
Why users need the HTTP monitor SpIDer Gate


Tuesday, April 23, 2024

In our Anti-virus Times issues, we often talk about the importance of using comprehensive protection to shield devices from virus threats. This applies not only to computers running Windows — every operating system requires a special approach to security due to certain features pertaining to their operation, architecture and purpose. At the same time, users of home devices, who tend to choose Windows or macOS, are potentially exposed to a huge number of digital threats. And we are not just talking about possible malware infections, especially in the case of Windows, which is still far ahead in this indicator. There are other dangers — for example, network fraud, which, unfortunately, is inseparable from the Internet. Considering that our lives are increasingly moving online, the activity that fraudsters engage in is a real curse for the modern digital environment.

As for virus threats, the main channel used to spread them is the Internet. For example, trojans, backdoors, encryption ransomware, and other dangerous programs are often disguised as useful software that users search for on various sites. Do not forget that the Internet also contains many links to sites where infected executable files are distributed or malicious scripts are at work.

Of course, a good anti-virus should neutralize threats when they appear on the hard disk or in the RAM of a device, regardless of how the malicious code got into the system. A number of detection technologies and methods are used for this purpose. But in modern realities, it is extremely important to have an additional layer of protection aimed at ensuring that a computer and its user are secure when working online. Therefore, an important task of anti-virus software is to control and filter network traffic passing through a protected computer. In today's article, we will talk about the SpIDer Gate module, which is part of the comprehensive product Dr.Web Security Space for computer protection. In Dr.Web products, this component is also called the HTTP monitor.

What is the HTTP monitor?

SpIDer Gate is included in Dr.Web Security Space for Windows, macOS and Linux. Although the general idea is the same in all cases, some implementation features and module capabilities differ due to the fundamental differences between the operating systems themselves. Below we will look at SpIDer Gate in the context of the most common system, Windows.

The HTTP monitor SpIDer Gate is an online monitor that scans and filters web traffic. Traffic in a general sense is the amount of data transmitted over a network. We will not go into technical details; in this article we will talk about traffic transmitted over the HTTP protocol and its secure version, HTTPS. HTTP (HyperText Transfer Protocol) is an application-level network protocol that runs on top of the TCP/IP protocol stack. Different programs use different protocols to exchange information. For example, when a computer is connected to the Internet, its operating system typically has multiple network connections open, and most of them operate invisibly for users. The OS connects to the necessary servers from time to time to check for and download updates. Applications can also use the Internet for a variety of purposes: to authenticate licenses, to download updates and files, to send diagnostic data, statistics and telemetry, and so on. Some connections are visible to the user, for example, when a user visits sites using a browser. The HTTP protocol allows a browser to interact with the web server, receive and display the content of pages, and download files. In addition to browsers, many applications carry out network interaction using HTTP. It should be noted that web traffic makes up the lion's share of the exchange generated by users when working on the Internet.

The HTTP monitor SpIDer Gate analyzes such traffic for malicious objects in real time. In this case, data scanning does not depend on the browser or application, or on the port through which the web traffic passes. Depending on the settings, SpIDer Gate can scan both incoming and outgoing traffic, as well as data transmitted over the secure HTTPS protocol. Malicious objects and infected pages are automatically blocked before they are downloaded to the computer, which greatly increases the device's security. In addition, SpIDer Gate is responsible for filtering out phishing resources and sites that distribute malware. To do this, data from the cloud service and current Dr.Web virus databases are used.

How does SpIDer Gate work?

The SpIDer Gate component is based on the Dr.Web Net filtering Service, which also ensures the operation of Parental Control and the Dr.Web SpIDer Mail component. This service is a filter and, like a proxy server, it passes all network connections through itself in order to scan traffic. The constant background operation of the service and HTTP monitor SpIDer Gate barely affects the PC's speed and the quality of the Internet connection. It is worth mentioning separately that the Dr.Web Net filtering Service does not consume network traffic. Third-party analyzers and accounting systems may show high traffic consumption by this service, but in fact, the data transfer is initiated by other applications — the filter only acts as an intermediary for scanning.

But let's get back to SpIDer Gate and web traffic. By default, the HTTP monitor scans incoming HTTP traffic only. If necessary, outgoing traffic scanning can be added, and scanning of encrypted data transmitted over the secure HTTPS protocol can be enabled. Our readers will remember that content encrypted in the usual way cannot be viewed. So how does an anti-virus scan and check such traffic? To get around this fundamental restriction, Dr.Web acts as an intermediary between the remote web server and the computer, using its own root security certificate (we wrote in detail about digital certificates and HTTPS in this article). Thus, HTTPS traffic remains protected from outsiders and is checked by the SpIDer Gate component. Note that in this mode, sites that support HTTPS will present a Dr.Web certificate, and not the one that was actually issued to the site. Therefore, if you have the useful habit of periodically checking site certificates in the browser and have enabled the setting to check protected traffic, do not be surprised by the presence of a Dr.Web certificate: this is how it should be. By the way, other anti-virus vendors do the same.
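The certificate substitution described above can be checked per host; the following is an added example, not Dr.Web's code. It assumes a placeholder issuer name (`EXAMPLE-AV-ROOT`, since the page does not give the real one) and uses constructed hosts and certificates in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Placeholder: the page does not name the interception root. Read the real
# issuer from the certificate your browser shows with HTTPS scanning enabled.
LOCAL_ROOT_ORG = "EXAMPLE-AV-ROOT"

def issuer_org(cert):
    """Issuer organizationName (else commonName) from a getpeercert() dict."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")

def fetch_cert(host, port=443, timeout=5):
    """Live helper (unused by the offline sample): the certificate this machine
    receives. Raises ssl.SSLCertVerificationError when the issuing root is
    missing from the trust store Python uses."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def classify(cert, reference_org, local_root_org=LOCAL_ROOT_ORG):
    org = issuer_org(cert)
    if org == local_root_org:
        return "scanned"       # re-signed by the anti-virus root: traffic is inspected
    if org == reference_org:
        return "not-scanned"   # original chain: HTTPS scanning off or app excluded
    return "unexpected"        # neither issuer: worth investigating

def audit(observed, reference):
    """observed: host -> cert dict seen on this machine.
    reference: host -> issuer recorded on a machine without HTTPS scanning."""
    return {host: classify(cert, reference.get(host))
            for host, cert in observed.items()}

def _cert(org, cn):
    """Build a constructed certificate dict with only the issuer field."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),))}

# Constructed sample data, not real certificates.
SAMPLE_OBSERVED = {
    "shop.example": _cert(LOCAL_ROOT_ORG, "Example AV interception root"),
    "updates.example": _cert("Example Public CA", "Example Public CA R1"),
    "mail.example": _cert("Unknown Issuer Ltd", "Unknown Issuer Root"),
}
SAMPLE_REFERENCE = {host: "Example Public CA" for host in SAMPLE_OBSERVED}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_OBSERVED, SAMPLE_REFERENCE).items():
        print(f"{host}: {verdict}")
```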

In addition to performing anti-virus scans of transmitted data, SpIDer Gate filters sites by URL. Access to websites known to be sources for spreading malware is blocked automatically. But Dr.Web databases also include non-recommended sites that, if visited, can harm users in one way or another. By default, access to these sites is also restricted, but the user can add a site they need to the exclusions or, at their own risk, disable the blocking of such resources. Note that anti-virus scans of these sites will work regardless.

How to configure SpIDer Gate

With the default settings, the HTTP monitor works in the optimal mode. At the same time, users can configure the component depending on their needs. Thus, enabling HTTPS traffic scanning will increase overall security, but, in some cases, in order for an application to work correctly, it may be necessary to import a Doctor Web digital certificate into it or, in case of conflicts, add the application to the exceptions. Before doing so, you should be absolutely sure that the program excluded from scanning is secure.

Scanning outgoing web traffic in normal conditions may be redundant, so this option is disabled by default. Outgoing malicious traffic is generated if a device is already infected with malware or is part of a botnet. However, in this case, the task of eliminating the threat falls to the anti-virus’s remaining modules, which should perform the corresponding preventive procedures. Experienced users may need to check outgoing web traffic if their computer is operating in an environment that is dangerous with regard to virus threats.

The Exclusions setting is quite important. This is a whitelist of applications whose web traffic will be excluded from scanning. We do not recommend adding applications to the exclusions unless absolutely necessary, especially those that do not have a valid digital signature (and even a signature’s presence does not guarantee a program’s safety).

As already mentioned, you can create a whitelist of sites to which access will be granted, regardless of the component settings. If the Block non-recommended sites option is enabled in SpIDer Gate, the user can allow certain sites to be accessed by adding them to the Exclusions list. At the same time, it should be remembered that the policy regarding non-recommended sites is similar to the detection of unwanted software, which we wrote about in this article. Having an anti-virus control access to such resources is a way to give users added protection.

The Anti-virus Times recommends

  1. The HTTP monitor SpIDer Gate is an important protection component that should not be completely disabled. It scans web traffic and protects network connections over the HTTP and HTTPS protocols. Should unwanted blockings occur, whitelists of sites and applications should be used.
  2. Remember that the HTTP monitor does not consume traffic, but only passes it through itself for scanning. Therefore, its operation has practically no effect on the Internet connection speed and does not lead to an additional reduction in the traffic limit.
  3. SpIDer Gate is pre-configured in the optimal mode to do its job invisibly for users. You can additionally enable HTTPS connection scanning to increase the amount of data analyzed. At the same time, for some programs to operate correctly, it may be necessary to import the Doctor Web certificate into them or add them to the exclusions.
  4. Similar to a file monitor and an anti-virus scanner, SpIDer Gate performs an anonymized scan of web traffic for virus threats in real time. No personal data are collected, analyzed or stored. Dr.Web Net filtering Service intercepts network connections only for anti-virus scanning and site filtering.

#SpIDer_Gate #Windows #Internet #Dr.Web_settings #traffic_scanning #terminology

