metadefender
3 Topics

ASM and OPSWAT Metadefender Blank Page after file upload

Hi, I am trying to integrate F5 ASM WAF with OPSWAT MetaDefender, but when I try to upload an EICAR file the browser just shows a blank white page. I am using a default security policy in blocking mode and have configured the settings according to the F5 BIG-IP ASM (WAF) OPSWAT guide. I have configured the ICAP server under Security > Options > Application Security > Integrated Services > Anti-Virus Protection. I have configured the antivirus block settings under Security > Application Security > Policy Building > Learning and Blocking Settings > Advanced Configuration. I have enabled antivirus scanning for HTTP file uploads and SOAP attachments under Security > Application Security > Integrated Services > Anti-Virus Protection.

When I try to upload the test file I get a blank browser page, and if I check the source code in the browser I see the following:

window["bobcmn"] = "101110101010102000000022ffffffff2ffffffff20000000220156c0ea200000000200000000200000000300000044multipart%2fform%2ddata%3b%20boundary%3d%2d%2d%2d%2dWebKitFormBounda300000000300000000300000000300000000300000007httpsc3000000b008a59e5661ab20000adb568196d38950bf7928e988d64266cafbda4956605335d523cb0c44e211db089aede8158b2800a5d271c7e2a6f9d94d8c4ad7cd49022d5f72b236f5ca5943b07c111a9484727f3b29e542d2d2302b300000002TS300000165%2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz Content%2dDisposition%3a%20form%2ddata%3b%20name%3d%22filename%22%3b%20filename%3d%22eicar.com%22 Content%2dType%3a%20application%2foctet%2dstream X5O!P%25@AP[4%5cPZX54(P%5e)7CC)7}%24EICAR%2dSTANDARD%2dANTIVIRUS%2dTEST%2dFILE!%24H%2bH%2a %2d%2d%2d%2d%2d%2dWebKitFormBoundaryxbm3Qt79jKjmxoOz%2d%2d 200000000"; "</script> </APM_DO_NOT_TOUCH> <script type="text/javascript" src="/TSbd/08a59e5661ab2000a21cb91986bc897b6b354965ec350caba4c8ca55a7b089798844a4727e8dc553?type=5"></script><noscript>Please enable JavaScript to view the page content.<br/>Your support ID is:8648386876400468880.</noscript> </head><body> </body></html>"

Is there something in the ASM policy that needs to be changed?

Integrating OPSWAT MetaDefender with F5 Advanced WAF & BIG-IP ASM
In the age of the digital economy, web applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Many web servers which allow file uploads are prime targets for malware attacks on the client side, the server side or both. The uploaded file could contain malicious code in the form of an exploit, virus, Trojan, or malware, and these could be used to gain control of the web server. For example, it is possible to hide PHP code inside an image file and still have it appear to be an ordinary image. When the image is opened, it also executes the code hidden in the file. The file could contain scripts or tags that exploit other well-known web application vulnerabilities, such as Cross-Site Scripting (XSS). A misconfigured web application can also be compromised by uploading a file, executing a web shell, and moving laterally within the web server to get access to sensitive information and exfiltrate data.

In the case of client-side attacks, uploading malicious files can make the website vulnerable to Cross-Site Scripting or Cross-Site Content Hijacking. However, the attack can also target the client itself while simply using the web application as a distribution channel/vector. Furthermore, advanced attacks can leverage productivity files distributed by your web application. These files are seemingly innocent; however, on execution, the malware will try to download a malicious payload which runs only in memory (with no trace/residue on disk). This is hard to track, and during incident response analysis the typical conclusion may point the finger at the web application even though the traffic was seemingly legitimate. A worrying trend is the use of PowerShell as an attack vector, with macros as the onboarding mechanism. As an example, in the past two years attackers have used PowerShell to deploy Trojan.Kotver, obfuscated in the registry as a fileless infection, to steal financial data.

Attackers often use multiple vectors for distributing malicious code. One worrying example is the installation of application backdoors that communicate with their Command and Control (C&C) servers and proceed to exfiltrate data. Moreover, malware in some cases can use application servers to communicate directly with the C&C and thereby bypass the firewall rules. Typical security controls cannot understand and block such clever means of data theft, and, even if they occasionally do, threat actors can establish a foothold behind the firewall, steal credentials, conduct lateral movement and finally exfiltrate data. Without thorough inspection of files (including verification of file type, examination of embedded active objects and the ability to verify malware-free content), other security mitigation approaches fall short.

To address the challenges posed by file uploads and files attached to emails, F5 has teamed up with OPSWAT to allow for comprehensive content analysis and sanitization. All F5 products that expose an ICAP interface, such as BIG-IP LTM, BIG-IP ASM, Advanced WAF, and SSL Orchestrator, can take full advantage of OPSWAT's MetaDefender capabilities. These capabilities include thorough malware scanning using over 30 leading anti-malware engines as well as Content Disarm and Reconstruction (CDR) services for file sanitization and vulnerability assessment.

Figure: OPSWAT Deployment In F5 Ecosystem

Figure: MetaDefender Integration With F5 BIG-IP

OPSWAT's independently deployable MetaDefender is built on proven technology that offers the in-depth customizable logic of OPSWAT Multiscanning for granular content inspection, greater capacity for file type analysis, archive extraction, and the power to remove all traces of detected malware from files without impacting usability or productivity. MetaDefender CDR detects and disables malicious active objects like embedded macros, scripts (e.g. JavaScript), OLE objects, ActiveX controls and other potentially harmful elements.

MetaDefender integrates seamlessly for total protection in file uploads (REQMOD) and file downloads (RESPMOD), and can be deployed on-premises in cases where a secure data workflow is of critical importance.

Figure: Abstraction Of MetaDefender Platform

ICAP performs content manipulation as a service for the appropriate client HTTP request or HTTP response. This service is also referred to as "content adaptation." Ready-made F5 iApp templates available for MetaDefender provide configuration ease, so that the profile settings for application services are automated through a wizard. Once the iApp script runs, a profile is established and the MetaDefender ICAP pool is defined. All that remains is to enable the profiles in the relevant field on the Virtual Server(s).

F5 Advanced WAF/BIG-IP ASM act as an ICAP client, which forwards the traffic to the ICAP server (MetaDefender) to support business-critical use cases such as file upload. The ICAP server executes its transformation service on the messages and sends back responses to the F5 Advanced WAF/BIG-IP ASM. MetaDefender performs malware detection and data sanitization through CDR, and returns one of the following:

- A blocking page, showing that the content is either malicious or not in accordance with defined policies
- Modified data (the sensitive information and/or potentially malicious payload removed through CDR)
- A clean bill of health for the examined files

Figure: Content Disarm and Reconstruction (CDR) In Action

One of the greatest benefits of using the MetaDefender ICAP Server is the one-step configuration at the beginning of the integration. All future updates and enhancements can be rolled in without additional integration effort. Moreover, automating traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services.
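The REQMOD exchange described above, modelled as an added example (not F5's or OPSWAT's code): it builds the ICAP request an ICAP client such as ASM would send for a file upload and classifies the server's reply into the three outcomes listed (clean, blocking page, modified data). The host name, service path, the sample messages and the X-Virus-ID header name are assumptions; the message framing follows RFC 3507.

```python
# Added example (not F5's or OPSWAT's code): a model of the ICAP REQMOD exchange
# described above, from the ICAP-client side that BIG-IP ASM plays. Host, service
# path, sample messages and the "X-Virus-ID" header name are constructed
# assumptions; the message framing follows RFC 3507.
ICAP_HOST = "icap.example"    # assumption: address of the MetaDefender ICAP server
ICAP_SERVICE = "/reqmod"      # assumption: service path is deployment-specific
VIRUS_HEADER = b"x-virus-id"  # assumption: the "virus header" ASM is configured to read

def build_reqmod(http_request: bytes, host=ICAP_HOST, service=ICAP_SERVICE) -> bytes:
    """Encapsulate a client HTTP request (headers + body) in a REQMOD message."""
    head, _, body = http_request.partition(b"\r\n\r\n")
    req_hdr = head + b"\r\n\r\n"
    if body:  # body goes as one chunk plus the terminating zero-length chunk
        encap = b"req-hdr=0, req-body=%d" % len(req_hdr)
        payload = req_hdr + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        encap = b"req-hdr=0, null-body=%d" % len(req_hdr)
        payload = req_hdr
    start = b"REQMOD icap://%s%s ICAP/1.0\r\n" % (host.encode(), service.encode())
    return start + b"Host: %s\r\nEncapsulated: %s\r\n\r\n" % (host.encode(), encap) + payload

def classify_reqmod_response(icap_response: bytes) -> dict:
    """Map the ICAP server's reply to the three outcomes listed above."""
    head = icap_response.partition(b"\r\n\r\n")[0]
    status = int(head.split(b" ", 2)[1])
    hdrs = {k.strip().lower(): v.strip() for k, v in
            (l.split(b":", 1) for l in head.split(b"\r\n")[1:] if b":" in l)}
    if status == 204:  # unmodified: file is clean, forward the original request
        return {"verdict": "clean", "threat": ""}
    if status != 200:  # server error/timeout: ASM policy decides fail-open/closed
        return {"verdict": "error", "threat": "", "status": status}
    if b"res-hdr" in hdrs.get(b"encapsulated", b""):  # request swapped for a response
        return {"verdict": "blocked", "threat": hdrs.get(VIRUS_HEADER, b"").decode()}
    return {"verdict": "modified", "threat": ""}  # e.g. CDR-sanitized upload body

# Constructed sample: the harmless EICAR test string uploaded as eicar.com (the test above).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
def sample_upload() -> bytes:
    body = (b'--B\r\nContent-Disposition: form-data; name="filename"; filename="eicar.com"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + EICAR + b"\r\n--B--\r\n")
    return (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: %d\r\n"
            b"Content-Type: multipart/form-data; boundary=B\r\n\r\n" % len(body)) + body
# Constructed ICAP reply a scanner might send for that upload: a blocking page.
BLOCK_REPLY = (b"ICAP/1.0 200 OK\r\nX-Virus-ID: EICAR-Test-File\r\n"
               b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n7\r\nBlocked\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod(sample_upload()).decode(errors="replace"))
    print(classify_reqmod_response(BLOCK_REPLY))
```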
F5 Advanced WAF and OPSWAT MetaDefender file content security

To enable comprehensive malware checking and data sanitization capability in Advanced WAF/BIG-IP ASM, you should configure the system to connect with the OPSWAT MetaDefender ICAP Server.

First, import the iApp Template from OPSWAT's GitHub account.

Figure: OPSWAT iApp Template List

Second, create an Application by using the newly imported template: opswat_metadefender_icap

Figure: OPSWAT Template Import

This will generate the ICAP profiles and the MetaDefender ICAP Virtual Server (shown in the screenshot below).

Then, once the previous steps are completed, apply the new profiles on the web app Virtual Server (select Advanced) and choose the MetaDefender ICAP Request and/or Response Adapt Profile, as deemed appropriate (REQMOD or RESPMOD).

Figure: Application Security Setting

The MetaDefender ICAP Server works with the default (virus header and URI) values out of the box, so you don't need to configure internal system variables in the Configuration utility. After the above steps are completed, your web applications are protected against malicious files. To test the setup, simply use a test file such as EICAR. Last, you can check ICAP History on the OPSWAT MetaDefender ICAP Server side to view the archives of file analysis.

Figure: Viewing File Upload/Download History In MetaDefender User Interface

Since ICAP can perform a variety of services including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP allows for seamless service additions without operational disturbance or the need to reconfigure web apps. This can apply to both request (client-to-server) and response (server-to-client) payloads.

Lightboard Lessons: F5 BIG-IP and OPSWAT MetaDefender Integration
The OPSWAT MetaDefender advanced threat prevention technologies work seamlessly with the F5 BIG-IP reverse proxy to scan file uploads for threats prior to web upload. MetaDefender technology scans files with 30 or more leading anti-malware engines, in addition to data sanitization (Content Disarm and Reconstruction) and vulnerability assessment technologies, for protection against known and unknown threats. In this video, John outlines the power of combining the BIG-IP with MetaDefender to keep web applications safe. Enjoy!

Related Resources:
- Installing an OPSWAT Endpoint Security update on BIG-IP
- iApp to configure LTM and OPSWAT MetaDefender