
Barracuda Web Security Gateway

What are some ways in which ransomware viruses have been able to bypass virus checking on the web filter and what are the ways to mitigate against them?

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007529

Scope:

All Barracuda Web Filters.  All Firmware Versions
 
Answer:
 
The definitions used on Barracuda products currently block over 15,000 variants of the CryptoLocker virus and other virus/malware families, and new signatures are added every day as they are discovered. We also block the domain names associated with the virus and malware campaigns, which helps stop mutated variants that the signatures do not yet cover. As with any virus, a new variant can make it through the service until it is discovered and a signature developed for it.
 
If left at the defaults, definitions are checked, and updated if needed, every 15 minutes, 24 hours a day, on all products.
 
There are several ways in which CryptoLocker and other ransomware are able to bypass the virus checking of the web filter.
 
1. Some infections occur when the user is redirected to a proxy site. If the user has a permissive policy on the web filter, this traffic is allowed. Once the traffic is sent to a proxy site it can be redirected anywhere: the web filter only sees the connection to the proxy site, not the final destination, so the download is never scanned. Some examples of proxy sites can be found at the following link:
 
http://www.alltechbuzz.net/top-best-free-proxy-sites-servers-2015/

++ To mitigate this, ensure you are blocking the "Proxy Sites" category, or create a custom category on the web filter containing the proxy and proxy utilities categories and apply it in an exception that blocks all users from the new custom category. This exception should then be moved near the top of the exception list, above any All Web Traffic rules, so that a more permissive rule does not match first. For information on creating custom categories, please refer to the following link:
 


2. Some infections occur when a user is redirected to a foreign site. Most foreign sites are uncategorized; if uncategorized sites are allowed, the user can be redirected to a foreign site and become infected.

++ A URL pattern rule can be created to block traffic to websites under the country-code top-level domains known for causing these infections, for example Spain, Russia and China. These rules should then be moved to the top of the exception list, above any All Web Traffic rules.
 
Here are the URL pattern examples to block this traffic:
 
http(s|)://.*\.cn/                     (block anything ending in .cn (China sites))
http(s|)://.*\.ru/                     (block anything ending in .ru (Russian sites))
http(s|)://.*\.es/                     (block anything ending in .es (Spanish sites))
http(s|)://.*\.io/                     (block anything ending in .io (British Indian Ocean Territory sites))
http(s|)://.*\.tk/                     (block anything ending in .tk (Tokelau, a territory of New Zealand))
 
etc...

Note that these patterns are regular expressions matched against the whole URL. The ".*" is not limited to the host name, so a URL whose path or query string happens to contain ".cn/" is also blocked, while a host followed by a port number (for example "example.cn:8080/") is not matched at all. A country-code TLD also only tells you where the domain was registered, not where the site is hosted, so these rules block on the domain suffix rather than on the actual country.
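The following is an added example and is not part of the Barracuda article. It runs the article's five URL patterns against constructed URLs so you can see exactly what they block and miss, and compares them with a host-anchored rewrite in which the suffix must end the host name (optionally followed by a port). It assumes the filter applies a URL pattern as a regular expression searched anywhere in the full request URL, which is how the article's patterns are written; the sample URLs are made up.

```javascript
// Added example, not part of the Barracuda article: exercise the article's URL
// pattern rules against constructed URLs and compare them with a host-anchored
// rewrite. Assumption: the filter applies a URL pattern as a regular expression
// searched anywhere in the full request URL (that is how the article's patterns
// are written). The sample URLs below are made up.

// The five patterns exactly as the article lists them.
const ARTICLE_PATTERNS = [
  /http(s|):\/\/.*\.cn\//,
  /http(s|):\/\/.*\.ru\//,
  /http(s|):\/\/.*\.es\//,
  /http(s|):\/\/.*\.io\//,
  /http(s|):\/\/.*\.tk\//,
];

// Host-anchored rewrite: the suffix must end the host name, optionally followed
// by a port, so ".*" can no longer run into the path or query string.
const TLDS = ["cn", "ru", "es", "io", "tk"];
const HOST_ANCHORED_PATTERNS = TLDS.map(
  (tld) => new RegExp("^https?://[^/?#]*\\." + tld + "(:[0-9]+)?(?=[/?#]|$)", "i")
);

function matchesAny(patterns, url) {
  return patterns.some((re) => re.test(url));
}

// Returns whether each rule set would block the given URL.
function classify(url) {
  return {
    article: matchesAny(ARTICLE_PATTERNS, url),
    anchored: matchesAny(HOST_ANCHORED_PATTERNS, url),
  };
}

// Constructed samples, each with the behaviour it demonstrates.
const SAMPLES = [
  ["http://update.example.cn/",                   "plain .cn host: both rule sets block"],
  ["https://cdn.example.ru/payload.exe",          ".ru host with a path: both block"],
  ["http://files.example.cn:8080/drop.exe",       "port after the host: article pattern misses it"],
  ["http://files.example.cn",                     "no trailing slash (non-browser client): article pattern misses it"],
  ["http://intranet.example.com/docs/report.cn/", "'.cn/' in the path: article pattern false positive"],
  ["http://example.com/?next=http://bad.cn/",     "'.cn/' in a query string: article pattern false positive"],
  ["https://www.example.com/",                    "unrelated domain: neither blocks"],
];

function report() {
  for (const [url, note] of SAMPLES) {
    const r = classify(url);
    console.log(url + "\n  article: " + r.article + "  anchored: " + r.anchored + "  (" + note + ")");
  }
}

report();
```

Before deploying the anchored form, confirm that your firmware's URL pattern engine accepts anchors and lookahead; if it does not, the same effect can be approximated by listing the host part explicitly (for example http(s|)://[^/]*\.cn(:[0-9]+)?/) and testing it against the sample URLs above.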

3. Some infections occur when users click FTP links in an email. The web filter does not filter FTP by default; however, rules can be added to the web filter to block this attack vector as well.

++ Our engine supports passive FTP proxying. For this to work, the browser needs to be configured to use the web filter as its FTP proxy, even in inline deployments. The browser will then send its FTP requests to the proxy over HTTP, where the filter can scan them.

If using an actual FTP client such as FileZilla, set its proxy type to "HTTP/1.1 using CONNECT method" (or the equivalent option in other clients).


Beyond this, FTP traffic can be blocked globally for authenticated or unauthenticated users under Block/Accept, Applications. If you need more granular rules for blocking and allowing FTP, this should be done on the corporate firewall.

No one solution is designed to catch all malware infections. Using multiple layers of protection is the best approach.
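The following is an added example and is not part of the Barracuda article: a PAC (proxy auto-config) script that makes the browser send ftp:// requests to the web filter's proxy listener, which is the browser-side configuration the article calls for, while leaving other traffic direct because an inline filter already sees HTTP and HTTPS on the wire. The proxy address webfilter.example.internal:8080 and the internal domain corp.example are placeholders, not values from the article. Note that current versions of Chrome and Firefox no longer handle ftp:// at all, so this rule only matters for browsers and clients that still do.

```javascript
// Added example, not part of the Barracuda article: a PAC script that routes
// ftp:// requests through the web filter's proxy listener so FTP downloads are
// scanned. Assumptions: webfilter.example.internal:8080 is the filter's proxy
// address and corp.example is the internal domain; both are placeholders.

// PAC engines run old-style JavaScript, so this uses ES3 constructs only.
// True when host is `suffix` itself or a sub-domain of it (label boundary
// respected, so "evilcorp.example" does not match "corp.example").
function endsWithDomain(host, suffix) {
  var h = host.toLowerCase();
  var s = suffix.toLowerCase();
  return h === s || (h.length > s.length && h.substr(h.length - s.length - 1) === "." + s);
}

function FindProxyForURL(url, host) {
  var lower = url.toLowerCase();
  if (lower.indexOf("ftp://") === 0) {
    // Assumed internal FTP servers stay direct.
    if (endsWithDomain(host, "corp.example")) {
      return "DIRECT";
    }
    // Every other ftp:// request goes to the filter, which receives it as an
    // HTTP GET for the ftp:// URL and can scan the download. Do not append
    // "; DIRECT" here: that fallback would let the browser bypass the filter
    // whenever the proxy is unreachable, silently re-opening this vector.
    return "PROXY webfilter.example.internal:8080";
  }
  // An inline filter already sees HTTP and HTTPS on the wire.
  return "DIRECT";
}
```

Serve the file from an internal web server and point the browser's automatic proxy configuration URL at it (or push it by group policy); the FTP client setting in the article is the equivalent for clients that do not read PAC files.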


4. Email containing a password-protected archive.

++ To mitigate against these, we recommend using the Barracuda Spam Firewall or Barracuda Email Security Service, which can secure your company's email by blocking password-protected archives, whose contents we cannot otherwise see and analyze.

 
5. Other threats may arrive via the Tor network, torrents, or other channels that are better blocked with our NG Firewall product, using deep packet inspection and the Advanced Threat Detection (ATD) engine. More details can be found here: https://www.barracuda.com/products/nextgenfirewall-f/advancedthreatdetection