APM 12.1.2 EHF 271 OPSWAT Mac File Check Issues
I have an access policy that I'm having issues with. I had to update APM to 12.1.2 with engineering hotfix 271. When I updated it, OPSWAT v4 was installed inadvertently. As soon as it was installed, any user in my company with McAfee Endpoint Encryption v6.x could not get past the HD Encryption check. I ran the OESIS Diagnostic tool on their computers and it did not detect any HD Encryption software. Users that have Bitlocker work just fine. I was able to get around this by setting up a process check coming off of the fallback branch of the HD Encryption macro, and everything is fine for Safeboot/Endpoint Encryption 6.x users (about 1500). I have some other users with Mac OS 10.12.5 that are unable to pass the client check. This is a bug in the version of the OPSWAT SDK that is installed (4.2.1067.0). There's also an issue with Mac Endpoint Security 10.x. I was going to try to get around the issue for now by checking that the files exist for the endpoint encryption and the endpoint security processes. I put the files in a Mac file check but it is still failing to see them. The files are: /Library/Application Support/JAMF/JAMF.keychain for JAMF, and /Library/Application Support/JAMF/status.0 for Filevault. Does anyone out there with Mac experience have the ability to check to see if that is correct? The only thing I can think of is that it needs a ~ in front of /Library. If I remove the check altogether it works. The other issue Mac users are having is that they keep getting disconnected right when they log in. Their log files show this: 1106,1106,edge, 48, , 143, TunnelController, Tunnel Server, Connecting state 1106,1106,edge, 2, , 171, TunnelController, Disconnected state, Error code, Routing table cannot be patched 1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, en5 1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, en0 1106,1106,edge, 48, , 183, ConnectivityService, activeServices, Service is active, awdl0 1106,1106,edge, 48, , 84, DoRequest, DoRequest, cancel 1106,1106,edge, 48, , 165, TimerController, TimerController, Captive Network Not Detected 1106,1106,edge, 48, , 77, TimerController, Timer Controller, Activated 1106,1106,edge, 48, , 80, TimerController, Timer Controller, Timer Activated (interval: 10 secs) 1106,1106,edge, 48, , 124, TimerController, Timer Controller, Deactivated 1106,1106,edge, 48, , 330, SvpnHandler::StopSvpn, TunnelService, Cannot open pid file, svpn already closed Does anyone know why this would be happening? F5 support suggested adding a split tunnel entry of 0.0.0.0/0.0.0.0 to their network access profile, but I don't know if that will help.Integrating OPSWAT MetaDefender With F5 SSL Orchestrator
In the age of digital economy, applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Most applications render services via the Web, and privacy and data protection concerns have fueled growth in encryption use. Whileencryption provides protection for data in transit, it also presents an opportunity for nefarious actors to encrypt their ownpayloads to bypass detection by anti-malware engines and conceal device infections, hide data exfiltration, and obfuscate (Steganography) botnet communications with command and control servers. Moreover, most Anti-Virus vendors don't intercept HTTPS traffic and allow for potential attackers to compromise files. Once inside the SSL/TLS chain of trust, malware can use a variety of tools like TOR to evade security controls and transform encryption tunnels into infection chains. Layered security approaches like daisy-chaining devices and continuous monitoring of activities not only cannot scale but also add to complexity, latency and loss of productivity. But, there's hope...Internet Content Adaptation Protocol (ICAP)services giveus a way to solve these issues.ICAP services use the RFC3507 ICAP protocol to refer HTTP traffic to one or more content adaptation devices to inspect or modify the data. You can add an ICAP service to any TCP service chain, but only HTTP traffic is sent to the chain. Additionally, you can configure up to ten ICAP services using the configuration utility to load-balance across them. To address these challenges, F5 has teamed up with OPSWAT to allow for comprehensive content analysis without compromises. All F5 productsthat expose ICAP interfaces (like BIG-IP ASM and SSL Orchestrator) can take full advantage of OPSWAT’s MetaDefender capabilities. These capabilities include thorough malware scanning using over 30 leading antivirus engines, as well as Content Disarm and Reconstruction (CDR) services for content sanitization and file vulnerability assessment. OPSWAT Deployment In F5 Ecosystem MetaDefender Integration With F5 BIG-IP OPSWAT’s independently deployable MetaDefenderis built on proven technology that offers the in-depth customizable logic of OPSWAT Multiscanning for granular content inspection capability, greater capacity for file type analysis, archive extraction, and the power to remove all traces of malware from fileswithout impacting usability or performance. MetaDefender CDR detects and disables malicious Active Content like embedded Macros.Furthermore, MetaDefender has an application-centric perspective whereby it detects unresolved vulnerabilities in files pertaining to over 20,000 software applications. MetaDefender integrates seamlessly with both reverse and forward proxies for total protection in file uploads and file downloads. Abstraction Of MetaDefender Platform ICAP performs content manipulation as a servicefor the appropriate client HTTP request or HTTP response. This service is also referred to as "content adaptation." Readymade iApp templates in MetaDefender provide configuration ease so that profile setting for application services is automated through a wizard. Once the iApp script runs, a profile is defined and ICAP virtual servers and pools are established. ICAP clients (clients on F5 side) communicate in reverse or forward proxy modes with the BIG-IP ASM or SSLO which sends HTTP messages to ICAP servers (MetaDefender) to support business-critical use cases such as file upload/downloads. The ICAP server executes