[ bttp @ 16.06.2013. 08:44 ] @
Here's the log, and here's what the elitesecurity.org front page looks like to me (Madzone too).

Quote:
****************** Sophos Anti-Virus Log - 16.6.2013 7.42.01 **************

...
20130614 213341 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20130614 233340 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130614 233353 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130614 233429 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org/t466129-1") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130614 233641 Blocked web request to "static.elitesecurity.org/strelica_gore.gif" (linked from "www.elitemadzone.org") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 102347 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20130615 102348 Using detection data version 4.90G (detection engine 3.43.0). This version can detect 5196539 items.
20130615 102348 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20130615 103819 Blocked web request to "static.elitesecurity.org/banner/housing-by-verat.jpg" (linked from "www.elitemadzone.org") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 103822 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 103826 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org/pp/inbox") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 103841 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org/pp/outbox") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 103848 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org/pp/citajsvoju/432499") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 103917 Blocked web request to "static.elitesecurity.org/banner/housing-by-verat.jpg" (linked from "www.elitemadzone.org/pp/outbox") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 103919 Blocked web request to "static.elitesecurity.org/online.gif" (linked from "www.elitemadzone.org/pp/inbox") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130615 184142 Blocked web request to "static.elitesecurity.org/online.gif" (linked from "www.elitemadzone.org/pp/inbox") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 072635 User (NT AUTHORITY\SYSTEM) has stopped on-access scanning for this machine.
20130616 072636 Using detection data version 4.90G (detection engine 3.43.0). This version can detect 5196568 items.
20130616 072637 User (NT AUTHORITY\SYSTEM) has started on-access scanning for this machine.
20130616 073629 Blocked web request to "static.elitesecurity.org/online.gif" (linked from "www.elitemadzone.org/pp/inbox") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 073653 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitesecurity.org") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 073947 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitesecurity.org/f29-Predlozi-pitanja") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 074000 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitesecurity.org/poruka/novatema/29") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 074003 Blocked web request to "static.elitesecurity.org/banner/uniwebhosting2.gif" (linked from "www.elitesecurity.org/poruka/novatema/29") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 074043 Blocked web request to "static.elitesecurity.org/progress_active.gif" (linked from "www.elitesecurity.org/poruka/novatema/29") for user ASPIRE\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
(25 items)
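As an added example (not part of the thread), the parser below reads Sophos "Blocked web request" lines in the exact form quoted above and summarises them per blocked host; the point it surfaces is that one reference ID covers many different static files, i.e. a site-level verdict rather than a per-file detection. The sample is a constructed subset of the quoted log, and the field names and static-extension list are my own choices.

```python
import re
from collections import Counter

# Sophos on-access log line for a blocked web request, in the form quoted above.
# Other event types (scanner start/stop, detection data version) are ignored.
BLOCK_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) Blocked web request to "(?P<url>[^"]+)" '
    r'\(linked from "(?P<ref>[^"]+)"\) for user (?P<user>\S+)\. '
    r"'(?P<threat>[^']+)' has been found at this website, reference ID (?P<rid>\d+)\.$"
)
STATIC_EXT = (".css", ".gif", ".jpg", ".jpeg", ".png", ".js", ".ico")  # assumed list

def parse_block(line):
    """Return a dict for a 'Blocked web request' line, or None for any other line."""
    m = BLOCK_RE.match(line.strip())
    if not m:
        return None
    host, _, path = m["url"].partition("/")
    return {"host": host, "path": "/" + path, "referrer_host": m["ref"].split("/", 1)[0],
            "threat": m["threat"], "ref_id": m["rid"]}

def summarise(lines):
    """Aggregate blocks per host and flag a single site-level verdict on static assets."""
    events = [e for e in map(parse_block, lines) if e]
    hosts = Counter(e["host"] for e in events)
    paths = sorted({e["path"] for e in events})
    threats = sorted({e["threat"] for e in events})
    ref_ids = sorted({e["ref_id"] for e in events})
    referrers = sorted({e["referrer_host"] for e in events})
    static_only = bool(paths) and all(p.lower().endswith(STATIC_EXT) for p in paths)
    # One reference ID shared by many different files on one host is a URL/site
    # categorisation verdict, not a per-file detection: a reassessment request case.
    site_level_verdict = len(hosts) == 1 and len(ref_ids) == 1 and len(paths) > 1
    return {"blocks": len(events), "hosts": dict(hosts), "paths": paths,
            "referrer_hosts": referrers, "threats": threats, "ref_ids": ref_ids,
            "static_only": static_only, "site_level_verdict": site_level_verdict}

# Constructed sample: three lines copied from the log quoted above plus one
# non-block event, to show that unrelated lines are skipped.
SAMPLE_LOG = """\
20130614 213341 User (NT AUTHORITY\\SYSTEM) has started on-access scanning for this machine.
20130614 233340 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitemadzone.org") for user ASPIRE\\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130614 233641 Blocked web request to "static.elitesecurity.org/strelica_gore.gif" (linked from "www.elitemadzone.org") for user ASPIRE\\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
20130616 073653 Blocked web request to "static.elitesecurity.org/css/stil1b.css" (linked from "www.elitesecurity.org") for user ASPIRE\\bttp. 'Mal/HTMLGen-A' has been found at this website, reference ID 27617682.
""".splitlines()

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```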

[ dlalic @ 25.06.2013. 12:58 ] @
Another case
[ Gojko Vujovic @ 26.06.2013. 08:50 ] @
Reported to Sophos support, since it's a false positive.
[ Gojko Vujovic @ 26.06.2013. 10:27 ] @
Sophos replied that we should direct users to the following page so they can report problems with access to sites:

https://www.sophos.com/en-us/t...nter/reassessment-request.aspx

[ bttp @ 02.07.2013. 03:49 ] @
So we have to report it ourselves? Does that mean they don't accept reports from administrators?

I don't understand why I, as a user, should report to Sophos every threat that their software reports to me.
[ Gojko Vujovic @ 02.07.2013. 17:25 ] @
They don't accept them because I'm not their customer and don't have a valid licence (they asked me to show a serial number). They provide support only to their own customers.

It's an obvious "false positive" that needs to be fixed, and the cause of it is Sophos and no one else; I don't know who else you could report it to other than them so they fix the error. :/
[ X Files @ 02.07.2013. 20:13 ] @
What I'd like to know is whether Sophos has an issue with the ES/EM website itself, or whether the issue is with some technology within the site?

At work we have a network Sophos, for about 10 years now. I indirectly follow its development and performance. There were days when it was worse than the worst free solution. It both let intruders through and reported false positives. When those famous USB autorun intruders appeared, of course it was among the last to react. At one time, presumably so as not to look stupid in company, they wouldn't agree to try their luck on http://virusscan.jotti.org . Now they're there, they have genuinely improved, but they still report a huge number of false positives.

Finally, I think Sophos is really defensive. But maybe that's its trademark.

Of course I also noticed the problem with access to ES/EM, but I thought it was just our company's policy. In short, at our company there are plenty of idle IT admins who have put hundreds of domestic sites, portals and forums on the website blacklist. It wouldn't surprise me if ES/EM were among them. Now I wonder whether that blacklist is somehow synchronised with the home server and somehow re-evaluated there.

Luckily, my machine isn't locked down, so before accessing the net I always shut down about 7-8 Sophos services, and then everything is fine. Otherwise, I access the net through "my own" connection, since the company one is useless to me.
[ Gojko Vujovic @ 03.07.2013. 13:52 ] @
It's their bad technology. It has nothing to do with the site's content or with the "technology" on the site, since from the part of the site they blocked we serve static content that hasn't changed in years and has nothing malicious in it.

Look, it's pretty simple: a company selling software that identifies a 200-byte gif file as "generic html malware" (whatever that is!!) deserves to go under, and it will. Their detection is md5 hashes of files and some so-called heuristics for categorising links. I think they're at only 6% AV market share now and that will probably only keep falling...
[ bttp @ 03.07.2013. 16:53 ] @
Sophos is basically software aimed at corporations, not to say businesses. End users are not their target group, hence probably the small share, but of that share probably 90% duly pay for a licence. A lot of people haven't even heard of Sophos AV.

P.S. As for the licence they asked you for when you reported the "case", you can give them a trial licence, which you get on the site when downloading. You get it before installation, so you don't even have to install it.

[This message was edited by bttp on 03.07.2013. at 18:27 GMT+1]