Comments on: HauteSecure – Good idea, bad implementation
http://www.mikeonads.com/2007/07/11/hautesecure-good-idea-bad-implementation/
Ramblings about online advertising, ad networks & other techie randomness
Wed, 28 May 2014 09:36:00 +0000

By: repair powerpoint files, Thu, 24 May 2012 10:30:00 +0000
http://www.mikeonads.com/2007/07/11/hautesecure-good-idea-bad-implementation/comment-page-1/#comment-147526

Great post Nice one thanks.

By: corrupt zip repair, Wed, 07 Mar 2012 07:03:00 +0000
http://www.mikeonads.com/2007/07/11/hautesecure-good-idea-bad-implementation/comment-page-1/#comment-147340

Nice post, thanks. I really love it!

By: Sandi Hardmeier, Sat, 14 Jul 2007 09:58:51 +0000
http://www.mikeonads.com/2007/07/11/hautesecure-good-idea-bad-implementation/comment-page-1/#comment-2352

Hi Mike,

The service is in early beta at the moment – in fact, it wasn’t made available to the public until a few days ago – this is something that needs to be kept in mind when assessing the service as it stands today – I know that those behind Haute Secure want any and all feedback regarding their service, and I’ll be making a point of bringing your blog to their attention, but personally I prefer to emphasise that a service is in beta when writing about it so that the final product is not judged on writings about early builds :o)

You and I have expressed similar concerns. I have been having an ongoing dialogue with those behind Haute re things such as the product’s chattiness and my concerns about the flagging of entire domains on the basis of past incidents – hopefully things will improve if more emphasis is placed on *content* warnings and they are made easier to distinguish from *domain* warnings.

I worry that wholesale warnings triggered by domains will lead to Haute Secure eventually being ignored (something I have shared with the team).

That being said, we are facing some real problems such as COLOs when they run old or badly configured servers which leads to hundreds, if not thousands, of sites being compromised and hostile code inserted for the express purpose of infecting visitors. Then there are the numerous dangerous domains that all point to the same IP address. In such situations I would be more than happy for an entire IP range to trigger a domain warning because it’s likely to be more effective than trying to block thousands of individual web sites at a COLO.

The same can be said for services like myspace which can have hundreds if not thousands of pages that have been compromised. Sometimes it is easier to warn about the entire domain which has been the source of recurring problems than to try and track down and block thousands of individual URLs.

The URLs you mention as being marked as ‘safe’ are a problem (as we both so well know) :o) But, Haute is based around behavioural analysis – and its purpose is to try and warn us of sites that are trying to do something bad (as distinct to offering betrayware for download) so if the site is not being seen to actively try to install malware on a system without user interaction then they may fall outside the scope of the product as it stands today – and you and I both know how good those behind winfixer are at evading detection.

You may find these articles interesting:

http://community.hautesecure.com/forums/p/27/30.aspx#30

http://community.hautesecure.com/blogs/company/archive/2007/07/12/the-details-on-beta-build-419-rtw-of-haute-secure.aspx

http://community.hautesecure.com/forums/t/29.aspx

As always, my best wishes,

Sandi &c.

By: steve, Thu, 12 Jul 2007 02:00:57 +0000
http://www.mikeonads.com/2007/07/11/hautesecure-good-idea-bad-implementation/comment-page-1/#comment-2260

Mike,

Thanks for the feedback. It appears our design goals for this version are not clear. This release is designed to prevent users from malware attacks delivered by drive-by exploits. As you probably know, there is virtually no protection today whatsoever against them. We created a solution to do this in two ways: the first is the Haute Secure client on your PC that stops malicious code from executing without a user’s permission. The second is the constantly updated malicious link database that stops the delivery of malicious code by blocking links known to be laced with malware. For example, if you were to browse to winfixer.com, and it tried to exploit your browser (or a 3rd party plugin) to install malware, this would be something Haute Secure catches and stops. If it asks the user for explicit permission to download winfixer and the user clicks “yes”, we do not currently protect from that.

It holds then that the results we gave you are correct: those sites listed as dangerous have indeed been caught and verified as delivering (via drive-by exploits) malicious code on unsuspecting users’ PCs. If you have had a chance to use the product, you’ll see that we do not block the popular sites that we found are distributing malware. Rather, we give you notice that we found malware on them and will stop drive-by exploits lurking on them as you browse the site.

Protecting users who click “yes” and become infected is a separate problem space and we have plans to address it with the same approach in the future. In the near term, we will enable members in the community such as yourself to contribute links like winfixer.com to the block lists. That way we’re blocking the page from loading and keeping people away from the temptation of downloading malicious code.

With respect to analyzing script, I agree that this is an approach to the problem. There are other products on the market that do this, but as a general rule, they require signatures of the exploit code to work. Haute Secure is behavior-based, and therefore requires no signatures and can detect infection attempts from exploitation of 0-day vulnerabilities.

Please keep in mind that this is a beta release. Your continued constructive criticism will help us improve future releases of this product. Thanks again for the feedback.

Steve
