
Filtering (multiple) ActiveX object instantiations embedded in HTML javascript and included .js files

Hi,

I'm evaluating migrating to MWG 7 - and am trying to remove all references to ActiveX objects in JavaScript - whether within HTML embedded JavaScript, or .js files that are included into an HTML page (as MWG v6 has done for me previously).

I have the "HTML Filtering" library ruleset in my demo policy - and also its sibling ruleset "Script Filtering" - with the ActiveX Filter sub-rulesets enabled under each.

Both are in the root of the policy (i.e. I don't have Script Filtering under the HTML Filtering ruleset - but alongside at the same level). This feels instinctively right - and seems to work - but just letting you know in case wrong.

The rulesets are clearly doing some work - and removing the first ActiveX references they see - but unfortunately only the first references in any object being parsed.

Here's an example from a .js script:

...pre-MWG

function() {return new XMLHttpRequest()},

function() {return new ActiveXObject('Msxml2.XMLHTTP')},

function() {return new ActiveXObject('Microsoft.XMLHTTP')}

...

->

...post-MWG

function() {return new XMLHttpRequest()},

function() {return nothing},

function() {return new ActiveXObject('Microsoft.XMLHTTP')}

...

You can see one object instantiation has been replaced with the string "nothing" - but the second (and I guess all others) get through unscathed (experimentation shows this is the case for both the HTML Filtering ActiveX rules and the Script Filtering ActiveX rules - common problem).

It feels like I'm missing some form of iteration to replace all matching objects.

I'm pretty sure that the product is capable of replacing all matching references (as I've read lots of forum entries here talking of replacing things with gifs, where there are likely multiple things per page - as implied by the Ad replacement rulesets - someone would have noticed if only one advert per page was being replaced - when often there are three or four!).

Only problem is I can't see what I am missing which should be causing the ruleset iteration over multiple matches within an object - and the ActiveX rulesets themselves look phrased to be only concerned with one match at a time.

Q1: Can you confirm rulesets normally can replace multiple instances of the things they match on? i.e. that I'm not totally mad!

Q2: Is it the Openers that cause the iteration of subsequent rulesets? Any ideas what I might have misconfigured? [+ which opener works on included .js files?]

Many thanks in advance for any pointers you can give - been tearing my hair out for a day! James
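Added example, not part of the original post and not MWG's own rule logic: a sketch that reproduces the first-match-only output described above next to a replace-all pass, plus a check that lists any ActiveX ProgIDs still instantiated in filtered responses. Matching with a regular expression, the HTML page and the resource names `page.html` and `lib.js` are assumptions made for this illustration.

```javascript
// Added illustration, not MWG rule logic. Matching with a regular expression is
// an assumption of this sketch; it only sees literal `new ActiveXObject('...')` calls.
const ACTIVEX_NEW = /new\s+ActiveXObject\s*\(\s*(['"])([^'"]*)\1\s*\)/;

// First-match replacement: reproduces the output shown in the post.
function stripFirst(body) {
  return body.replace(ACTIVEX_NEW, 'nothing');
}

// Global replacement: every instantiation in the body is rewritten.
function stripAll(body) {
  return body.replace(new RegExp(ACTIVEX_NEW.source, 'g'), 'nothing');
}

// ProgIDs still instantiated in a filtered body (empty array means clean).
function residualActiveX(body) {
  return Array.from(body.matchAll(new RegExp(ACTIVEX_NEW.source, 'g')), m => m[2]);
}

// Audit a set of filtered responses (HTML with inline script, or included .js)
// and return only the resources that still contain instantiations.
function auditResponses(responses) {
  const findings = {};
  for (const [name, body] of Object.entries(responses)) {
    const left = residualActiveX(body);
    if (left.length > 0) findings[name] = left;
  }
  return findings;
}

// The .js fragment is the pre-MWG snippet from the post; the HTML page and both
// resource names are constructed for this example.
const jsBody = [
  "function() {return new XMLHttpRequest()},",
  "function() {return new ActiveXObject('Msxml2.XMLHTTP')},",
  "function() {return new ActiveXObject('Microsoft.XMLHTTP')}",
].join('\n');
const htmlBody = '<script>var x = new ActiveXObject("Msxml2.XMLHTTP");</script>';

console.log(auditResponses({ 'page.html': stripFirst(htmlBody), 'lib.js': stripFirst(jsBody) }));
console.log(auditResponses({ 'page.html': stripAll(htmlBody), 'lib.js': stripAll(jsBody) }));
```

Running the same audit over bodies captured after the proxy shows whether a ruleset change actually removed every instantiation or only the first one per object.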

3 Replies
McAfee Employee MSchneider
Message 2 of 4

Re: Filtering (multiple) ActiveX object instantiations embedded in HTML javascript and included .js files

We are working on a rule set template to make this work.

Will post here once finalized.

thanks,

Michael

Michael Schneider
Lead Product Manager for Web Protection
(•‿•)
zlob
Level 7
Message 3 of 4

Re: Filtering (multiple) ActiveX object instantiations embedded in HTML javascript and included .js files

Any news?

Now 2017 September

McAfee Employee jscholte
Message 4 of 4

Re: Filtering (multiple) ActiveX object instantiations embedded in HTML javascript and included .js files

Hi zlob,

This ruleset ended up in the ruleset library under HTML/Script filtering.

Best Regards,

Jon
