
How MWG can protect users from visiting sites vulnerable to the Heartbleed bug


The "Heartbleed" vulnerability (CVE-2014-0160) has impacted thousands of servers and products on the internet. With the power and flexibility of the rule engine in McAfee Web Gateway 7 you can now block or warn end users when they try to access one of those web sites that have not been patched yet and are still vulnerable.

To learn more about Heartbleed, please see this McAfee blog post:

A manual check of individual sites can be performed here:

Additional details regarding McAfee product mitigation and remediation can be found at:


The following tools and rules are provided as-is. They provide a simple scan for CVE-2014-0160 (also known as Heartbleed) on a public server. This scan is not accurate for every possible server configuration.

By no means are the rules or configurations officially supported. If you do have questions or comments please use the community to get assistance.

The web service required (see below) is best hosted on your own local server. McAfee reserves the right to disable the hosted service at any time (please also see the note about the auto expiration of the rules).

How it works

The issue with Heartbleed is that it happens at such a generic level of the HTTPS connection that the standard rules of Secure Web Gateways from any vendor have no visibility into it and therefore cannot protect end users from vulnerable servers.

McAfee Web Gateway has the unique advantage of the so-called "subscribed lists" and "external lists" features that allow it to talk to external services. We are using these features so that a "Heartbleed Vulnerability Checker" (going forward called "the tool"), hosted on a web server either on the internet or in your local environment, can provide information about vulnerable destination servers to MWG. The basis for this service is the tool also used for with a PHP script wrapper around it.

The three Components:

1. The tool

A web service API that provides real time status checks for vulnerable servers. MWG can query this service through its "external lists" feature. MWG provides the IP and port of the destination HTTPS server that an end user requested and the tool provides a real time response:

0: Not vulnerable or error
1: Vulnerable server detected

Responses to the real time check are cached on the local MWG for 1 hour.

2. The list

Every time the tool detects a vulnerable server, it adds the IP to a list of known vulnerable servers. MWG consumes this list through its "subscribed list" feature.

The list of known vulnerable servers is refreshed by the MWG every 1 hour.

3. The re-check

Every hour the tool will re-check all sites on the list of known vulnerable servers to make sure we take them off the list once they have been patched or protected.
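The three components above can be modelled in a few dozen lines. The following is an added example in Python, not the PHP/Go service shipped in the zip file: it answers the real-time check with "0"/"1", keeps the list of known vulnerable servers keyed by IP with the expiration entry first, and runs the hourly re-check that drops hosts once they stop answering as vulnerable. The network probe is replaced by a constructed result table (PROBE_RESULTS, an assumption) so that it runs offline.

```python
"""Working model of the three components described above: the real-time
check answered to MWG's external list, the list of known vulnerable servers
that MWG subscribes to, and the hourly re-check that drops patched hosts.
Added example in Python; it is not the PHP/Go service from the zip file.
The network probe is replaced by a constructed result table so it runs
offline."""
from datetime import datetime
import ipaddress

# Constructed stand-in for the checker's verdict per "ip:port" (True means
# "vulnerable").  A real deployment would run the Go checker here.
PROBE_RESULTS = {
    "203.0.113.10:443": True,
    "203.0.113.20:443": False,
    "198.51.100.5:8443": True,
}


def table_probe(ip, port):
    """Look the target up in PROBE_RESULTS; unknown targets count as not vulnerable."""
    return PROBE_RESULTS.get(f"{ip}:{port}", False)


class HeartbleedService:
    """State of the web service: known-vulnerable IPs with port and last confirmation time."""

    def __init__(self, probe_fn=table_probe):
        self.probe_fn = probe_fn      # callable(ip, port) -> bool
        self.vulnerable = {}          # ip -> (port, last_confirmed)

    def check(self, host, port, now=None):
        """Real-time check (component 1): "1" if vulnerable, "0" otherwise.
        The tool answers "0" for errors too, so a host that is not an IP address
        is treated as an error rather than resolved (all checks are keyed by IP)."""
        now = now or datetime.now()
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            return "0"
        if self.probe_fn(ip, int(port)):
            self.vulnerable[ip] = (int(port), now)   # component 2: remember it
            return "1"
        return "0"

    def subscribed_list(self, expires="NEVER"):
        """List served to MWG (component 2): expiration entry first, then the
        known vulnerable IPs one per line (sorted as strings for a stable output)."""
        return [expires] + sorted(self.vulnerable)

    def recheck(self, now=None):
        """Hourly cron task (component 3): re-probe every listed IP and drop those
        that no longer answer as vulnerable.  Returns the IPs removed."""
        now = now or datetime.now()
        removed = []
        for ip, (port, _) in list(self.vulnerable.items()):
            if self.probe_fn(ip, port):
                self.vulnerable[ip] = (port, now)
            else:
                del self.vulnerable[ip]
                removed.append(ip)
        return removed
```

Swapping `probe_fn` for a function that runs the real checker turns this into the service the article describes; the error-to-"0" mapping is what makes a gateway fail open (allow) rather than block when the tool itself is unreachable.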

Demo Video

Rules for your MWG


MWG or newer (all 7.4.x versions)

SSL scanner enabled and deployed

At the bottom of this document you can find a zip file with the latest rule set and block pages for your MWG. Please download the zip file and follow these steps to install the block pages and then the rules:

1. Extract the zip file to your local PC

2. Open the McAfee Web Gateway UI and log in as a policy admin

3. Import the block pages

Go to Policy >> Settings >> Actions >> Block >> URL Blocked

On the right side, click on Template Name >> Edit

Inside the Template Editor, click on Import and then select the block pages file inside the folder you extracted earlier


After the successful import, you should see two new block pages added to your collection:

- Heartbleed Block

- Heartbleed Coaching


4. Import the rules

Under Policy >> Rule Sets select your SSL Scanner rule set and right click on it. Then select Add >> Rule Set from Library


Inside the rule set library please select "import from file" and then import the rule set file you extracted earlier


5. Position the rules

Place the rule set inside your SSL scanner rule set right underneath the "Handle CONNECT Call" rule set


6. Decide whether you would like to block or just warn end users when they visit a vulnerable server

The default setting is to block access to vulnerable servers. All you have to do is click "Save Changes" after the import of the rule set.

To warn users (using MWG coaching functionality) please disable the rule "Block destination Servers vulnerable to heartbleed" and instead enable the rule "Enable Warning for servers Vulnerable to heartbleed".


Sample view of the Error Templates

Block Page:


Warning Page:


The web service and the auto expiration of the rules

The rules attached point to a web server that is running as a PoC at this time.

As the future of this server has not been determined, the rules provided contain an auto expiration element.

Basically, the first entry in your "Heartbleed_Servers" subscribed list is an auto expiration date that McAfee controls.


Once this expiration date has been reached, the imported rules will automatically stand down. The goal is to prevent any delays in processing end user requests once the web service is being taken offline.

To not rely on the PoC server, we highly encourage you to run your own server internally (see below).
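The gateway side of the rule set can be expressed the same way. The following added Python example is not the MWG rule set from the zip file; it shows the logic the rules implement: read the expiration entry at the head of the Heartbleed_Servers subscribed list (a YYYY-MM-DD date or the "NEVER" entry from settings.php; the date format is an assumption), stand down once it has passed, cache each external-list answer for one hour, and map a hit to the block or coaching action. The external check is injected as a callable so it can be exercised offline.

```python
"""Gateway-side model of the Heartbleed rules described above: auto
expiration via the first subscribed-list entry, 1-hour caching of external
list answers, and block-vs-coach action.  Added example, not the MWG rule set."""
from datetime import date, datetime, timedelta

CACHE_TTL = timedelta(hours=1)   # real-time responses are cached on MWG for 1 hour


def parse_subscribed_list(lines, today=None):
    """Return (rules_active, known_ips).  The first entry is the expiration
    date (assumed YYYY-MM-DD) or "NEVER"; once it has passed the rules stand down.
    An unparseable head entry is treated like an expired one (fail open), which
    matches the stated goal of never delaying requests once the service is gone."""
    today = today or date.today()
    entries = [line.strip() for line in lines if line.strip()]
    if not entries:
        return False, set()
    head, ips = entries[0], set(entries[1:])
    if head.upper() == "NEVER":
        return True, ips
    try:
        expires = date.fromisoformat(head)
    except ValueError:
        return False, ips
    return today <= expires, ips


class HeartbleedPolicy:
    """Decision logic for one CONNECT request: "block", "coach" or "allow"."""

    def __init__(self, external_check, mode="block"):
        self.external_check = external_check   # callable(ip, port) -> "0" or "1"
        self.mode = mode                       # "block" or "coach" (warning page)
        self.cache = {}                        # (ip, port) -> (answer, fetched_at)

    def lookup(self, ip, port, now=None):
        """External-list query with the 1-hour cache the article describes."""
        now = now or datetime.now()
        key = (ip, port)
        hit = self.cache.get(key)
        if hit and now - hit[1] < CACHE_TTL:
            return hit[0]
        answer = self.external_check(ip, port)
        self.cache[key] = (answer, now)
        return answer

    def decide(self, ip, port, list_lines, now=None):
        """Apply the rule set: expired list -> allow; listed or real-time "1" -> action."""
        now = now or datetime.now()
        active, known = parse_subscribed_list(list_lines, now.date())
        if not active:
            return "allow"
        if ip in known or self.lookup(ip, port, now) == "1":
            return "block" if self.mode == "block" else "coach"
        return "allow"
```

The subscribed list is consulted before the external list, so servers already known to be vulnerable cost no round trip to the tool, and the cache bounds the number of real-time checks per destination to one per hour regardless of how many users hit it.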

How to host your own Service

You might wish to host your own service inside your network so that a) you do not have to send any data out to the internet and b) you do not rely on our service, which will eventually be shut down.

At the bottom of this article you can find a zip file with the necessary scripts to host your own Heartbleed Check tool (instead of relying on a service on the internet that might not be reliably available).

These installation instructions are based on a Red Hat / CentOS 6.4 system with Apache and PHP already installed. SELinux has been disabled.

1. Log in as root (or sudo the commands below)

2. Install the epel repository


rpm -Uvh epel-release-6*.rpm

3. Install golang and git

yum install golang git

4. Create directory and set PATH

mkdir /opt/golang

export GOPATH=/opt/golang

5. Install the vulnerability check tool

(more info on the tool: )

go get

go install

6. Place the scripts on the web server

Copy the zip file downloaded from this article to your web server and place it under /var/www/

Then switch back to the command line:

cd /var/www


chown -R apache:apache heartbleed

7. Test your Server:

Real Time check (via external list on MWG). Result should be "0"

http://<ip of your web server>/heartbleed/check.php?

List of known vulnerable sites (via subscribed list on MWG).

http://<ip of your web server>/heartbleed/subscribe.php?prod=mwg

8. Add the hourly re-check script as a cron job

crontab -e

add the line

0 * * * * /bin/sh /var/www/heartbleed/ > /dev/null 2>&1

save and quit

9. Point MWG at your Server for the Heartbleed checks

Subscribed List

To change the subscribed list, go under Policy >> Lists >> Subscribed Lists >> String >> Heartbleed_Servers, then right click and select "Edit", then select "Setup"

Please replace the existing IP with the IP or hostname of your web server


External List

To change the external list, go under Policy >> Settings >> External Lists >> Heartbleed_Check and replace the IP in the "Web service's URL" field with the IP or hostname of your web server



Why are all entries in the known vulnerable server list IP addresses?

The assumption is that the vulnerable OpenSSL version is used system-wide on a server, so even if multiple hostnames are associated with one server, they are all vulnerable. Having the IP in the list covers all of these potential hosts.

What's up with the auto expiration?

As vulnerable Heartbleed sites are expected to be patched over the next few weeks or months, the auto expiration makes sense and guarantees that there will not be any delays for your end user requests when the service is taken offline.

I am running my own server and I want to adjust the expiration date or even disable it

Open up /var/www/heartbleed/settings.php

In this file you can adjust the expiration date or you can uncomment the "NEVER" entry to disable expiration.



McAfee Web Gateway Rules and Blockpages

Scripts to run your own service



- All checks are based on IPs now instead of hostnames

- Rules have an auto expiration on them (first element of subscribed list)


You should change prerequisites to

MWG or newer, MWG or newer

7.4.0 to are vulnerable to heartbleed.

Version history
Revision 1 of 1, last update: 04-17-2014 07:51 AM