Enhanced Malware Protection

Thursday, May 16th, 2013

Wavecrest Computing is pleased to announce an enhancement that delivers a tenfold increase in CyBlock’s ability to protect computer networks from malware and Cyfin’s ability to identify increasing security threats. Here is some background information.

Malware is the scourge of the Internet. The term “malware” includes computer viruses, worms, Trojan horses, spyware, adware, and other malicious programs that can disrupt computer operations, gather sensitive information, or gain access to private computer systems. For Wavecrest’s purposes, malware also includes Web sites that support hacking. Most malware originates and is spread from particular Web sites. Unfortunately, many thousands of such sites exist today, and to make matters worse, the number is growing steadily every day at distressingly fast rates.

The malware problem is not new to Wavecrest. For a number of years, companies have been using CyBlock and Cyfin products to protect against and identify automated invasions of malicious scripts and software, and unauthorized access to their internal networks–the two major problems caused by malware. CyBlock provided protection–under customer control–by blocking and reporting on employees’ attempts to visit sites in 3 of more than 70 URL List categories: Hacking, Phishing/Fraud, and Spyware/Malicious.

While this methodology was effective, it was not perfect. The difficulty lay in keeping the URL List up to date in the face of the relentless and rapid increase in the number of malware-spreading sites. This issue has been addressed with an enhancement that significantly improves the ability to keep the list current.

At the same time, three related categories, Hacking, Phishing/Fraud, and Spyware/Malicious, have been consolidated into one called Malware. This consolidation increases the ease of administration for customers.

This enhancement with its improved URL List is included in the latest release of CyBlock v.6.8.0 and Cyfin v.8.8.0. To realize its benefits as soon as possible, it is recommended that you upgrade your CyBlock or Cyfin product as soon as you can. Wavecrest will continue to update the enhanced list daily and make it available for download by customers. The download process remains unchanged.

You can schedule the list to be downloaded automatically every day, or you can download it manually at any time. In any case, as soon as it is downloaded, you will immediately begin to receive the added protection and see a significant reduction in the number of security threats to which you may be exposed.

To download the latest release, go to the Administration – Product Update screen in your CyBlock or Cyfin product. For additional assistance, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Cyfin Release 8.8.0 and CyBlock Release 6.8.0 Now Available

Wednesday, April 17th, 2013

We are excited to announce the release of two major enhancements in the new version of Cyfin and CyBlock. The first major enhancement is the new SSL Inspection feature that allows our CyBlock products to decrypt, analyze, and fully inspect all HTTPS traffic. In order to defeat security threats facing companies today, SSL Inspection is essential. The second major enhancement is an innovative technique for protection against automated invasion of malicious scripts and software and/or unauthorized access to internal networks. Enhanced Malware Protection automates the process of identifying large numbers of new malware-spreading sites daily. To facilitate identifying and blocking malware traffic, three security threat categories have been consolidated into a new Malware category.

Other enhancements in this release include the rebranding of our products, new product icons displayed after installation, and new product Help. We also have a number of corrections in this release. The details of the enhancements include the following:

  • Product Rebranding.The Wavecrest products have been rebranded as follows:
    • The products offered are CyBlock and Cyfin (formerly Cyfin Reporter).
    • Three deployment options are available for CyBlock:
      • CyBlock Software (formerly CyBlock Proxy)
      • CyBlock Appliance
      • CyBlock ISA/TMG
    • These changes are reflected on the Wavecrest Web site and the Forum. They will eventually transition to the products and associated documentation.
  • SSL Inspection.This includes the following changes:
    • Ability to view the full URL including path, embedded URLs, and parameters.
    • Domain, path, and parameter matching.
    • Ability to filter detailed HTTPS traffic by Web categories and Web content types and display blocking messages for both.
    • Safe Search blocking (where applicable).
    • Ability to view full URLs in the Real-Time Web Monitor.
    • Ability to view full URLs in the following reports (where applicable), not just domains:
      • Category Audit Detail
      • Category Audit Summary
      • Site Audit Detail
      • User Audit Detail
      • User Audit Summary
    • A new SSL Inspection screen that allows you to select groups and/or IDs and standard and custom categories to be inspected. To access this screen, go to Advanced Settings – Proxy Settings – SSL Inspection. For inspection to occur, you must select a group and/or an ID, and set a category to Inspected. The Financial category is set to Tunneled by default for privacy reasons, but this can be changed to Inspected.

