CFA/Security-Research/MalwareDetection
From MozillaWiki
< CFA | Security-Research
« Comparative Feature Analyses
« Security Notes
« Security Research
Contents
Current Capabilities
- Notification whenever downloading or installing software
- Warn me when sites try to install add-ons
Upcoming Capabilities
- Display error page when malware page is found - FF3
- Malware checking blocks page loads
- Check malware URL blacklist (like StopBadware.org)
- API to allow callers to determine if given URI is in the blacklist
Features by 3rd parties or other browsers
- Real-time with behavior-based profiling algorithms - Finjan SecureBrowsing FF extension, Haute Secure
- Executable blocked
- Embedded content blocked (ad, video, blog, photo, etc.)
- Page blocked (in FF3)
- Site blocked
- One click to permanently add site to whitelist
- Protected Mode - runs in isolation from other applications in the OS. Restricts exploits and malware from writing to any location beyond Temporary Internet Files without explicit user consent - IE7
- Cross-domain barriers - prevent script on webpages from interacting with content from the other domains or windows; protects against malware by helping prevent malicious websites from manipulating flaws in other websites - IE
- Integrate sandboxing feature like Sandboxie, GreenBorder, or IE extension SpyWall Anti-Spyware; integrate virus scanning and malware protection for retrieved content/files
Additional features
- Ability to disable handling and downloading of certain file types - FF brainstorm
Screenshots
Haute Secure:
Search result malware detection:
Conclusions
- We should make decisions for users where we can, and warn without being annoying when we cannot
- Specific content blocking and other warnings should display an indicator in the Address Bar with more information upon user click (like Haute Secure)
- Integrate sandboxing to perform real-time checking for malware. Each malicious website is short-lived, so blacklists limit protection
- Finjan FF extension takes too long to load
