One defaced Web site is a Massachusetts-based restaurant Web site infected with a malicious Trojan. When viewing the source of the page, the hacker-added iframe script appears at the very bottom, calling out to a site in Korea known to host malicious code. Linkscanner blocked only the iframe code and otherwise allowed us access to the legitimate site. SiteAdvisor, both free and paid, allowed us to access the legitimate site without so much as a warning. Clicking the SiteAdvisor detailed explanation reveals that the site was checked and marked safe for browsing within the SiteAdvisor database. Neither Netcraft toolbar nor the antiphishing protection in Firefox 2 or Internet Explorer 7 blocked our access to this site.
Another legitimate site is an adult-content site hosted in a foreign country; it currently hosts a malicious WMF file. With the free version of SiteAdvisor enabled in Firefox 2, we were allowed to visit the site, and we were even prompted to install the malicious WMF file. With the paid version of SiteAdvisor Plus on Internet Explorer 7, both the site and the file were blocked. Linkscanner Pro also blocked access and called out the specific threats on the page. Again, the Netcraft toolbar nor the antiphishing protection in Firefox 2 or Internet Explorer 7 blocked our access to this site.
But Linkscanner Pro failed to identify the ordinary, nonexploit-related phishing sites we visited. Using 10 sites recently reported to a reputable, independent phish-tracking site, we found that the premium SiteAdvisor Plus identified and blocked access to all 10 sites, tied with the free Netcraft toolbar; next best tools were Linkscanner Pro and Firefox 2, each identifying or blocking access to 7 suspected phishing sites; they were followed by Internet Explorer 7 with an abysmal 5, or half the sites visited. The free edition of McAfee SiteAdvisor gave us inconsistent results over the five days we tested it, so it was not ranked. In general, we found that IE 7 (at the bottom of our results pile) consistently failed to catch phishing sites less than one hour old, although IE 7 caught all phishing sites known for at least one hour or more. Most phishing sites are removed after their initial 72 hours.
The Exploit Prevention Labs site provides a helpful FAQ page, a user guide, and contact information for both the free and paid versions of Linkscanner. E-mail is answered within two business days. There is no telephone support.
In general, we were pleased with Linkscanner Pro's support for Firefox, Internet Explorer, and Opera, with its configurability, and with its protection against malicious code downloads. We were surprised at how common such downloads are. Still, we'd like to see Linkscanner Pro deliver better antiphishing protection.