Note:  Before using SSL Inspection, the Wavecrest Certificate must be installed. Refer to the Wavecrest Certificate Installation Guide for instructions on how to install/distribute the certificate. For more information on this enhancement, see the SSL Inspection Tech Brief.

  • Enhanced Malware Protection in URL List.This includes the following changes:
    • Extensive malware site additions were made to the URL List. You will receive the enhanced protection when the list is downloaded manually or automatically.
    • The Hacking, Phishing/Fraud, and Spyware/Malicious categories were consolidated into a new Malware category.
    • Custom URL entries categorized as Hacking, Phishing/Fraud, and Spyware/Malicious are now categorized as Malware.
    • The Hacking, Phishing/Fraud, and Spyware/Malicious categories were replaced by the new Malware category on appropriate screens and in all category drop-down boxes.
    • For CyBlock, on the Block Web Categories screen, the Malware category is set to “Block” in the Default policy in new installations by default. In existing installations, previous settings will not change when the product is upgraded, that is, the Malware category will be set to the previous Spyware/Malicious category setting.
    • The Malware category is displayed on the Help – Reporting – Check URL screen under URL Category Match when there is a category match.
    • Scheduled reports now report on the Malware category if they were set up to report on the Hacking, Phishing/Fraud, and Spyware/Malicious categories.
  • Product Icons. The Wavecrest product icon has been replaced with new CyBlock and Cyfin product icons on the Start menu and on the browser tab (favicon).
  • Product Help. The QR pages in the product have been replaced by a new searchable Help system. The Help system has a similar TOC as the product manual, but also includes an Index and a Search box. If a search result indicates “Web site,” you can right-click the entry to open the page in a new tab or window. You can also print a displayed Help topic by clicking the Print button.

To see the full release notes for your product, visit the Support Forum. You can download the latest release by going to the Administration – Product Update screen in your Cyfin or CyBlock product.

For additional assistance, please contact us.

Detecting and Controlling Unauthorized Outbound Connections

Wednesday, September 15th, 2010

Do you have a good handle on all outbound connections from your network, and how do you know?  Many times legitimate programs and applications downloaded are creating outbound connections without your knowledge or approval.  This can cause a serious drain on an organization’s network resources.  This exact scenario recently happened to a Wavecrest customer, and with the help of Wavecrest’s reports and technical support specialists, they were able to locate a program that was making 1,400+ outbound connections a day without their knowledge.

Many times, a program like this can be running in the background without the organization’s knowledge and is not necessarily identifiable in the process table.  It can only be caught if an organization is monitoring outbound Web connections through reports such as the ones in Wavecrest’s Cyfin and CyBlock products.

In this particular scenario, the customer became knowledgeable of these unauthorized outbound connections because there were a couple of users being locked out of their computers.  To troubleshoot the issue, they along with Wavecrest technical support used the Authentication Manager in their CyBlock Proxy product to investigate.  They found that the users’ computers were creating some outbound traffic that was not authenticating with the proper credentials, thus eventually locking the users out due to an authentication security setting the organization had on their Active Directory configuration.  By using the Authentication Manager, Real-time Web Monitor and other reports, our technical support specialists were able to identify the file that was making these unauthorized outbound connections and remove it from the computers.

This scenario proves that it is important to be aware of what is going on in your network, and Wavecrest’s products can help IT administrators do that. There are several steps you can take to prevent and identify these types of problems in your network.

  1. Use reporting tools to spot unusual activity.
    1. Look for unusual patterns of Web activity.
      1. Review Dashboard trends to spot any unexpected spikes in activity.
      2. Review Dashboard top sites and top categories charts to find any unexpected sites or categories showing up in the top ten all of the sudden.
      3. Run a Site Analysis report at least once a week and be alert to changes in the volume and pattern of outbound Web activity. For example, if a single user is suddenly logging thousands of visits a day, chances are there’s an issue. That’s because “human” activity is usually more random.
    2. Watch the following categories: IP Address, Spyware/Malicious, Unsolicited or Push, Phishing/Fraud and Uncategorized “Other” Sites. High activity in these categories should raise a red flag for administrators. High traffic volume here warrants further investigation.
    3. Identify the source of the problem. Dig deeper by running a Category Audit Detail report to uncover both the site and the affected user. If your Category Audit Detail report shows an unusual number of hits to a specific Web site, that site is most likely the source of the issue.  You can also monitor the traffic in real time using the Real-Time Monitor to uncover the site causing the problem.
  2. Update your Web-use management tools.
    1. Update your Acceptable Use Policy. Employees need to understand the risks of Web surfing. Minimize risks of Internet abuse by implementing a policy to curtail at-work surfing and communicate it clearly to employees.
    2. Update your Wavecrest list. The Wavecrest control list is updated daily. We recommend downloading your Wavecrest control list daily to minimize the number of visits categorized as “Other” and ensure the best coverage possible. You can set Cyfin and CyBlock to do this automatically on the Administration – URL List – Schedule screen. (Note: If you spot a problem Web site that is uncategorized, email it to us at sites@wavecrest.net. Our site analysts will review the site and categorize it appropriately.)
  3. Contact Wavecrest Technical Support. Our support specialist are always eager to help you troubleshoot any issues you are having by helping you get the best out of the features and tools our products offer.

