Page 1

InterScan AppletTrap

Zhang Hong
Trend Micro, AppletTrap Team
2001.09.18 (Nanjing)

http://www.antivirus.com
http://www.nj.trendmicro.com

Page 2

Where's AppletTrap

Trend Micro InterScan™ AppletTrap™ is a policy-based, centrally managed enterprise solution at the Internet gateway that monitors the behavior of malicious applets, ActiveX, JavaScript and VBScript.

Page 3

The competitors

• SurfinShield: client solution. Replaces the Java library in browsers.
  • Administration issue (deploy, upgrade)
• SurfinGate: server solution. Static parsing at the server.
  • Heavy load on the server

Page 4

AppletTrap

• Distributes work evenly between client and server
• Balances runtime monitoring and static scanning
• Low administration cost
• Supports re-signing of Jar files

Page 5

How does AppletTrap work?

Page 6

AppletTrap Proxy

• AppletTrap stands as an HTTP proxy and does not require any client-side modification
• Implemented cache
• Supports HTTP, HTTPS and FTP

Page 7

Jar File Controls

• Check the block list first
• Check the certification
• Do instrumentation
• Repack the Jar file
• Re-sign with the imported signing key

Page 8

Class File Controls

• Check the block list first
• Do instrumentation

Page 9

Instrument

Alter the Java code sequence during download:
• Server: statically scan the Java code to find insecure functions
• Server: insert monitoring instructions before and after each insecure function
• Client: run the original code together with the monitoring code
• Client: send a report back if malicious code is found
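As an added example, not AppletTrap's own code (the product rewrote real JVM class files), this Go sketch shows the shape of the instrument step on a constructed toy instruction stream: the server pass wraps every call on an insecure list with a hypothetical before/after monitor call, and the client run executes the original ops unchanged while the monitor ops produce the report. The monitor names, the op format and the insecure list are assumptions.

```go
package main

import "strings"

// Op is one instruction of a toy applet "bytecode" (constructed for this
// example; real AppletTrap rewrote JVM class files). Kind is "call" or "other".
type Op struct{ Kind, Name string }

// Hypothetical monitor entry points that the gateway inserts around insecure calls.
const (
	Before = "applettrap.Monitor.before"
	After  = "applettrap.Monitor.after"
)

// Instrument is the server-side static pass: scan for calls to insecure functions
// and wrap each with a before and an after monitor call, keeping the original op.
func Instrument(code []Op, insecure map[string]bool) []Op {
	out := make([]Op, 0, len(code)+2)
	for _, op := range code {
		if op.Kind == "call" && insecure[op.Name] {
			out = append(out, Op{"call", Before + ":" + op.Name}, op, Op{"call", After + ":" + op.Name})
			continue
		}
		out = append(out, op)
	}
	return out
}

// Run is the client side: original ops execute unchanged, while the inserted
// monitor ops build the report the client sends back when insecure code ran.
func Run(code []Op) (executed int, report []string) {
	for _, op := range code {
		switch {
		case strings.HasPrefix(op.Name, Before+":"):
			report = append(report, "insecure call observed: "+strings.TrimPrefix(op.Name, Before+":"))
		case strings.HasPrefix(op.Name, After+":"):
			// the wrapped call has completed; a real monitor could inspect its result here
		default:
			executed++
		}
	}
	return executed, report
}

// SampleApplet is a constructed instruction stream containing one insecure call.
var SampleApplet = []Op{{"other", "aload_0"}, {"call", "java/applet/Applet.init"},
	{"other", "ldc \"report.txt\""}, {"call", "java/io/File.delete"}, {"other", "return"}}

// Insecure is the gateway's list of functions to monitor (constructed).
var Insecure = map[string]bool{"java/io/File.delete": true, "java/lang/Runtime.exec": true}
```

Running `Run(Instrument(SampleApplet, Insecure))` executes all five original ops and yields one report entry; running the uninstrumented stream yields none, which is the point of doing the rewrite at the gateway.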

Page 10

Certification checks

• Check the integrity of the certification to prove that it has not been modified
• Check whether the CP is trusted against our CP list
• Check the integrity of the software with the public key of the CP

Page 11

Certification

A certificate is a set of data that identifies an entity. The data in a certificate includes the public cryptographic key. A certification includes a CP and a CA.

Page 12

CA & CP

The trusted organization that issues the certificate is a Certification Authority (CA) and is known as the certificate's issuer.

The CP is someone who publishes the software, as well as the certificate, and we can verify the authenticity of that CP by verifying the digital signature and the certificate.

Page 13

Re-Sign

Instrumenting breaks the integrity of digitally signed applets:
• Re-sign by a specified signer
• Client: only accept the specified signer
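The Jar File Controls (page 7), the certification checks (page 10) and the Re-Sign step above describe one pipeline. As an added illustration that is not AppletTrap's own code (the product worked on real X.509 certificates and JAR signatures), this Go sketch models that pipeline with Ed25519 keys: a toy certificate (the CA's signature over publisher name and key), the trusted-CP list, the content signature, and the gateway re-signing so that the client accepts only the gateway's key. All names, keys and the sample JAR bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
// Jar: a downloaded JAR plus toy cert data (not X.509); CASig = CA over CP||CPKey, Sig = CP over Content.
type Jar struct {
	Name, CP            string
	CPKey               ed25519.PublicKey
	CASig, Sig, Content []byte
}
type Gateway struct { // the lists and keys the Jar File Controls consult
	BlockList, TrustedCPs map[string]bool
	CAKey                 ed25519.PublicKey
	SignKey               ed25519.PrivateKey // imported re-signing key
}

// Process runs the controls in slide order; the instrument/repack step is elided.
func (g *Gateway) Process(j Jar) (Jar, error) {
	switch {
	case g.BlockList[j.Name]:
		return Jar{}, errors.New("on block list: " + j.Name)
	case len(j.CPKey) != ed25519.PublicKeySize || !ed25519.Verify(g.CAKey, append([]byte(j.CP), j.CPKey...), j.CASig):
		return Jar{}, errors.New("certificate integrity check failed")
	case !g.TrustedCPs[j.CP]:
		return Jar{}, errors.New("CP not in trusted list: " + j.CP)
	case !ed25519.Verify(j.CPKey, j.Content, j.Sig):
		return Jar{}, errors.New("software integrity check failed")
	}
	j.Sig = ed25519.Sign(g.SignKey, j.Content) // instrumentation broke the CP signature: re-sign
	return j, nil
}

// ClientAccepts is the Re-Sign slide's client rule: trust only the gateway's key.
func ClientAccepts(j Jar, gatewayPub ed25519.PublicKey) bool {
	return ed25519.Verify(gatewayPub, j.Content, j.Sig)
}

// Demo builds constructed CA, CP and gateway keys plus one sample signed JAR.
func Demo() (*Gateway, ed25519.PublicKey, Jar) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	cpPub, cpPriv, _ := ed25519.GenerateKey(rand.Reader)
	gwPub, gwPriv, _ := ed25519.GenerateKey(rand.Reader)
	content := []byte("PK\x03\x04 constructed jar bytes")
	jar := Jar{Name: "demo.jar", CP: "Example Publisher", CPKey: cpPub, Content: content,
		CASig: ed25519.Sign(caPriv, append([]byte("Example Publisher"), cpPub...)), Sig: ed25519.Sign(cpPriv, content)}
	return &Gateway{map[string]bool{"evil.jar": true}, map[string]bool{"Example Publisher": true}, caPub, gwPriv}, gwPub, jar
}
```

A JAR that bypasses the gateway still carries only the publisher's signature, so `ClientAccepts` refuses it; the same JAR after `Process` is accepted, and any tampering, unknown publisher or blocked name is rejected at the gateway with a distinct reason.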

Page 14

ActiveX Signature Scanning

AppletTrap can check the certification and block unsafe PE (Portable Executable) files (for example .exe, .ocx) and cabinet (.cab) files with a hash list.

Page 15

HTML Script Filtering

AppletTrap extracts all the scripts from the HTML file. AppletTrap only filters scripts embedded in Hypertext Markup Language files and does not filter a normal (standalone) script file.

Page 16

URL Blocking

• AppletTrap can forbid all clients from accessing the given URLs
• An administrator can add a remote folder and mark it recursive to forbid access to all the files and subfolders in it

Page 17

TVCS compatible

InterScan AppletTrap is fully compatible with the Trend Virus Control System.

TVCS registration is supported through a proxy and supports

Page 18

Update Block Lists

Upload all blocked Java, URL and ActiveX entries to the server and download the Trend-identified block list.

Page 19

Configure Controls

• Supports remote configuration
• InterScan AppletTrap comes with a web-based administrator console for central management on the network

Page 20

Q & A

Page 21

Known issues #1

Files with UTF-8 names can't be extracted correctly, and an error is reported in the server log.

Page 22

Known issues #2

If the number of cached files is large and the PC is shut down abnormally, restarting the AppletTrap service takes a long time.

Page 23

Known issues #3

Some website chat rooms or forums can't be accessed through AppletTrap, for example the chat rooms at http://newchat.sina.com.cn/.

Page 24

Known issues #4

We only support digital IDs that are intended for Netscape Object Signing and can be exported to .p12 format by the Netscape browser. A Digital ID from VeriSign is recommended.

Page 25

Known issues #5

If the disk is nearly full, all ActiveX passes through; AppletTrap can't block it.

Page 26

Known issues #6

If a licensed version 2.0 is updated to version 2.5, it is still the trial version; the user must input the license key again.