9 Replies Latest reply on Feb 11, 2014 7:58 AM by feickholt

    AV Question: How handle JS finding?

    feickholt

      Since we use AV, we have found several heuristic findings in JavaScript.

      If we block them, the HTML page might no longer work as it should.

      Is there any way to inform the user that there might be a security hole in the embedded JS and that the proxy blocked such an element?

      The only way I found was to send an email to the user about the issue.

      I would prefer a popup or a warning page to inform the user.

      Any ideas?

       

      Frank

        • 1. Re: AV Question: How handle JS finding?
          Jon Scholten

          Hi Frank,

           

          Webwasher version 6.6.x (the old Web Gateway) used to do something like this: it would replace the perpetrating script with an empty, muted script. It was not very fun, because it would usually end up breaking something else on the page.

           

          The email alert is a really good idea, because it at least gives them a clue that they were blocked for some embedded content.

           

          Best,

          Jon

          • 2. Re: AV Question: How handle JS finding?

            I find that you get much better results and fewer false positives if you have two different GAM settings based on the site's reputation.

            Have one setting that is lighter for URL.IsMinimalRisk == true, and one that is a little heavier for == false.

             

            In the config I use, the MinimalRisk sites have the classification slider up to 95 and "Enable removal of disinfectable content" turned on (which replaces the offending JavaScript function with a void() so as not to break the whole page).

            The settings for !MinimalRisk have the slider down to 80 and block the whole page if the JavaScript is detected.

             

            It's worked pretty well for the most part.

            • 3. Re: AV Question: How handle JS finding?
              feickholt

              This sounds good, but how do you block the whole page if you detect a BehavesLike JS? In most cases the JS will be downloaded separately from the HTML page (include)....

              • 4. Re: AV Question: How handle JS finding?
                jspanitz

                To implement what Eric said, we split our "Block If Virus is Found" rule under "Gateway Anti-Malware" into two, like this:

                [image: MWG-AntiMalware.PNG]

                Would that be the correct way to do it?

                • 5. Re: AV Question: How handle JS finding?

                  Yes, that is what I have as well:

                  [image: Capture.png]

                  • 6. Re: AV Question: How handle JS finding?
                    jspanitz

                    Thanks again, Erik. One last question. Would changing the settings below for trusted sites have any appreciable benefit or cause any real concern? Specifically the Common Files settings. The goal here is to prevent the myriad of issues we have with business-critical web sites that do not display properly. I am assuming most of them are code and JavaScript issues, so I am not sure whether changing these settings would help or hurt.

                    [image: MWG-AVPrescan.JPG]

                    • 7. Re: AV Question: How handle JS finding?

                      Personally, I have the bottom dot on for the trusted sites and the top dot on for the untrusted sites.

                      I run all my home traffic through MWG and, honestly, I find very few, if any, false positives using that configuration.

                      • 8. Re: AV Question: How handle JS finding?
                        feickholt

                        Again: is there a way to open a popup window if there is an AV finding in a JS script file?

                        I tried to add JS code that opens a new window in the blocking page. This works for EICAR, but not for

                        infected JS code. Example: http://www.faz.net contains http://www.faz.net/4.8.5/js/all_scripts.min.js.

                        MC will detect it with the heuristic engine: McAfeeGW: Heuristic.BehavesLike.JS.Exploit.M!89 (Mobile Code Behaviour 85, and "enable removal of disinfected content" is disabled).

                        • 9. Re: AV Question: How handle JS finding?
                          feickholt

                          OK!

                          No answer?

                          I tried to find a solution myself, and I got it!

                          Currently only for JS findings :-) I think that is the main reason to inform the user why an object was blocked by the AV engine.

                           

                          What does the rule do?

                          If the AV engine finds malware, the body is deleted and replaced with a little JS that opens a new window.

                           

                          Currently this is only a proof of concept. Maybe someone will enhance the functionality :-)

                           

                          Thanks, MC, for the great, flexible rule engine.

                           

                          Regards

                          Frank
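Added example, not Frank's rule and not McAfee Web Gateway code: a builder for the kind of replacement body the last post describes (the blocked script's content is discarded and a small script that opens a notice window is served instead). It assumes the proxy rule can hand over the blocked URL, the engine name and the signature (the `url`/`engine`/`signature` field names are an assumption). The points a practitioner would want covered are the ones that bite in practice: the blocked URL and signature are attacker-influenced, so they are escaped before being embedded in the generated script; the body never throws into the page and defines only one flag on `window`; a page with several blocked includes notifies once; and when a popup blocker makes `window.open` return null, an in-page banner is used instead. The stub "browser" at the end exists only so the generated body can be executed and checked offline.

```javascript
// Constructed sample finding, modelled on the one reported in the thread; the
// field names are an assumption about what the proxy rule would pass in.
const SAMPLE_FINDING = {
  url: "http://www.faz.net/4.8.5/js/all_scripts.min.js",
  engine: "McAfeeGW",
  signature: "Heuristic.BehavesLike.JS.Exploit.M!89",
};

// Turn an untrusted value (blocked URL, signature name) into a JS string
// literal. JSON.stringify does the quoting; "</" is escaped in case the body is
// ever inlined into HTML, U+2028/2029 for engines that reject them in literals.
// Without this a crafted URL could inject code into the "safe" replacement.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, "<\\/")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function noticeText(finding) {
  return [
    "The proxy blocked a script on this page because the anti-malware engine flagged it.",
    "Script:  " + finding.url,
    "Finding: " + finding.engine + ": " + finding.signature,
    "Parts of this page may not work as expected.",
  ].join("\n");
}

// The replacement body: an IIFE wrapped in try/catch (no globals, never throws
// into the including page), one flag on window so several blocked scripts
// notify once, text inserted via createTextNode rather than innerHTML, and an
// in-page banner as fallback when window.open is blocked and returns null.
function buildNotifyScript(finding) {
  const msg = jsStringLiteral(noticeText(finding));
  return [
    "(function () {",
    "  try {",
    "    if (window.__proxyAvNoticeShown) { return; }",
    "    window.__proxyAvNoticeShown = true;",
    "    var msg = " + msg + ";",
    "    var w = null;",
    "    try { w = window.open('', '_blank', 'width=520,height=260'); } catch (e) {}",
    "    if (w && w.document && w.document.body) {",
    "      w.document.title = 'Content blocked by proxy';",
    "      var pre = w.document.createElement('pre');",
    "      pre.appendChild(w.document.createTextNode(msg));",
    "      w.document.body.appendChild(pre);",
    "      return;",
    "    }",
    "    var banner = document.createElement('div');",
    "    banner.setAttribute('style', 'position:fixed;top:0;left:0;right:0;z-index:2147483647;" +
      "background:#fdd;color:#000;padding:8px;font:14px sans-serif;white-space:pre-wrap');",
    "    banner.appendChild(document.createTextNode(msg));",
    "    if (document.body) { document.body.appendChild(banner); }",
    "    else { document.addEventListener('DOMContentLoaded', function () { document.body.appendChild(banner); }); }",
    "  } catch (e) {}",
    "})();",
  ].join("\n");
}

// Offline harness: stubs of the few browser objects the body touches, so the
// generated script can be executed and inspected without a browser.
function makeFakeDocument() {
  const doc = { title: "", body: null, listeners: [] };
  doc.createElement = (tag) => ({
    tag, attrs: {}, children: [],
    setAttribute(k, v) { this.attrs[k] = v; },
    appendChild(c) { this.children.push(c); return c; },
  });
  doc.createTextNode = (text) => ({ text });
  doc.addEventListener = (ev, fn) => doc.listeners.push({ ev, fn });
  doc.body = doc.createElement("body");
  return doc;
}

function textOf(el) {
  return el.children.map((c) => (c.text !== undefined ? c.text : textOf(c))).join("");
}

// Run one or more replacement bodies in the same fake page. popupsAllowed=false
// models a popup blocker (window.open returns null).
function runInFakeBrowser(scripts, popupsAllowed) {
  const document = makeFakeDocument();
  const popupDoc = makeFakeDocument();
  const window = {
    openCalls: 0,
    open() { this.openCalls += 1; return popupsAllowed ? { document: popupDoc } : null; },
  };
  let threw = false;
  for (const script of scripts) {
    try { new Function("window", "document", script)(window, document); } catch (e) { threw = true; }
  }
  return { threw, openCalls: window.openCalls, popupText: textOf(popupDoc.body), bannerText: textOf(document.body) };
}
```

Serve `buildNotifyScript(finding)` with `Content-Type: application/javascript` in place of the blocked script body; the including page's other scripts keep running, and the notice shows once per page whether or not the browser allows the popup.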