timode
Level 9

Coaching for potentially malicious files

Hi,

I'm trying to create a security check for potentially malicious downloads.

What I like to achieve:

If a user tries to download a ZIP file which includes an executable, web gateway should present a warning page with a button to proceed anyway.

I created a rule which works nearly perfectly. But there is a problem in case the download progress page is used.

The rule I built is the following:

ruleset.png

(Ignore the first one "Skip warning if progress page has been shown". This is only my workaround for the problem.)

So at the moment I try to download a malicious ZIP file, web gateway shows a coaching page with a button. As soon as I click on the button, the download starts. Perfect so far.

Problem is:

In case the download is big, web gateway shows the progress page. In this case the download page shows up and after that automatically the coaching page. But a click on the button does not result in any effect this time (no download).

I guess this is because of the redirect. Normally the redirect goes to the last page which is the download. But this time the last page is the progress bar.

Any ideas??

cheers

Timo

0 Kudos
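As an added illustration of the check this rule is after (not a Web Gateway rule and not Timo's code), here is a small Python inspector that opens a downloaded ZIP and reports members that look executable, both by file extension and by the "MZ" magic of a PE/DOS header, so a renamed executable is still caught. The extension list and the sample archive are constructed for the example; only the first two bytes of each member are decompressed, and the check fails closed on archives it cannot parse.

```python
import io
import posixpath
import zipfile

# Extensions commonly treated as directly executable on Windows.
# This is an assumed, illustrative list, not the gateway's own catalogue.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".vbs", ".ps1", ".msi", ".hta",
}
MZ_MAGIC = b"MZ"  # first two bytes of every PE/DOS executable
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the ZIP local header


def find_executables(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that look executable.

    A member is flagged if its extension is in EXECUTABLE_EXTENSIONS or if its
    content starts with the MZ magic. Only two bytes per member are read, so a
    large archive is not extracted just to classify it. Encrypted members
    cannot be peeked into and are judged by name alone.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            by_ext = posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
            by_magic = False
            if not info.flag_bits & ENCRYPTED_FLAG:
                with zf.open(info) as member:
                    by_magic = member.read(len(MZ_MAGIC)) == MZ_MAGIC
            if by_ext or by_magic:
                found.append(name)
    return found


def is_risky_archive(zip_bytes: bytes) -> bool:
    """True when the archive contains an executable or cannot be parsed.

    Failing closed on a malformed archive mirrors what a gateway policy would
    want: a download that cannot be inspected gets the warning page too.
    """
    try:
        return bool(find_executables(zip_bytes))
    except zipfile.BadZipFile:
        return True


def build_sample_archive() -> bytes:
    """Constructed sample archive: one clean member, two executable-looking ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless text")
        # double extension, the classic mail-attachment trick; caught by extension
        zf.writestr("invoice.pdf.exe", MZ_MAGIC + b"\x90" * 64)
        # renamed executable; caught only by the MZ magic
        zf.writestr("setup.dat", MZ_MAGIC + b"\x00" * 32)
        zf.writestr("notes/report.docx", b"PK\x03\x04 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("executables:", find_executables(sample))
    print("risky:", is_risky_archive(sample))
```

The small-file case from the thread (no progress page because the whole ZIP arrives in one response) is exactly where this kind of content check has to run in the response cycle, since the member list is only known once the archive has been received.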
1 Solution

Accepted Solutions
timode
Level 9

Re: Coaching for potentially malicious files

Finally I have what I wanted to have. I did not use coaching at all. There is only one problem. A downloaded file must be downloaded again after the warning is accepted, if not cached.

So far I did this (sorry had to anonymize a bit):

rule.png

The Block Page contains a text field in which "OK" has to be typed and a Submit-Button to xxx.mwg.local.

I know, this is very special. But maybe the answer helps someone.

Cheers

Timo

10 Replies
mbagheryan
Level 12

Re: Coaching for potentially malicious files

can you send me the rule?

0 Kudos
timode
Level 9

Re: Coaching for potentially malicious files

You will find the basic rule in the library within web gateway. When I have a solution for the problem I will build a general rule and upload it to the ubb.

0 Kudos
mbagheryan
Level 12

Re: Coaching for potentially malicious files

Are you using MCP (Client Proxy) ?

0 Kudos
timode
Level 9

Re: Coaching for potentially malicious files

No.

Only a central proxy (Web Gateway) in Proxy-Mode.

0 Kudos
mbagheryan
Level 12

Re: Coaching for potentially malicious files

It is a little strange to me and I suggest you open a service request with McAfee Gold support.

0 Kudos
asabban
Level 17

Re: Coaching for potentially malicious files

Hello,

I am not sure if this is something support is able to help with, as there is nothing wrong; this is a matter of how coaching is supposed to work.

Usually for coaching we are in request cycle and what happens is:

- Request a URL

- Show coaching page

- Accept coaching, redirect to previous URL

- Request the URL again

- Show content

One issue is that you have completely turned off the coaching rules for the "request cycle" and I think unlocking a coaching session is only possible in request cycle. The second issue is that MWG points back to the progress page URL instead of the originally requested URL. Even if you manage to point the redirect back to the originally requested URL the problem is that MWG will download the archive two times, which is not a clean solution as it may fail for larger downloads and is inconvenient.

What you want to do is get the (temporary) URL where you can access the file from MWG directly, as it is stored locally for a while after progress pages completed. Theoretically it should be possible to extract the required information and pass it along to the error templates, but it is not trivial.

What I wonder about is the user experience that you are trying to achieve.

You described the use case as follows:

- User requests file

- MWG downloads the file using progress pages

- A message appears the user has to "agree"

- File is downloaded

MWG's default behaviour using the progress pages is similar:

- User requests file

- MWG downloads the file using progress pages

- A message says "download finished, click here to download"

- File is downloaded

Maybe it is much easier to extend the progress page to add some sort of disclaimer about potentially infected files. Maybe we could change the content of the "Download Finished" page based on whether the archive is potentially dangerous or not?

Best,

Andre

0 Kudos
mbagheryan
Level 12

Re: Re: Coaching for potentially malicious files

Dear Andre,

I agree with what you are offering. Actually I am a little confused after mentioning the file size. I am totally self educated and maybe I missed some article.

BTW, would you please give me an article which covers what you mentioned in your post, especially the part below:

Even if you manage to point the redirect back to the originally requested URL the problem is that MWG will download the archive two times, which is not a clean solution as it may fail for larger downloads and is inconvenient.

Thanks

M. Bagheryan

0 Kudos
timode
Level 9

Re: Re: Coaching for potentially malicious files

Hello Andre,

Thank you for your support. I already tried to get the internal download URL from the download page. But I had no luck so far. Maybe I will investigate this a bit more.

Good idea to extend the progress page. But there is one problem. For small files there will be no progress page. I would like to have the additional warning page for potentially malicious files. Most of them are linked within an email and contain a very small zip file with an exe file inside. For those there normally is no progress page because of the small file size. (I can not show the progress page depending on the file content, because without downloading the file there is no file content.) What I did so far is to disable the progress page for files smaller than a few megabytes (using the content length header). But you never know, maybe in the future there is someone using a big file with a virus. Those people are very imaginative.

I'm also going to try to rebuild the function by using PDStorage instead of coaching. Coaching seems to overwrite the redirect URL no matter what I set "Redirect.URL" to. I will keep you updated.

cheers

Timo

0 Kudos
timode
Level 9

Re: Re: Coaching for potentially malicious files


I can't find a way to receive the download ID. The ID seems to be a special function only available within the progress bar HTML template. Does anyone have an idea how to store the download ID within a variable?

0 Kudos