Difference between revisions of "WAF 360009"

From Atomicorp Wiki
Jump to: navigation, search
m (Description)
 
(9 intermediate revisions by one user not shown)
Line 1: Line 1:
'''Rule ID'''
+
{{Infobox
 +
|header1= Rule 360009
 +
|label2 = Status
 +
|data2 = Active
 +
|label3 = Alert Message
 +
|data3 = Atomicorp.com Malware Blacklist:  Malware domain detected in webserver output - this is a CRITICAL security issue.  This means your system may be serving up malware.
 +
}}
  
360009
+
= Description =
  
'''Alert Message'''  
+
This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website domain that is either currently or has previously been hosting malware or has been compromised (and is serving up malware).  This URL could be to a piece of malware, it could be just a link to the domain or it could be a script or executable that a users browser will automatically load or execute malware from the domain.  
  
Atomicorp.com Malware Blacklist: Malware domain detected in webserver output - this is a CRITICAL security issue.  This means your system may be serving up malware.
+
Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklistIf this alert is occuring on your system your site may have been compromised.  '''This is a critical alert and should be investigated before disabling this rule.''' 
  
'''Description'''  
+
This alert does not mean that your system is serving up malware, it simply means you have a URL that contains the domain of a website that is currently (or was very recently) serving up malware and that you should investigate further. Due to the rapidly changing state of malware, it is not always possible to say with certainty that the link is to a piece of malware.  When this occurs, ASL will alert you that a known malware sites domain has been detected in the output of your system.  The system is designed to detect known sources of malware, and to alert you to these.  If you see this message, you should investigate the site immediately as it very likely the site is serving up malware.
  
This rules detects that your system is displaying a URL with a known malware site.  This can happen if your system is in fact serving up malware, or if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up malware).  Known malware sites are domains that are currently actively serving malware.  In some cases, large cloud providers and shared upload sites have been known to allow the hosting of malware on their systems.
+
= Troubleshooting =
  
Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist.  If this alert is occuring on your system your site may have been compromised.  This is a critical alert and should be investigated before disabling this rule.  ASL is protecting your users from possible compromise by your site.
+
== False Positives ==
  
'''False Positives'''
 
  
A false positive can occur if the domain is not actually serving up malware (the domain may have been infected and no longer is) or if the webpage is simply displaying the URL but is not serving up malware.  If you believe this is a false positive, it is recommended that you report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.   
+
A false positive can occur if the domain is not actually serving up malware (the domain may have been previously infected and no longer is and has not aged out of the blocklists), if the webpage is simply displaying the URL but is not serving up malware or if the link is a nonmalicious scriptThis can also happen if your system is in fact serving up malware so always check to make sure your system is not serving up malware first.  This is a very serious condition and indicates your users are potentially currently exposed to malware.   
  
If you do disable this rule, we recommend you enable the [ASL real time redactor] which can safely remove some malicious iframes and javascri[t code from your web pages without blocking access to the web page.   
+
All domains on the blocklists are either currently or have very recently been serving up very dangerous malware and are being used actively in compromises on other systems.  These domains are only collected from our honeypots and from real active malicious attacks.   
  
We do not recommend you not disable this rule without the [ASL real time redactor] enabled until our security team has reviewed the attackInstructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.
+
Check to make sure your rules are up to date, its possible the domain is no longer on the malware blocklistsPlease do not report a false positive if the domain is no longer on the blocklists.
  
'''Similar Rules'''
+
Lastly, a false positive can occur if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up links to malware, or is not serving up malware).  If you believe this is a false positive, it is recommended that you report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. 
 +
 
 +
If you do disable this rule, we recommend you enable the [ASL real time redactor] which can safely remove some malicious iframes and javascript code from your web pages without blocking access to the web page.  The redactor is not fool proof (nothing is), but it is reasonably effective against some types of hidden malware links and therefore we do not recommend you disable this rule without the [ASL real time redactor] enabled until our security team has reviewed the attack. 
 +
 
 +
Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.
 +
 
 +
== Tuning Guidance ==
 +
 
 +
If you know that this behavior is acceptable for your application, you can either disable the rule for the server, or you can disable it for the application. Because this type of request is to the systems IP address, you can not disable this type of rule for a domain, as these types of requests are to domains.
 +
 
