Under Review

URL to test Website Blocking

  • 8 February 2013
  • 16 replies

Userlevel 7
I am sure I am not the only one who likes to test things out, and wonder if they are really working. I would like to see a specific URL set up just to test the URL blocking of the software. The URL would be included in the list of 'bad sites', but it would actually just have a message with something like "If you can see this, your software might not be correctly blocking known infected sites." You know it is working if the website is blocked, and something is not working if you are able to see it. This would give people like me a safe place to test out the function, as well as being able to openly (maybe) share that URL within the community to others who wish to verify that things are working correctly. What do the rest of you think?

Userlevel 7
[Link to Chinese military zeroday APT removed by staff]
Userlevel 7
I was thinking of something like Browsercheck dot Webroot dot com or something like that. Something hosted BY Webroot to be assured that it is really safe, but will test the functionality.
Userlevel 7
We're going to look into doing this. It would probably be pretty quick and easy to do. Thanks!
Userlevel 7
No.. Thank you!  :D
It's an interesting idea to create a test URL but how do we know if the Webroot anti-malware is not "pre-programmed" to recognize this site or if the site can actually and validly "pose" as a malicious site, given that it is artificially created?  So whichever malicious site is set up, it has to be somehow made to be genuine.  Sorry, but I am not familiar with this aspect of computer and internet security so this may be a silly question, but it would be nice to know how the site would be set up so that it is truly a new surprise to Webroot.
Userlevel 7
The URL blocking, I believe, is done "in the cloud" by a "blacklist". What that means is that when your browser attempts to load a webpage, Webroot's servers check the web address and compare it to a list of known threats. By having the test URL included in the list of known threats (the Blacklist), if the URL blocking is working, it will stop the page from loading. It is actually "pre-programmed" as you say, but that is how it works: any newly found infected website is added to the Blacklist at Webroot's servers and then all Webroot users are instantly protected from that website, even without any new definitions being downloaded to your computer.
Userlevel 7
If you enter a URL over on Brightcloud, you will see a score for that site that is backed up by information about that site.  The information collected about the site is a separate thing from any of our programs that tap into that information database to use the classification.  So it's important to clarify we're talking about two different things here - the database and the programs that use it.
To use an example, if ThisSiteHostsMalware.com (this is fictitious) was observed by a threat researcher to have hosted malware at some point, the database classification takes that information into account, regardless of whether or not it's a malware host at this very second.  If it was seen to have recently been a malware host, it would essentially be blacklisted as such, by virtue of its low site score.  Then, if one of our programs that uses this classification service asks for information about that page, the database can report back that the site is untrustworthy, which triggers the block in the program.  While the site classification is kept up to date regarding malware, it uses factors such as age and popularity to make site score determinations as well.  A site might be very new and very rarely ever visited, for instance, which can lower the score.  Having had a malware infection in the recent past lowers the score very significantly.  There are other factors listed for any site you run through the check as well, such as the category of the site, etc.  The point is, not all of these factors are real-time or directly malware-based, which is normal and good.
How the test site could come in handy is to test the interaction between the program and the threat database it's talking to when a computer that has the program on it is visiting a threat site.  So yes, the test site would be set up to reflect the arbitrary conditions we set for it.  Notably, that is how we self-correct for any false positives already.  If a good site is visited by a researcher and deemed to be good even though the criteria normally used for determination says it's suspicious, it can be granted a good site score, regardless of its age or popularity, after a decision is made by a human.  So the answer to your question is that all of the site scores can be considered "pre-programmed" in some way.  We would not be testing the classification methods themselves, but rather the interaction between the program and the threat database.  This can be handy in cases in which a customer believes this interaction is somehow broken, which is what prompted David to make the idea. 
When it comes to testing the classification rules themselves on the database end, to the best of my knowledge, you're right that you would need an actual threat site to test against.  However, that is not what is being discussed since A. There are already measures in place on our end to QA our classifications and B. It poses the same problem as originally presented in that such a site would be unsharable to individuals asking if the program is doing what it's supposed to be doing.
Userlevel 7
Thank you for the much better explanation than anything I could have done!  :D
Userlevel 5
Hello David,

This is in the works so please stay tuned!

Thank you,
Shawn T
Webroot Product Manager, Support
Userlevel 7
In the words of Phil from Duck Dynasty: "I am happy happy happy!" Thanks Shawn!
Userlevel 7
While this is still something we intend to do, we have to focus on our forthcoming 2014 edition of Webroot SecureAnywhere first. However, we will take this idea back under consideration following its release.
Userlevel 4
What about using the test URL found at http://www.amtso.org/? Would that work?
Userlevel 7
It failed the Anti-Phishing test Firefox 24 & IE10.
Userlevel 7
Fail confirmed using Windows 7 with Chrome.
Userlevel 7
Confirmed on Vista with Opera 17 (Chromium).
So, v2014 has been released a while now. Any progress with this?
EDIT: the amtso phishing test page is blocked here on a machine that still has the 2013 webfiltering, but not blocked on a machine that has been updated to 2014 webfiltering.
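
A scripted version of the check discussed in this thread, added here as an example (it is not code from Webroot, AMTSO or any poster): it fetches a test URL and a known-good control URL and reports whether the test page's canary text came through. The `.example` URLs, the control marker and the outcome labels are assumptions, and the script only exercises a filter that sits in the path of its own requests; a filter that runs only as a browser extension has to be tested in that browser.

```python
import urllib.error
import urllib.request

# Text the proposed test page would display (quoted from the opening post).
CANARY = "If you can see this"

def fetch(url, timeout=10):
    """Return the response body, or None if the connection failed or was cut."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # A block page may arrive with an error status; its body still matters.
        return err.read(65536).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return None

def check_filter(test_url, control_url, control_marker, fetcher=fetch):
    """Classify URL-filter state from one control fetch and one test fetch."""
    control = fetcher(control_url)
    if control is None or control_marker not in control:
        # No working baseline (offline, captive portal): a failed test
        # fetch would say nothing about the filter.
        return "inconclusive"
    body = fetcher(test_url)
    if body is None:
        # Connection dropped by the filter, or the test site itself is down.
        return "unreachable"
    if CANARY in body:
        # The test page rendered, so the listed URL was not blocked.
        return "not-blocked"
    # Something other than the test page was served, e.g. a block page.
    return "blocked"

if __name__ == "__main__":
    # Constructed responses standing in for real fetches, so this runs offline.
    pages = {
        "http://control.example/": "<html>control-ok</html>",
        "http://filter-test.example/": "<html>Blocked by web filter</html>",
    }
    print(check_filter("http://filter-test.example/",
                       "http://control.example/",
                       "control-ok", fetcher=pages.get))
```

Running the same check on each machine gives directly comparable results, which is the kind of difference the last post reports between the 2013 and 2014 web filtering.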