24 November 2010

Malware Infected Website protection with TMG, IE and Sophos

More and more we are seeing a trend where malware authors compromise legitimate sites for the purpose of spreading malware.

A few years ago URL filtering or site blocking was a very effective way of preventing users from inadvertently being lured to a malicious site.  An updated list of malicious sites was distributed and corporate web filtering products would prevent users from accessing those sites.  There are two big problems with this approach in today's world.
1. There are far too many sites being turned malicious to keep up, so a real-time lookup is required.
2. If a site is not blocked, any malware on it is allowed to make it onto the client machine, where the local malware scanner is required to clean it up.  If the definitions on the client machine do not detect the malware you are cooked.  It is therefore much better to scan content at the proxy level for malware and either block or clean up the content.  This should also have a live malicious code lookup to reduce the missed-detection window.

Microsoft Forefront Threat Management Gateway (TMG)
One of the most exciting features added to TMG is the ability to not only do URL filtering but also to do inline malware scanning and cleanup.  By enabling URL filtering you can greatly reduce the threat from known malicious sites.  By enabling malware scanning you can catch infection attempts from legitimate sites.  Most of this happens without anyone knowing that it is going on.  I set up a custom report using Webspy to highlight malware action on my TMG environment.

Turning on the protection in the web access policy

Configure the malware detection behavior

My custom Webspy Malware report so that I can check what is happening
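As an added illustration (not code from the original post, from Webspy or from TMG), a small Python script that produces the same kind of summary from a W3C-style web proxy log: which threats were seen, whether TMG blocked or cleaned the content, and which clients touched which hosts. The log lines and the column names after "#Fields:" are constructed for this example and are assumptions, not TMG's real export format.

```python
"""Summarise malware-inspection events from a TMG-style W3C web proxy log."""
import io
from collections import Counter, defaultdict

# Constructed sample; the column names are assumptions, not TMG's real fields.
SAMPLE_LOG = """#Software: constructed sample, not a real TMG export
#Fields: c-ip cs-username r-host cs-uri sc-status action malware-result threat-name
10.0.0.15 alice www.example-legit.invalid /index.html 200 Allowed Clean -
10.0.0.15 alice cdn.bad.invalid /x.js 403 Blocked Infected Troj/Constructed-A
10.0.0.22 bob download.example.invalid /setup.exe 200 Allowed Cleaned Mal/Constructed-B
10.0.0.22 bob www.example-legit.invalid /news.html 200 Allowed Clean -
10.0.0.31 carol cdn.bad.invalid /x.js 403 Blocked Infected Troj/Constructed-A
"""


def parse_w3c(text):
    """Yield one dict per data row, using the '#Fields:' directive as column names."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other W3C directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def malware_report(records):
    """Count non-clean inspection results by threat, by proxy action and by client."""
    report = {"by_threat": Counter(), "by_action": Counter(), "by_client": defaultdict(set)}
    for rec in records:
        if rec["malware-result"] == "Clean":
            continue  # only rows where the inspection engine found something
        report["by_threat"][rec["threat-name"]] += 1
        report["by_action"][rec["action"]] += 1       # Blocked vs. Allowed (cleaned)
        report["by_client"][rec["c-ip"]].add(rec["r-host"])
    report["by_client"] = {ip: sorted(hosts) for ip, hosts in report["by_client"].items()}
    return report


if __name__ == "__main__":
    rep = malware_report(parse_w3c(SAMPLE_LOG))
    for threat, count in rep["by_threat"].most_common():
        print(f"{count:4d}  {threat}")
    print(dict(rep["by_action"]), rep["by_client"])
```

A row whose result is "Cleaned" with action "Allowed" is the case the text describes where the proxy strips the malware but still serves the page; counting those separately from "Blocked" shows how often the cleanup path, rather than the block path, is what saved the client.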




One of the increasing problems is that more users are working outside the corporate network on open public internet connections, so all the protection offered by TMG effectively falls away when the user is connected to his home ADSL, 3G, public Wi-Fi etc.

Internet Explorer
IE has had many improvements over the years to protect users from malicious sites.  The latest incarnation of this is called the SmartScreen Filter.  Sites are checked against the Microsoft reputation services database.  If a site is flagged as being malicious the site is blocked and you would have to manually override this.

Malicious site is detected and blocked

Determined user turns off SmartScreen
The user can now browse his redirected infected site in relative peace


If the user switches to another browser that does not offer a "SmartScreen" feature you have a problem.

Sophos Live Protection and Web protection
In the past malware products would only be able to prevent malware infection when it was already "knocking on the door."  Sophos Live Protection allows a live lookup for any suspicious code, and as another feature it also allows you to block access to malicious web sites.  Unlike Internet Explorer, the Sophos block cannot be turned off or bypassed by the user.  Another advantage I found is that a compromised legitimate site can still be accessed while only the malware redirects are blocked.  In my testing IE would block the whole site.

Configure the Antivirus and HIPS policy on the Sophos management server


The legitimate site opens up but Sophos prevents access to the redirected site.

Notifications are displayed and recorded in the machine's log


If I then manually attempt to access the malicious site I get the Sophos blocked screen


The advantage here is that, unlike browser protection which is application specific, using a malware product makes it a system-wide protection solution.

Conclusion
The constantly evolving malware landscape requires administrators to implement the new protection technologies as they become available. Using a combination of security products, native operating system features and a full-featured malware package helps you cover the bases whether the users are in or out of your corporate environment.

TMG, IE and Sophos are not the only products that offer these features, but this is the combination I use. :)
