Welcome to ISAserver.org
File download bypassing Malware Inspection
File download bypassing Malware Inspection - 10.Aug.2010 5:54:00 AM   
mushtash

 

Posts: 43
Joined: 25.Feb.2009
Status: offline
Hi,
I have enabled malware inspection for HTTP traffic. I tested downloading the EICAR file and it blocks it. But for many sites TMG is not serving the download; for example, downloading RealPlayer or 7zip from the main site doesn't show the TMG page, it downloads directly through the IE and Firefox browsers.

Only Microsoft sites are on the exception list.

This behavior is risky: if the files are not scanned, there is a chance of downloading malicious files to client PCs. We do not block any extensions right now.

Does anyone have the same problem? Any solutions?

Thanks
Post #: 1
RE: File download bypassing Malware Inspection - 13.Aug.2010 9:05:45 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mushtash,

Are you sure the file isn't being scanned?

Check the log file on the firewall and confirm that.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mushtash)
Post #: 2
RE: File download bypassing Malware Inspection - 15.Aug.2010 4:27:35 AM   
mushtash

 

Posts: 43
Joined: 25.Feb.2009
Status: offline
Hi Tom,
Thanks for the reply. I have tried download.cnet.com and filehippo.com; none of the file downloads show the TMG download serving page. The same happens with the RealPlayer download. In the log it shows as:
87.248.217.254    80    http    Allowed Connection        Inspected            Allow Web Access for All Users        200 OK.    anonymous    Internal    External    http://realplayer.vo.llnwd.net/e1/free/windows/installer/stubinst/stub/rp12/R51UKD/RealPlayerSPGold.exe?e=1281866812&h=45dce26c4b6dacaf90e38a4dd915d0d4&ext=.exe    TMG01    Technical Information    Web Proxy Filter    Allowed   
Malware Inspection Result : No Violation Detected       

While the files downloaded from sourceforge.net are served from TMG, and in the logs it shows as:
Malware Inspection Result : Request Served by Malware Inspection Web Filter

One of my test machines has already been infected by testing links from malwaredomainlist.com.

I don't see any reason why for some sites files are served from the Malware Inspection Web Filter and for others it shows No Violation Detected, thus downloading the file directly to the client's machine.

Is the TMG Malware Inspection engine effective?


(in reply to mushtash)
Post #: 3
RE: File download bypassing Malware Inspection - 16.Aug.2010 9:49:10 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Those log file entries indicate that the files are being inspected.

You might need to tune the anti-malware feature. Be aware that only HTTP downloads are inspected, so if you are using other protocols they can bypass inspection. Also, if you haven't enabled outbound SSL inspection, SSL connections won't be inspected either.

Do you have log file entries for the malware that bypassed the scanning?

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mushtash)
Post #: 4
RE: File download bypassing Malware Inspection - 16.Aug.2010 3:51:46 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
In my personal experience, the malware inspection is pretty slick if configured appropriately.
This fresh test seems to confirm this (MS did not miss a single one):
http://spookerlabs.blogspot.com/2010/08/set-social-engineer-toolkit-pdfs-x.html

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 5
RE: File download bypassing Malware Inspection - 17.Aug.2010 4:51:27 AM   
mushtash

 

Posts: 43
Joined: 25.Feb.2009
Status: offline
Hi Tom,
Right now I have not enabled HTTPS Inspection and I'm aware that scanning will be performed only on HTTP traffic. The sites under test are HTTP only.
I have the default malware inspection settings; I'm not sure what might need tweaking in the anti-malware feature. Could you point out what tweaking will help?

I have tested a Trojan link from malwaredomainlist.com; the exe file could be downloaded directly through Firefox.
Logs:
URL Destination Host Name 91.193.192.153 URL link smsdzsd.co.cc/x/l.php

NIS Scan Result Inspected
URL http://91.193.192.153/x/l.php
URL Category Unknown
Malware Inspection Action Allowed
Malware Inspection Result No Violation Detected
Another malicious exe file is downloadable from
www.psbprzedborz.pl/extract_cert.exe

Similarly I tried many random links from malwaredomainlist.com; some got through and some didn't.

What I am concerned about is why not all files are served from TMG rather than downloading directly through the client's browser. Also, I'm not sure how TMG will intercept download managers?

Thanks

(in reply to tshinder)
Post #: 6
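An added example, not from this thread or from TMG itself, that applies Tom's reading of these log fields (a "No Violation Detected" entry means the file was scanned, and HTTPS is not scanned unless outbound HTTPS inspection is on) to records pasted in the layout shown above. The field names and result strings are the ones quoted in posts #3 and #6; the sample records other than the first URL are constructed.

```python
from collections import Counter
from urllib.parse import urlparse

# Field names and result strings exactly as they appear in the TMG web proxy log
# excerpts quoted in this thread; longer names first so "URL Category" is not
# swallowed by "URL".
FIELDS = ("Malware Inspection Result", "Malware Inspection Action",
          "NIS Scan Result", "URL Category", "URL")
SCANNED_INLINE = "No Violation Detected"
SERVED_BY_FILTER = "Request Served by Malware Inspection Web Filter"

def parse_record(block):
    """Turn one 'Field Name Value' block (the layout pasted in post #6) into a dict."""
    rec = {}
    for line in block.strip().splitlines():
        for name in FIELDS:
            if line.startswith(name + " "):
                rec[name] = line[len(name) + 1:].strip()
                break
    return rec

def classify(rec, https_inspection=False):
    """State what the record says about scanning, following Tom's reading in post #4."""
    url = rec.get("URL", "")
    # Assumption from post #4: without outbound HTTPS inspection, HTTPS is not scanned.
    if urlparse(url).scheme == "https" and not https_inspection:
        return "https: not inspected (outbound HTTPS inspection off)"
    result = rec.get("Malware Inspection Result")
    if result == SERVED_BY_FILTER:
        return "scanned: served through the TMG download page"
    if result == SCANNED_INLINE:
        return "scanned: no violation, passed straight to the client"
    if rec.get("Malware Inspection Action") == "Allowed":
        return "allowed but no scan result logged: review"
    return "other"

def summarize(blocks, https_inspection=False):
    return Counter(classify(parse_record(b), https_inspection) for b in blocks)

# Constructed sample records: the first mirrors post #6, the other two are made up.
SAMPLE = [
    "URL http://91.193.192.153/x/l.php\nURL Category Unknown\nNIS Scan Result Inspected\n"
    "Malware Inspection Action Allowed\nMalware Inspection Result No Violation Detected",
    "URL http://example.invalid/setup.exe\nMalware Inspection Action Allowed\n"
    "Malware Inspection Result Request Served by Malware Inspection Web Filter",
    "URL https://example.invalid/update.exe\nMalware Inspection Action Allowed",
]

if __name__ == "__main__":
    for verdict, n in summarize(SAMPLE).items():
        print(n, verdict)
```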
RE: File download bypassing Malware Inspection - 17.Aug.2010 5:49:37 AM   
mushtash

 

Posts: 43
Joined: 25.Feb.2009
Status: offline
Hi Adrian,
Thanks for providing the link. I really don't agree with your comment that TMG malware inspection will be effective if configured properly. For example, if you see my earlier post, TMG couldn't detect the malicious exe file downloaded from http://91.193.192.153/x/l.php. I have also tested with MS Security Essentials, which didn't detect it; then I uploaded the file to VirusTotal and also scanned it with Malwarebytes Anti-Malware. See the results below.

Virus Total
Antivirus              Version           Last update   Result
AhnLab-V3              2010.08.17.00     2010.08.16    -
AntiVir                8.2.4.34          2010.08.17    TR/Crypt.XPACK.Gen
Antiy-AVL              2.0.3.7           2010.08.16    -
Authentium             5.2.0.5           2010.08.17    -
Avast                  4.8.1351.0        2010.08.17    -
Avast5                 5.0.332.0         2010.08.17    -
AVG                    9.0.0.851         2010.08.17    -
BitDefender            7.2               2010.08.17    Trojan.Generic.KD.27206
CAT-QuickHeal          11.00             2010.08.16    (Suspicious) - DNAScan
ClamAV                 0.96.2.0-git      2010.08.17    -
Comodo                 5765              2010.08.17    Heur.Packed.Unknown
DrWeb                  5.0.2.03300       2010.08.17    -
Emsisoft               5.0.0.37          2010.08.17    Packed.Win32.Krap!IK
eSafe                  7.0.17.0          2010.08.16    -
eTrust-Vet             36.1.7794         2010.08.16    -
F-Prot                 4.6.1.107         2010.08.17    -
F-Secure               9.0.15370.0       2010.08.17    Trojan.Generic.KD.27206
Fortinet               4.1.143.0         2010.08.16    -
GData                  21                2010.08.17    Trojan.Generic.KD.27206
Ikarus                 T3.1.1.88.0       2010.08.17    Packed.Win32.Krap
Jiangmin               13.0.900          2010.08.17    -
Kaspersky              7.0.0.125         2010.08.17    Packed.Win32.Krap.ai
McAfee                 5.400.0.1158      2010.08.17    -
McAfee-GW-Edition      2010.1B           2010.08.17    -
Microsoft              1.6004            2010.08.17    -
NOD32                  5372              2010.08.17    Win32/Delf.NVX
Norman                 6.05.11           2010.08.17    W32/Crypt.APBI
nProtect               2010-08-17.01     2010.08.17    Trojan.Generic.KD.27206
Panda                  10.0.2.7          2010.08.16    Suspicious file
PCTools                7.0.3.5           2010.08.17    -
Prevx                  3.0               2010.08.17    -
Rising                 22.61.01.04       2010.08.17    Trojan.Win32.Generic.5228261E
Sophos                 4.56.0            2010.08.17    Sus/UnkPack-C
Sunbelt                6744              2010.08.17    Trojan.Win32.Generic!BT
SUPERAntiSpyware       4.40.0.1006       2010.08.17    -
Symantec               20101.1.1.7       2010.08.17    -
TheHacker              6.5.2.1.349       2010.08.16    -
TrendMicro             9.120.0.1004      2010.08.17    -
TrendMicro-HouseCall   9.120.0.1004      2010.08.17    -
VBA32                  3.12.14.0         2010.08.17    Trojan.Win32.Buzus
ViRobot                2010.8.16.3990    2010.08.17    -
VirusBuster            5.0.27.0          2010.08.16    -
MD5: 67c80394303dc57500ca156565128fa0
SHA1: 385cf1d381cb98f07c9469ddddcc2a804f10ec24
SHA256: db01a7db1b4e4bdf2d292f0b6c231cff3fad12c071fb6f80ca75188c79661734
File size: 46602 bytes
Scan date: 2010-08-17 09:25:16 (UTC)


Malwarebytes Anti-Malware


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4435

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/17/2010 12:41:03 PM
mbam-log-2010-08-17 (12-41-03).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Testuser\Downloads\svchost.exe (Trojan.Agent.Gen) -> No action taken.


So if the Microsoft malware engine misses the detection, then there is a chance of infection, unless there is dual AV scanning either on the client side or at the gateway level.
Does TMG use the same Forefront Client Security antivirus engine? I'm not sure if we can add another AV engine in TMG.


Thanks

(in reply to adimcev)
Post #: 7
RE: File download bypassing Malware Inspection - 17.Aug.2010 9:12:39 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
You can't get 100% with a single AV engine, or even with 20 or so AV engines.

It's true that more AV engines will be better in terms of detection rate; unfortunately I don't think the malware inspection from TMG currently includes support for multiple AV engines, which I too believe would be very useful. I know it kinda sucks to have an AV and get infected, but that is not very unusual.

Looks like the file you've submitted was detected by 17 of 42 AV engines, so you could have 5 AV engines simultaneously that could not detect it (actually it is not very unusual to see 0 of 42 detect some sample). From my previous link you could have had McAfee+Symantec+Kaspersky+Trend simultaneously and got zero detection.
Or a few slight modifications to a file and the detection rate on VirusTotal can drop very fast (here: http://www.carbonwind.net/blog/post/Exercising-TMG-Beta-2-NIS-with-PoC.aspx I've made a silly modification to a file and 10 AV engines were missing it after that, including Kaspersky).

Again for effectiveness, for example MS was the very first to detect the leaked exploit version used in the Aurora attack:
http://www.carbonwind.net/blog/post/Forefront-TMG-2010-and-the-e2809cAurorae2809d-Exploit.aspx

Usually when I've tested newly found malware, they were among the first to detect it according to VirusTotal (of course not always).
They can even detect Metasploit payloads.

If your malicious file was not detected, you can try to send it to Microsoft:
https://www.microsoft.com/security/portal/Submission/Submit.aspx

Also keep in mind that even if the AV engine can detect the malware per se, it can be served in such a way as to bypass the malware inspection at the gateway level:
http://www.carbonwind.net/blog/post/Forefront-TMG-2010-RC-Malware-Inspection-and-NIS-a-few-HTTP-compression-security-considerations-for-outbound-HTTP-connections.aspx

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to mushtash)
Post #: 8