Exploit Prevention Labs Linkscanner Pro takes a decidedly different approach to identifying and alerting users to potentially harmful Web sites. Rather than scan all the Web sites on the Internet and rank them, as McAfee SiteAdvisor does, Linkscanner Pro scans sites as they download onto your browser, identifying code and links known to be malicious. Linkscanner Pro is available as a paid service, and it's the only secure browsing tool we reviewed to include Firefox, Internet Explorer, and Opera. A free version, Linkscanner Lite, is only available for Internet Explorer, although a Firefox version is promised. Linkscanner is the brainchild of veteran antivirus researcher Roger Thompson, and rather than rely on database information, it takes a live snapshot of the health of any given Web site as it loads, quickly identifying sites that have been altered by criminal hackers via cross-site scripting attacks, such as the 2007 Super Bowl Web site. For blocking malicious code from entering your brwoser, Linkscanner is excellent, however, we found it doesn't always identify ordinary, nonexploit-related phishing and fraud sites with such zeal.
We had no trouble installing Linkscanner Pro. Unlike the free Netcraft toolbar and SiteAdvisor, Linkscanner Pro works in the background, identifying Web site content independent of which Internet browser you use. Unlike SiteAdvisor and the Netcraft toolbar, Linkscanner Pro has its own interface. There's a tab to cut and paste suspicious URLs--handy for ferreting out e-mail phishing attacks. There's a tab that displays all active Internet services on your computer--handy for spotting spyware. There are tabs for exploits prevented and exploit sites blocked (that is, sites hosting the exploit code).
Unlike the Netcraft toolbar, which only detects suspected phishing sites, Linkscanner Pro and SiteAdvisor display their safety ratings over your current Internet search result page when using Google, Yahoo, or Live.com, but not Ask or A9. While Linkscanner Pro and SiteAdvisor generally agreed, we did find more than one legitimate Web site that Linkscanner Pro identified as suspicious that SiteAdvisor did not flag.
One defaced Web site is a Massachusetts-based restaurant Web site infected with a malicious Trojan. When viewing the source of the page, the hacker-added iframe script appears at the very bottom, calling out to a site in Korea known to host malicious code. Linkscanner blocked only the iframe code and otherwise allowed us access to the legitimate site. SiteAdvisor, both free and paid, allowed us to access the legitimate site without so much as a warning. Clicking the SiteAdvisor detailed explanation reveals that the site was checked and marked safe for browsing within the SiteAdvisor database. Neither Netcraft toolbar nor the antiphishing protection in Firefox 2 or Internet Explorer 7 blocked our access to this site.
Another legitimate site is an adult-content site hosted in a foreign country; it currently hosts a malicious WMF file. With the free version of SiteAdvisor enabled in Firefox 2, we were allowed to visit the site, and we were even prompted to install the malicious WMF file. With the paid version of SiteAdvisor Plus on Internet Explorer 7, both the site and the file were blocked. Linkscanner Pro also blocked access and called out the specific threats on the page. Again, the Netcraft toolbar nor the antiphishing protection in Firefox 2 or Internet Explorer 7 blocked our access to this site.
But Linkscanner Pro failed to identify the ordinary, nonexploit-related phishing sites we visited. Using 10 sites recently reported to a reputable, independent phish-tracking site, we found that the premium SiteAdvisor Plus identified and blocked access to all 10 sites, tied with the free Netcraft toolbar; next best tools were Linkscanner Pro and Firefox 2, each identifying or blocking access to 7 suspected phishing sites; they were followed by Internet Explorer 7 with an abysmal 5, or half the sites visited. The free edition of McAfee SiteAdvisor gave us inconsistent results over the five days we tested it, so it was not ranked. In general, we found that IE 7 (at the bottom of our results pile) consistently failed to catch phishing sites less than one hour old, although IE 7 caught all phishing sites known for at least one hour or more. Most phishing sites are removed after their initial 72 hours.
The Exploit Prevention Labs site provides a helpful FAQ page, a user guide, and contact information for both the free and paid versions of Linkscanner. E-mail is answered within two business days. There is no telephone support.
In general, we were pleased with Linkscanner Pro's support for Firefox, Internet Explorer, and Opera, with its configurability, and with its protection against malicious code downloads. We were surprised at how common such downloads are. Still, we'd like to see Linkscanner Pro deliver better antiphishing protection.