haaris (Reliable Contributor), Message 1 of 9

How does the Antimalware rule work with HTTPS?

I am trying to use the Gateway Anti-Malware rule in Web Gateway. When I try to download a file containing malware through the standard HTTP protocol it blocks it, which is perfectly fine, but when I try to do the same thing through HTTPS it does not block it.

So for that I enabled the SSL Scanner rule, but I don't know how to use it for malware detection purposes.

I have attached a screenshot showing the file which I am trying to download for testing malware.

8 Replies
jscholte (McAfee Employee), Message 2 of 9

Re: How Antimalware rule work with https


In order for MWG to be able to scan HTTPS traffic the SSL scanner must be enabled. Do you have it fully enabled?

Best,

Jon

haaris (Reliable Contributor), Message 3 of 9

Re: How Antimalware rule work with https


Yes, I made it fully enabled and it works, but I want to know two things:

1) If I make it fully enabled, might other rules in this ruleset lead to some problem, i.e. blocking legitimate traffic?

2) How can I enable it only for my purpose as mentioned above, i.e. blocking SSL traffic only for the files containing malware?

Re: How Antimalware rule work with https


Enabling the SSL Scanner ruleset simply allows the Web Gateway to decrypt the SSL traffic going through it before passing it to the other common rules (including the Anti-Malware ruleset).

If you are using the default SSL scanner ruleset and it works properly, the HTTPS eicar files you are downloading will be blocked.

If it doesn't block the files, your SSL Scanner ruleset is not working properly.

Best would be to show us what your ruleset looks like.

haaris (Reliable Contributor), Message 5 of 9

Re: How Antimalware rule work with https


No, actually I think you didn't fully get my point.

I enabled the SSL Scanner ruleset and it is working fine with the Anti-Malware ruleset, but I just want to know which rules within the SSL ruleset I need to enable in order to use the Anti-Malware ruleset, and if I fully enable it, how will it affect the other rulesets?

philiprey (Accepted Solution)

Re: How Antimalware rule work with https


If my understanding is right, you would want to enable your SSL scanner for malware detection only and not for all traffic.

Enabling the SSL scanner will take care of your malware scanning of encrypted sites. But I guess you cannot do SSL scanning only for malware detection alone, as you would not know which secured sites or files are malware-infected.

The best way, I think, is to enable SSL scanning by category. For categories that you think will most likely be infected with malware/viruses, enable the SSL scanner. These could be web storage, software/hardware, shareware/freeware, internet services, all the categories under 'Risk', etc.

The only effect I could see from this is with regard to certificates, as the MWG would need to decrypt and re-encrypt the traffic when the SSL scanner is enabled. Either you could import a root CA to your MWG, or you can use a self-signed cert and deploy it to your clients.

Regards,

philiprey

haaris (Reliable Contributor), Message 7 of 9

Re: How Antimalware rule work with https


Yes, exactly.

Thanks for the update.

Re: How Antimalware rule work with https


Philiprey's method is one way to do it, but it leaves your endpoints a bit more at risk than if you take the "scan everything with some exceptions" approach.

There are a lot of categories outside of "web storage, software/hardware, shareware/freeware, internet svcs" that would expose your endpoints to malicious attacks.

The only categories I wouldn't want to scan for privacy concerns would be 'banking' and 'stock trading', but I guess this all depends on your employer's internet usage rules etc.

Re: How Antimalware rule work with https


I second malware-alerts' note. It is indeed a hole in your network, security-wise, if you leave some secured sites unscanned.

Since you would be enabling the SSL scanner anyway, you might as well apply it to everything except sites like banking.

What I was saying in my response above is more on a 'scan everything except' approach as well, exempting confidential sites like banking and health.

Regards,

philiprey
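To make the difference between philiprey's first "scan only these categories" approach and the "scan everything except" approach recommended in the last two replies concrete, here is an added Python model of the gateway pipeline; it is not code from the thread or from Web Gateway itself. It assumes a scanner that only knows the EICAR test signature, and the category names, hostnames and sample responses are constructed placeholders.

```python
from dataclasses import dataclass
# EICAR test string: a harmless file that anti-malware engines detect by convention.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

@dataclass
class Response:
    url: str
    category: str   # URL category the gateway assigned (constructed values)
    https: bool
    body: str       # what the gateway sees once the SSL scanner has decrypted it

def anti_malware_blocks(body: str) -> bool:
    """Stand-in for the Anti-Malware ruleset; here only the EICAR signature is known."""
    return EICAR in body

def gateway_decision(r: Response, mode: str, categories: set) -> tuple:
    """Return (decrypted, blocked) for one response.
    mode="only":   decrypt HTTPS only for the listed categories
    mode="except": decrypt all HTTPS except the listed categories
    Plain HTTP is always visible to the scanner, which is why the HTTP EICAR download was blocked.
    """
    if not r.https:
        decrypted = True
    elif mode == "only":
        decrypted = r.category in categories
    elif mode == "except":
        decrypted = r.category not in categories
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # The Anti-Malware ruleset can only act on content it can see.
    return decrypted, decrypted and anti_malware_blocks(r.body)

def missed_malware(responses, mode: str, categories: set) -> list:
    """URLs whose body is malicious but which the gateway let through under this policy."""
    return [r.url for r in responses
            if anti_malware_blocks(r.body) and not gateway_decision(r, mode, categories)[1]]

# Constructed sample traffic; hostnames and categories are placeholders.
SAMPLE = [
    Response("http://dl.example/eicar.com", "Shareware/Freeware", False, EICAR),
    Response("https://dl.example/eicar.com", "Shareware/Freeware", True, EICAR),
    Response("https://news.example/eicar.com", "News", True, EICAR),
    Response("https://bank.example/statement", "Banking", True, "balance: 42"),
]
SCAN_ONLY = {"Web Storage", "Software/Hardware", "Shareware/Freeware", "Internet Services"}
EXEMPT = {"Banking", "Stock Trading", "Health"}

if __name__ == "__main__":
    print("scan-only policy misses:", missed_malware(SAMPLE, "only", SCAN_ONLY))
    print("scan-except policy misses:", missed_malware(SAMPLE, "except", EXEMPT))
```

Under the scan-only policy the EICAR download from the unlisted "News" category is never decrypted, so the Anti-Malware ruleset never sees it; under the scan-except policy only the exempted banking response stays opaque, and nothing malicious gets through.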