For more information on how Wavecrest’s products can help keep your network safe, we recommend you read our previous blog post on “Controlling Spyware” and “The Purpose of the IP Address Category.”

Note: The program in question that is addressed in this post is the Akamai NetSession Interface. It was hitting cn1.redswoosh.akadns.net and cn2.redswoosh.akadns.net 1400+ times a day. The program was located at C:\Program Files\Common Files\Akamai\AdminTool.exe. To remove the program with Wavecrest’s help, the customer:

  1. Opened the Command Prompt
  2. Went to the folder location by typing”Program Files\Common Files\Akamai”
  3. Then typed “admin uninstall-force” to remove it.

Remember: Our technical support specialists are here to help. If you ever need help with your product configuration or see something unusual in a report or on the real-time monitor that you are unsure about, please feel free to contact Wavecrest technical support, and they will be happy to help you.

Technical Support Contact Information
Direct: 321-953-5351, ext. 4
Toll-Free: 877-442-9346 ext. 4
Email: support@wavecrest.net

What Is the Purpose of the ‘IP Address’ Category?

Tuesday, November 17th, 2009

From time to time we are asked, “What is the purpose of the ‘IP Address’ category used by Wavecrest products?” The short answer is — it’s used to capture and segregate the IP addresses of Web sites that the product was unable to associate with ‘regular’ categories. Customers can then analyze them to identify network security threats, traffic to intranet sites, or other patterns of interest.

Here’s a bit more detail.

First note that our products identify many IP addresses and place them in content categories. The Wavecrest URL (control) list contains many such addresses.

Unfortunately though, initially unidentifiable IP addresses still appear from time to time. Generally speaking, we see three types, i.e., addresses associated with:

  1. Internal (and partner) Web pages
  2. Innocent links on Web sites
  3. Possible malware or virus servers

When the product encounters any of these three types, it places them in a special ‘IP Address’ category. Customers can then run reports on that category the same way they do on any other category. In addition, if the customer runs a Top Non-Categorized report, the uncategorized IP addresses will be listed along with uncategorized domain names.

Because the traffic associated with unidentified IP addresses can be important or even dangerous, it’s obviously desirable to pursue the matter further. So what can be done? Well, with a bit of work—and in some cases with some help from Wavecrest—it is possible to:

  • determine the source and purpose of most of the addresses
  • categorize the legitimate ones
  • isolate/neutralize the malicious ones

Let’s see how this is done. We’ll take it one ‘type’ at a time.

  1. Internal and Partner Web Pages. Some unidentified IP addresses may have resulted from users going to internal (intranet) or partner sites. (These normally would not be in the Wavecrest URL list.) To address this issue, start by running a Top Non-Categorized Sites Report or IP Address Category Report. Using your local knowledge, try to determine the IP addresses of those sites and then enter the information in one or more custom categories. (Instructions on how to create custom categories can be found in our manual.)
  2. Innocent links on Web Sites. These addresses could be associated with image or ad servers. If you want to address this issue, send a copy of a Top Non-Categorized Sites (“OtherWise”) Report to Wavecrest (sites@wavecrest.net). Our categorization team will then research and categorize the unidentified IPs for you the same way they categorize domains. If you would like to identify the IPs yourself, you can use IP address lookup tools such as the one available from https://www.networksolutions.com. This tool will provide you with information about the owner of the IP address(es) of interest. For example, the owner of the IP address could be a marketing company that serves ads, or it could be an image server. Once identified, if you desire, you can add the addresses to one or more custom categories.
  3. Possible Malware or Virus Servers. Some of the unidentified IP addresses could be associated with malware, spyware or virus servers. The clue here is very high around-the-clock traffic. This is an indication that the user’s computer has been infected or attacked. The solution in these cases is to isolate the internal computer(s) and remove the malware/spyware or virus. Here’s an approach you can use to help solve this problem.
  • Using the Dashboard, run a Trend report on the IP Address category and look for any unusual spikes. If you see anything suspicious then …
  • Run a category audit on the IP Address category and look for large amounts of activity coming from a particular PC(s). Make a note of the IP address(es) and then scan for infected files.

