McAfee Support Community - Re: Payload Heuristic

cryptochrome · ‎09-26-2013

Hi,

can anyone tell me what the Gateway AntiMalware "Payload Heuristic" rule does that is available from the rule library? It does some sort of URL Watermarkig but there is no further description.

Thanks

eelsasser · ‎09-26-2013

If a HTML page has an <a href="file.exe"> link to a .dll or .exe, The payload heuristics modify that page to the client and add a parameter to the link like <a href="file.exe?specialwatermarkparameter=uniquevalue">

If a user clicks the link manually, the MWG knows that a user clicked it and the GAM engine scans it normally.

If the request doesn't have the watermark, the GAM engine scans it more aggressively because the paramter wasn't included in the request.

This way, there is some indication that it was user-initiated vs. unsolicited download of an .exe or .dll, which could be an indication of a dropper.

cryptochrome · ‎09-26-2013

Awesome, thank you. Now that rule removes those watermarks again after processing I guess. Should I do that? I am just wondering because as it seems, this rule is not required for enabling the payload heuristic option.

Thanks!

cryptochrome · ‎10-09-2013

Hi again,

one question about that rule that removes the watermarks again. When enabling the option, I get a notification that I should place the removal rule at the very top of the rulebase. Is that really necessary? Couldn't I put it near the Antimalware rules (or inside the antimalware ruleset)?

Thanks

Regis · ‎10-09-2013

eelsasser wrote:

If a HTML page has an <a href="file.exe"> link to a .dll or .exe, The payload heuristics modify that page to the client and add a parameter to the link like <a href="file.exe?specialwatermarkparameter=uniquevalue">

If a user clicks the link manually, the MWG knows that a user clicked it and the GAM engine scans it normally.

If the request doesn't have the watermark, the GAM engine scans it more aggressively because the paramter wasn't included in the request.

This way, there is some indication that it was user-initiated vs. unsolicited download of an .exe or .dll, which could be an indication of a dropper.

This seems like a pretty slick feature that I first heard about at FOCUS last week.

I'm intrigued by it, but I'm curious to hear from anyone using it... how much legit stuff does it break? It seems like something invasive enough to have a surprising amount of edge cases, especially with things like java, perhaps multimedia, anything using wget legitimately, or the like. Curious what others' experience has been with this outside of a test lab.

sysec · ‎07-21-2014

Hi ,

I am trying to enable this feature on MWG 7.3.2.10 ,

checked the option in the antimalware settings , added the corresponding rule set,

how can i check it is functioning?

tried to browse to a site that has exe links and view the source that came wit this page and no watermark parameter was visible

any suggestions?

thanks

asabban · ‎07-22-2014

Hello,

the problem is that MWG does not watermark all links to executables as it would probably cost too much resources and impact performance. Instead a combination or Trusted Source results along with specific rules in the AV engine enable or disable this behaviour.

Unfortunately I am not aware of a test web site which could be used to demonstrate the behaviour.

best,

Andre

asabban · ‎07-22-2014

Hello again,

I think I found a way to proof its working!

Please go to:

http://www.csm-testcenter.org/test?do=show&subdo=antimalware&test=archives

You will notice that there are ".EXE" links. They point to:

http://www.csm-testcenter.org/download/archives/zip/eicar.exe

Once I enable payload heuristics they change to:

http://www.csm-testcenter.org/download/archives/zip/eicar.exe?_mfx=8EQ3b/YFeER/w0lkXgn/vA==

Now you can see the watermark.

Best,

Andre

sysec · ‎07-22-2014

Yes I can see it now,

nice rebound

Thanks and take care ,

Shay