raynor - Posted June 28, 2015

How does ESET's web access protection & antiphishing protection check the URLs the user visits?

Is this done online (i.e. all visited URLs are transmitted to one of ESET's servers) or offline (i.e. the URLs are just compared with the offline virus databases)? Does it make a difference whether LiveGrid is enabled or not?

Offline comparison would be similar to what Firefox does (it downloads a list of malicious URLs and then compares the URLs you visit with its offline list).

Take a look here: hxxp://blog.emsisoft.com/2015/05/10/emsisoft-anti-malware-emsisoft-internet-security-10-available-2/

They claim: "9 out of 11 well known antivirus/anti-malware products track and submit all your visited websites to some far-away server [...]", which is of course a rather bold claim, and I hope that this can be dismissed as "marketing".

So, what about ESET?

Thank you and cheers
Raynor

Edited June 28, 2015 by raynor

Marcos (Administrators) - Posted June 28, 2015

1, URLs are checked both online and offline, if needed.
2, Having LiveGrid enabled makes a difference. As of version 9, disabling LiveGrid will turn protection status red.

raynor - Posted June 29, 2015

"1, URLs are checked both online and offline, if needed."

Thank you for your reply. Could you please elaborate a bit on what you mean by "if needed"?

Does that mean that URLs are usually checked offline against the virus databases and then, ONLY if something looks suspicious, are checked online in addition? Or does that mean that all URLs are ALWAYS checked offline AND online?

Thanks again!
Raynor

Marcos (Administrators) - Posted July 2, 2015

Any URL you open in a browser is checked online. During an on-demand scan of files on a disk the offline URL blacklist is used.

rugk - Posted July 2, 2015

Oughh... Not that pretty. Is the URL at least hashed before it's checked online? (If so, what hashing algorithm is used?) And maybe much more important: Is this check done via HTTPS?

And the thing with offline scan is confusing: So if you scan the disk offline you can only find some URLs in browser histories or as (very rarely used) .url or .lnk files. What else with URLs could you find? So if you find a malicious URL in the browser history - what do you do with it? Delete it?

And what is much more interesting: If you already have the offline database, why don't you just use it for all checks?

BTW this only affects the detection of malicious URLs, doesn't it? Because the phishing database is updated every 15 minutes and is used offline?

And another strange thing: If the check would be done instantly online, why do you even need VSD updates before you e.g. unblock a false positive website?

Edited July 2, 2015 by rugk

rugk - Posted July 17, 2015

Sorry for bumping this, but could you please answer my questions?

Marcos (Administrators) - Posted July 18, 2015

1, The communication with ESET's LiveGrid servers is secured.
2, Browser's history is not checked.
3, The offline database does not contain most current data. Otherwise a huge amount of data would have to be downloaded every while. It makes no sense to use it for everything, especially when it comes to email and web protection.

We won't disclose internal information of how our security program works for obvious reasons so not all questions may be answered at times.