Posted by Tony Berning / January 10, 2015
Previously, we discussed how Metadefender Core can be used to scan HTTP traffic that is routed through a Blue Coat® proxy server. Routing traffic through a proxy protects an organization against threats that enter the network when people inside it access malicious files. In this case, potential malware is prevented from being ‘pulled’ into the organization unwittingly.
Another way malware can enter a network is to be ‘pushed’ from the outside. Malware arriving this way may mean attackers are directly targeting the organization. Examples include malicious files uploaded to file sharing sites, web forms submitted with malicious content, and threats embedded within uploaded documents or images.
To protect against this attack vector, every file pushed to a company’s site should be scanned for threats. OPSWAT’s customers use Metadefender Core to accomplish this in several different ways, and the suitability of each depends on their specific needs.
If a website operator wants to capture and analyze potential malware for the purposes of evaluating whether it is dangerous, they probably want to initially allow the file into a demilitarized zone (DMZ), or a zone that does not have access to their internal network. While the file is in the DMZ, it can be analyzed with Metadefender Core and potentially other tools to determine if it poses a threat. If no threat is identified, it can then be allowed into the secure network. If it is flagged as a potential threat, it can be further examined in the DMZ without the need to bring it into the secure network.
Another approach is to check the file as it passes through a gateway, such as the F5® BIG-IP® Local Traffic Manager™ (LTM®) application delivery controller (ADC), and block any file identified as a threat at that point. This approach works best when the goal is simply to block malicious files without examining them further. Some of OPSWAT’s customers use F5 BIG-IP LTM systems as an ADC that directs incoming files to one of many servers. They use Metadefender ICAP Server to scan all incoming files as they pass through the BIG-IP system and block any file that is a potential threat before it reaches the servers in the cluster.
The best approach depends on an organization’s specific needs, such as its tolerance for potential false positives versus its tolerance for a potential malware infection. Any organization that operates a site allowing files or data to be uploaded from the public internet should, however, have something in place to scan that incoming data for threats, so that malicious files are not pushed into the organization.
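As an added example (not OPSWAT’s or F5’s code), the following Python models the exchange a gateway performs for each upload in the approach above: wrap the client’s HTTP POST in an ICAP REQMOD request (RFC 3507), send it to the scanner, and turn the reply into an allow/block decision, failing closed if the scanner cannot be reached. The scanner hostname and the X-Infection-Found header are assumptions, not taken from the product documentation.

```python
import re
import socket

ICAP_SERVER = ("metadefender.example.internal", 1344)  # assumed host; 1344 is the ICAP default port


def build_reqmod(http_request: bytes, body: bytes, service: str = "/reqmod") -> bytes:
    """Encapsulate an HTTP request plus its upload body as an ICAP REQMOD message."""
    req_hdr = http_request.rstrip(b"\r\n") + b"\r\n\r\n"
    icap_hdr = (
        f"REQMOD icap://{ICAP_SERVER[0]}{service} ICAP/1.0\r\n"
        f"Host: {ICAP_SERVER[0]}\r\n"
        "Allow: 204\r\n"  # tell the scanner we accept "204 No Content" as the clean verdict
        f"Encapsulated: req-hdr=0, req-body={len(req_hdr)}\r\n\r\n"
    ).encode()
    # ICAP bodies are always chunked: one chunk plus the zero-length terminator is enough here
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return icap_hdr + req_hdr + chunked


def parse_verdict(icap_response: bytes) -> dict:
    """Map the ICAP status line and headers to {'allow', 'status', 'reason'}."""
    head = icap_response.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3})", head[0])
    if not m:
        raise ValueError("not an ICAP response")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in head[1:]) if k}
    status = int(m.group(1))
    # 204 = no modification needed, i.e. the scanner passed the upload unchanged.
    # A 200 carries a replacement (block page / 403); anything else is an error. Both block.
    return {"allow": status == 204, "status": status,
            "reason": headers.get("x-infection-found", "")}  # header name is an assumption


def scan_upload(http_request: bytes, body: bytes, timeout: float = 10.0) -> dict:
    """Send one upload to the scanner and return its verdict; fail closed on any error."""
    try:
        with socket.create_connection(ICAP_SERVER, timeout=timeout) as sock:
            sock.sendall(build_reqmod(http_request, body))
            resp = b""
            while b"\r\n\r\n" not in resp and (chunk := sock.recv(4096)):
                resp += chunk  # read until the ICAP header block is complete
        return parse_verdict(resp)
    except (OSError, ValueError) as exc:
        # A scanner outage must not become an open gate: block and say why
        return {"allow": False, "status": 0, "reason": f"scanner unavailable: {exc}"}
```

A real gateway would stream large bodies in several chunks and honour the ISTag and Preview headers; this block keeps only the parts needed to show where the allow/block decision comes from.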