WAF 360009
Revision as of 16:58, 25 September 2012
| Rule 360009 | |
|---|---|
| Status | Active |
| Alert Message | Atomicorp.com Malware Blacklist: Malware domain detected in webserver output - this is a CRITICAL security issue. This means your system may be serving up malware. |
Description
This rule detects that your system is displaying a URL on a webpage (or from a web application) from a website domain that is either currently or has previously been hosting malware, or has been compromised (and is serving up malware). This URL could point to a piece of malware, it could be just a link to the domain, or it could be a script or executable that a user's browser will automatically load or execute from the domain.
Serving up malware can compromise your users' systems and can (and probably will) get your domain added to other malware blacklists, such as the Google blacklist. If this alert is occurring on your system, your site may have been compromised. This is a critical alert and should be investigated before disabling this rule.
This alert does not mean that your system is serving up malware; it simply means you have a URL that contains the domain of a website that is currently (or was very recently) serving up malware and that you should investigate further. Due to the rapidly changing state of malware, it is not always possible to say with certainty that the link is to a piece of malware. When this occurs, ASL will alert you that a known malware site's domain has been detected in the output of your system. The system is designed to detect known sources of malware and to alert you to them. If you see this message, you should investigate the site immediately, as it is very likely the site is serving up malware.
Troubleshooting
False Positives
A false positive can occur if the domain is not actually serving up malware (the domain may have been previously infected, is no longer, and has not yet aged out of the blocklists), if the webpage is simply displaying the URL but is not serving up malware, or if the link is a non-malicious script. This can also happen if your system is in fact serving up malware, so always check to make sure your system is not serving up malware first. That is a very serious condition and indicates your users are potentially exposed to malware right now.
All domains on the blocklists are either currently or have very recently been serving up very dangerous malware and are being used actively in compromises on other systems. These domains are only collected from our honeypots and from real active malicious attacks.
Check to make sure your rules are up to date; it is possible the domain is no longer on the malware blocklists. Please do not report a false positive if the domain is no longer on the blocklists.
Lastly, a false positive can occur if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up links to malware, or is not serving up malware). If you believe this is a false positive, it is recommended that you report this to our security team to determine whether this is a legitimate case or a clever attack on your system.
If you do disable this rule, we recommend you enable the ASL real time redactor, which can safely remove some malicious iframes and JavaScript code from your web pages without blocking access to the web page. The redactor is not foolproof (nothing is), but it is reasonably effective against some types of hidden malware links, and therefore we do not recommend you disable this rule without the ASL real time redactor enabled until our security team has reviewed the attack.
Instructions to report false positives are detailed on the Reporting False Positives wiki page.
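The Description and False Positives sections above distinguish three ways a blocklisted domain can appear in server output: a script or iframe the browser loads automatically, a plain hyperlink, and a bare text mention that may be display-only. The following is an added example, not Atomicorp's rule code, that scans a response body for hosts on a constructed blocklist and grades each hit along those lines; `BLOCKLIST`, the severity names and the sample markup are all assumptions.

```python
"""Added example, not Atomicorp's rule code: scan web server output for
references to hosts on a malware-domain blocklist, in the spirit of rule
360009, and classify each hit by how a browser would treat it."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist; the real list arrives with ASL rule updates.
BLOCKLIST = {"malware.example", "bad-cdn.example"}
# (tag, attribute) pairs a browser fetches or runs without a click.
AUTO_LOAD = {("script", "src"), ("iframe", "src"), ("img", "src"),
             ("embed", "src"), ("object", "data"), ("link", "href")}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def blocked_host(url):
    """Return the listed domain if the URL's host or a parent of it is listed."""
    labels = (urlsplit(url).hostname or "").lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKLIST:
            return ".".join(labels[i:])
    return None

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []          # (kind, tag, listed_domain)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:      # plain URL attributes only
            host = blocked_host(value or "")
            if host:
                kind = "auto-load" if (tag, name) in AUTO_LOAD else "link"
                self.hits.append((kind, tag, host))
    def handle_data(self, data):       # bare mention in page text
        for url in URL_RE.findall(data):
            host = blocked_host(url)
            if host:
                self.hits.append(("text", None, host))

def scan_output(body):
    """Return (severity, hits): auto-load means the page itself may deliver
    the malware; a text-only mention is the display-only false-positive case."""
    scanner = _Scanner()
    scanner.feed(body)
    kinds = {kind for kind, _, _ in scanner.hits}
    for kind, severity in (("auto-load", "critical"), ("link", "high"),
                           ("text", "review")):
        if kind in kinds:
            return severity, scanner.hits
    return "none", scanner.hits
```

Event-handler attributes and CSS are not inspected here, so a "none" result from this scanner is not proof that the output is clean.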
Tuning Guidance
If you know that this behavior is acceptable for your application, you can either disable the rule for the server, or you can disable it for the application. Because this type of request is to the system's IP address, you cannot disable this type of rule for a domain, as these types of requests are to domains.
Please see the Tuning the Atomicorp WAF Rules page for basic information.
Additional Information
Similar Rules
WAF_360000
WAF_360005
Knowledge Base Articles
None.
Outside References
None.
Notes
Known malware sites are domains that are currently actively serving malware or have recently been serving up malware. In some cases, shared upload sites have been known to allow the hosting of malware on their systems and they may be added when the rate of compromise of those providers is too high, or if the provider has a policy of allowing malware or no procedure for removing it. Please check with the domain owner to have malware removed from their sites.