Difference between revisions of "WAF 360009"

From Atomicorp Wiki
Jump to: navigation, search
m
m
Line 9: Line 9:
 
'''Description'''   
 
'''Description'''   
  
This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website domain that is either currently or has previously been hosting malware or has been compromised (and is serving up malware).  This URL could be to a piece of malware, it could be just a link to the domain or it could be a script or executable that a users browser will automatically load or execute which contains malware from the domain.   
+
This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website domain that is either currently or has previously been hosting malware or has been compromised (and is serving up malware).  This URL could be to a piece of malware, it could be just a link to the domain or it could be a script or executable that a users browser will automatically load or execute malware from the domain.   
  
 
Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist.  If this alert is occuring on your system your site may have been compromised.  This is a critical alert and should be investigated before disabling this rule.  ASL is protecting your users from possible compromise by your site.
 
Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist.  If this alert is occuring on your system your site may have been compromised.  This is a critical alert and should be investigated before disabling this rule.  ASL is protecting your users from possible compromise by your site.

Revision as of 12:16, 6 October 2011

Rule ID

360009

Alert Message

Atomicorp.com Malware Blacklist: Malware domain detected in webserver output - this is a CRITICAL security issue. This means your system may be serving up malware.

Description

This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website domain that is either currently or has previously been hosting malware or has been compromised (and is serving up malware). This URL could be to a piece of malware, it could be just a link to the domain or it could be a script or executable that a users browser will automatically load or execute malware from the domain.

Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist. If this alert is occuring on your system your site may have been compromised. This is a critical alert and should be investigated before disabling this rule. ASL is protecting your users from possible compromise by your site.

This alert does not mean that your system is serving up malware, it simply means you have a URL that contains the domain of a website that is currently (or was very recently) serving up malware and that you should investigate further. Due to the rapidly changing state of malware, it is not always possible to say with certainty that the link is to a piece of malware. When this occurs, ASL will alert you that a known malware sites domain has been detected in the output of your system. The system is designed to detect known sources of malware, and to alert you to these. If you see this message, you should investigate the site immediately as it very likely the site is serving up malware.

False Positives

A false positive can occur if the domain is not actually serving up malware (the domain may have been infected and no longer is) or if the webpage is simply displaying the URL but is not serving up malware. This can also happen if your system is in fact serving up malware so always check to make sure it is not first. This is a very serious condition. All domains on these lists are either currently or have very recently been serving up very dangeous malware. Known malware sites are domains that are currently actively serving malware. In some cases, large cloud providers and shared upload sites have been known to allow the hosting of malware on their systems.

Lastly, a false positive can occur if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up links to malware, or is not serving up malware). If you believe this is a false positive, it is recommended that you report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.

If you do disable this rule, we recommend you enable the [ASL real time redactor] which can safely remove some malicious iframes and javascript code from your web pages without blocking access to the web page. The redactor is not fool proof (nothing is), but it is reasonably effective against some types of hidden malware links and therefore we do not recommend you disable this rule without the [ASL real time redactor] enabled until our security team has reviewed the attack.

Instructions to report false positives are detailed on the Reporting False Positives wiki page.

Similar Rules

WAF_360000

WAF_360002

WAF_360003

WAF_360004

WAF_360005


Outside References

Personal tools