Miscategorization and AV false positives are a pain. This product is more of a pain than that of your competitors. So if you'll excuse a constructive and well-meaning rant aimed to improve your product and customers' lives...
1) URL Categorization
For one, I have to authenticate to gripe about a URL categorization, and the user interface flow of that page https://www.trustedsource.org/en/feedback/url?action=checksingle&p=mcafee is pretty lame. If I pop quickly onto the page to see the categorization of the URL, I can do so without auth (hooray), but if I want to dispute or refine that classification to trigger a review with the priority appropriate to being a paying customer, now I have to auth, and I lose the data I already entered for that URL. It's a few seconds, but I have to do this sort of thing way more than I want to. I'd love a URL I can bookmark that preselects that I'm MWG resident, and lets me slap in a URL, and dispute a classification just by entering a minimum amount of info. Bluecoat doesn't make customers auth for this. They also seem to get back to ya a little quicker as well. http://sitereview.bluecoat.com/index.jsp
2) Next, heuristic gateway anti-malware detections...a bit of a bane of my existence. Oh my god are these false positive prone. I need ways to quickly report these, and I haven't yet figured out how most surgically to whitelist certain flavors of detection or turn them off without ditching Heuristics entirely (I'm welcome to others' advice here).
Returning to the reporting of potential false positives though... your URL categorization people won't deal with these requests. They say, report to Avert. Now here's what's great--if you want to report a false positive heuristic gateway anti-malware detect to Avert, you know what they require? A sample. A file sample. Zipped and encrypted with the password "infected." Guess what I can't do if I'm behind a mcafee web gateway that's got a false positive heuristic detection on a URL I am pretty darned sure is clean? That's right... I can't exactly get the file sample downloaded because the freaking gateway has blocked it as a heuristic malware detection. *face palm* So... how bout someone asking the Avert gateway antimalware folks to accept a URL as valid input to their submission process? Please? Pretty please? Save me the fun of using curl and a competitor's proxy that doesn't have a false positive to gather a sample in a cygwin window then jumping to a DOS window to run infozip with a -e and then going to an email client and attaching the file to email and hoping my DLP enabled email gateway might let me send that out to you even though DLP won't be able to inspect the encrypted zip? And while we're at it, maybe have a way right in the email submission to automagically generate a support ticket or prioritize the issue if I provide my grant number, so I get higher priority than randoms submitting samples? And spare me this tremendously inefficient process of submit sample to Avert, wait for some sort of confirmation mail back that doesn't always come, then open a support ticket and ask support to escalate the Avert case?
Because, honestly, I have more than enough administration to do on your products as well as other vendors' than to pat my head, rub my tummy, and zip encrypt things when me emailing you a URL and a description of where it came from really outta be sufficient information for Avert to review a false on a heuristic detection.
Regis

Message was edited by: Regis on 8/22/12 11:32:09 PM CDT
Thanks for sharing your perception and experience on the sample submission process. Please contact me via PIM and include your personal contact details. I'll follow up with you on this topic.
Thanks for raising this,
Wow. Extremely impressed to find the product manager so quickly and enjoy a response. PM sent.
I've got to say we've struggled with the same issues as well. I never understood why there were two different processes to go through or why there were so many steps involved. With respect to the malware problem, we just stopped reporting them as it's way too painful a process.
Honestly, I think MWG should have a section in the GUI to select and report un-/mis-categorized URLs and malware false positives.
We love the product and the support team behind it, but streamlining some of the mundane and time-consuming processes would go a long way to improving customer satisfaction.
That would be awesome actually. Hell, ePO needs this too.
That way, authenticated in a licensed web gateway portal, the submission could happen very easily, over an encrypted channel, and be tied to a grant number, etc.
Being able to submit feature requests on McAfee products without a soul-crushingly broken FMR process that involves both a third-party site AND an ActiveX control from that relatively unknown third-party site would surely make customers more likely to submit them, but that's a rant for another day.
Just one comment on the virus samples, have y'all seen the ruleset I created for collecting samples? It makes things super easy (you still have to zip and compress them) but at least you don't have to worry about finding the sample yourself.
>> what I can't do if I'm behind a mcafee web gateway that's got a false positive heuristic detection on a URL I am pretty darned sure is clean?
Please take a moment to read the steps to submit a GW False as described in https://kc.mcafee.com/corporate/index?page=content&id=KB62662
For all MWG versions, use the following steps to collect a sample:
>> how bout someone asking the Avert gateway antimalware folks to accept a URL as valid input to their submission process?
We currently support URL submissions via email. If a user were to submit the URL of the falsely detected file to McAfee, a human researcher will attempt to download the file (provided it is still available on the site). One can submit the URL in question via email to Virus_research_gateway@avertlabs.com. I've requested the Labs team to update KB62662 to state this.
Thanks Vinoo. Knowing that this email address exists and accepts URLs is a good thing, and having the KB updated to reflect that is also a good thing.
Is there a supported method of creating non-root users on the web gateway? My commitment to defense in depth keeps me rather hesitant to handle potentially malicious samples as root on a web gateway appliance. (Imagine the lulz for attackers if an apparent false positive turned around and exercised some potential 0day in zip or wget.)
Is there a way to pull samples out of the web gateway cache? One of my remaining false positive PITAs is for video streams. I'm not sure exactly which video platform provider is involved; among the very likely falses I'm seeing are stream URLs that you can't really go back and grab samples out of, as the links expire. For example:
Any way to fish these out of a cache to submit for "potential false" analysis?
As Jon mentioned, the Body.file(filename) method that allows you to capture samples on the gateway is a useful method.
In conjunction with that, I also usually put a ruleset surrounding just a special set of Antimalware rules that will listen on a special proxy port (7890, for example) and are restricted to a workstation's IP address.
You can also set up a separate VMware that your test workstation can go to, so it doesn't interfere with your production, if you want.
And finally, I always use FileInsight to actually get the request.
Here's what I mean.
I turn on a listening proxy on port 7890 and have a set of rules near the top of the policy:
|Anti-Malware: AVOnly (Port 7890)|
[This is a convenient way to use only the Antimalware engine and no other filtering. Used primarily in the lab for security teams to analyze a web site or file. Set up a listening proxy port on 7890 and point your browser to it. Warning: This opens up the proxy for all unauthenticated traffic with no category blocks. So restrict it down by the Client IP in the Antimalware: Quarantine IPRange list]
Applies to Requests: True / Responses: True / Embedded Objects: True
1: Proxy.Port equals 7890
2: AND Client.IP is in range list Anti-Malware: Quarantine IPRange
Then, from that special workstation, I use FileInsight to go to the URL. It will not render the results and exploit anything if the actual malware gets through.
If it's blocked, all you see is the HTML of the block page:
If something gets through, you see the code that you can save and submit:
For blocked files, they now reside in Quarantine that you can download:
So now I can get samples from a quarantine or directly from an isolated workstation without getting accidentally infected. And I didn't have to log on to a shell once or use wget or curl.
FileInsight can be found at:
Message was edited by: eelsasser on 9/10/12 10:29:57 PM EDT. Added rules to the message on 9/10/12 10:31:00 PM EDT.
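The point of eelsasser's AVOnly rule set is that the unauthenticated, category-free port is only safe because of the Client.IP gate. The following is an added example (not MWG's rule engine or log format) that models the two rule criteria and audits constructed access-log lines for clients that reached port 7890 from outside the range list; the port number, the lab range 10.10.50.0/29 and the log line shape are assumptions.

```python
import ipaddress
import re

# Added example, not MWG code: models the two criteria of the
# "Anti-Malware: AVOnly (Port 7890)" rule set from the post above.
AV_ONLY_PORT = 7890
# Assumed lab range standing in for the "Anti-Malware: Quarantine IPRange" list.
QUARANTINE_IPRANGE = [ipaddress.ip_network("10.10.50.0/29")]


def av_only_rule_matches(proxy_port: int, client_ip: str) -> bool:
    """True only when BOTH criteria hold: Proxy.Port equals 7890 AND
    Client.IP is in the quarantine range list. Anything else must fall
    through to the normal policy (categorization, authentication, AV)."""
    ip = ipaddress.ip_address(client_ip)
    return proxy_port == AV_ONLY_PORT and any(ip in net for net in QUARANTINE_IPRANGE)


# Constructed, simplified access-log shape (not MWG's real format):
# "<client_ip> <proxy_port> <method> <url>"
LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")

SAMPLE_LOG = [  # constructed sample lines
    "10.10.50.3 7890 GET http://example.invalid/sample.bin",
    "192.0.2.7 7890 GET http://example.invalid/sample.bin",
    "10.10.50.3 8080 GET http://example.invalid/",
    "garbage line that does not parse",
]


def audit_av_only_port(lines):
    """Split requests that hit the AV-only port into clients the rule set
    accepted and clients it rejected (outside the range list). A non-empty
    'rejected' list is worth an alert: a host outside the lab found the
    unauthenticated, category-free port, even though the IP gate held."""
    accepted, rejected = [], []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or int(m["port"]) != AV_ONLY_PORT:
            continue
        bucket = accepted if av_only_rule_matches(int(m["port"]), m["ip"]) else rejected
        bucket.append(m["ip"])
    return accepted, rejected


if __name__ == "__main__":
    print(audit_av_only_port(SAMPLE_LOG))  # (['10.10.50.3'], ['192.0.2.7'])
```

Requests on other ports are ignored on purpose: they never reach the AVOnly rule set and are handled by the full policy.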