10 Replies Latest reply on Dec 23, 2014 5:34 AM by timode

    Coaching for potentially malicious files

    timode

      Hi,

       

      I'm trying to create a security check for potentially malicious downloads.

       

      What I like to achieve:

      If a user tries to download a ZIP file which includes an executable, web gateway should present a warning page with a button to proceed anyway.

      I created a rule which works nearly perfectly. But there is a problem in case the download progress page is used.

       

      The rule I built is the following:

      [image: ruleset.png]

      (Ignore the first one "Skip warning if progress page has been shown". This is only my workaround for the problem.)

       

      So at the moment, when I try to download a malicious ZIP file, web gateway shows a coaching page with a button. As soon as I click on the button, the download starts. Perfect so far.

       

      Problem is:

      In case the download is big and web gateway shows the progress page, the download page shows up and after that automatically the coaching page. But a click on the button does not result in any effect this time (no download).

       

      I guess this is because of the redirect. Normally the redirect goes to the last page, which is the download. But this time the last page is the progress bar.

       

      Any ideas??

       

      cheers

      Timo
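The check the rule above performs on the gateway (an archive containing an executable), written out as an added stand-alone Python example; this is not MWG rule code and not from this thread. The extension list and the "MZ" header peek are my own assumptions about what counts as executable, and the sample archive is constructed inline.

```python
import io
import os
import zipfile

# Assumed set of extensions treated as executable; adjust to local policy.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                   ".bat", ".cmd", ".js", ".vbs", ".ps1", ".msi"}


def is_pe_image(head: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' stub of a Windows PE file."""
    return head[:2] == b"MZ"


def find_executables(zip_bytes: bytes, peek: int = 2) -> list[str]:
    """Return archive member names that look like executables.

    A member is flagged if its extension is in EXEC_EXTENSIONS or if its
    first bytes carry the PE 'MZ' signature (catches renamed .exe files).
    Only `peek` bytes per member are read, so nothing is fully decompressed.
    Encrypted members cannot be inspected and are flagged as such.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
                flagged.append(name)
                continue
            try:
                with zf.open(info) as fh:
                    head = fh.read(peek)
            except RuntimeError:  # password-protected member
                flagged.append(name + " (encrypted, not inspected)")
                continue
            if is_pe_image(head):
                flagged.append(name)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample: a small mail-style archive with a hidden PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "please see attached")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # renamed exe
    return buf.getvalue()


if __name__ == "__main__":
    print(find_executables(build_sample_zip()))
```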

        • 1. Re: Coaching for potentially malicious files
          M Bagheryan M

          can you send me the rule?

          • 2. Re: Coaching for potentially malicious files
            timode

            You will find the basic rule in the library within web gateway. When I have a solution for the problem I will build a general rule and upload it to the ubb.

            • 3. Re: Coaching for potentially malicious files
              M Bagheryan M

              Are you using MCP (Client Proxy) ?

              • 4. Re: Coaching for potentially malicious files
                timode

                No.

                Only central Proxy (Web Gateway) in Proxy-Mode.

                • 5. Re: Coaching for potentially malicious files
                  M Bagheryan M

                  It is a little strange to me and I suggest you open a service request with McAfee Gold Support.

                  • 6. Re: Coaching for potentially malicious files
                    asabban

                    Hello,

                     

                    I am not sure if this is something support is able to help with, as there is nothing wrong; this is a matter of how coaching is supposed to work.

                     

                    Usually for coaching we are in request cycle and what happens is:

                     

                    - Request a URL

                    - Show coaching page

                    - Accept coaching, redirect to previous URL

                    - Request the URL again

                    - Show content

                     

                    One issue is that you have completely turned off the coaching rules for the "request cycle" and I think unlocking a coaching session is only possible in request cycle. The second issue is that MWG points back to the progress page URL instead of the originally requested URL. Even if you manage to point the redirect back to the originally requested URL the problem is that MWG will download the archive two times, which is not a clean solution as it may fail for larger downloads and is inconvenient.

                     

                    What you want to do is get the (temporary) URL where you can access the file from MWG directly, as it is stored locally for a while after progress pages have completed. Theoretically it should be possible to extract the required information and pass it along to the error templates, but it is not trivial.

                     

                    What I wonder is the user experience that you are trying to achieve.

                     

                    You described the use case as follows:

                     

                    - User requests file

                    - MWG downloads the file using progress pages

                    - A message appears the user has to "agree"

                    - File is downloaded

                     

                    MWGs default behaviour using the progress pages is similar:

                     

                    - User requests file

                    - MWG downloads the file using progress pages

                    - A message says "download finished, click here to download"

                    - File is downloaded

                     

                    Maybe it is much easier to extend the progress page to add some sort of disclaimer about potentially infected files. Maybe we could change the content of the "Download Finished" page based on whether the archive is potentially dangerous or not?

                     

                    Best,

                    Andre

                    • 7. Re: Re: Coaching for potentially malicious files
                      M Bagheryan M

                      Dear Andre,

                       

                      I agree with what you are offering. Actually I am a little confused after mentioning the file size. I am totally self-educated and maybe I missed some article.

                      BTW, would you please give me an article which covers what you mentioned in your post, especially the part below:

                      Even if you manage to point the redirect back to the originally requested URL the problem is that MWG will download the archive two times, which is not a clean solution as it may fail for larger downloads and is inconvenient.



                      Thanks

                      M. Bagheryan

                      • 8. Re: Re: Coaching for potentially malicious files
                        timode

                        Hello Andre,

                         

                        thank you for your support. I already tried to get the internal download URL from the download page. But had no luck so far. Maybe I will investigate into this a bit more.

                        Good idea to extend the progress page. But there is one problem. For small files there will be no progress page. I like to have the additional warning page for potentially malicious files. Most of them are linked within an email and contain a very small zip file with an exe file inside. For those there normally is no progress page because of the small file size. (I can not show the progress page depending on the file content, because without downloading the file there is no file content.) What I did so far is to disable the progress page for files smaller than a few megabytes (using the content length header). But you never know, maybe in the future there is someone using a big file with a virus. Those people are very imaginative.

                         

                        I'm also going to try to rebuild the function by using PDStorage instead of coaching. Coaching seems to overwrite the redirect URL no matter what I set "Redirect.URL" to. I will keep you updated.

                         

                        cheers

                        Timo

                        • 9. Re: Re: Coaching for potentially malicious files
                          timode

                          I don't find a way to receive the download ID. The ID seems to be a special function only available within the progress bar HTML template. Has anyone an idea how to store the download ID within a variable?
