feickholt
Level 10

AV Question: How handle JS finding?

Since we use AV we found several Heuristic findings in JavaScript.

If we block them the HTML Page might no longer work as it should work.

Is there any way to inform the user that there might be a security hole in the embedded JS and that the proxy blocked such an element?

The only way I found was to send an email to the user about the issue.

I would prefer a popup or a warning page to inform the user.

Any ideas?

Frank

9 Replies
McAfee Employee

Re: AV Question: How handle JS finding?

Hi Frank,

Webwasher version 6.6.x (old Web Gateway) used to do something like this where it would replace the perpetrating script with an empty muted script. It was not very fun because it would usually end up breaking something else on the page.

The email alert is a really good idea because it at least gives them a clue that they were blocked for some embedded content.

Best,

Jon

eelsasser
Level 15

Re: AV Question: How handle JS finding?

I find that you get much better results and fewer false positives if you have 2 different GAM settings based on the site's reputation.

Have one setting that is lighter for URL.IsMinimalRisk == true, and one that's a little heavier for == false.

In the config I use, the MinimalRisk sites have the classification slider up to 95 and the Enable removal of disinfectable content (which replaces the offending javascript function with a void() so as not to break the whole page).

The settings for !MinimalRisk have the slider down to 80 and do a block for the whole page if the javascript is detected.

It's worked pretty well for the most part.

feickholt
Level 10

Re: AV Question: How handle JS finding?

This sounds good, but how do you block the whole page if you detect a "behaves like" JS? In most cases the JS will be downloaded separately from the HTML site (include)....

jspanitz
Level 7

Re: AV Question: How handle JS finding?

To implement what Eric said, we split our "Block If Virus is Found" rule under "Gateway Anti-Malware" into two like this:

MWG-AntiMalware.PNG

Would that be the correct way to do it?

eelsasser
Level 15

Re: AV Question: How handle JS finding?

Yes, that would be what I have as well:

Capture.png

jspanitz
Level 7

Re: AV Question: How handle JS finding?

Thanks again Erik. One last question. Would changing the settings below for trusted sites have any appreciable benefit or cause any real concern? Specifically the Common Files settings. The goal here is to prevent the myriad of issues we have with business critical web sites that do not display properly. I am assuming most of them are code and JavaScript issues, so not sure changing these settings would help or hurt.

MWG-AVPrescan.JPG

eelsasser
Level 15

Re: AV Question: How handle JS finding?

Personally, I have the bottom dot on for the trusted sites and top dot on for the untrusted sites.

I run all my home traffic through MWG and honestly, I find very little, if any, false positives using that configuration.

feickholt
Level 10

Re: AV Question: How handle JS finding?

Again. Is there a way to open a popup window if there is an AV finding in a JS script file?

I tried to add a JS code opening a new window in the blocking page. This works for EICAR. But not for an infected JS code. For example, http://www.faz.net contains http://www.faz.net/4.8.5/js/all_scripts.min.js.

MC will detect with heuristic engine: McAfeeGW: Heuristic.BehavesLike.JS.Exploit.M!89 (Mobile Code Behaviour 85 and enable removal of disinfected content is disabled)

feickholt
Level 10

Re: AV Question: How handle JS finding?

OK!

No answer?

I tried myself to find a solution - and I got it!

Currently only for JS findings :-) I think that's the main reason to inform the user why an object was blocked by the AV engine.

What does the rule do?

If the AV engine finds malware, the body will be deleted and replaced with a little JS opening a new window.

Currently this is only proof of concept. Maybe someone will enhance the functionality :-)

Thanks MC for the great flexible rule engine.

Regards

Frank

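The last post describes swapping the body of a blocked JS object for a small script that opens a new window. Below is an added example of what such a replacement body can look like; it is not Frank's rule, not McAfee Web Gateway code, and the `info` fields (detection name, blocked URL) are assumed to be filled in by the gateway's rule engine. When the page later includes the blocked script, the snippet runs in the page's context, tries the popup, and, because browsers often block unrequested popups, falls back to an in-page banner so the user still learns why the page is broken.

```javascript
// Added example of a replacement body for a blocked script (not from the
// thread or the product). The gateway is assumed to substitute the detection
// name and blocked URL into `info`; the values used at the bottom are
// constructed samples taken from the thread.

// HTML-escape untrusted strings: the detection name and URL originate outside
// the page, so they must not be written into the DOM as raw markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Builds the notice shown to the user.
function buildNotice(info) {
  return '<div style="border:2px solid #c00;background:#fee;padding:8px;font-family:sans-serif">' +
    '<strong>Content blocked by the web gateway.</strong><br>' +
    'A script on this page was blocked by the anti-malware engine (' +
    escapeHtml(info.detection) + ').<br>' +
    'Blocked object: ' + escapeHtml(info.url) + '<br>' +
    'Parts of this page may not work. Contact the helpdesk if you need this site.' +
    '</div>';
}

// Tries a popup window first; if the browser refuses (popup blocker) or
// throws, inserts the notice at the top of the current page instead.
// Returns "popup" or "banner" so the caller can tell which channel was used.
function notifyUser(info, win) {
  const html = buildNotice(info);
  let popup = null;
  try {
    popup = win.open('', '_blank', 'width=480,height=240');
  } catch (e) {
    popup = null;
  }
  if (popup && !popup.closed) {
    popup.document.write('<!doctype html><title>Blocked content</title>' + html);
    popup.document.close();
    return 'popup';
  }
  const container = win.document.createElement('div');
  container.innerHTML = html;
  win.document.body.insertBefore(container, win.document.body.firstChild);
  return 'banner';
}

// Stand-alone use inside a browser page; skipped when no window exists.
if (typeof window !== 'undefined' && window.document && window.document.body) {
  notifyUser({
    detection: 'McAfeeGW: Heuristic.BehavesLike.JS.Exploit.M!89', // sample from the thread
    url: 'http://www.faz.net/4.8.5/js/all_scripts.min.js'           // sample from the thread
  }, window);
}
```

Because the notice is inserted by the blocked script itself, it only appears if the page actually loads the script; a script that was never referenced produces no notice, which matches the behaviour Frank describes (only JS findings are covered).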