Regis
Level 12

Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

Miscategorization and AV false positives are a pain. This product is more of a pain than that of your competitors. So if you'll excuse a constructive and well-meaning rant aimed at improving your product and customers' lives....

1) URL Categorization

For one, I have to authenticate to gripe about a URL categorization, and the user interface flow of that page https://www.trustedsource.org/en/feedback/url?action=checksingle&p=mcafee is pretty lame. If I pop quickly onto the page to see the categorization of the URL, I can do so without auth (hooray), but if I want to dispute or refine that classification to trigger a review with the priority appropriate to being a paying customer, now I have to auth, and I lose the data I already entered for that URL. It's a few seconds, but I have to do this sort of thing way more than I want to. I'd love a URL I can bookmark that preselects that I'm an MWG resident, lets me slap in a URL, and lets me dispute a classification just by entering a minimum amount of info. Bluecoat doesn't make customers auth for this. They also seem to get back to ya a little quicker as well. http://sitereview.bluecoat.com/index.jsp

2) Next, heuristic gateway anti-malware detections... a bit of a bane of my existence. Oh my god are these false positive prone. I need ways to quickly report these, and I haven't yet figured out how most surgically to whitelist certain flavors of detection or turn them off without ditching Heuristics entirely (I welcome others' advice here).

Returning to the reporting of potential false positives though... your URL categorization people won't deal with these requests. They say, report to Avert. Now here's what's great: if you want to report a false positive heuristic gateway anti-malware detect to Avert, you know what they require? A sample. A file sample. Zipped and encrypted with the password "infected." Guess what I can't do if I'm behind a McAfee web gateway that's got a false positive heuristic detection on a URL I am pretty darned sure is clean? That's right... I can't exactly get the file sample downloaded because the freaking gateway has blocked it as a heuristic malware detection. *face palm* So... how about someone asking the Avert gateway antimalware folks to accept a URL as valid input to their submission process? Please? Pretty please? Save me the fun of using curl and a competitor's proxy that doesn't have a false positive to gather a sample in a cygwin window, then jumping to a DOS window to run infozip with a -e, and then going to an email client and attaching the file to an email and hoping my DLP-enabled email gateway might let me send that out to you even though DLP won't be able to inspect the encrypted zip? And while we're at it, maybe have a way right in the email submission to automagically generate a support ticket or prioritize the issue if I provide my grant number, so I get higher priority than randoms submitting samples? And spare me this tremendously inefficient process of submit sample to Avert, wait for some sort of confirmation mail back that doesn't always come, then open a support ticket and ask support to escalate the Avert case?

Because, honestly, I have more than enough administration to do on your products as well as other vendors' than to pat my head, rub my tummy, and zip-encrypt things when me emailing you a URL and a description of where it came from really ought to be sufficient information for Avert to review a false on a heuristic detection.

Sincerely,

Regis.

Message was edited by: Regis on 8/22/12 11:32:09 PM CDT
9 Replies
McAfee Employee

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

Regis,

thanks for sharing your perception and experience on the sample submission process. Please contact me via PIM and include your personal contact details. I'll follow up with you on this topic.

thanks for raising this,

Michael

Regis
Level 12

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

Wow. Extremely impressed to find the product manager so quickly and enjoy a response.  PM sent.   

jspanitz
Level 7

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

I've got to say we've struggled with the same issues as well. I never understood why there were two different processes to go through or why there were so many steps involved. With respect to the malware problem, we just stopped reporting them as it's way too painful a process.

Honestly, I think MWG should have a section in the GUI to select and report un-/mis-categorized URLs and malware false positives.

We love the product and the support team behind it, but streamlining some of the mundane and time consuming process would go a long way to improving customer satisfaction.

Regis
Level 12

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

That would be awesome actually.   Hell, ePO needs this too. 

That way, authenticated in a licensed web gateway portal, the submission could happen very easily, over an encrypted channel, and be tied to a grant number, etc.

Being able to submit feature requests on mcafee products without a soul crushingly broken FMR process that involves both a third party site AND an activeX control from that relatively unknown third party site  would surely make customers more likely to submit them, but that's a rant for another day. 

McAfee Employee

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

Hey Y'all,

Just one comment on the virus samples: have y'all seen the ruleset I created for collecting samples? It makes things super easy (you still have to zip and compress them), but at least you don't have to worry about finding the sample yourself.

You can find it in the ruleset library here:
Hope this helps,
Jon
vinoo
Level 13

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

>> what I can't do if I'm behind a mcafee web gateway that's got a false positive heuristic detection on a URL I am pretty darned sure is clean?

Please take a moment to read the steps to submit a GW False as described in https://kc.mcafee.com/corporate/index?page=content&id=KB62662

For all MWG versions, use the following steps to collect a sample:

  1. Connect to your Web Gateway appliance via SSH as root.
  2. From the command line, use the wget command to download the file or URL sample. You can obtain the file or URL address on the McAfee Web Gateway virus detection block page. If a file name is not specified on the block page, download a sample using the detected URL.
     Example wget command:
     • File: wget www.domain.com/infected.aspx
     • URL: wget www.domain.com
  3. Use the zip command to place the sample in a compressed and encrypted ZIP file, using the word "infected" (lowercase, without quotes) as the encryption password.
     Example zip command:
     • File: zip -e sample.zip infected.aspx
     • URL: zip -e sample.zip index.html
  4. Transfer the file off the appliance using SCP or FTP.


>> how bout someone asking the Avert gateway antimalware folks to accept a URL as valid input to their submission process?

We currently support URL submissions via email. If a user were to submit the URL of the falsely detected file to McAfee, a human researcher will attempt to download the file (provided it is still available on the site). One can submit the URL in question via email to Virus_research_gateway@avertlabs.com. I've requested the Labs team to update KB62662 to state this.

Best,

Vinoo

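The KB steps above end with `zip -e`, which prompts for the password interactively, and the original post describes the same zip-and-email step done by hand. As an added example (not from the KB, from McAfee, or from any poster in this thread), the following Python builds the same kind of archive, a one-entry ZIP protected with the traditional PKWARE "ZipCrypto" scheme that `zip -e` and `unzip` implement, using only the standard library, so a captured sample can be packaged on any workstation with Python and no `zip` binary. The file name and body are constructed stand-ins for a blocked download; the read-back uses `zipfile` to confirm the archive opens with the password "infected" and fails with another one. ZipCrypto is not a confidentiality mechanism (the cipher is weak by modern standards); its only job here is to keep mail gateways and desktop AV from acting on the sample in transit.

```python
"""Package a captured sample as an "infected"-password ZIP (traditional PKWARE
ZipCrypto, the scheme `zip -e` uses) with only the Python standard library.
Added example; not part of the McAfee KB or of this thread. SAMPLE_* below
are constructed stand-ins for a blocked download."""
import io
import os
import struct
import zipfile
import zlib

PASSWORD = b"infected"  # the password the Avert submission process asks for

# CRC-32 table used by the ZipCrypto key schedule (same polynomial as zlib.crc32).
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_step(crc, byte):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCryptoEncryptor:
    """Stateful keystream: three 32-bit keys that evolve with every plaintext byte."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_step(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, data, password=PASSWORD):
    """Return the bytes of a one-entry ZIP, stored (no compression), ZipCrypto-encrypted."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte. That last
    # byte is the check byte unzip/zipfile use to reject a wrong password early.
    header = os.urandom(11) + bytes([crc >> 24])
    payload = ZipCryptoEncryptor(password).encrypt(header + data)
    flags, method = 0x0001, 0        # bit 0 = encrypted entry; method 0 = stored
    dos_time, dos_date = 0, 0x0021   # 1980-01-01 00:00:00, fixed for reproducibility
    fname = name.encode("utf-8")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                        dos_date, crc, len(payload), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(payload), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(payload), 0)
    return local + payload + central + eocd


def read_back(zip_bytes, password=PASSWORD):
    """Open the archive with the standard library, as a researcher's tooling would."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.infolist()[0]
        return {"name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),
                "data": zf.read(info, pwd=password)}


def password_rejected(zip_bytes, wrong_password):
    """True if opening with the wrong password fails (check byte or CRC mismatch)."""
    try:
        read_back(zip_bytes, wrong_password)
    except (RuntimeError, zipfile.BadZipFile):
        return True
    return False


# Constructed stand-in for a blocked download; in practice this is the captured body.
SAMPLE_NAME = "infected.aspx"
SAMPLE_DATA = b'<%@ Page Language="C#" %>\r\n<!-- constructed sample body -->\r\n' * 40
ARCHIVE = build_encrypted_zip(SAMPLE_NAME, SAMPLE_DATA)

if __name__ == "__main__":
    with open("sample.zip", "wb") as fh:
        fh.write(ARCHIVE)
    print(read_back(ARCHIVE)["name"], "ok; wrong password rejected:",
          password_rejected(ARCHIVE, b"wrong"))
```

When Info-ZIP is available, `zip -P infected sample.zip infected.aspx` is the non-interactive equivalent of the KB's `zip -e`; the archive above is the same format and opens with either `unzip` or the `zipfile` read-back shown.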
Regis
Level 12

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

Thanks Vinoo.   Knowing that this email address exists and accepts URL's is a good thing, and having the KB updated to reflect that is also a good thing.

Is there a supported method of creating non-root users on the web gateway? My commitment to defense in depth keeps me rather hesitant to handle potentially malicious samples as root on a web gateway appliance. (Imagine the lulz for attackers if an apparent false positive turned around and exercised some potential 0day in zip or wget.)

Is there a way to pull samples out of web gateway cache?   One of my remaining false positive PITA are for video streams.   I'm not sure exactly which video platform provider is involved, among the very likely falses I'm seeing are  from stream URL's that you can't really go back and grab samples out of as the links expire.   For example:

"McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.EBL" "http://50.97.96.166/-25764/796926759/read/232"

"McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.EIL" "http://4.27.250.141:443/send/STDmVWkoMU1u9LY0/2"

"McAfeeGW:Heuristic.BehavesLike.Exploit.CodeExec.EBB" "http://216.156.242.125:443/send/GzYmdz02wSLOag1P/1"

Any way to fish these out of a cache to submit for "potential false" analysis?  


shellprompt
Level 7

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

7.2 does have a feature to store samples. See KB62662.

eelsasser
Level 15

Re: Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]

As Jon mentioned, the Body.file(filename) method that allows you to capture samples on the gateway is a useful method.

In conjunction with that, I also usually put a ruleset  surrounding just a special set of Antimalware rules that will listen on a special proxy port (7890, for example) and are restricted to a workstation's IP address.

You can also set up a separate VMware instance that your test workstation can go to, so it doesn't interfere with your production, if you want.

And finally, I always use FileInsight to actually get the request.

Here's what I mean.

I turn on a listening proxy on port 7890 and have a set of rules near the top of the policy:

Rule Set: Anti-Malware: AVOnly (Port 7890)
  Comment: This is a convenient way to use only the Antimalware engine and no other filtering. Used primarily in the lab for security teams to analyze a web site or file. Set up a listening proxy port on 7890 and point your browser to it. Warning: This opens up the proxy for all unauthenticated traffic with no category blocks. So restrict it down by the Client IP in the Anti-Malware: Quarantine IPRange list.
  Enabled: yes
  Applies to: Requests: True / Responses: True / Embedded Objects: True
  Criteria:
    1: Proxy.Port equals 7890
    2: AND Client.IP is in range list Anti-Malware: Quarantine IPRange

  Rules (Enabled / Rule / Action / Events / Comments):

  [Enabled] Enable Composite Opener
    Criteria: Always
    Action:   Continue
    Events:   Composite Opener<Default>

  [Enabled] Streaming: Bypass Detected Stream
    Criteria: 1: Cycle.Name equals "Response"
              2: AND StreamDetector.IsMediaStream<Default Streaming Detection> equals true
    Action:   Stop Cycle

  [Enabled] Anti-Malware: Quarantine IPRange
    Criteria: 1: Antimalware.Infected<Anti-Malware: Quarantine Setting> equals true
    Action:   Block<Virus Found>
    Events:
      Statistics.Counter.Increment("BlockedByAntiMalware",1)<Default>
      Set User-Defined.Quarantine.FileName = String.ReplaceIfEquals(Body.FullFileName,"",URL.FileName)
      Set User-Defined.Quarantine.FileName =
           "QUARANTINE." +
           URL.Host +
           "." +
           User-Defined.Quarantine.FileName +
           ".(" +
           List.OfString.ToString(Antimalware.VirusNames<Anti-Malware: Quarantine Setting>) +
           ")." +
           Number.ToString(DateTime.ToNumber)
      Set User-Defined.Quarantine.FileName = String.ReplaceAll(User-Defined.Quarantine.FileName,"NamelessFile|","")
      Set User-Defined.Quarantine.FileName = String.ReplaceAll(User-Defined.Quarantine.FileName,"McAfeeGW: ","")
      Set User-Defined.Quarantine.FileName = String.ReplaceAll(User-Defined.Quarantine.FileName,"Avira: ","")
      Set User-Defined.Quarantine.FileName = String.ReplaceAllMatches(User-Defined.Quarantine.FileName,regex([\/?:*""><|]),"#")
      Body.ToFile(User-Defined.Quarantine.FileName)
    Comment: Should only be used by the Security Team for research. Put the IP address of the dedicated workstation into the IP Range list. All detected malware will be written to /opt/mwg/log/debug/BodyFilterDumps/*

  [Enabled] Anti-Malware: Scan Completed
    Criteria: Always
    Action:   Continue
    Events:
      Set User-Defined.Body.Modified = Body.Modified
      Set User-Defined.Antimalware.Scanned = true
    Comment: Validate that Antimalware scanning occurred for logs. If it gets to here, it passed the Antimalware rules and is clean. Body.Modified indicates if a page was cleaned of mobile code.

  [Enabled] Stop Cycle
    Criteria: Always
    Action:   Stop Cycle


Then, from that special workstation, I use FileInsight to go to the URL. It will not render the results and exploit anything if the actual malware gets through.

If it's blocked, all you see is the HTML of the block page:

Capture.jpg

If something gets through, you see the code that you can save and submit:

Capture2.jpg

For blocked files, they now reside in Quarantine that you can download:

Capture3.jpg

So now I can get samples from a quarantine or directly from an isolated workstation without getting accidentally infected. And I didn't have to log on to a shell once or use wget or curl.

FileInsight can be found at:

http://www.webwasher.de/download/fileinsight/

Message was edited by: eelsasser on 9/10/12 10:29:57 PM EDT

Added rules to the message on 9/10/12 10:31:00 PM EDT
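The quarantine rule above derives the dump file name from attacker-influenced data (URL.Host, Body.FullFileName from the response, URL.FileName), then strips engine prefixes and replaces path and shell metacharacters with "#" before Body.ToFile writes under /opt/mwg/log/debug/BodyFilterDumps/. As an added example (not MWG's engine and not code from the poster), the following Python re-implements just that string logic so the resulting names can be previewed offline and the sanitisation checked against a traversal-style file name. Two details are assumptions because the thread does not state them: List.OfString.ToString is taken to join names with ", ", and DateTime.ToNumber is taken to be epoch seconds; URL.FileName is taken to be the last path segment of the URL.

```python
"""Offline re-implementation of the quarantine file-name logic from the rule set
above. Added example, not MWG code. Assumed (not stated in the thread):
List.OfString.ToString joins with ", ", DateTime.ToNumber is epoch seconds,
URL.FileName is the last path segment."""
import re
from urllib.parse import urlsplit

# Same character class as the rule's regex([\/?:*""><|]); "" is MWG's escaped quote.
_UNSAFE = re.compile(r'[\\/?:*"><|]')

# Prefixes the rule strips, in the order the rule applies them.
_STRIP = ("NamelessFile|", "McAfeeGW: ", "Avira: ")


def url_filename(url):
    """Approximation of URL.FileName: last path segment, '' for a bare host URL."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def quarantine_filename(url_host, body_full_filename, url_filename_value,
                        virus_names, epoch_seconds):
    # String.ReplaceIfEquals(Body.FullFileName, "", URL.FileName)
    name = url_filename_value if body_full_filename == "" else body_full_filename
    name = ("QUARANTINE." + url_host + "." + name + ".("
            + ", ".join(virus_names) + ")." + str(epoch_seconds))
    for needle in _STRIP:
        name = name.replace(needle, "")
    # String.ReplaceAllMatches(..., regex([\/?:*""><|]), "#"): no separator survives,
    # so the dump cannot escape the BodyFilterDumps directory.
    return _UNSAFE.sub("#", name)


# Constructed inputs modelled on the detections quoted earlier in the thread.
EXAMPLES = [
    ("50.97.96.166", "", url_filename("http://50.97.96.166/-25764/796926759/read/232"),
     ["McAfeeGW: Heuristic.BehavesLike.Exploit.CodeExec.EBL"], 1346112729),
    ("evil.example", "../../etc/cron.d/x", "x",
     ["McAfeeGW: Foo", "Avira: Bar"], 1),
]

if __name__ == "__main__":
    for args in EXAMPLES:
        print(quarantine_filename(*args))
```

The second constructed input shows the property that matters: a Content-Disposition style name of `../../etc/cron.d/x` comes out as `..#..#etc#cron.d#x`, a plain file inside the dump directory, which is why the regex step belongs after the concatenation and not only on one component.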