002. I can't comment on later versions as I don't
use it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFH+XS7uRVdtPsXDkRAtqdAKCXlkK4c9q+SiwClMlXABBZAZG0AgCfb50G
GDyLPuwxMfe6KQy6g8Y7BXg=
=PJ+b
-----END PGP SIGNATURE-----

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PCR wrote:
So basically NAV (2002 version) is not capable of intercepting bad WWW
content before IE handles it.

I believe this is true.

Do we know if "modern" AV software intercepts and scans web content
BEFORE a browser sees it?

NOD32 certainly does. HTML/Exploit.VMLFill (3) added 23rd September,
http://www.eset.com/support/updates1.php?pageno=6

Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
current AV software?

It's a failing of NAV 2002. I can't comment on later versions as I don't
use it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFH+XS7uRVdtPsXDkRAtqdAKCXlkK4c9q+SiwClMlXABBZAZG0AgCfb50G
GDyLPuwxMfe6KQy6g8Y7BXg=
=PJ+b
-----END PGP SIGNATURE-----

 

[David H. Lipman]

From: "98 Guy" <[email protected]>

| "David H. Lipman" wrote:
|
|>> Is this a quirk of Win-98/NAV-2002, or does this apply to XP
|>> and current AV software?|
| In my case, NAV did quarantine the .htm file from IE's cache. The
| signatures are obviously not the issue here because the item was
| detected.
|
| There is no setting on NAV 2002 along the lines of interception of web
| content before being handed off to the browser (as opposed to pop-mail
| handling which NAV and other AV software obviously can do).
|
|>> Do we know if "modern" AV software intercepts and scans web
|>> content BEFORE a browser sees it?
|
| I take it that because you haven't directly answered that question,
| that you are acknowledging that indeed there is AV software and there
| are mechanisms whereby the scanning of web-browser content can and
| does happen before being rendered or processed by the browser?
|
| The crashing of an IE window while attempting to view the URL in
| question SHOULD NOT HAPPEN if a system has AV software that is capable
| of detecting (and quarantining) the specific threat.
|
| Detecting the threat inside a cached temporary file is too late if the
| browser has already processed the code inside the file.
|
| Many people are of the belief that their AV software will protect them
| during web surfing. Clearly that protection can't happen if there is
| no mechanism of passing web code through the AV software first before
| being seen by the browser. Does any such mechanism exist for IE? For
| Firefox or Mozilla?

It doesn't matter if it is Web Content or any other disk file. The scanning is performed as
the file is written to the Browser cache.

No anti virus can intercept all communication between the PC and the Internet. If you want
that to happen, setup a Proxy Server between your LAN and the Internet and install anti
virus software on the Proxy Server. There are Gateway/Proxy appliances on the market for
this.

 

[David H. Lipman]

From: "98 Guy" <[email protected]>

| "David H. Lipman" wrote:
|
|>> Is this a quirk of Win-98/NAV-2002, or does this apply to XP
|>> and current AV software?|
| In my case, NAV did quarantine the .htm file from IE's cache. The
| signatures are obviously not the issue here because the item was
| detected.
|
| There is no setting on NAV 2002 along the lines of interception of web
| content before being handed off to the browser (as opposed to pop-mail
| handling which NAV and other AV software obviously can do).
|
|>> Do we know if "modern" AV software intercepts and scans web
|>> content BEFORE a browser sees it?
|
| I take it that because you haven't directly answered that question,
| that you are acknowledging that indeed there is AV software and there
| are mechanisms whereby the scanning of web-browser content can and
| does happen before being rendered or processed by the browser?
|
| The crashing of an IE window while attempting to view the URL in
| question SHOULD NOT HAPPEN if a system has AV software that is capable
| of detecting (and quarantining) the specific threat.
|
| Detecting the threat inside a cached temporary file is too late if the
| browser has already processed the code inside the file.
|
| Many people are of the belief that their AV software will protect them
| during web surfing. Clearly that protection can't happen if there is
| no mechanism of passing web code through the AV software first before
| being seen by the browser. Does any such mechanism exist for IE? For
| Firefox or Mozilla?

It doesn't matter if it is Web Content or any other disk file. The scanning is performed as
the file is written to the Browser cache.

