Welcome to ISAserver.org
malicious exe making it through TMG
malicious exe making it through TMG - 21.May2010 11:51:19 AM   
isa8080

 

Posts: 4
Joined: 21.May2010
Status: offline
Hello, we have a new TMG server acting as a proxy. Our users are configured to use the proxy on port 8080 and so far everything is working well.

As a rule, we deny all exe from being downloaded. When users need access to a certain site, we will approve and white list.
In the recent days, we have seen the TMG allow certain malicious exe through and actually download to the client computer.
To confirm we have performed the following test.

Go to google.com and do a search on Baltimore aquarium address. In the result page, you will find a bunch of results with the following string
quote:

(php?go=baltimore%20aquarium%20address).
If you click on this site, you will be directed to a fake AV website.

As we look at the TMG logs, we can see it block several executables from being downloaded, but eventually we will see a Save As dialog with a request to save a file called packupdate_build107_195.exe (or a variant).

On the TMG logs we see the following:
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Allow Web Access for All Users(1)
Source: Internal (173.10.190.185:2303)
Destination: Internal (217.23.10.138:80)
Request: GET http://www2.ubersavezo11.xorg.pl/pdbepm9_195.php?p=p52dcWltbV%2FCj8bYbn2AeVik12qbVp%2FZatralZxqWJjOxaCbkX1%2Bal6orKWekJWcZZFkmWdolJGIo6THodjXoFeob1zZytell3FfmqGgnXaHo83LqG1TnaJ1ll6YXmKZXZGVlGRlZGaL08ifb5ytqKhuZ2jYpNuUmJ%2Bcm56dkpDRnV%2FZksTWxpl2mqKixtFfk6Gpb6lxmprNoc3ToKKSX5Op2Y7UmaXTWMTIx6OcpamLwtCpbZWqcZ5amabRaMXXmm2bZZlplFPDnaChjtTQoFeYn6ag0NR2WJWmpHObq5jTk8XPblahp29plmSWZGWcY5uUiaWqZHOWk5ptZmlvanBkXpzEarm5V6eWmG9wll%2BIo6XIcNDIoKScoJqrys%2Be
Filter information: Req ID: 0c88195c; Compression: client=No, server=Yes, compress rate=0% decompress rate=0%
Protocol: http
User: goapps\dhoule

Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x43110000 (Response includes the CACHE-CONTROL: PUBLIC header. Response includes either the CACHE-CONTROL: MUST-REVALIDATE or CACHE-CONTROL: PROXY-REVALIDATE header. Response includes the EXPIRES header. Response includes the SET-COOKIE header. Response should not be cached.)
Processing time: 281
MIME type: application/octetstream

My question is, how can TMG be allowing this? How are these hackers making it through the proxy?

Thanks
Post #: 1
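An added detection check, not from this thread or from TMG itself, that keys on the mismatch visible in the log entry above: the download was allowed with status 200 and MIME type application/octetstream from a URL whose path ends in .php, so a deny rule that matches only on the .exe extension never fires. The record parser follows the "Field: value" layout of the pasted log; the sample record, the host downloads.example.invalid and the extension list are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# MIME types that typically carry Windows executables even when the URL does
# not end in .exe (an extension-based deny rule looks only at the URL).
EXECUTABLE_MIME = {
    "application/octetstream",    # spelling exactly as TMG wrote it in the log above
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
}
# Extensions the (constructed) deny rule would have caught on its own.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}

def parse_record(text):
    """Turn a pasted TMG web-proxy record ('Field: value' per line) into a dict."""
    rec = {}
    for line in text.strip().splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
    return rec

def url_extension(request):
    """Extension of the URL path in a 'GET http://host/path?query' request field."""
    parts = request.split()
    url = parts[1] if len(parts) > 1 else (parts[0] if parts else "")
    match = re.search(r"(\.[A-Za-z0-9]+)$", urlsplit(url).path)
    return match.group(1).lower() if match else ""

def mime_extension_mismatch(rec):
    """True when an allowed (200) response carried an executable MIME type
    from a URL the extension-based deny rule would not have matched."""
    allowed = rec.get("status", "").startswith("200")
    mime = rec.get("mime type", "").lower()
    ext = url_extension(rec.get("request", ""))
    return allowed and mime in EXECUTABLE_MIME and ext not in BLOCKED_EXTENSIONS

# Constructed record modelled on the one posted above (host and query are placeholders).
SAMPLE = """
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Allow Web Access for All Users(1)
Request: GET http://downloads.example.invalid/update_195.php?p=AAAA
Protocol: http
MIME type: application/octetstream
"""

if __name__ == "__main__":
    print(mime_extension_mismatch(parse_record(SAMPLE)))  # True
```

Running this over exported web-proxy log records surfaces executable bodies delivered under non-executable URLs, which is the case the extension rule alone cannot see.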
RE: malicious exe making it through TMG - 24.May2010 3:12:42 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Was it even scanned? I didn't see that column in your log file entry.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to isa8080)
Post #: 2
RE: malicious exe making it through TMG - 25.May2010 9:56:39 AM   
isa8080

 

Posts: 4
Joined: 21.May2010
Status: offline
Hello and thank you for your reply. I kept on playing with TMG and also local AV, and after definitions were updated on TMG, the file was blocked.

So to answer your question, yes the file was scanned, but the TMG malware protection was slow to pick it up.

Actually, I believe that the site was flagged as malicious before the file was ever trapped as a threat.

Sort of unsettling.

(in reply to tshinder)
Post #: 3
RE: malicious exe making it through TMG - 10.Oct.2010 11:20:20 AM   
ravendawson

 

Posts: 2
Joined: 10.Oct.2010
Status: offline
Hello, actually TMG just has a slow anti-malware response; it was flagged as malicious before because, during that time, it hadn't blocked the malicious exe yet. But now that the threat has already been blocked, I guess there's no more need to worry about having TMG as a proxy server.

(in reply to isa8080)
Post #: 4
RE: malicious exe making it through TMG - 11.Oct.2010 7:56:38 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Great! So the update hadn't come in yet?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ravendawson)
Post #: 5
