Been using Astaro at home for a while, nice bit of software, running 7.503.
Today, at a clients, an ids triggered on scareware.
The client had done a search for "american country music awards 2010"
The browser showed the 'virus scan' and gave a popup to repair, so they left it for me to look at without following through.
That office and the ids sit behind Untangle, and the Untangle install didn't even notice.
Later I spent some time with these sites and downloading these installers from behind untangle, occasionally the Untangle Phishing module would throw a block page, since it's block db comes from google, those would correlate with the search links in the google results that were marked with "this site may harm your computer".
Not real impressed with the Untangle solution.
Went home, and ran the same 'test' from behind my Astaro install.
Downloaded over a dozen of these installers, Astaro didn't even notice, just happily passed along every single request and downloaded installer.
2010:04:19-18:58:18 astaro httpproxy[12865]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.1.115" user="" statuscode="200" cached="0"
profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter
action)" size="535" time="211 ms" request="0xad561060" url="www2.secyresyscare2.com/build9_195.php
cmd=sendFile&counter=1&=p52dcWltbV%2FCj8bYbnOCdVik12qbVp%2FZatrauJ%2BCoKXcz4mbm5h2lpd6fl%2FVodCjZGGRaGRvll7IaWGMoNfF16aqb1zWnomtm6ilmXVanqLNkqGMp5mSq29ezZ2fZmiUX5aVkWVlY2ebh9WemHGhqKykcmiQpNvdX5eco5mkyVv
Fn52VoMjF1ZSfcaeiwtCepJ2claZfm6jWm9jYqluaqaWhx1jDp5HYkdaPlWFoYlzGztN0lKine3WHnZrTkMyMkp2db5qkoZLQVpHTnZ7Hz5qcoKqix8
yrl5qorGWVXprOnZ%2FOpG1moIBexZrSa6LSoKDH0p5lp5jaz9euV2d6maZhjYyGYKXVl5aWl5uZ0FPDnaChoMShlVerpXOWk5pqaWZxanBoXq3UX6GXY2dea2RwmmWWVpPJari3iaiglnOdk5U" exceptions="" error="" category="9998" reputation="neutral" categoryname="Uncategorized" content-type="text/html"
The only current tools I have running at home or these offices that do trigger are the snort installations with emerging-virus.rules, as well as the desktop av's NOD32 and Prevx3.
Since Untangle uses Clam and Kaspersky, and Astaro uses Clam and Antivir?, it's no wonder that neither of their AV catch these installers, but nothing in Astaro content filter or ips triggers either. Of the three installer I uploaded to virustotal, only 7 of 41 av would trigger, additionally, neither do the other two desktop AV's I use here and there, MSE and Norton 2010, as verified by virustotal.com.
This entire business is lame, they shouldn't be clicking through these stupid links but these gateway solutions ought to be doing something, from everything I read on the net this is becoming the most prevalent attack vector and has been for some time.
When are security solutions going to actually start catching up with these attack methods?
This thread was automatically locked due to age.