Summary. The IP address category was created to be a ‘red flag.’ Its purpose is to alert you that further action may be needed to resolve problems or to simply give you a more complete and comprehensive picture of all Web activity.

Controlling Spyware with Cyfin and CyBlock

Wednesday, April 23rd, 2008

Introduction
Spyware – software that tracks Web surfers’ activity without their knowledge and sends the information back to a third party – is a growing concern for IT administrators. Spyware can compromise security, consume bandwidth and slow networks to a crawl. The good news is you can help protect your network from spyware with Cyfin and CyBlock software.

Spyware Problems
Spyware can get into your computer(s) very easily, and it can be extremely hard to detect. Most employees never realize their computers are infected, and those that do have no idea how it happened.

Because spyware enters a user’s system with “legitimate” traffic through an open Internet port, firewalls are not an adequate defense. Spyware remains undetected by firewalls designed to block suspicious inbound traffic rather than monitor the heavy outbound activity spyware generates. (Inbound spyware doesn’t look suspicious.)

Wavecrest Solutions
Your Cyfin web monitoring software or CyBlock web filtering software can help identify spyware and reduce your risk of downloading it in the future.

1) Use reporting tools to spot spyware activity with Cyfin or CyBlock.

A. Look for unusual patterns of Web activity. Run a Site Analysis report at least once a week and be alert to changes in the volume and pattern of outbound Web activity. For example, if a single user is suddenly logging thousands of visits a day, chances are it’s a spyware issue. That’s because “human” activity is usually more random than spyware activity. Here’s another clue. If you notice that every morning at 3 a.m. a user appears to be accessing the same Web site repeatedly, most likely the activity is being automatically triggered by a spyware program.

B. Watch the IP Address category. High activity in this reporting category should raise a red flag for administrators. Most spyware programs send information back to an IP address, while actual user activity is almost always driven by a domain name. Wavecrest software will categorize all IP Address activity automatically. High traffic volume here warrants further investigation.

C. Identify the source of the problem. Dig deeper by running a Category Audit Detail report to uncover both the spyware site and the affected user. If your Category Audit Detail report shows an unusual number of hits to a specific Web site, that site is most likely the source.

2) Use CyBlock’s filtering tools to control surfing.

A. Create a strict “allow” list. One way to prevent spyware is to strictly control employee Internet access. With CyBlock, you can limit online access to only the Web sites you know to be trustworthy and automatically block access to any Web site not on your “allow” list.

B. Block access to social networks high-risk sites. Another less restrictive way to minimize exposure to spyware is to block user access to high-risk site categories. These include spyware/malicious, hacking, phishing/fraud, music downloads, download sites, social networks, games, chat and pornography.

3) Update your Web-use management tools.

A. Update your Acceptable Use Policy. Employees need to understand the risks of Web surfing. Minimize risks of Internet abuse by implementing a policy to curtail at-work surfing and communicate it clearly to employees.

B. Update your Wavecrest list. The Wavecrest control list is updated daily, adding Web sites known to host spyware. We recommend downloading your Wavecrest control list daily to minimize the number of visits categorized as “Other” and ensure the best coverage possible. You can set Cyfin and CyBlock to do this automatically on the Administration – URL List – Schedule screen.

(Note: If you spot a Web site you suspect may be spyware, email it to us at sites@wavecrest.net. Our OtherWise research team will review the site and categorize it appropriately.)

C. Update your operating system. Download updates to your operating system on a regular basis. Spyware multiplies on your network by exploiting weaknesses in OS software. Frequent updates will help plug these holes and minimize the damage if you become infected.

4) Work with your employees.

Counsel employees about the dangers of spyware. Brief your employees on the dangers and detrimental effects of malicious software, and tell them about the actions you’re taking as well as the actions they should take and the sites they should avoid.