
Passive Toolbar Detection

6 replies to this topic

#1 Faziri


Posted 30 March 2013 - 03:25 PM

Toolbars are included in a lot of program installers. Some are relatively minor, like the easily fixable Ask and Babylon toolbars, but some are quite a lot closer to what could be called a virus, like Mixidj and its Delta toolbar. The latter took me over an hour to clean out of my system: it had spread itself into all of my browsers, the program files, appdata, programdata, Windows\Installer dir, etc., and kept repairing itself out of thin air whenever I took out a chunk of it. Before you ask, I'm a power user and I know everything in my system inside-out, so if even I need an hour to fix it, then yes, that toolbar is a really sneaky little thing.

Those toolbars are an incredible annoyance and like I said they can often come close to viral behavior. I've gotten rid of my regular antivirus because in the last 8 years it has never had to do anything on my system, nor did any of them ever bother blocking the smaller kind of malware. I installed Immunet again just to have at least a basic protection anyway (without the fancy firewall, sandbox, bla bla), but it doesn't seem to detect even the common Ask toolbar (I downloaded a few toolbars and tested it).

I can imagine the reason for not wanting to block toolbars: they're included in a lot of installers, so detecting them there would mean half of your legitimate downloads get flagged.

That's why I'd like to suggest passively blocking them. When they're detected in a setup, simply alert the user to the fact that there's a toolbar in the installer. Then try to pick out the toolbar's files separately from the legitimate program/installer while it's running. They often come with their own DLLs, EXEs and other specific files (usually in fixed locations too) that can easily be picked out just like any other malicious file can. They also often perform certain typical actions (like specific registry writes) that can be picked up as well.

Would this be possible? If not, I don't see any reason to keep even Immunet installed. But if Immunet could take over the annoying job of having to take care of this smaller kind of malware, it'd be a pretty unique feature for Immunet to brag with and give it a trump card over all other programs.

PS: by toolbar I of course mean both toolbars as well as any other type of small, friendly-acting crapware like half of what Cnet.com has to offer (their download-hijacking techtracker and toolbar-installing downloader).

-----

As a far-fetched alternative, it would be neat if Immunet could somehow cooperate with Inno Setup: a free, customizable and scriptable installer that may be used by anyone. If the two companies can help each other spread, developers may automatically stop using installers that force toolbars and such onto the user and instead use Inno, retroactively decreasing the frequency of finding crapware installers.

Any other initiative similar to this would also help the cause, of course. After all, all good software starts out small and later becomes a standard if it is spread by people with a respected voice. Just look at stories like OpenGL vs DirectX and such, or any other of the classic "white knight"-wares of today.

-----

The meat of the idea is just that it would be great if Immunet (and other protection programs) could finally start dealing with smaller malware as well instead of only handling the big shots, regardless of how it's implemented. MBAM does a slightly better job but it's not good enough.

PS: I just remembered the right word for them: MBAM calls them PUP or Potentially Unwanted Programs.

#2 Zurchiboy


Posted 01 April 2013 - 10:25 PM

It might be nice to have one. But I don't really care for tool bars. It would be nice for the users who do like tool-bars though. thumbs up.

#3 Faziri


Posted 02 April 2013 - 10:32 AM

> It might be nice to have one. But I don't really care for tool bars. It would be nice for the users who do like tool-bars though. thumbs up.

I think you read my post upside-down...

#4 ritchie58


Posted 02 April 2013 - 11:07 AM

I agree with you Faziri about toolbars. I would rather have another hole in my head than install any third party toolbar to any browser I use, lol! Seriously though, like you pointed out it's becoming all too common for companies to include their own or other third party toolbars in their installers. Most do this to keep costs down and to afford to keep offering free versions of their product as they are paid to include these third party toolbars in the installer. Today when installing or updating software one has to be very careful what you click on or accept during the installation process or you end up with something you didn't want. Some installers won't even give you the choice to "opt out" which is rather underhanded in my view. You end up with stuff you didn't expect or want installed.

Some toolbars "can be a real pain" in the you know what to get rid of too as you also pointed out! The AVG toolbar is one. Of course this toolbar is not malicious but it installs files in several different locations in your system and even if you do uninstall it there are leftover files and orphaned registry threads that you have to hunt down and manually delete to completely get rid of it. I mentioned the AVG toolbar because I just updated some software that I use and the installer package had that toolbar included where in the past it did not.

Regards, Ritchie...

* Immunet Global Forum Moderator *


#5 Faziri


Posted 02 April 2013 - 03:05 PM

> Most do this to keep costs down and to afford to keep offering free versions of their product as they are paid to include these third party toolbars in the installer.


Well yes, but that doesn't mean that security programs can't target and block them (or rather, their post-install files and registry entries) anyway. People do that already, only manually.

#6 ritchie58


Posted 02 April 2013 - 03:56 PM

There exists software that will do just that already. I was given a free one year license for Emsisoft's Mamutu to evaluate. Mamutu is a behavior analysis and blocking program. http://www.mamutu.co...oftware/mamutu/ It would notify you if an installer was attempting to install other than the intended software and give you the option to permit or block the additional install. If Immunet could include some type of behavior analysis/blocker like Mamutu that would be a real plus! That's if Immunet could still maintain a low system footprint by adding this feature I would be all for it.

* Immunet Global Forum Moderator *


#7 Faziri


Posted 02 April 2013 - 05:25 PM

~snip~


Well yes, it would be nice if it doesn't bog down the performance, but behavior-based blocking is also not what I'm suggesting here. All I'm suggesting is to include the common toolbars and other sneakware as well instead of only real viruses in the existing detection methods. Include their EXEs and DLLs into the database and leave the rest as is, that way toolbars and such will get detected/cleaned up the moment they're installed just the same as any other malware currently detected by Immunet.

Edit: although I can imagine registry monitoring isn't in the current features, but I can't see that adding much strain to the performance.