 +
Please see the [[Tuning the Atomicorp WAF Rules]] page for basic information.
 +
 
 +
= Additional Information =
 +
 
 +
== Similar Rules ==
  
 
[[WAF_360000]]
 
[[WAF_360000]]
Line 33: Line 52:
 
[[WAF_360005]]
 
[[WAF_360005]]
  
 +
== Knowledge Base Articles==
 +
 +
None.
 +
 +
== Outside References ==
 +
 +
None.
 +
 +
== Notes ==
  
'''Outside References'''
+
Known malware sites are domains that are currently actively serving malware or have recently been serving up malware.  In some cases, shared upload sites have been known to allow the hosting of malware on their systems and they may be added when the rate of compromise of those providers is too high, or if the provider has a policy of allowing malware or no procedure for removing it.  Please check with the domain owner to have malware removed from their sites.

Latest revision as of 16:59, 25 September 2012

Rule 360009
Status Active
Alert Message Atomicorp.com Malware Blacklist: Malware domain detected in webserver output - this is a CRITICAL security issue. This means your system may be serving up malware.

Contents

[edit] Description

This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website domain that is either currently or has previously been hosting malware or has been compromised (and is serving up malware). This URL could be to a piece of malware, it could be just a link to the domain or it could be a script or executable that a users browser will automatically load or execute malware from the domain.

Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist. If this alert is occuring on your system your site may have been compromised. This is a critical alert and should be investigated before disabling this rule.

This alert does not mean that your system is serving up malware, it simply means you have a URL that contains the domain of a website that is currently (or was very recently) serving up malware and that you should investigate further. Due to the rapidly changing state of malware, it is not always possible to say with certainty that the link is to a piece of malware. When this occurs, ASL will alert you that a known malware sites domain has been detected in the output of your system. The system is designed to detect known sources of malware, and to alert you to these. If you see this message, you should investigate the site immediately as it very likely the site is serving up malware.

[edit] Troubleshooting

[edit] False Positives

A false positive can occur if the domain is not actually serving up malware (the domain may have been previously infected and no longer is and has not aged out of the blocklists), if the webpage is simply displaying the URL but is not serving up malware or if the link is a nonmalicious script. This can also happen if your system is in fact serving up malware so always check to make sure your system is not serving up malware first. This is a very serious condition and indicates your users are potentially currently exposed to malware.

All domains on the blocklists are either currently or have very recently been serving up very dangerous malware and are being used actively in compromises on other systems. These domains are only collected from our honeypots and from real active malicious attacks.

Check to make sure your rules are up to date, its possible the domain is no longer on the malware blocklists. Please do not report a false positive if the domain is no longer on the blocklists.

Lastly, a false positive can occur if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up links to malware, or is not serving up malware). If you believe this is a false positive, it is recommended that you report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.

If you do disable this rule, we recommend you enable the [ASL real time redactor] which can safely remove some malicious iframes and javascript code from your web pages without blocking access to the web page. The redactor is not fool proof (nothing is), but it is reasonably effective against some types of hidden malware links and therefore we do not recommend you disable this rule without the [ASL real time redactor] enabled until our security team has reviewed the attack.

Instructions to report false positives are detailed on the Reporting False Positives wiki page.

[edit] Tuning Guidance

If you know that this behavior is acceptable for your application, you can either disable the rule for the server, or you can disable it for the application. Because this type of request is to the systems IP address, you can not disable this type of rule for a domain, as these types of requests are to domains.

Please see the Tuning the Atomicorp WAF Rules page for basic information.

[edit] Additional Information

[edit] Similar Rules

WAF_360000

WAF_360002

WAF_360003

WAF_360004

WAF_360005

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

[edit] Notes

Known malware sites are domains that are currently actively serving malware or have recently been serving up malware. In some cases, shared upload sites have been known to allow the hosting of malware on their systems and they may be added when the rate of compromise of those providers is too high, or if the provider has a policy of allowing malware or no procedure for removing it. Please check with the domain owner to have malware removed from their sites.

Personal tools