its transformation service on messages and sends back responses to the F5 proxy with results on TCP port 1334. MetaDefender performs malware detection and data sanitization through CDR andeither returns the payload untouched, modifiesthe data (removes the sensitive information and/or malware payload), or simply indicates that the examined file(s) are free of malicious content. Typically, the adapted messages are either HTTP requests or HTTP responses. Content Disarm and Reconstruction (CDR) In Action One of the greatest benefits of using the Metadefender ICAP Server is the"one-step configuration" in the beginning of the integration. All future updates and enhancements may be rolled in without additional integration efforts. Moreover, automation of traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services. F5 SSL Orchestrator and OPSWAT MetaDefender File Upload/Download Security SSL Orchestrator (SSLO) eases the creation and maintenance of such custody chains by determining whether traffic should bypass or be decrypted and sent to one service or another. MetaDefender inspects files using content metanalysis for integrity monitoring and verification of malware-free payload. Through Dynamic Service Chaining -- decrypt once, inspect often, re-encrypt once --operational efficiency is attainable. F5 SSLO provides high-performance decryption of inbound and outbound SSL/TLS traffic, enabling security inspection to expose threats and stop attacks using contextual classification engines. Provisioning and deployment is straightforward and requires configuring MetaDefender. The below screenshots showthe ICAP Server and SSL Orchestrator Management Console interface which accomplishes this configuration. To test the setup, simply use a test file such as eicar over HTTPS.Last,you can check ICAP History on OPSWAT MetaDefender ICAP Server side to view the archives of file analysis (screenshot below). Viewing File Upload/Download History In MetaDefender User Interface Since ICAP can perform a variety of services including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP provides for seamless service additions without operational disturbance and the need to reconfigure web apps. This can apply to both request (client-to-server) and response (server-to-client) payloads.Integrating OPSWAT MetaDefender with F5 Advanced WAF & BIG-IP ASM
In the age of digital economy, web applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Many web servers which allow file uploadsare prime targets for malware attackson the client side, server side or both. The uploaded file could contain malicious code in the form of an exploit, virus, Trojan, or malware, and these could be used to gain control of the web server. For example, it is possible to hide PHP code inside an image file and still have it appear to be an ordinary image. When the image is opened, it also executes the code hidden in the file. The file could contain scripts or tags that exploit other well-known web application vulnerabilities, such as Cross-Site Scripting (XSS). A misconfigured web application can also be compromised by uploading a file, executing a web-shell, and moving laterally within the web server to get access to sensitive information and exfiltrate data. In the case of client-side attacks, uploading malicious files can make the website vulnerable to Cross-Site Scripting or Cross-Site Content Hijacking. However, the attack can also be malicious for the client itself while simply using theweb applicationas a distribution channel/vector. Furthermore, advanced attacks can leverage productivity files distributed by your web application. These files areseemingly innocent, however on execution, malware will try to download the malicious payload which will run only in memory (with no trace/residue on disk). This is hard to track, and during the incident response analysis, the typical conclusion may point the finger at the web application even though the traffic was seemingly legitimate. Aworrying trend is the useof PowerShell as an attack vector by using macros as the onboarding mechanism. As an example, in the past two years,attackers have used PowerShell to deploy Trojan.Kotver obfuscated in the registry as a fileless infection to steal financial data. Attackers often use multiple vectors for distributing malicious code.One worrying example is the installation of application backdoors that communicate with their Command and Control (C&C) serversand proceed to exfiltrate data. Moreover, malware in some cases can use application servers to directly communicate with the C&C and thereby bypass the firewall rules. Typical security controls cannot understand and block such clever means of data theft, and, even if they occasionally do, threat actors can establish a foothold behind the firewall, steal credentials, conduct lateral movement and finally exfiltrate data. Without thorough inspection of files(including verification of file type, examination of embedded active objects and ability to verify malware-free content)other security mitigation approaches fall short. To address the challenges posed by file uploads and files attached to emails, F5 has teamed up with OPSWATto allow for comprehensive content analysis andsanitization. All F5 products such as BIG-IP LTM, BIG-IP ASM, Advanced WAF, and SSL Orchestrator that expose ICAP interface can take full Advantage of OPSWAT’s MetaDefendercapabilities.Thesecapabilities include thorough malware scanning using over 30 leading anti-malware enginesas well as Content Disarm and Reconstruction (CDR) services for file sanitization and vulnerability assessment. OPSWAT Deployment In F5 Ecosystem MetaDefender Integration With F5 BIG-IP OPSWAT’s independently-deployable MetaDefender is built on proven technology that offers the in-depth customizable logic of OPSWAT Multiscanning for granular content inspection capability, greater capacity for file type analysis, archive extraction, and the power to remove all traces of detected malware from files without impacting usability or productivity. MetaDefender CDR detects and disables malicious active objects like embedded Macros, scripts (e.g. JavaScript), OLE