09 July 2012

Webspy Malware Aliases

One of the features TMG added over ISA 2006 is malware scanning and the Network Intrusion System.  The additional fields are present in the TMG proxy and firewall logs. The awesome Webspy log analysing tool, however, does not contain aliases for them by default.

Here are the aliases I use.  Save each of these as a .alias file and drop them into the specified Aliases folder.  Check Tools - Options - Path for the location.


Malware Inspection Action 

<stringAlias name="Malware Inspection Action" wildcards="False">
  <bindings>
    <aliasBinding schema="Forefront Threat Management Gateway 2010 Web" expression="[MalwareInspectionAction]" displayName="Malware Inspection Action" />
  </bindings>
  <entries>
    <entry name="None">
      <value>0</value>
    </entry>
    <entry name="Allowed">
      <value>1</value>
    </entry>
    <entry name="Cleaned">
      <value>2</value>
    </entry>
    <entry name="Blocked">
      <value>3</value>
    </entry>
  </entries>
</stringAlias>

Malware Inspection Result


<stringAlias name="Malware Inspectiob Result" wildcards="False">
  <bindings>
    <aliasBinding schema="Forefront Threat Management Gateway 2010 Web" expression="[MalwareInspectionResult]" displayName="Malware Inspection Result" />
  </bindings>
  <entries>
    <entry name="None">
      <value>0</value>
    </entry>
    <entry name="None Detected">
      <value>1</value>
    </entry>
    <entry name="Low &amp; Medium Threats Allowed">
      <value>2</value>
    </entry>
    <entry name="Infected">
      <value>3</value>
    </entry>
    <entry name="Suspicious File">
      <value>4</value>
    </entry>
    <entry name="Encrypted Files">
      <value>5</value>
    </entry>
    <entry name="Max Archive Nesting Exceeded">
      <value>6</value>
    </entry>
    <entry name="Max Size Exceeded">
      <value>7</value>
    </entry>
    <entry name="Max Unpacked Size Exceeded">
      <value>8</value>
    </entry>
    <entry name="Unknown Encoding">
      <value>9</value>
    </entry>
    <entry name="Corrupted File">
      <value>10</value>
    </entry>
    <entry name="Timeout">
      <value>11</value>
    </entry>
    <entry name="Storage Limit Exceeded">
      <value>12</value>
    </entry>
    <entry name="Unsupported Format">
      <value>13</value>
    </entry>
    <entry name="Status Not Required">
      <value>14</value>
    </entry>
    <entry name="Other">
      <value>15</value>
    </entry>
    <entry name="Disabled">
      <value>16</value>
    </entry>
    <entry name="Disabled For Policy Rule">
      <value>17</value>
    </entry>
    <entry name="Disabled For Chaining Rule">
      <value>18</value>
    </entry>
    <entry name="Exception List">
      <value>19</value>
    </entry>
    <entry name="Proxy Originated Response">
      <value>20</value>
    </entry>
    <entry name="Served By Filter">
      <value>21</value>
    </entry>
    <entry name="Streaming">
      <value>22</value>
    </entry>
    <entry name="Response To Connect">
      <value>23</value>
    </entry>
    <entry name="Routed By CARP">
      <value>24</value>
    </entry>
    <entry name="Source Exception List">
      <value>25</value>
    </entry>
    <entry name="Definition Folder Not Specified">
      <value>26</value>
    </entry>
    <entry name="Range Response">
      <value>27</value>
    </entry>
  </entries>
</stringAlias>

Malware Inspection Delivery Method

<stringAlias name="Malware Inspection Delivery Method" wildcards="False">
  <bindings>
    <aliasBinding schema="Forefront Threat Management Gateway 2010 Web" expression="[MalwareInspectionContentDeliveryMethod]" displayName="Malware Inspection Content Delivery Method" />
  </bindings>
  <entries>
    <entry name="Unchanged">
      <value>0</value>
    </entry>
    <entry name="Standard Trickling">
      <value>1</value>
    </entry>
    <entry name="Fast Trickling">
      <value>2</value>
    </entry>
    <entry name="Progress Notification">
      <value>3</value>
    </entry>
  </entries>
</stringAlias>

Malware Inspection Threat Level


<stringAlias name="Malware Inspection Threat Level" wildcards="False">
  <bindings>
    <aliasBinding schema="Forefront Threat Management Gateway 2010 Web" expression="[MalwareInspectionThreatLevel]" displayName="Malware Inspection Threat Level" />
  </bindings>
  <entries>
    <entry name="None">
      <value>0</value>
    </entry>
    <entry name="Low">
      <value>1</value>
    </entry>
    <entry name="Medium">
      <value>2</value>
    </entry>
    <entry name="High">
      <value>3</value>
    </entry>
    <entry name="Severe">
      <value>4</value>
    </entry>
  </entries>
</stringAlias>


NIS Inspection Result


<stringAlias name="NIS Scan Result" wildcards="False">
  <bindings>
    <aliasBinding schema="Forefront Threat Management Gateway 2010 Web" expression="[IpsScanResult]" displayName="NIS Scan Result" />
  </bindings>
  <entries>
    <entry name="Unknown">
      <value>0</value>
    </entry>
    <entry name="Inspected">
      <value>1</value>
    </entry>
    <entry name="Blocked">
      <value>2</value>
    </entry>
    <entry name="Detected">
      <value>3</value>
    </entry>
  </entries>
</stringAlias>
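As an added example (not part of the original post, and not Webspy's or TMG's own code), the Python below parses alias documents in the stringAlias format shown above and uses them to decode constructed TMG log records, keeping unmapped codes visible and picking out the records an analyst should look at. The record layout and the "url" key are assumptions, and the Result alias is trimmed to a few codes.

```python
import xml.etree.ElementTree as ET
# Constructed alias documents in the Webspy stringAlias format used in this post. The Action
# alias is complete; the Result alias is trimmed to the codes the sample records below use.
ALIAS_XML = [
    """<stringAlias name="Malware Inspection Action" wildcards="False">
  <bindings><aliasBinding schema="Forefront Threat Management Gateway 2010 Web"
    expression="[MalwareInspectionAction]" displayName="Malware Inspection Action" /></bindings>
  <entries><entry name="None"><value>0</value></entry><entry name="Allowed"><value>1</value></entry>
    <entry name="Cleaned"><value>2</value></entry><entry name="Blocked"><value>3</value></entry>
  </entries></stringAlias>""",
    """<stringAlias name="Malware Inspection Result" wildcards="False">
  <bindings><aliasBinding schema="Forefront Threat Management Gateway 2010 Web"
    expression="[MalwareInspectionResult]" displayName="Malware Inspection Result" /></bindings>
  <entries><entry name="None Detected"><value>1</value></entry><entry name="Infected"><value>3</value></entry>
    <entry name="Max Archive Nesting Exceeded"><value>6</value></entry></entries></stringAlias>""",
]
# Constructed log records keyed by TMG field name; "url" is a placeholder key, not a TMG column.
SAMPLE_RECORDS = [
    {"url": "http://example.test/index.html", "MalwareInspectionAction": "1", "MalwareInspectionResult": "1"},
    {"url": "http://example.test/setup.exe", "MalwareInspectionAction": "3", "MalwareInspectionResult": "3"},
    {"url": "http://example.test/deep.zip", "MalwareInspectionAction": "1", "MalwareInspectionResult": "6"},
    {"url": "http://example.test/odd.bin", "MalwareInspectionAction": "1", "MalwareInspectionResult": "99"},
]
# Results meaning the scanner found something or could not finish: worth a look even when allowed.
NEEDS_REVIEW = {"Infected", "Suspicious File", "Encrypted Files", "Max Archive Nesting Exceeded",
                "Max Unpacked Size Exceeded", "Timeout"}

def load_alias(xml_text):
    """Parse one stringAlias document into (log field name, {code: label})."""
    root = ET.fromstring(xml_text)
    field = root.find("bindings/aliasBinding").get("expression").strip("[]")  # [X] -> X
    table = {int(e.findtext("value")): e.get("name") for e in root.findall("entries/entry")}
    return field, table

def decode_record(record, lookup):
    """Swap numeric codes for labels; a code missing from the alias stays visible, not blank."""
    out = dict(record)
    for field, table in lookup.items():
        if field in record:
            out[field] = table.get(int(record[field]), f"Unknown({record[field]})")
    return out

def records_needing_review(records, alias_docs):
    """Decoded records that were blocked, flagged, not fully inspected, or carry an unknown code."""
    lookup = dict(load_alias(doc) for doc in alias_docs)
    decoded = [decode_record(r, lookup) for r in records]
    return [d for d in decoded if d["MalwareInspectionAction"] == "Blocked"
            or d["MalwareInspectionResult"] in NEEDS_REVIEW
            or d["MalwareInspectionResult"].startswith("Unknown(")]
```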

These fields, together with the other malware fields, will give you all the info you would want.  For more information on what the different alias options mean, check out MSDN: http://msdn.microsoft.com/en-us/library/ff827532(v=vs.85).aspx


For a real-time view of these malware events you can use Fastvue TMG Reporter.  It will not only indicate these events, you can also enable email alerts on thresholds for them, so you can rapidly apply corrective action should it be required.   Download a 30 day free trial from here http://fastvue.co/download?lrRef=dfzs4
