167 Views
WEB protection of antivirus
WEB protection of antivirus

WEB protection is one of the modules of the antivirus protection arsenal that continuously analyzes the established connections and filters them. 
This page describes how the antivirus WEB protection works by blocking malicious sites and URLs. 
For a description and more general functioning of the antivirus, go on the page:  The antivirus: use and functioning

How WeB protections work

The antivirus WEB protection is a protection module in its own right that aims to protect WEB site computers and malicious web connections. 
If malicious content is detected, the threat is blocked and the WEB connection is interrupted, this interruption is important to ensure that the chain of infection is broken and the installation of the Trojan horse is possible. 
The problem is especially this cut of WEB connections and the control of the WEB flow. Indeed, if the antivirus detects a connection to a Web Exploit, emits an alert but does not cut the connection, the Web Exploit can continue the installation of the Trojan. 
Similarly, for a web page that blocks the WEB browser as Browlock or  Phone Support Scams – PC Support. If the antivirus blocks the connection to the malicious page, the web browser can be unblocked more easily.

Clearly, your antivirus has a WEB agent or WEB protection module that analyzes the WEB pages visited:

  • If a WEB site by its address is known to be blacklisted, the connection to it will be blocked and an alert will be issued. This can range from known WEB sites to host malicious content, to search engines linked to Browser Hijacker  ( BrowserModifier: Win32  at Microsoft)

Example with WEB protection with Avast!

At Avast !, the detection and infection is URL: MAL for Malicious URL.

  • WEB protection also analyzes the content of WEB pages, if malicious code is detected, the antivirus also blocks access. Often it is detection including the word JS for JavaScript or HTML for HTML page like JS / Redir or HTML: RedirMe-Inf  . Most of the time, it is malicious script (Javascript) that aims to redirect when loading a page, to malicious content, mainly Web Exploit .

Thus, if an alert is issued by the antivirus, when visiting a WEB site, the connection to the latter is cut off. 
Firefox displays the message ”  The connection has been reset “, Google Chrome displays the message ”  This site is unreachable “.

Threats blocked by WEB protection and notifications:

WEB protection not only checks WEB browsers connections but all processes that can connect to a WEB site. 
Thus, if a Trojan is installed on the computer and the control server address (see  How trojans work ), or a malicious file is trying to be downloaded, the antivirus can block the connection and issue an alert.

Here is for example the antivirus Avast! with the protection agents and WEB agents.

In general, for WEB filtering and WEB protection, you can also read this page which presents some tools:  Filtering and WEB protection

Blacklist (Blacklist) VS content analysis of WEB pages

The Blacklist is a malicious address database maintained by the Antivirus Editor. 
The listed addresses are known to host or distribute malware (viruses, trojans etc) . 
The connection to the site will be instantly blocked.

The antivirus WEB protection also analyzes the content of the WEB pages (the source code), if a malicious script is detected, the antivirus emits an alert and blocks the connection. 
This analysis works exactly like the file analysis but at the level of the WEB pages. 
The detections regarding these threats are usually labeled HTML or JS – eg: Trojan.Script.Heuristic-JS 
Below a detection of a malicious script HTML: Script-Inf by Avast!

For example, Microsoft can detect JS / TechBrolo on phone scam phone scam pages – PC Support.

What if your antivirus blocks a web page?

If a webpage has been blocked, your computer is not normally infected, since the malicious content has been blocked upstream. 
You can check by performing a scan of the computer. 
You can also perform a Malwarebytes Anti-Malware (MBAM) free version cleaning  .

If a malicious Web page is blocked regularly, even the WEB browser closed, then it is possible that an adware or trojan is active on the computer. 
The antivirus blocking the connections of the latter.

A disinfection of Windows is then to consider.

  • Delete Adware  and  Disinfection PUPs – PUP.Optional / Adwares
  • Disinfection and virus removal tutorial

To get personalized help, you can also create a topic on the forum:  VIRUS: Delete / Disinfect (Trojan, Adware, Ransomware, Backdoor, Spywares)

Other WEB protection

I remind you that internet browsers  also include modules for detecting malicious pages, as follows:

  • Google Chrome and Mozilla Firefox uses  Google SafeBrowsing
  • SmartScreen for Microsoft Internet Browsers: Internet Explorer and Microsoft Edge .