Passive Toolbar Detection
Posted 30 March 2013 - 03:25 PM
Those toolbars are an incredible annoyance and like I said they can often come close to viral behavior. I've gotten rid of my regular antivirus because in the last 8 years it has never had to do anything on my system, nor did any of them ever bother blocking the smaller kind of malware. I installed Immunet again just to have at least a basic protection anyway (without the fancy firewall, sandbox, bla bla), but it doesn't seem to detect even the common Ask toolbar (I downloaded a few toolbars and tested it).
I can imagine the reason for not wanting to block toolbars: they're included in a lot of installers, so detecting them there would mean half of your legitimate downloads get flagged.
That's why I'd like to suggest passively blocking them. When they're detected in a setup, simply alert the user to the fact that there's a toolbar in the installer. Then try to pick out the toolbar's files separately from the legitimate program/installer while it's running. They often come with their own DLLs, EXEs and other specific files (usually in fixed locations too) that can easily be picked out just like any other malicious file can. They also often perform certain typical actions (like specific registry writes) that can be picked up as well.
Would this be possible? If not, I don't see any reason to keep even Immunet installed. But if Immunet could take over the annoying job of having to take care of this smaller kind of malware, it'd be a pretty unique feature for Immunet to brag about and give it a trump card over all other programs.
PS: by toolbar I of course mean both toolbars as well as any other type of small, friendly-acting crapware like half of what Cnet.com has to offer (their download-hijacking techtracker and toolbar-installing downloader).
As a far-fetched alternative, it would be neat if Immunet could somehow cooperate with Inno Setup: a free, customizable and scriptable installer that may be used by anyone. If the two companies can help each other spread, developers may automatically stop using installers that force toolbars and such onto the user and instead use Inno, retroactively decreasing the frequency of finding crapware installers.
Any other initiative similar to this would also help the cause, of course. After all, all good software starts out small and later becomes a standard if it is spread by people with a respected voice. Just look at stories like OpenGL vs DirectX and such, or any other of the classic "white knight"-wares of today.
The meat of the idea is just that it would be great if Immunet (and other protection programs) could finally start dealing with smaller malware as well instead of only handling the big shots, regardless of how it's implemented. MBAM does a slightly better job but it's not good enough.
PS: I just remembered the right word for them: MBAM calls them PUP or Potentially Unwanted Programs
Posted 01 April 2013 - 10:25 PM
Posted 02 April 2013 - 10:32 AM
I think you read my post upside-down...
It might be nice to have one. But I don't really care for tool bars. It would be nice for the users who do like tool-bars though. thumbs up.
Posted 02 April 2013 - 11:07 AM
Some toolbars "can be a real pain" in the you know what to get rid of too as you also pointed out! The AVG toolbar is one. Of course this toolbar is not malicious but it installs files in several different locations in your system and even if you do uninstall it there are leftover files and orphaned registry threads that you have to hunt down and manually delete to completely get rid of it. I mentioned the AVG toolbar because I just updated some software that I use and the installer package had that toolbar included where in the past it did not.
* Immunet Global Forum Moderator *
Posted 02 April 2013 - 03:05 PM
Most do this to keep costs down and to afford to keep offering free versions of their product as they are paid to include these third party toolbars in the installer.
Well yes, but that doesn't mean that security programs can't target and block them (or rather, their post-install files and registry entries) anyway. People do that already, only manually.
Posted 02 April 2013 - 03:56 PM
* Immunet Global Forum Moderator *
Posted 02 April 2013 - 05:25 PM
Well yes, it would be nice if it doesn't bog down the performance, but behavior-based blocking is also not what I'm suggesting here. All I'm suggesting is to include the common toolbars and other sneakware as well instead of only real viruses in the existing detection methods. Include their EXEs and DLLs into the database and leave the rest as is, that way toolbars and such will get detected/cleaned up the moment they're installed just the same as any other malware currently detected by Immunet.
Edit: although I can imagine registry monitoring isn't in the current features, but I can't see that adding much strain to the performance.
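The policy the thread proposes (warn about an installer that bundles a toolbar, block the toolbar's own files once they are dropped), sketched as an added example that is not part of any post and not Immunet's code. It assumes a hash-keyed signature database and uses a ZIP archive as a stand-in for an installer container; the signature, label and file names are constructed.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a toolbar DLL; not a real file or signature.
SAMPLE_TOOLBAR_DLL = b"MZ constructed-toolbar-component v1"

# Signature database (hypothetical): SHA-256 of a PUP component -> label.
PUP_SIGNATURES = {
    hashlib.sha256(SAMPLE_TOOLBAR_DLL).hexdigest(): "PUP.Example.Toolbar",
}

MAX_MEMBER_SIZE = 64 * 1024 * 1024  # skip oversized members (archive bombs)


def match(data: bytes):
    """Return the PUP label for these exact bytes, or None."""
    return PUP_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def classify(data: bytes):
    """Return (verdict, label) with verdict 'block', 'alert' or 'allow'."""
    label = match(data)
    if label:
        return ("block", label)  # a dropped toolbar file on its own
    stream = io.BytesIO(data)
    if zipfile.is_zipfile(stream):
        with zipfile.ZipFile(stream) as bundle:
            for member in bundle.infolist():
                if member.is_dir() or member.file_size > MAX_MEMBER_SIZE:
                    continue
                label = match(bundle.read(member))
                if label:
                    return ("alert", label)  # installer kept, user warned
    return ("allow", None)


def build_sample_installer(include_toolbar: bool) -> bytes:
    """Build a constructed bundle: one program plus an optional toolbar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("app/program.exe", b"MZ constructed-legitimate-program")
        if include_toolbar:
            bundle.writestr("extras/toolbar.dll", SAMPLE_TOOLBAR_DLL)
    return buf.getvalue()
```

Exact-hash matching only catches byte-identical components, so a repacked or updated toolbar file needs a new database entry.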