Web filtering went wrong for BitDefender Endpoint Security

I recently bumped into an interesting case when dealing with a web page blocked by BitDefender antivirus. If a page is unsafe or blocked by the system administrator, your browser will show a page like this:

As shown in the screenshot, the page being blocked is the Ukrainian version of Google search: https://www.google.com.ua. Since I am not happy with this page being blocked, I’d like to find a solution to this problem. The logical step would be to try out another HTTP client, such as wget. For those who are not familiar with wget, it is a must-have HTTP client from the GNU/Linux world and can be downloaded for Windows from here: http://gnuwin32.sourceforge.net/packages/wget.htm

OK, let’s do wget https://www.google.com.ua and …

As you can see, wget works! Well, obviously the only difference between wget and chrome.exe is the binary name, since both are valid HTTP clients. If Bitdefender is doing the filtering based on the names of binaries, we can try to “forbid” wget by renaming it to chrome.exe and see if it fails with the same URL. So, I rename wget.exe to chrome.exe and try again:

… and renaming wget.exe to chrome.exe made Bitdefender block the page: 403 Blocked by Bitdefender. It also means that doing the reverse and renaming your chrome.exe (or any well-known browser like firefox.exe or opera.exe) to wget.exe or something.exe will allow you to bypass the Bitdefender content checking policy and escape being blocked.

This is not really a bug in Bitdefender, but rather poor design of the overall solution. I can’t really imagine that renaming a binary may allow you to escape being monitored. I wonder what other corner cases are hidden in the code.

You can’t really find a good excuse for this bug, because detecting browsers is not rocket science. You can enumerate the Add/Remove Programs list, read the InstallLocation property of each entry, and check it when a program executes. You can also check which certificate was used to sign the binary and see that it is signed by Google or Mozilla or MS, or whoever. If you are lazy, you can just build a predefined set of paths (C:\Program Files\Firefox\*) and check all binaries under these paths. All these solutions have advantages and disadvantages, but they are still way better than just checking the process name.
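The checks listed above can be combined into one classifier. The following is an added example, not part of the original post and not Bitdefender's code; the vendor subject strings, image names and product-name filter are assumptions to adjust for your environment.

```powershell
# Added example. Vendor names, image names and the product filter are assumptions
# and must be confirmed against the certificates and installers actually deployed.
$VendorPattern  = 'O=(Google LLC|Mozilla Corporation|Opera Norway AS|Microsoft Corporation)'
$BrowserImages  = 'chrome.exe', 'firefox.exe', 'opera.exe', 'msedge.exe'
$ProductPattern = 'Chrome|Firefox|Opera|Microsoft Edge'

function Get-BrowserInstallRoot {
    # InstallLocation values from the Add/Remove Programs (Uninstall) registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $ProductPattern -and $_.InstallLocation } |
        ForEach-Object { $_.InstallLocation.Trim('"').TrimEnd('\') + '\' }
}

function Test-BrowserImage {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # The Authenticode hash covers the version resource, so OriginalFilename
    # is only meaningful when the signature verifies.
    $vendorSigned = $sig.Status -eq 'Valid' -and
                    $sig.SignerCertificate.Subject -match $VendorPattern
    $origName     = $file.VersionInfo.OriginalFilename
    $underRoot    = [bool](Get-BrowserInstallRoot | Where-Object {
        $file.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

    [pscustomobject]@{
        Path             = $file.FullName
        NameSaysBrowser  = $file.Name -in $BrowserImages   # what a name-only check sees
        VendorSigned     = $vendorSigned
        OriginalName     = $origName
        UnderInstallRoot = $underRoot
        TreatAsBrowser   = ($vendorSigned -and $origName -in $BrowserImages) -or $underRoot
    }
}

# Report running processes where the image name and the stronger checks disagree.
Get-Process | Where-Object Path | Sort-Object Path -Unique |
    ForEach-Object { Test-BrowserImage -Path $_.Path } |
    Where-Object { $_.TreatAsBrowser -ne $_.NameSaysBrowser }
```

Rows in the output are exactly the cases a name-based filter gets wrong: an image whose name claims to be a browser but whose signer and location do not, or a vendor-signed browser running under another name.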

I know that in the modern IT engineering world there is always a balance between “doing it quick and covering the market before the competitor” and making it stable and solid. I just don’t understand why small things that can lead to big consequences are not taken into account by big software companies, which definitely have more resources than startups to make things right.