No anti virus can intercept all communication between the PC and the Internet. If you want
that to happen, setup a Proxy Server between your LAN and the Internet and install anti
virus software on the Proxy Server. There are Gateway/Proxy appliances on the market for
this.

 

[98 Guy]

98 Guy wrote:

NOD32 certainly does. HTML/Exploit.VMLFill (3) added 23rd September,
http://www.eset.com/support/updates1.php?pageno=6

You are confusing the simple detection of that exploit when
encountered in, say, a cached file, vs the REAL TIME detection of the
exploit code as it comes off the internet and into the browser.

It's a failing of NAV 2002.

I contend that you are not understanding the question.

 

[98 Guy]

98 Guy wrote:

NOD32 certainly does. HTML/Exploit.VMLFill (3) added 23rd September,
http://www.eset.com/support/updates1.php?pageno=6

You are confusing the simple detection of that exploit when
encountered in, say, a cached file, vs the REAL TIME detection of the
exploit code as it comes off the internet and into the browser.

It's a failing of NAV 2002.

I contend that you are not understanding the question.

 

[98 Guy]

No anti virus can intercept all communication between the PC
and the Internet.

Ok, then WHICH AV software can intercept SOME of the communication
between the PC and the internet (or in this case, between a web server
and a browser) ????

If the answer is none, then what does that say about the entire AV
industry? I'll tell you what it says. It says that they've been
fostering the myth that they can make your web browsing more safe or
more secure, when they really can't, because their products are NOT
SITUATED in the right place (between the internet and the browser)
hence they are not in a good position to deflect a threat. They can
tell you afterwards that something got in, but they can't stop your
browser from being infuenced by the threat first.

 

[98 Guy]

No anti virus can intercept all communication between the PC
and the Internet.

Ok, then WHICH AV software can intercept SOME of the communication
between the PC and the internet (or in this case, between a web server
and a browser) ????

If the answer is none, then what does that say about the entire AV
industry? I'll tell you what it says. It says that they've been
fostering the myth that they can make your web browsing more safe or
more secure, when they really can't, because their products are NOT
SITUATED in the right place (between the internet and the browser)
hence they are not in a good position to deflect a threat. They can
tell you afterwards that something got in, but they can't stop your
browser from being infuenced by the threat first.

 

[PCR]

| PCR wrote:
|
| > What does it mean that McAfee will complain of
| > "testvml[1].htm.vir" when I click...
| >
| > http://www.isotf.org/zert/testvml.htm
| >
| > THEN, yea, it will quarantine or delete the *.vir, but
| > STILL I end up with a crashed IE. I haven't yet switched to
| > the Win2K .dll.
| >
| > (1) What is crashing me, if McAfee has quarantined the virus?
|
| Dave? Can you answer that one?
|
| > (3) Or is this a diabolical plot of yours &/or of 98 Guy,
| > who IS prominently mentioned at that site?
|
| No, no plot.

OK, then. Anyhow, none of the wording in your file, such as "If you can
see two colored boxes" shows up on my screen.

| I submitted "testvml[1].htm" to virus total and only a handful of AV
| software flagged it. Symantec was one of them.

McAfee does well too.

| I went to a Win-98 system that I haven't patched with the new version
| of VGX.dll and verified that it crashes when viewing the above URL.
| The NAV-2002 on that system was last updates Aug 28, so no it didn't
| flag anything.
|
| I then updated NAV to Sept 27 or 28 then went to that URL again, and
| again it crashes IE, but NAV catches and quarantines testvml[1].htm
| while the crash message is still on the screen.

McAfee appears to trap it first. However, after I have chosen to delete
or move the file, IE will try to open the page & crash to the IE Report
Tool with an incredibly enormous report. Thus far, I have spared MS &
chosen to not send it!

| So basically NAV (2002 version) is not capable of intercepting bad WWW
| content before IE handles it.

Do you actually see the wording on your screen that you put into
TestVML.htm? If not, I suppose it did not execute.

| Do we know if "modern" AV software intercepts and scans web content
| BEFORE a browser sees it?
|
| Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| current AV software?