objects, ActiveX controls and other potentially harmful elements. MetaDefender integrates seamlessly for total protection in file uploads (REQMOD) and file downloads (RESPMOD) while capable of deploying on-premises in cases where secure data workflow is of critical importance. Abstraction Of MetaDefender Platform ICAP performs content manipulation as a servicefor the appropriate client HTTP request or HTTP response. This service is also referred to as "content adaptation." Readymade F5 iApp templates available for MetaDefender provide configuration ease so that profile setting for application services is automated through a wizard. Once the iApp script runs, a profile is established and MetaDefender ICAP pool is defined. All that remains is to enable the profiles in the relevant field on the Virtual Server(s). F5 Advanced WAF/BIG-IP ASM act as anICAP client, which forwards the traffic to the ICAP server (MetaDefender) to support business-critical use cases such as file upload. The ICAP server executes its transformation service on messages and sends back responses to the F5 Advanced WAF/BIG-IP ASM. MetaDefender performs malware detection, data sanitization through CDR and either returns: A blocking page, showing that the content is either malicious or not in accordance withdefined policies Modifieddata (remove the sensitive information and/or potentially malicious payload through CDR) A clean bill of health to examined files Content Disarm and Reconstruction (CDR) In Action One of the greatest benefits of using Metadafender ICAP Server is one-step configuration in the beginning of the integration. All future updates and enhancements may be rolled in without additional integration efforts. Moreover, automation of traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services. F5 Advanced WAF and OPSWAT MetaDefender file content security To enable comprehensive malware checking and data sanitization capability in Advanced WAF/BIG-IP ASM, you should configure the system to connect with the OPSWAT MetaDefender ICAP Server. First, import the iApp Template from OPSWAT’s Github account. OPSWAT iApp Template List Second, create an Application by using the newly imported template: opswat_metadefender_icap OPSWAT Template Import This will generate the ICAP profiles and the MetaDefender ICAP Virtual Server (shown in screenshot below): Then, once the previous steps are completed, just apply the new profiles in the web app Virtual Server (Select Advanced) and choose Metadefender ICAP Request and/or Response Adapt Profile, as deemed appropriate (REQMOD or RESPMOD). Application Security Setting MetaDefender ICAP Server works with the default (virus header and URI) values out of the box so that you dont' need toconfigure internal system variables in the Configuration utility. After the above steps are completed, your web applications are protected against malicious files. To test the setup, simply use a test file such as eicar. Last,you can check ICAP History on OPSWAT MetaDefender ICAP Server side to view the archives of file analysis. Viewing File Upload/Download History In MetaDefender User Interface Since ICAP can perform a variety of services including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP provides for seamless service additions without operational disturbance and the need to reconfigure web apps. This can apply to both request (client-to-server) and response (server-to-client) payloads.Lightboard Lessons: F5 BIG-IP and OPSWAT MetaDefender Integration
The OPSWAT MetaDefender advanced threat prevention technologies work seamlessly with F5 BIG-IP reverse proxy to scan file uploads for threats prior to web upload. MetaDefender technology scans files with 30 or more leading anti-malware enginesin addition to data sanitization (Content Disarm and Reconstruction) and vulnerability assessment technologies for protection against known and unknown threats. In this video, John outlines the power of combining the BIG-IP with MetaDefender to keep web applications safe. Enjoy! Related Resources: Installing an OPSWAT Endpoint Security update on BIG-IP iApp to configure LTM and OPSWAT MetaDefender
APM :: EPSEC / OPSWAT :: Dealing with Unsupported Antivirus Applications
How do folks deal with unsupported antivirus applications when requiring passing of this check prior to logging in? For example, some users have repackaged applications from their ISPs, and it is typically something they either pay for or comes with their subscription. They generally aren't too keen on moving to something else because of that. I would entertain the idea of a bypass... but EPSEC doesn't even see it. Removing the troublesome AV suite and enabling/updating Defender would work and get them in... but again, they're generally not too keen on removing something they pay for. And giving the ISP-specific nature of it... I doubt OPSWAT is going to accommodate an update in that regard? Anyway... Does anybody have any tricks for this in their environment? Thanks!
APM Antivirus (EPSEC/OPSWAT) checking
Hi all, First post, long-time crawler. We are currently doing a proof of concept using the built-in APM client-side antivirus checking (EPSEC/OPSWAT) for compliance. I've got everything setup and working as I would expect, but there's one thing I can't quite figure out. We are specifying the antivirus age to be no older than 7 days and are not seeing any resultant session variables set that would indicate database ages out of compliance. Does this function look at the session.check_av.last.item_x.db_time variable? If so, I don't understand the value that is set for this variable (ie. a Kaspersky database dated Apr 20, 2014 gives db_time=1405626209, SEP database dated Jul 17, 2014 gives db_time=1405569600). The end result for both AV checks is check_av.last.result=1, check_av.last.state=1, and check_av.last.error=0, which is a PASS/SUCCESS. If anyone can even shed light on the db_time variable value, then I can just write an iRule and set a custom flag for database age myself. That said, I know that would require the db_time to be consistent across all AV platforms. Thanks for any help that can be provided on this. James
