Hi,
can anyone tell me what the Gateway AntiMalware "Payload Heuristic" rule does that is available from the rule library? It does some sort of URL watermarking, but there is no further description.
Thanks
If an HTML page has an <a href="file.exe"> link to a .dll or .exe, the payload heuristics modify that page to the client and add a parameter to the link like <a href="file.exe?specialwatermarkparameter=uniquevalue">
If a user clicks the link manually, the MWG knows that a user clicked it and the GAM engine scans it normally.
If the request doesn't have the watermark, the GAM engine scans it more aggressively because the parameter wasn't included in the request.
This way, there is some indication that it was user-initiated vs. unsolicited download of an .exe or .dll, which could be an indication of a dropper.
Awesome, thank you. Now that rule removes those watermarks again after processing, I guess. Should I do that? I am just wondering because, as it seems, this rule is not required for enabling the payload heuristic option.
Thanks!
Hi again,
one question about that rule that removes the watermarks again. When enabling the option, I get a notification that I should place the removal rule at the very top of the rulebase. Is that really necessary? Couldn't I put it near the Antimalware rules (or inside the Antimalware ruleset)?
Thanks
eelsasser wrote:
If an HTML page has an <a href="file.exe"> link to a .dll or .exe, the payload heuristics modify that page to the client and add a parameter to the link like <a href="file.exe?specialwatermarkparameter=uniquevalue">
If a user clicks the link manually, the MWG knows that a user clicked it and the GAM engine scans it normally.
If the request doesn't have the watermark, the GAM engine scans it more aggressively because the parameter wasn't included in the request.
This way, there is some indication that it was user-initiated vs. unsolicited download of an .exe or .dll, which could be an indication of a dropper.
This seems like a pretty slick feature that I first heard about at FOCUS last week.
I'm intrigued by it, but I'm curious to hear from anyone using it... how much legit stuff does it break? It seems like something invasive enough to have a surprising amount of edge cases, especially with things like Java, perhaps multimedia, anything using wget legitimately, or the like. Curious what others' experience has been with this outside of a test lab.
Hi,
I am trying to enable this feature on MWG 7.3.2.10.
I checked the option in the antimalware settings and added the corresponding rule set.
How can I check that it is functioning?
I tried to browse to a site that has .exe links and viewed the source that came with this page, and no watermark parameter was visible.
Any suggestions?
Thanks
Hello,
the problem is that MWG does not watermark all links to executables, as it would probably cost too much in resources and impact performance. Instead, a combination of TrustedSource results along with specific rules in the AV engine enables or disables this behaviour.
Unfortunately I am not aware of a test web site which could be used to demonstrate the behaviour.
best,
Andre
Hello again,
I think I found a way to prove it's working!
Please go to:
http://www.csm-testcenter.org/test?do=show&subdo=antimalware&test=archives
You will notice that there are ".EXE" links. They point to:
http://www.csm-testcenter.org/download/archives/zip/eicar.exe
Once I enable payload heuristics they change to:
http://www.csm-testcenter.org/download/archives/zip/eicar.exe?_mfx=8EQ3b/YFeER/w0lkXgn/vA==
Now you can see the watermark.
Best,
Andre
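To make the mechanism described by eelsasser above concrete, and to show what the `_mfx` parameter in Andre's test links is doing, here is an added toy model of the two halves of the feature: a response-side rewriter that appends a watermark to links pointing at .exe/.dll files, and a request-side check that decides whether the download looks user-initiated (watermark present and valid) or unsolicited (no watermark, so scan aggressively) and strips the parameter before the request goes on. This is example code written for this thread, not McAfee Web Gateway code. The parameter name `_mfx` is taken from Andre's post; the HMAC-based token value, the `GATEWAY_SECRET`, the `example.com` page and every function name are assumptions of this example, as the real watermark value is opaque.

```python
"""Toy model of a gateway 'payload heuristic' link watermark (added example, not MWG code)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WATERMARK_PARAM = "_mfx"                      # parameter name observed in the thread
GATEWAY_SECRET = b"constructed-demo-secret"   # constructed; a real gateway keeps its own key
EXECUTABLE_EXTS = (".exe", ".dll")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

# Constructed sample page: two executable links (one with an existing query) and one plain link.
SAMPLE_PAGE = (
    '<p><a href="http://example.com/download/eicar.exe">eicar.exe</a>\n'
    '<a href="http://example.com/docs/readme.html">readme</a>\n'
    '<a href="http://example.com/lib/tool.DLL?v=2">tool.dll</a></p>'
)


def is_executable_link(url: str) -> bool:
    """True when the URL path ends in an extension the heuristic cares about."""
    return urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)


def watermark_token(url: str) -> str:
    """Token bound to host+path so a token copied onto another URL does not verify.
    (Assumption: the real MWG value format is undocumented.)"""
    parts = urlsplit(url)
    canonical = f"{parts.netloc}{parts.path}".encode()
    return hmac.new(GATEWAY_SECRET, canonical, hashlib.sha256).hexdigest()[:22]


def _rebuild(parts, query):
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def strip_watermark(url: str) -> str:
    """Request side: remove the gateway's parameter before forwarding to the origin."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != WATERMARK_PARAM]
    return _rebuild(parts, query)


def add_watermark(url: str) -> str:
    """Response side: append the watermark, replacing any stale copy already present."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != WATERMARK_PARAM]
    query.append((WATERMARK_PARAM, watermark_token(url)))
    return _rebuild(parts, query)


def watermark_page(html: str) -> str:
    """Rewrite only hrefs that point at executables; leave every other link untouched."""
    def repl(match):
        href = match.group(1)
        return f'href="{add_watermark(href)}"' if is_executable_link(href) else match.group(0)
    return HREF_RE.sub(repl, html)


def classify_request(url: str):
    """Return (scan_mode, clean_url): 'normal' for non-executables or a valid watermark,
    'aggressive' for an executable fetched without a valid watermark (possible dropper)."""
    parts = urlsplit(url)
    tokens = [v for k, v in parse_qsl(parts.query, keep_blank_values=True) if k == WATERMARK_PARAM]
    clean = strip_watermark(url)
    if not is_executable_link(url):
        return "normal", clean
    if tokens and hmac.compare_digest(tokens[-1], watermark_token(clean)):
        return "normal", clean
    return "aggressive", clean


if __name__ == "__main__":
    rewritten = watermark_page(SAMPLE_PAGE)
    print(rewritten)
    for link in HREF_RE.findall(rewritten):
        print(classify_request(link))
    print(classify_request("http://example.com/download/eicar.exe"))  # no watermark -> aggressive
```

The request-side half is why the thread's removal rule is recommended early in the rulebase: the parameter must be read and stripped before any later rule (or the origin server) sees a URL the real site never published, otherwise the gateway's own marker would leak into logs, caches and downstream checks.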
Yes, I can see it now.
Nice rebound!
Thanks and take care,
Shay