If we block them, the HTML page might no longer work as it should.
Is there any way to inform the user that there might be a security hole in the embedded JS and that the proxy blocked such an element?
The only way I found was to send an email to the user about the issue.
I would prefer a popup or a warning page to inform the user.
Webwasher version 6.6.x (old Web Gateway) used to do something like this, where it would replace the perpetrating script with an empty muted script. It was not very fun, because it would usually end up breaking something else on the page.
The email alert is a really good idea because it at least gives them a clue that they were blocked for some embedded content.
I find that you get much better results and fewer false positives if you have 2 different GAM settings based on the site's reputation.
Have one setting that is lighter for URL.IsMinimalRisk == true, and one that's a little heavier for URL.IsMinimalRisk == false.
It's worked pretty well for the most part.
This sounds good, but how do you block the whole page if you detect a BehavesLike JS? In most cases the JS will be downloaded separately from the HTML site (include)....
To implement what Eric said, we split our "Block If Virus is Found" rule under "Gateway Anti-Malware" into two like this:
Would that be the correct way to do it?
Personally, I have the bottom dot on for the trusted sites and the top dot on for the untrusted sites.
I run all my home traffic through MWG and honestly, I find very little, if any, false positives using that configuration.
Again: is there a way to open a popup window if there is an AV finding in a JS script file?
I tried to add JS code that opens a new window to the blocking page. This works for EICAR, but not for
infected JS code. Example: http://www.faz.net contains http://www.faz.net/4.8.5/js/all_scripts.min.js.
MC will detect it with the heuristic engine: McAfeeGW: Heuristic.BehavesLike.JS.Exploit.M!89 (Mobile Code Behaviour 85, and "enable removal of disinfected content" is disabled).
I tried myself to find a solution - and I got it!
Currently only for JS findings :-) I think that's the main reason to inform the user why an object was blocked by the AV engine.
What does the rule do?
If the AV engine finds malware, the body is deleted and replaced with a little JS that opens a new window.
Currently this is only proof of concept. Maybe someone will enhance the functionality :-)
Thanks MC for the great flexible rule engine.
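As an added example (not code from this thread and not an MWG rule), here is what the replacement body described in the last post could look like in JavaScript, together with a small fake-browser harness so it can be exercised outside a browser. The names buildBlockNotice, jsLiteral, runNotice and fakeDocument, the sample detection string and the sample URL are assumptions. The reason a block page that works for EICAR does nothing for a blocked script file is that the browser requested the object with a script tag: an HTML response in that position is a JavaScript syntax error and is silently ignored, whereas a response that is itself JavaScript gets executed (the proxy also has to keep a JavaScript content type on the replacement). Two practical points the example handles: the blocked URL lands inside the served script and can be attacker-chosen, so it is embedded as an escaped string literal and the notice is written with textContent rather than innerHTML; and a popup blocker makes window.open return null, in which case the script falls back to a fixed banner on the page (deferred until the body exists if the script was included from the head).

```javascript
'use strict';

// Added example, not code from the thread or an MWG rule. Builds the JS
// body a proxy could serve in place of a blocked <script src=...> file.
// buildBlockNotice, jsLiteral, runNotice and fakeDocument are assumed names.

// Embed an untrusted value as a JavaScript string literal. JSON.stringify
// escapes quotes, backslashes and control characters; "<" is escaped as
// well so a URL containing "</script>" cannot terminate an inline script
// if the notice is ever inlined into HTML.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Return the JavaScript source to serve instead of the blocked script.
// The browser asked for a script, so the response must parse as one;
// an HTML block page in this position is a syntax error and does nothing.
function buildBlockNotice(finding, blockedUrl) {
  return [
    '(function () {',
    '  var finding = ' + jsLiteral(finding) + ';',
    '  var url = ' + jsLiteral(blockedUrl) + ';',
    '  var msg = "The proxy blocked a script on this page.\\n" +',
    '            "Detection: " + finding + "\\nObject: " + url;',
    '  function banner() {',
    '    // Popup blocked (window.open returned null): in-page banner instead.',
    '    var div = document.createElement("div");',
    '    div.setAttribute("style", "position:fixed;top:0;left:0;right:0;" +',
    '      "z-index:2147483647;background:#c00;color:#fff;padding:8px;" +',
    '      "font:14px sans-serif;white-space:pre");',
    '    div.textContent = msg;   // text, never innerHTML',
    '    document.body.appendChild(div);',
    '  }',
    '  var w = null;',
    '  try { w = window.open("", "_blank", "width=480,height=240"); } catch (e) {}',
    '  if (w && w.document) {',
    '    w.document.title = "Blocked by proxy";',
    '    var pre = w.document.createElement("pre");',
    '    pre.textContent = msg;',
    '    w.document.body.appendChild(pre);',
    '  } else if (document.body) {',
    '    banner();',
    '  } else {',
    '    // Script was included from <head>; body does not exist yet.',
    '    document.addEventListener("DOMContentLoaded", banner);',
    '  }',
    '})();',
  ].join('\n');
}

// --- Fake-browser harness (test scaffolding, not served by the proxy) ---

// Just enough of a Document for the notice: records what gets appended.
function fakeDocument() {
  const doc = { title: '', appended: [] };
  doc.body = { appendChild: (el) => doc.appended.push(el) };
  doc.createElement = (tag) => ({
    tag, textContent: '', style: null,
    setAttribute(name, value) { if (name === 'style') this.style = value; },
  });
  doc.addEventListener = () => {};
  return doc;
}

// Parse and execute the served script against a fake window/document,
// with the popup either allowed or blocked. Returns both documents.
function runNotice(src, popupAllowed) {
  const page = fakeDocument();
  const popup = fakeDocument();
  const win = { open: () => (popupAllowed ? { document: popup } : null) };
  new Function('window', 'document', src)(win, page);
  return { page, popup };
}

// Constructed sample: a detection name in the thread's format and a
// hostile URL that tries to break out of the generated script.
const SAMPLE_FINDING = 'McAfeeGW: Heuristic.BehavesLike.JS.Exploit.M!89';
const SAMPLE_URL = 'http://evil.example/x.js";</script><img src=x onerror=alert(1)>';

const demoSrc = buildBlockNotice(SAMPLE_FINDING, SAMPLE_URL);
console.log(demoSrc);
console.log('popup allowed ->', runNotice(demoSrc, true).popup.appended[0].textContent);
console.log('popup blocked ->', runNotice(demoSrc, false).page.appended[0].textContent);
```

In a deployment the proxy would hand buildBlockNotice the engine's finding name and the request URL and serve the result with a JavaScript content type; the fake-browser part exists only so the two branches (popup allowed, popup blocked) can be checked without a browser.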