In Search of the Best Web Security Solutions

It's no longer possible to stay secure on the Web using best practices; eWEEK Labs' Andrew Garcia tests a variety of Web security technology solutions and finds that most come up short.

Security companies have been getting more creative with offerings designed to shore up the Web browser by introducing a variety of solutions for the consumer market aimed at helping Web surfers make more intelligent and informed decisions about the sites they visit and the code they download.
The security companies designed these solutions to aid their most vulnerable and least savvy customers, so these technologies have not yet become part of the enterprise security suite feature set. However, you can expect some of these capabilities to find their way into the enterprise as users and administrators aim to lock down the browser.

During the past 12 months, I've experimented with a wide variety of Web security add-ons from a number of providers. I've found some things to like about most of them, but not enough to keep me using any of them for any length of time.

I started this investigation as a personal experiment. Up until last year, I was confident in my ability to avoid malware-to the point that I did not feel I needed anti-virus software on my personal machines.

I employed a range of corporately inspired best practices-patching the operating system, browser and applications in a timely fashion; running with limited rights on the local system; zealously avoiding attachments or doing anything stupid such as clicking on a suspected phish.

But, as the specter of Web-borne threats increased-particularly from sites I would normally trust-I started losing faith in my abilities to sniff out trouble before it ensnared me. I swallowed my pride and installed anti-virus on anything I browsed the Web with, and then started looking for even better security.

I started my exploration with the NoScript extension for the Firefox browser, a solution that strips Web sites down to their bare minimum by default-blocking Java, JavaScript, Flash and other plug-ins from running any code without my express approval. If I wanted to let something run, I could whitelist the Web site permanently or for the current session only. Or, I could approve only the particular applet that I wanted to run individually.

Then and now, NoScript has been my preferred method of locking down the Web browser, but those with whom I share my computers did not favor the level of granular control it requires. So, I started looking for something less intrusive.

During the last year, I've sampled three Web site reputation validation solutions: McAfee's SiteAdvisor Plus, Exploit Prevention Labs' LinkScanner Pro (recently acquired by AVG Technologies) and Trend Micro's TrendProtect. (In July, Symantec joined the ranks, announcing a beta program for SafeWeb, a new plug-in for Norton Internet Security 2009 that will provide similar services.)

SiteAdvisor Plus, LinkScanner and TrendProtect each aim to provide the user with critical information about a Web site before the user actually goes to the site, by presenting a quick visual signal (with a green, yellow or red indicator) about the relative trustworthiness of the site. This information can be imparted on a one-by-one basis (by a user verifying a particular link) or for multiple links as part of a Web search conducted on one of the big search engines.

SiteAdvisor Plus (which costs $20 for one PC per year) and LinkScanner Pro (also $20 for one PC a year) offer more in-depth validations than TrendProtect, which is free. (Both SiteAdvisor and LinkScanner also come in free versions, with a limited feature set.)

All three products base reputation on site information (such as when the domain was registered and in what country the site is hosted) and whether the site is known to host phishing or spoofing attempts.

SiteAdvisor and LinkScanner go further by looking for the existence of true threats on the sites by scanning for malware-albeit in very different ways.

SiteAdvisor performs its malware scans periodically, calling into question how accurate current findings may be since a scan could have been conducted months earlier, thereby missing recently added malware. In fact, since I started using the program last year, I've found McAfee has stopped reporting the date of the last scan conducted, leaving it a mystery to the user. Also, McAfee's score reflects an entire site, so SiteAdvisor could deny a legitimate Web site with malware on one hacked page.

But I like that SiteAdvisor weighs a site's affiliation as part of the assessment, punishing a site for linking to other sites with bad reputations. Also, SiteAdvisor tracks how much spam is generated by submitting an e-mail address to a site.

LinkScanner, on the other hand, performs malware scans at the user's request and evaluates each link (not just the whole site). So, if a user performs a search in Google, LinkScanner will crawl through each of the linked search findings listed on the first page to look for malicious code. I found that scans such as this were relatively quick as long as searches were limited to 10 items per page, but would hang interminably when my search preferences were set to deliver 100 items per page.

TrendProtect offers no malware scans. Instead, the program asks users to identify categories of content they want to avoid-such as sex or drug use. This approach is highly reminiscent of the Web-filtering software designed to protect children (or keep procrastinating adults away) from certain types of Web sites, rather than protecting against malicious code.

TrendProtect also provides the user with significantly less insight into how rating decisions are arrived at than competing solutions.

Only McAfee is trying to position its validation solution for corporate customers, integrating management and distribution support for SiteAdvisor Plus into its central management console. However, McAfee's biggest move to increase SiteAdvisor adoption was to partner with Yahoo to present the validation results automatically to anyone doing a search on via the SearchScan beta program, even those who do not have the software installed.

For the last couple weeks, I've been testing solutions designed to complement existing anti-virus solutions with additional in-line traffic scans. Check Point's ZoneAlarm ForceField utilizes in-line scanning along with a virtualized browser instance to protect the operating system from the browser and the content it receives. (See my review here.)

Meanwhile, Trend Micro has ramped up its modularized Web protection with the new Web Protection Add-On 1.2, designed to work seamlessly side by side with anti-virus solutions from Trend Micro, McAfee, Symantec, Sophos, Microsoft and Kaspersky.

The Web Protection Add-On monitors outbound Web requests and performs a scan of the incoming web traffic before it can get to the requesting browser. The add-on also monitors inbound traffic, looking for telltale signs of bot activity. Because the Add-On listens at the protocol level, it does require the use of a specific browser.

The Web Protection Add-on is currently available only as a 90-day free trial; firm pricing details are expected soon.

Senior Analyst Andrew Garcia can be reached at [email protected]