8 Replies Latest reply on Jul 22, 2014 5:17 AM by sysec

    Payload Heuristic

    cryptochrome

      Hi,

       

can anyone tell me what the Gateway AntiMalware "Payload Heuristic" rule does that is available from the rule library? It does some sort of URL Watermarking but there is no further description.

       

      Thanks

        • 1. Re: Payload Heuristic

If an HTML page has an <a href="file.exe"> link to a .dll or .exe, the payload heuristics modify that page to the client and add a parameter to the link like <a href="file.exe?specialwatermarkparameter=uniquevalue">

If a user clicks the link manually, the MWG knows that a user clicked it and the GAM engine scans it normally.

If the request doesn't have the watermark, the GAM engine scans it more aggressively because the parameter wasn't included in the request.

This way, there is some indication that it was user-initiated vs. unsolicited download of an .exe or .dll, which could be an indication of a dropper.

          • 2. Re: Payload Heuristic
            cryptochrome

            Awesome, thank you. Now that rule removes those watermarks again after processing I guess. Should I do that? I am just wondering because as it seems, this rule is not required for enabling the payload heuristic option.

             

            Thanks!

            • 3. Re: Payload Heuristic
              cryptochrome

              Hi again,

               

              one question about that rule that removes the watermarks again. When enabling the option, I get a notification that I should place the removal rule at the very top of the rulebase. Is that really necessary? Couldn't I put it near the Antimalware rules (or inside the antimalware ruleset)?

               

              Thanks

              • 4. Re: Payload Heuristic
                Regis

                eelsasser wrote:

                 

If an HTML page has an <a href="file.exe"> link to a .dll or .exe, the payload heuristics modify that page to the client and add a parameter to the link like <a href="file.exe?specialwatermarkparameter=uniquevalue">

If a user clicks the link manually, the MWG knows that a user clicked it and the GAM engine scans it normally.

If the request doesn't have the watermark, the GAM engine scans it more aggressively because the parameter wasn't included in the request.

                 

                This way, there is some indication that it was user-initiated vs. unsolicited download of an .exe or .dll, which could be an indication of a dropper.

                 

                This seems like a pretty slick feature that I first heard about at FOCUS last week.

                 

I'm intrigued by it, but I'm curious to hear from anyone using it... how much legit stuff does it break? It seems like something invasive enough to have a surprising amount of edge cases, especially with things like Java, perhaps multimedia, anything using wget legitimately, or the like. Curious what others' experience has been with this outside of a test lab.

                • 5. Re: Payload Heuristic
                  sysec

Hi,

I am trying to enable this feature on MWG 7.3.2.10,

checked the option in the antimalware settings, added the corresponding rule set.

How can I check it is functioning?

Tried to browse to a site that has exe links and view the source that came with this page and no watermark parameter was visible.

Any suggestions?

                   

                  thanks

                  • 6. Re: Payload Heuristic
                    asabban

                    Hello,

                     

the problem is that MWG does not watermark all links to executables as it would probably cost too much resources and impact performance. Instead a combination of Trusted Source results along with specific rules in the AV engine enable or disable this behaviour.

                     

                    Unfortunately I am not aware of a test web site which could be used to demonstrate the behaviour.

                     

                    best,

                    Andre

                    • 7. Re: Payload Heuristic
                      asabban

                      Hello again,

                       

I think I found a way to prove it's working!

                       

                      Please go to:

                       

                      http://www.csm-testcenter.org/test?do=show&subdo=antimalware&test=archives

                       

                      You will notice that there are ".EXE" links. They point to:

                       

                      http://www.csm-testcenter.org/download/archives/zip/eicar.exe

                       

                      Once I enable payload heuristics they change to:

                       

                      http://www.csm-testcenter.org/download/archives/zip/eicar.exe?_mfx=8EQ3b/YFeER/w 0lkXgn/vA==

                       

                      Now you can see the watermark.

                       

                      Best,

                      Andre

                      • 8. Re: Payload Heuristic
                        sysec

                        Yes I can see it now,

                        nice rebound

                         

Thanks and take care,

                        Shay