Just want to discuss how to make Astaro defend us to the MAX.
Other than us manually adding the known bad domains via network definitions.
Want to better understand how those build in features work without additional manual modification.
1) HTTP Proxy turn on Block Spyware Communication, would this help prevent going to those "bad" domains? Does that vendor pro actively add the following / known domains?
2) IDS / IPS, would it currently Block this attack assuming a client indeed is loading the Bad website. ( I only checked all the OS / Client related stuff, Unchecked all the Server stuff)
3) Anyone seeing the Antivirus catching it?
Ever since Kaspersky had been removed replaced with the Authentium.
I have to say detection is not that good and eventually detected on the machine by F-Secure.
When submitted to Virustotal, often I see Kaspersky catching it but not that AUthentium.
The ThreatCon is currently at Level 2: Elevated.
The DeepSight ThreatCon currently at Level 2 in response to the discovery of in-the-wild exploitation of a vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file. Originally it was believed that this issue was unpatched and unknown, however further technical analysis has revealed that it is very similar to the previously reported Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability (BID 28695), discovered by Mark Dowd of IBM. However, we are working with Adobe to identify the precise details, due to the fact that we have observed the malicious files affecting patched versions of Flash, suggesting it may be a variant or incorrectly patched. We have begun to observe numerous attacks. The original attacks observed involve two Chinese sites, which are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. Further analysis into these attacks, specifically the woai117.cn attack, uncovered another domain involved: dota11.cn. We have discovered that this site is being actively injected into sites through what is likely SQL-injection vulnerabilities. A Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site. Other reports are suggesting upwards of 250,000 affected pages. A new attack, involving the play0nlnie.com domain, was recently reported which works slightly differently and appears to be more sophisticated. The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox. Symantec currently detects the SWF files as Downloader.Swif.C, and the malware associated with these attacks as Infostealer.Gamepass, and Trojan, respectively. Network administrators are also advised to blacklist the offending domains to prevent clients from inadvertently being redirected to them. Additionally the following actions are advised. Avoid browsing to untrustworthy sites. Consider disabling or uninstalling Flash until patches are available. Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites. Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patches availability is confirmed. This vulnerability is currently being tracked as: Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability (http://www.securityfocus.com/bid/29386)
[H]
This thread was automatically locked due to age.