CFA/Security-Research/MalwareDetection: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
 
(9 intermediate revisions by the same user not shown)
Line 10: Line 10:


=== Upcoming Capabilities ===  
=== Upcoming Capabilities ===  
* Tell me if a download is suspected malware - FF3
* Display error page when malware page is found - FF3
** Malware checking blocks page loads
** Check malware URL blacklist (like StopBadware.org)
** API to allow callers to determine if given URI is in the blacklist


=== Features by 3rd parties or other browsers ===  
=== Features by 3rd parties or other browsers ===  
Line 16: Line 19:
** Executable blocked
** Executable blocked
** Embedded content blocked (ad, video, blog, photo, etc.)
** Embedded content blocked (ad, video, blog, photo, etc.)
** Page blocked
** Page blocked (in FF3)
** Site blocked
** Site blocked
* URL Blacklist - StopBadware.org
** One click to permanently add site to whitelist
* Protected Mode - runs in isolation from other applications in the OS.  Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent - IE7
* Protected Mode - runs in isolation from other applications in the OS.  Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent - IE7
* Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites - IE
* Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites - IE
* Using virtual machine techniques - GreenBorder (bought by Google)
* Integrate sandboxing feature like Sandboxie, GreenBorder, or IE extension SpyWall Anti-Spyware; integrate virus scanning and malware protection for retrieved content/files


=== Additional features ===  
=== Additional features ===  
* Integrate sandboxing feature like Sandboxie or IE extension SpyWall Anti-Spyware; integrate virus scanning and malware protection for retrieved content/files - FF brainstorm
* Ability to disable handling and downloading of certain file types - FF brainstorm
* Ability to disable handling and downloading of certain file types - FF brainstorm
* Extension installation - one click to permanently add site to whitelist - FF brainstorm


=== Screenshots ===
=== Screenshots ===
Line 45: Line 46:


=== Conclusions ===
=== Conclusions ===
* Phishing information is displayed in the Address Bar, so it makes sense to display Malware information there as well.  UI may take similar form
* We should make decisions for users where we can, and warn without being annoying when we cannot
* Security page should show up when the browser blocks a page (like Haute Secure)
* Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
* Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
* We should make decisions for users where we can, and warn unobtrusively when we cannot
* Integrate sandboxing to perform real-time checking for malware.  Each malicious website is short-lived, so blacklists limit protection
* Finjan FF extension takes too long to load
* Finjan FF extension takes too long to load

Latest revision as of 06:47, 8 August 2007

« Comparative Feature Analyses
« Security Notes
« Security Research

Current Capabilities

  • Notification whenever downloading or installing software
  • Warn me when sites try to install add-ons

Upcoming Capabilities

  • Display error page when malware page is found - FF3
    • Malware checking blocks page loads
    • Check malware URL blacklist (like StopBadware.org)
    • API to allow callers to determine if given URI is in the blacklist

Features by 3rd parties or other browsers

  • Real-time with behavior-based profiling algorithms - Finjan SecureBrowsing FF extension, Haute Secure
    • Executable blocked
    • Embedded content blocked (ad, video, blog, photo, etc.)
    • Page blocked (in FF3)
    • Site blocked
    • One click to permanently add site to whitelist
  • Protected Mode - runs in isolation from other applications in the OS. Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent - IE7
  • Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites - IE
  • Integrate sandboxing feature like Sandboxie, GreenBorder, or IE extension SpyWall Anti-Spyware; integrate virus scanning and malware protection for retrieved content/files

Additional features

  • Ability to disable handling and downloading of certain file types - FF brainstorm

Screenshots

Haute Secure:

MalwareHauteSecureButton.PNG

MalwareHSembeddedContentBlocked.PNG

MalwareHSembeddedContentBlocked2.PNG

MalwareHSsiteBlocked.PNG

Search result malware detection:

File:MalwareFinjanFFext.PNG

Conclusions

  • We should make decisions for users where we can, and warn without being annoying when we cannot
  • Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
  • Integrate sandboxing to perform real-time checking for malware. Each malicious website is short-lived, so blacklists limit protection
  • Finjan FF extension takes too long to load
Retrieved from "https://wiki.mozilla.org/index.php?title=CFA/Security-Research/MalwareDetection&oldid=64848"