 

[PCR]

| PCR wrote:
|
| > What does it mean that McAfee will complain of
| > "testvml[1].htm.vir" when I click...
| >
| > http://www.isotf.org/zert/testvml.htm
| >
| > THEN, yea, it will quarantine or delete the *.vir, but
| > STILL I end up with a crashed IE. I haven't yet switched to
| > the Win2K .dll.
| >
| > (1) What is crashing me, if McAfee has quarantined the virus?
|
| Dave? Can you answer that one?
|
| > (3) Or is this a diabolical plot of yours &/or of 98 Guy,
| > who IS prominently mentioned at that site?
|
| No, no plot.

OK, then. Anyhow, none of the wording in your file, such as "If you can
see two colored boxes" shows up on my screen.

| I submitted "testvml[1].htm" to virus total and only a handful of AV
| software flagged it. Symantec was one of them.

McAfee does well too.

| I went to a Win-98 system that I haven't patched with the new version
| of VGX.dll and verified that it crashes when viewing the above URL.
| The NAV-2002 on that system was last updates Aug 28, so no it didn't
| flag anything.
|
| I then updated NAV to Sept 27 or 28 then went to that URL again, and
| again it crashes IE, but NAV catches and quarantines testvml[1].htm
| while the crash message is still on the screen.

McAfee appears to trap it first. However, after I have chosen to delete
or move the file, IE will try to open the page & crash to the IE Report
Tool with an incredibly enormous report. Thus far, I have spared MS &
chosen to not send it!

| So basically NAV (2002 version) is not capable of intercepting bad WWW
| content before IE handles it.

Do you actually see the wording on your screen that you put into
TestVML.htm? If not, I suppose it did not execute.

| Do we know if "modern" AV software intercepts and scans web content
| BEFORE a browser sees it?
|
| Is this a quirk of Win-98/NAV-2002, or does this apply to XP and
| current AV software?

 

[David H. Lipman]

From: "98 Guy" <[email protected]>

| "David H. Lipman" wrote:
||
| Ok, then WHICH AV software can intercept SOME of the communication
| between the PC and the internet (or in this case, between a web server
| and a browser) ????
|
| If the answer is none, then what does that say about the entire AV
| industry? I'll tell you what it says. It says that they've been
| fostering the myth that they can make your web browsing more safe or
| more secure, when they really can't, because their products are NOT
| SITUATED in the right place (between the internet and the browser)
| hence they are not in a good position to deflect a threat. They can
| tell you afterwards that something got in, but they can't stop your
| browser from being infuenced by the threat first.

None at the PC level.

 

[David H. Lipman]

From: "98 Guy" <[email protected]>

| "David H. Lipman" wrote:
||
| Ok, then WHICH AV software can intercept SOME of the communication
| between the PC and the internet (or in this case, between a web server
| and a browser) ????
|
| If the answer is none, then what does that say about the entire AV
| industry? I'll tell you what it says. It says that they've been
| fostering the myth that they can make your web browsing more safe or
| more secure, when they really can't, because their products are NOT
| SITUATED in the right place (between the internet and the browser)
| hence they are not in a good position to deflect a threat. They can
| tell you afterwards that something got in, but they can't stop your
| browser from being infuenced by the threat first.

None at the PC level.

 

[kurt wismer]

Ok, then WHICH AV software can intercept SOME of the communication
between the PC and the internet (or in this case, between a web server
and a browser) ????

really more of an anti-malware than an anti-virus specifically, but -
socketshield...

 

[kurt wismer]

Ok, then WHICH AV software can intercept SOME of the communication
between the PC and the internet (or in this case, between a web server
and a browser) ????

really more of an anti-malware than an anti-virus specifically, but -
socketshield...

 

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You are confusing the simple detection of that exploit when
encountered in, say, a cached file, vs the REAL TIME detection of the
exploit code as it comes off the internet and into the browser.

No I am not. NOD32 intercepts web content as it is being downloaded from a
server and before it is sent to the client. Either it replaces the content
with a custom warning or terminates the connection and opens a warning window.

After asking a question, it's rude to then accuse a replyee of not knowing
what they are talking about before finding facts to back up your rebuke. It
also makes you look rather silly.

I contend that you are not understanding the question.

That's nice.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFFIMjR7uRVdtPsXDkRAlCHAJ9XNgvbiqG5i6BC96eVdF2wDm0z/QCggjl9
90uhUZ/YJwVlJBieuM2utDM=
=Fu4v
-----END PGP SIGNATURE-----