    How does the Antimalware rule work with HTTPS?

    Haaris Faizan

      I am trying to use the Gateway Antimalware rule in Web Gateway. When I try to download a file containing malware through the standard HTTP protocol it is blocked, which is perfectly fine, but when I try to do the same thing through HTTPS it is not blocked.

      So I enabled the SSL Scanner rule, but I don't know how to use it for malware-detection purposes.


      I have attached a screenshot showing the file I am trying to download to test malware detection.

          Jon Scholten

          In order for MWG to be able to scan HTTPS traffic the SSL scanner must be enabled. Do you have it fully enabled?




            Haaris Faizan

            Yes, I made it fully enabled and it works, but I want to know two things:


            1) If I make it fully enabled, might the other rules in this ruleset lead to problems, i.e. blocking legitimate traffic?


            2) How can I enable it only for my purpose as mentioned above, i.e. blocking SSL traffic only for files containing malware?

              Enabling the SSL Scanner ruleset simply allows the Web Gateway to decrypt the SSL traffic going through it before passing it to the other common rules (including the Anti-Malware ruleset).


              If you are using the default SSL Scanner ruleset and it works properly, the HTTPS EICAR files you are downloading will be blocked.


              If it doesn't block the files, your SSL Scanner ruleset is not working properly.


              Best would be to show us what your ruleset looks like.

                Haaris Faizan

                No, actually I think you didn't fully get my point.


                I enabled the SSL Scanner ruleset and it works fine with the Anti-Malware ruleset, but I just want to know: to use the Anti-Malware ruleset, which rules do I need to enable within the SSL ruleset, and if I fully enable it, how will it affect the other rulesets?

                  If my understanding is right, you want to enable your SSL scanner for malware detection only and not for all traffic.


                  Enabling the SSL scanner will handle your malware scanning of encrypted sites. But I guess you cannot do SSL scanning for malware detection alone, as you would not know which secured sites or files are malware-infected.


                  The best way, I think, is to enable SSL scanning by category. For the categories that you think are most likely to be infected with malware/viruses, enable the SSL scanner. These could be web storage, software/hardware, shareware/freeware, internet services, all the categories under 'Risk', etc.


                  The only effect I can see is with regard to certificates, as the MWG would need to decrypt and re-encrypt the traffic when the SSL scanner is enabled. You can either import a root CA into your MWG or use a self-signed certificate, and deploy it to your clients.
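                  A quick way to verify the two points made in this thread, that the Anti-Malware rules only see HTTPS content once the SSL Scanner decrypts it, and that clients must trust the gateway's signing CA, is to pull the EICAR test file through the proxy over both schemes and compare the outcomes. The script below is an added example written for this page; it is not part of the original thread and not McAfee's code. The EICAR download URLs, the default proxy address 127.0.0.1:9090 and the use of an explicit proxy are assumptions you should adjust to your deployment.

```python
#!/usr/bin/env python3
"""Check whether a web gateway applies its Anti-Malware rules to HTTPS as
well as HTTP by fetching the EICAR test file over both schemes via the proxy.
Added example for this thread; not vendor code."""
import os
import ssl
import sys
import urllib.error
import urllib.request

# EICAR test string, assembled from two halves so that this script itself is
# not quarantined by endpoint AV when saved to disk. Joined, it is the
# standard 68-byte EICAR signature.
EICAR_HEAD = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed test URLs (eicar.org publishes the file over both schemes).
TEST_URLS = [
    "http://www.eicar.org/download/eicar.com",
    "https://secure.eicar.org/eicar.com",
]


def eicar_bytes() -> bytes:
    """The full EICAR signature as bytes."""
    return (EICAR_HEAD + EICAR_TAIL).encode("ascii")


def classify(status: int, body: bytes) -> str:
    """Classify a proxy response to an EICAR download.

    'delivered' - the signature reached the client, so the gateway did not
                  scan (or could not decrypt) this request.
    'blocked'   - the content was replaced, typically by a block page; any
                  status without the signature counts as blocked here, since
                  the block page's exact status and wording vary by config.
    """
    if eicar_bytes() in body:
        return "delivered"
    return "blocked"


def fetch_via_proxy(url: str, proxy: str, ca_bundle=None, timeout: int = 15):
    """Fetch url through an explicit proxy and return (status, body).

    ca_bundle must contain the gateway's signing CA when HTTPS inspection is
    on; otherwise the re-signed server certificate fails verification.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # block pages usually arrive as 4xx
        return err.code, err.read()


def check(url: str, proxy: str, ca_bundle=None) -> str:
    """Run one download and return a one-line verdict for the operator."""
    try:
        status, body = fetch_via_proxy(url, proxy, ca_bundle)
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            # The gateway re-signed the server cert with a CA this client
            # does not trust: deploy the MWG root CA before re-testing.
            return "untrusted-proxy-ca"
        return f"error: {err.reason}"
    return f"{classify(status, body)} (HTTP {status})"


def main(argv):
    # Assumed defaults: explicit proxy on 127.0.0.1:9090, optional CA bundle path.
    proxy = argv[1] if len(argv) > 1 else os.environ.get(
        "HTTPS_PROXY", "http://127.0.0.1:9090")
    ca_bundle = argv[2] if len(argv) > 2 else None
    for url in TEST_URLS:
        print(f"{url:45} -> {check(url, proxy, ca_bundle)}")


if __name__ == "__main__":
    main(sys.argv)
```

                  Run it as `python3 eicar_check.py http://<gateway>:9090 /path/to/mwg-root-ca.pem`. With the SSL Scanner and Anti-Malware rulesets both working, both URLs report "blocked". An HTTPS line reading "delivered" is exactly the symptom described at the top of this thread: the request was tunnelled without decryption, so the Anti-Malware rules never saw the file. A line reading "untrusted-proxy-ca" means inspection is on but this client has not yet been given the gateway's CA, which is the certificate step mentioned above.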




                    Haaris Faizan

                    Yes, exactly.


                    Thanks for the update...

                      Philiprey's method is one way to do it, but it leaves your endpoints a bit more at risk than if you take the "scan everything with some exceptions" approach.


                      There are a lot of categories outside of "web storage, software/hardware, shareware/freeware, internet svcs" that would expose your endpoints to malicious attacks.


                      The only categories I wouldn't want to scan for privacy concerns would be 'banking' and 'stock trading', but I guess this all depends on your employer's internet usage rules etc.

                        I second malware-alerts' note. It is indeed a hole in your network security if you leave some secured sites unscanned.

                        Since you would be enabling the SSL scanner, you might as well apply it to everything except sites like banking.


                        What I was saying in my response above is more of a 'scan everything except' approach as well, exempting confidential sites like banking and health.