OK, here is something I do not understand. You wrote you have better grey detection in GAM 2014.2,
so I expect the findings should be the same...
Will you please verify this link?
Using our productive proxy I receive: McAfeeGW: JS/Exploit-Blacole.lj
The new GAM does not find anything...
The file contains a link to http://79.96.228.215/!rodzinka/LZ6427Dm.php?id=13419783 and this is definitely a link you should not visit... 🙂
In the attachment you will find the file I received after visiting the link.
Regards
Frank
Hi Frank,
AFAICT, the jsp is sane so far, apart from the redirect to the malware.
The below is likely why you get no conviction now. Can you access the payload from your company?
Thanks,
Michael
Thanks for the info, Thorsten!
New Question:
The following link:
is detected as PUP by the current engine.
The new GAM detects nothing...
and VirusTotal... (without any comment)
AVG | Generic.834 | 20150209 |
AVware | Trojan.Win32.Generic!BT | 20150209 |
Ad-Aware | Application.Generic.1105675 | 20150209 |
Antiy-AVL | GrayWare[WebToolbar:not-a-virus]/Win32.Agent.avw | 20150209 |
Avast | Win32:Adware-BRM [PUP] | 20150209 |
Baidu-International | PUA.Win32.ClientConnect.A | 20150209 |
BitDefender | Application.Generic.1105675 | 20150209 |
DrWeb | Adware.Conduit.87 | 20150209 |
ESET-NOD32 | a variant of Win32/ClientConnect.A potentially unwanted | 20150209 |
F-Secure | Application.Generic.1105675 | 20150209 |
GData | Application.Generic.1105675 | 20150209 |
K7AntiVirus | Trojan ( 0049ef011 ) | 20150209 |
K7GW | Trojan ( 0049ef011 ) | 20150209 |
Kaspersky | not-a-virus:WebToolbar.Win32.Agent.avw | 20150209 |
Malwarebytes | PUP.Optional.ClientConnect | 20150209 |
MicroWorld-eScan | Application.Generic.1105675 | 20150209 |
NANO-Antivirus | Trojan.Win32.ClientConnect.deinfe | 20150209 |
Qihoo-360 | Win32/Virus.WebToolbar.8f1 | 20150209 |
TrendMicro-HouseCall | Suspici.83CCD372 | 20150209 |
VIPRE | Trojan.Win32.Generic!BT | 20150209 |
Zillya | Adware.Agent.Win32.40487 | 20150209 |
McAfee | 20150209 | |
McAfee-GW-Edition | 20150209 |
Hi Frank,
The transferred file contained a virus and was therefore blocked. URL:
http://dde.s.bdirectdownload-about.com/36/942/ct9425736/9dd24fe94ffb4209b1f6d39e34f9bb38/Downloads/P... |
So we catch that with Artemis.
But why did VirusTotal not detect the malware using the MWG engine?
Now I can see the site is rated as malicious... (it was unrated this morning). Also, the GAM now detects the object...
Is there a process where McAfee checks VirusTotal findings? 🙂
This is the case with all objects I've tested here. I tested a few untested findings a few minutes ago (also findings from yesterday), and there I have the same result: GAM did not find anything. VirusTotal has findings from 5-8 different virus engines.
OK, here is the next one...
http://dl2.vip0installer.com/download/Base/450233/candide/java.exe
Site is uncategorized by McAfee
Using VirusTotal:
BitDefender | Malware site |
Trustwave | Malicious site |
java.exe
is PUP using the current engine.
Nothing using the new GAM.
(
URL: http://dl2.vip0installer.com/download/Base/450233/candide/java.exe
Media Type: application/executable /
WebSite Reputation: Unverified (16)
WebSite Category:
Avira Version: Avira-Engine=8.3.28.16|Avira-VDF=7.11.209.128|Avira-Savapi=1.5.0.34
McAfee Version: AM-DAT=3516|AM-Engine=7001.1402.1890|MFE-DAT=7708|MFE-Engine=5700|Avira-Engine=8.3.28.16|Avira-VDF=7.11.209.128|Avira-Savapi=1.5.0.34
MGAM VersionAM-DAT=3516|AM-Engine=7001.1402.1890|MFE-DAT=7708|MFE-Engine=5700
)
Chrome browser said "Potential Malicious"
and VirusTotal:
AVG | Generic.742 | 20150211 |
AVware | InstallIQ Installer (fs) | 20150211 |
Antiy-AVL | RiskWare[Downloader:not-a-virus]/NSIS.Agent | 20150211 |
Avast | Win32:Adware-gen [Adw] | 20150211 |
Avira | APPL/InstallIQ.Gen4 | 20150211 |
Bkav | W32.HfsAdware.D906 | 20150210 |
Comodo | Application.Win32.InstallIQ.B | 20150211 |
DrWeb | Adware.Downware.9715 | 20150211 |
ESET-NOD32 | a variant of Win32/InstallIQ.A potentially unwanted | 20150211 |
Fortinet | Riskware/Agent | 20150211 |
GData | Win32.Application.InstallIQ.F | 20150211 |
K7AntiVirus | Unwanted-Program ( 0040f9a91 ) | 20150210 |
K7GW | Unwanted-Program ( 0040f9a91 ) | 20150211 |
Kaspersky | not-a-virus:Downloader.NSIS.Agent.ij | 20150211 |
Malwarebytes | PUP.Optional.SafeInstall.A | 20150211 |
McAfee | Artemis!63DFF2821B8E | 20150211 |
McAfee-GW-Edition | Artemis | 20150210 |
NANO-Antivirus | Riskware.Win32.Searcher.csnymk | 20150211 |
Panda | Generic Suspicious | 20150210 |
Qihoo-360 | HEUR/QVM41.1.Malware.Gen | 20150211 |
Sophos | InstallQ | 20150211 |
TrendMicro-HouseCall | Suspicious_GEN.F47V0209 | 20150211 |
VBA32 | suspected of Trojan.Downloader.gen.h | 20150210 |
VIPRE | InstallIQ Installer (fs) | 20150211 |
As you can see, McAfee also detects the file. But our proxy says: CLEAN!!!
URL:
http://dl2.vip0installer.com/download/Base/450233/candide/java.exe |
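A small helper for the two VirusTotal listings pasted above (the one after "and virustotal...." and the one after "and Virus Total"). It is an added example, not code from this thread or from McAfee: it parses the pasted "Engine | Detection | YYYYMMDD |" lines, handles the rows where an engine reported nothing and the date slid into the detection column (as in "McAfee | 20150209 | |"), and reports whether the engines you care about detected, reported nothing, or are missing from the listing. The sample lines are copied from the listing above; the engine names to watch are an assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

DATE_RE = re.compile(r"^\d{8}$")  # VirusTotal pastes dates as YYYYMMDD


@dataclass
class VtRow:
    engine: str
    detection: Optional[str]  # None when the engine reported nothing
    date: Optional[str]


def parse_vt_line(line: str) -> Optional[VtRow]:
    """Parse one pasted 'Engine | Detection | YYYYMMDD |' line.

    Rows for engines that returned no detection are pasted with the date
    shifted into the detection column ('McAfee | 20150209 | |'), so a
    date-shaped detection is treated as an empty result."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if not cells or not cells[0]:
        return None  # blank or malformed line
    engine, rest = cells[0], cells[1:]
    detection = rest[0] if len(rest) > 0 and rest[0] else None
    date = rest[1] if len(rest) > 1 and rest[1] else None
    if detection is not None and DATE_RE.match(detection):
        date, detection = detection, None
    return VtRow(engine, detection, date)


def summarize(lines: Iterable[str], watch=("McAfee", "McAfee-GW-Edition")) -> dict:
    """Count engines/detections and classify each watched engine."""
    rows = [r for r in (parse_vt_line(ln) for ln in lines) if r]
    status = {}
    for name in watch:  # 'watch' engine names are an assumption for this example
        row = next((r for r in rows if r.engine == name), None)
        if row is None:
            status[name] = "absent"
        else:
            status[name] = "detected" if row.detection else "no detection"
    return {"engines": len(rows), "detections": sum(1 for r in rows if r.detection), "watched": status}


# Sample rows copied from the first listing in this thread (constructed subset).
SAMPLE = """\
AVG | Generic.834 | 20150209 |
Kaspersky | not-a-virus:WebToolbar.Win32.Agent.avw | 20150209 |
Malwarebytes | PUP.Optional.ClientConnect | 20150209 |
McAfee | 20150209 | |
McAfee-GW-Edition | 20150209 |
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```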
I'll give you a call, Frank, to check some options.
According to your screenshot, there is detection by GAM on VT.
I'm on the latest and greatest 7.5.1 btw.
Hello,
All the detection issues here are Artemis (Cloud Lookup) related. With GAM v2014 the way the Artemis lookups are done has changed, and you need to import a rule to activate those lookups in MWG. The ruleset is in the Rule Library; you can find it under the Common Rules. The name is "Set URL Filter Internal Settings".
Fresh MWG 7.4 (and higher) installations have this ruleset by default. If you upgraded from an older MWG version, this ruleset might not exist and needs to be imported. This should be done even if you still use the v2013 GAM engine version, as it will enable the engine to use TrustedSource reputation and categorization information for the detection. The v2014 GAM engine also requires this rule for the file reputation; the v2013 did the file reputation in a different way.
Regards,
Dirk