Difference between revisions of "WAF 360009"
m |
|||
Line 9: | Line 9: | ||
'''Description''' | '''Description''' | ||
− | This rules detects that your system is displaying a URL | + | This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website that is either currently or has previously been hosting malware or has been compromised (and is serving up malware). This URL could be just a link or it could be a link to a script or executable that a users browser will automatically load or execute. |
+ | |||
+ | This can happen if your system is in fact serving up malware, or if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up links to malware, or is not serving up malware). Known malware sites are domains that are currently actively serving malware. In some cases, large cloud providers and shared upload sites have been known to allow the hosting of malware on their systems. | ||
Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist. If this alert is occuring on your system your site may have been compromised. This is a critical alert and should be investigated before disabling this rule. ASL is protecting your users from possible compromise by your site. | Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist. If this alert is occuring on your system your site may have been compromised. This is a critical alert and should be investigated before disabling this rule. ASL is protecting your users from possible compromise by your site. |
Revision as of 12:46, 6 October 2011
Rule ID
360009
Alert Message
Atomicorp.com Malware Blacklist: Malware domain detected in webserver output - this is a CRITICAL security issue. This means your system may be serving up malware.
Description
This rules detects that your system is displaying a URL on a webpage (or from a web application) from a website that is either currently or has previously been hosting malware or has been compromised (and is serving up malware). This URL could be just a link or it could be a link to a script or executable that a users browser will automatically load or execute.
This can happen if your system is in fact serving up malware, or if you have some kind of trusted application that is displaying known malware sites (but is not in fact serving up links to malware, or is not serving up malware). Known malware sites are domains that are currently actively serving malware. In some cases, large cloud providers and shared upload sites have been known to allow the hosting of malware on their systems.
Serving up malware can comprise your users systems and can (and probably will) get your domain added to other malware blacklists, such as the google blacklist. If this alert is occuring on your system your site may have been compromised. This is a critical alert and should be investigated before disabling this rule. ASL is protecting your users from possible compromise by your site.
False Positives
A false positive can occur if the domain is not actually serving up malware (the domain may have been infected and no longer is) or if the webpage is simply displaying the URL but is not serving up malware. If you believe this is a false positive, it is recommended that you report this to our security team to determine if this is a legitimate case, or if its clever attack on your system.
If you do disable this rule, we recommend you enable the [ASL real time redactor] which can safely remove some malicious iframes and javascri[t code from your web pages without blocking access to the web page.
We do not recommend you not disable this rule without the [ASL real time redactor] enabled until our security team has reviewed the attack. Instructions to report false positives are detailed on the Reporting False Positives wiki page.
Similar Rules
Outside References