CFA/Security-Research/MalwareDetection
Current Capabilities
- Notification whenever downloading or installing software
- Warn me when sites try to install add-ons
Upcoming Capabilities
- Tell me if a download is suspected malware - FF3
Features by 3rd parties or other browsers
- Real-time with behavior-based profiling algorithms - Finjan SecureBrowsing FF extension, Haute Secure
- Executable blocked
- Embedded content blocked (ad, video, blog, photo, etc.)
- Page blocked
- Site blocked
- URL Blacklist - StopBadware.org
- Protected Mode - the browser runs in isolation from other applications in the OS, which restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent - IE7
- Cross-domain barriers - prevent script on webpages from interacting with content from other domains or windows; protects against malware by helping prevent malicious websites from exploiting flaws in other websites - IE
Additional features
- Ability to disable handling and downloading of certain file types - FF brainstorm
Screenshots
Haute Secure:
Search result malware detection:
Conclusions
- Phishing information is displayed in the Address Bar, so it makes sense to display Malware information there as well. The UI may take a similar form
- Security page should show up when the browser blocks a page (like Haute Secure)
- Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
- We should make decisions for users where we can, and warn unobtrusively when we cannot
- Finjan FF extension takes too long to load