Security Software Moves Toward Blocking Sites
For years, computer security software lurked in the background and tried to stop viruses and other malicious programs as they attacked your computer. Newer products are trying to keep users from reaching Web sites before the programs can even launch an attack, essentially stopping threats at the source.
On Monday, McAfee Inc. unveiled software for blocking sites identified by the company's researchers as troublesome. They include sites that distribute "spyware" and "adware" programs that track your computer usage or bombard you with pop-up ads.
The offering follows last month's release of new browsers -- Microsoft Corp.'s Internet Explorer 7 and Mozilla's Firefox 2 -- packaged with tools that block users from known and suspected "phishing" sites, which try to steal passwords by mimicking legitimate sites.
Earlier, OpenDNS LLC, a vendor of the domain name directories that help browsers locate Web sites, gave service providers, companies and other customers the option of striking known phishing sites from the databases, making them appear nonexistent when browsers try to look up their locations.
McAfee likened its approach to the defense team in a soccer match. Only when users pass that first line of defense would traditional security products -- the goalie -- kick in by trying to detect a malicious program by its characteristics or its behavior.
"We think it's a great complement, an early defense," said Kelly Ford, McAfee's marketing director. He described the traditional security measures as "heavy artillery."
McAfee already offers a free SiteAdvisor tool to warn users of trouble sites. When users try to visit a site, SiteAdvisor first checks the address against McAfee's database of 8 million sites and returns a "red," "yellow" or "green" recommendation. Similar information is provided for results of queries made to Google Inc. and other major search engines.
With the SiteAdvisor Plus product launching Monday, "red" and "yellow" sites are blocked completely, and a password is needed to override the software. The premium version also checks links within some e-mail and instant messages and includes a phishing filter similar to the browsers'.
McAfee will continue to sell anti-virus, anti-spyware and other traditional security products. SiteAdvisor Plus, which sells for $25 a year for a single user and $50 for a household with three computers, can run with traditional security software from competitors, Ford said.
Meanwhile, Symantec Corp. incorporated an address-based phishing filter into its newer products, Norton Internet Security 2007 and Norton Confidential.
Johannes B. Ullrich, chief research officer with the SANS Institute security group, said such address-based products are actually easier to implement than traditional approaches and reduce the chances that legitimate programs will be blocked.
Some Internet service providers already block a handful of problem sites, but "the maintenance of such block lists is typically too expensive for an ISP," Ullrich said. The newer products, he said, make larger and more current block lists available.
Limitations do exist with address-based systems.
For one, it could take hours or days for researchers to discover a new site to add to the banned list, whereas traditional software might detect an old threat on a new site right away.
Many systems also require that the Web address be checked against a central database over the Internet before a page can load -- in McAfee's case, potentially adding a second or two.
For that reason, Microsoft stuck with an anti-phishing tool, said Gary Schare, director of Internet Explorer product management. He said phishing sites are different because IE can still begin loading the page while the check is made; it'd take more than a few seconds before a user begins typing a password anyway. With malicious software, the attack can begin immediately.
Historically, address-based blocking has been limited to filters for pornography, gambling and other sites deemed inappropriate for children or the workplace. Some anti-phishing products had existed, but generally as part of browser toolbars that users must download.
The greater availability of address-blocking tools could raise questions of censorship, though vendors say users can override any blocks and Web site owners can challenge listings.
And real-time checks require users to trust the vendor's privacy practices.
Mozilla ships Firefox with a browser-based block list updated at least once an hour, meaning Web addresses aren't sent to a remote database for checking. But for the most current lists, Firefox lets users send addresses to a service run by Google with other options to come.
Microsoft did not bother with a browser-based list, considering it "guaranteed to be out of date," Schare said, adding that IE sometimes strips the portion of Web addresses that may contain personal information.
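The two designs described above can be combined in one check, sketched here as an added example that is not code from Mozilla, Microsoft or any other vendor named in this article. It consults a local block list first, so listed addresses never leave the machine, and for anything else it builds a reduced address for a remote lookup. The host names are constructed, and treating the query string, fragment and embedded credentials as the parts that may carry personal information is an assumption.

```javascript
// Added illustration; block list entries are constructed sample data.
const LOCAL_BLOCK_LIST = new Set(["login-verify.example", "free-prizes.example"]);

// Hostname plus each parent domain, most specific first, so that a
// listed domain also covers its subdomains. The bare TLD is skipped.
function hostCandidates(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const out = [];
  for (let i = 0; i < Math.max(1, labels.length - 1); i++) {
    out.push(labels.slice(i).join("."));
  }
  return out;
}

// Assumption: credentials, query string and fragment are the portions
// that may hold personal data, so they are dropped before any lookup.
function minimizeForLookup(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.search = "";
  u.hash = "";
  return u.href;
}

// Decide locally when possible; otherwise return only the reduced
// address that a remote reputation service would be asked about.
function checkAddress(rawUrl, blockList = LOCAL_BLOCK_LIST) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { action: "invalid", reason: "unparseable", remoteQuery: null };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { action: "allow", reason: "not-web", remoteQuery: null };
  }
  const hit = hostCandidates(url.hostname).find((h) => blockList.has(h));
  if (hit) {
    return { action: "block", reason: `local-list:${hit}`, remoteQuery: null };
  }
  return {
    action: "ask-remote",
    reason: "not-on-local-list",
    remoteQuery: minimizeForLookup(url),
  };
}
```

A local hit returns `remoteQuery: null`, which is the privacy property of the browser-based list; the trade-off the article notes is that the list is only as current as its last update.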
With IE, the browser's address bar on top turns red when a visitor tries to access a known phishing site. With Firefox, the entire browser is grayed, save for a warning in a pop-up balloon.
Christopher Beard, Mozilla's vice president of products, said software developers are having to develop new security techniques as the Web browser plays a greater role in commerce, banking and other facets of life.
"While the Web's evolving and people are moving online, so are the threats and the risks," Beard said. "Everyone including us are looking for ways to protect people from those risks."