CFA/Security-Research/MalwareDetection: Difference between revisions

From MozillaWiki
Line 46:
=== Conclusions ===
− * We should make decisions for users where we can, and warn unobtrusively when we cannot
  * Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
+ * We should make decisions for users where we can, and warn unobtrusively when we cannot.  Warnings must be bold and discoverable, and make it difficult for the user to select the "wrong" option
  * Integrate sandboxing to perform real-time checking for malware.  Each malicious website is short-lived, so blacklists limits protection
  * Finjan FF extension takes too long to load
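Review bot: the rewritten first bullet now asks for warnings that are both "unobtrusive" and "bold and discoverable", which a reader cannot reconcile from the bullet alone; consider stating which applies when, e.g. an unobtrusive Address Bar indicator for advisory notices (as the next bullet proposes) and a bold, hard-to-dismiss warning only in the cases where the browser cannot make the decision for the user.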

Revision as of 00:24, 3 August 2007


Current Capabilities

  • Notification whenever downloading or installing software
  • Warn me when sites try to install add-ons

Upcoming Capabilities

  • Display error page when malware page is found - FF3
    • Malware checking blocks page loads
    • Check malware URL blacklist (like StopBadware.org)
    • API to allow callers to determine if given URI is in the blacklist
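The blacklist check and lookup API described above, as an added Python illustration (this is not Firefox's own code or API; the canonicalization rules, the host-suffix/path-prefix matching scheme, and the sample blacklist entries are all assumptions made for this example):

```python
"""
Toy URL-blacklist lookup: canonicalize a URI, then test host-suffix /
path-prefix candidates against a local blacklist.

Added illustration, not Firefox's actual malware-check API. The blacklist
entries and the URIs used in the examples are constructed sample data.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample blacklist: entries are "host/path" where the path is a
# prefix (a trailing "/" means "everything under this directory").
SAMPLE_BLACKLIST = {
    "bad.example/",              # whole site
    "cdn.example/ads/evil/",     # one directory on an otherwise clean host
    "host.example/drop.exe",     # one exact file
}


def canonicalize(uri: str) -> tuple:
    """Return (host, path) in a normalized form so trivial respellings
    ("HTTP://Bad.EXAMPLE:80/./a/../x#f") do not dodge a lookup."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("only http/https URIs are checked")
    host = (parts.hostname or "").lower().strip(".")
    path = parts.path or "/"
    # Repeatedly percent-decode (bounded), then collapse "." / ".." segments.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    norm = "/" + "/".join(segments)
    if path.endswith("/") and norm != "/":
        norm += "/"
    if parts.query:
        norm += "?" + parts.query
    return host, norm


def lookup_keys(host: str, path: str):
    """Yield the "host/path" keys to consult, most specific first: the full
    host plus up to four parent domains (never the bare TLD), each combined
    with the full path, the path without its query, and every directory
    prefix down to "/"."""
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    hosts = hosts[:5]

    bare = path.split("?", 1)[0]
    paths = [path] if "?" in path else []
    paths.append(bare)
    dirs = bare.split("/")[1:-1]          # intermediate directory names
    for n in range(len(dirs), -1, -1):
        prefix = "/" + "/".join(dirs[:n]) + ("/" if n else "")
        if prefix not in paths:
            paths.append(prefix)
    for h in hosts:
        for p in paths:
            yield h + p


def is_blacklisted(uri: str, blacklist=SAMPLE_BLACKLIST):
    """Return the blacklist entry that matches the URI, or None if clean."""
    host, path = canonicalize(uri)
    for key in lookup_keys(host, path):
        if key in blacklist:
            return key
    return None


if __name__ == "__main__":
    for sample in ("HTTP://Bad.EXAMPLE:80/anything/here.html",
                   "https://www.cdn.example/ads/%65vil/x.php?q=1",
                   "https://cdn.example/images/logo.png",
                   "http://host.example/a/../drop.exe"):
        print(sample, "->", is_blacklisted(sample))
```

The canonicalization step is what gives a blacklist its value: the same malicious page can be spelled with mixed-case hosts, explicit default ports, percent-encoded path characters or `..` segments, and a naive string match would miss all of them. A real client would additionally keep a locally cached copy of the list, refresh it frequently (the page notes that malicious sites are short-lived) and, where privacy matters, look up hashed prefixes rather than plain URLs.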

Features by 3rd parties or other browsers

  • Real-time with behavior-based profiling algorithms - Finjan SecureBrowsing FF extension, Haute Secure
    • Executable blocked
    • Embedded content blocked (ad, video, blog, photo, etc.)
    • Page blocked (in FF3)
    • Site blocked
    • One click to permanently add site to whitelist
  • Protected Mode - runs in isolation from other applications in the OS. Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent - IE7
  • Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites - IE
  • Integrate sandboxing feature like Sandboxie, GreenBorder, or IE extension SpyWall Anti-Spyware; integrate virus scanning and malware protection for retrieved content/files

Additional features

  • Ability to disable handling and downloading of certain file types - FF brainstorm

Screenshots

Haute Secure:
  [screenshots: MalwareHauteSecureButton.PNG, MalwareHSembeddedContentBlocked.PNG, MalwareHSembeddedContentBlocked2.PNG, MalwareHSsiteBlocked.PNG]

Search result malware detection:
  [screenshot: File:MalwareFinjanFFext.PNG]

Conclusions

  • We should make decisions for users where we can, and warn unobtrusively when we cannot
  • Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
  • Integrate sandboxing to perform real-time checking for malware. Each malicious website is short-lived, so blacklists limit protection
  • Finjan FF extension takes too long to load