4 Replies Latest reply on Sep 25, 2014 1:08 PM by malware-alerts

    High volume (bytes from client) from MWG to http://mwg_ip:port/crossdomain.xml

    malware-alerts

      We currently use MWG in a transparent router setup with version 7.4.2.2
      The appliance has 3 interfaces enabled:

      1 external (ETH0)

      1 internal that intercepts http/https/ftp traffic (ETH1)

      1 dedicated for accessing the GUI and for central management (ETH3).
      When reporting on Web Usage in CSR (Sum of Bytes from client / per site) the top site (87% of 'all bytes from client' transferred) is always the MWG appliance itself, on ETH3.
      When looking at the report details, all hits for this site are for the URL: http://MWG_ETH3_IP:proxy_port/crossdomain.xml
      I don't have the username since the appliances are currently in transparent router mode and don't authenticate.
      Looking at the browser information of each hit, it's always the same (Chrome on 64-bit Windows) and I'm deducing that it's MY browser "causing" these hits, since our standard browser is IE, only a subset of people actively use Chrome, only a subset of people using Chrome have 64-bit Windows, and the users' browser traffic travels from ETH1 to ETH0.
      The CSR report I'm looking at is for the last 24 hours and my browser was open on the management GUI of MWG (ETH3) pretty much all day.
      I can see the same 'pattern' in the MWG dashboards: the top 2 "Source IPs by bytes transferred" are #1 the external interface IP (ETH0) and #2 the management interface IP (ETH3).
      Looking at the number of "bytes from client" transferred for each 'GET' request in the detailed CSR report, it varies from 2MB to over 341MB (no particular order or pattern).
      Here is a typical details page from the CSR report (edited to remove IP and hostname):
      Action taken:Allow
      Agent name:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
      Application name:-
      Application protocol:http
      Browse time:36 seconds
      Browser name:Chrome
      Browser name and version:Chrome 37.0
      Bytes:82.91 MB
      Bytes from client:82.83 MB
      Bytes from server:81.47 kB
      Cache result:Miss
      Cache result detailed:Miss:Other/Unknown
      Cache status:-
      Category name:-
      Content type:-
      Date and time:9/23/14 1:19:41 AM
      File extension:-
      HTTP status:502
      IP address:MWG_ETH3_IP
      Log source name:mwg_hostname
      Log source type:McAfee Web Gateway (Webwasher)
      Malware name:-
      Method:GET
      Protection area:-
      Reputation:Unverified
      Site:MWG_ETH3_IP
      URL:http://MWG_ETH3_IP:proxyport/crossdomain.xml
      Does anyone have any idea what this is all about?
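To reproduce the triage the poster did by hand, here is an added example (not from the original thread or from McAfee) that parses CSR detail records in the "Field:Value" layout shown above, sums bytes-from-client per site, and flags hits where the site is one of the appliance's own interface IPs and the URL is /crossdomain.xml with a 502. The sample records, the 10.0.0.5 client, the 9090 port and www.example.com are constructed placeholders.

```python
"""Triage MWG CSR detail records for self-referential crossdomain.xml hits."""
from collections import defaultdict

# Constructed sample: two CSR detail records in the post's "Field:Value"
# layout, separated by a blank line. Only the fields used below are kept.
SAMPLE_RECORDS = """\
Bytes from client:82.83 MB
HTTP status:502
IP address:MWG_ETH3_IP
Site:MWG_ETH3_IP
URL:http://MWG_ETH3_IP:9090/crossdomain.xml

Bytes from client:12.5 kB
HTTP status:200
IP address:10.0.0.5
Site:www.example.com
URL:http://www.example.com/index.html
"""

# CSR prints decimal units (kB = 1000 bytes), as in the post's 82.91 MB.
UNITS = {"B": 1, "kB": 1_000, "MB": 1_000_000, "GB": 1_000_000_000}


def parse_size(text):
    """'82.83 MB' -> 82830000 (round() avoids float truncation errors)."""
    value, unit = text.split()
    return int(round(float(value) * UNITS[unit]))


def parse_records(blob):
    """One dict per blank-line separated record; split on the first colon
    only, so URLs and timestamps that contain ':' survive intact."""
    return [dict(line.split(":", 1) for line in chunk.splitlines())
            for chunk in blob.strip().split("\n\n")]


def flag_self_hits(records, appliance_ips):
    """Return (share of all client bytes going to the appliance itself,
    list of suspicious records matching the pattern from the post)."""
    per_site = defaultdict(int)
    suspicious = []
    for rec in records:
        per_site[rec["Site"]] += parse_size(rec["Bytes from client"])
        if (rec["Site"] in appliance_ips
                and rec["URL"].endswith("/crossdomain.xml")
                and rec["HTTP status"] == "502"):
            suspicious.append(rec)
    total = sum(per_site.values())
    self_bytes = sum(per_site[ip] for ip in appliance_ips)
    return (self_bytes / total if total else 0.0), suspicious
```

Run `flag_self_hits(parse_records(SAMPLE_RECORDS), {"MWG_ETH3_IP"})` against an export of the real report to confirm whether the management-interface share matches the 87% figure seen in the dashboard.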