
How to safely check if a website is malicious

Hi guys,

After watching the following CNN video on how easy it is to hack companies, I forwarded it to my IT administration team.

They all had a good laugh on how stupid these guys were and continued with their job.

During my daily check of the Sophos Central alerts I found one which was caused by one of my IT colleagues who tested a website which was blocked by Intercept X on another colleague's computer.

I highly thank Sophos for protecting us against this threat but how can my IT admin check if a website is malicious or not in a safe way?

There are several websites that pretend to check websites safely, but in my paranoid IT world I’m not sure if I can trust these sites. Is there a Sophos way to perform such a test safely?

Thanks a lot and best regards

Matt



  • I'm pretty sure the web appliance had a lookup page to test URLs.  That said, I think there are safe ways to test URLs using the endpoint software without the risk of the browser rendering content.

    There are URL lookups made by web protection (swi_service), and there is local content scanning of HTTP traffic before it hits the browser - no lookup required.  This is all performed by the proxy and forms the web protection feature.  The same components provide the features for endpoint web control also. 

    The web browsers are clients of this local proxy (swi_fc.exe) on Windows 8.1+ but you could put other processes traffic through it.  One method would be to take a copy of PowerShell.exe (C:\Windows\System32\WindowsPowerShell\v1.0\) and make a copy of it called "C:\Windows\System32\WindowsPowerShell\v1.0\firefox.exe". 
    Any HTTP requests made by this process would also be proxied.  So you could run:

    "C:\Windows\System32\WindowsPowerShell\v1.0\firefox.exe" -command "Invoke-WebRequest http://www.sophostest.com/malware"

    The GET request here will also trigger an SXL3 lookup to the Sophos infrastructure to check that URL, and the site on this occasion would be blocked and you'd get the injected block page instead. You will also get the same desktop popup, and the current log under "C:\ProgramData\Sophos\Web Intelligence\Logs\" will also log the detection.  E.g.:

    2019-03-17T09:46:11.745Z action=block why=risk threat=Mal/HTMLGen-A fileclass=- category=6 url=hxxp://www.sophostest.com/malware

    If interested, you can configure this log file to log all requests, not just blocks by creating a DWORD reg value called DecisionLogChannels under: 
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\
    Other DWORD values include:
    DecisionLogMaxBytes
    DecisionLogMaxDays
    If you wait 15 seconds, swi_service will pick up on this and you should see all sites referenced.

    There are also reputation checks of downloaded files, but that workflow does involve an actual browser.

    Maybe you can use this knowledge to make a check.

    Regards,

    Jak
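The workflow Jak describes, as an added example (not code from the thread or from Sophos): send the request through the renamed PowerShell copy so the local proxy scans it, then parse the decision log lines for that URL. It assumes the copy firefox.exe already exists at the path from the post, that the log lines follow the "timestamp key=value ..." shape quoted above, and that the log files are plain text under the Logs folder.

```powershell
# Added example, not from the thread. Assumptions: firefox.exe is the copy of
# PowerShell described in the post; the log layout matches the quoted line.
$ProxiedPs = 'C:\Windows\System32\WindowsPowerShell\v1.0\firefox.exe'
$LogDir    = 'C:\ProgramData\Sophos\Web Intelligence\Logs'

function Test-UrlViaWebProtection {
    param([Parameter(Mandatory)][string]$Url)
    # Only the request is issued; swi_fc.exe scans the response and does the
    # lookup before anything reaches this process. -UseBasicParsing avoids
    # handing the body to the IE parsing engine. Errors (block page, 4xx) are
    # expected and ignored; the log is the source of truth.
    & $ProxiedPs -NoProfile -Command "try { Invoke-WebRequest -Uri '$Url' -UseBasicParsing | Out-Null } catch { }"
    Start-Sleep -Seconds 2   # give the decision log a moment to flush
}

function ConvertFrom-DecisionLogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Shape from the post:
    # 2019-03-17T09:46:11.745Z action=block why=risk threat=Mal/HTMLGen-A fileclass=- category=6 url=hxxp://...
    $parts = $Line -split '\s+'
    $entry = [ordered]@{ timestamp = $parts[0] }
    foreach ($kv in $parts[1..($parts.Count - 1)]) {
        $k, $v = $kv -split '=', 2          # split on first '=' only; URLs may contain '='
        $entry[$k] = $v
    }
    # the log defangs the scheme (hxxp); undo that so it compares to the tested URL
    if ($entry.Contains('url')) { $entry['url'] = $entry['url'] -replace '^hxxp', 'http' }
    [pscustomobject]$entry
}

function Get-DecisionsForUrl {
    param([Parameter(Mandatory)][string]$Url)
    Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
        Get-Content |
        Where-Object { $_ -match '\baction=' } |
        ForEach-Object { ConvertFrom-DecisionLogLine $_ } |
        Where-Object { $_.url -eq $Url } |
        Sort-Object timestamp
}

# Usage: test the known-bad test URL from the post and show what the proxy decided.
$target = 'http://www.sophostest.com/malware'
Test-UrlViaWebProtection -Url $target
Get-DecisionsForUrl -Url $target | Format-Table timestamp, action, why, threat, category, url -AutoSize
```

Without the DecisionLogChannels value Jak mentions, only blocks appear in the log, so an empty result means "not blocked" rather than "clean"; enable full request logging first if you want an explicit allow record.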

  • Hi Jak,

    Thanks a lot for your detailed answer and all the ideas to safely check URLs and downloaded files.

    I’ll check this right away because a way to check these URLs in the web appliance is exactly the way I was hoping for - but couldn’t work it out yet :).

    Thanks a lot

    Matt

    Cheers,

    Matt

  • Another way is to simply pay for another internet drop; at my last job we had one, and when you think about it the cost is not much.  Basically we had a 60.00 dollar a month internet cost, on a desktop that had our OS image & AV running.  It did not have our firewall, but the goal was to test the AV, and it also provided a nice setup to test potentially malicious links, emails & other stuff.  It also gave us a great way to pentest our own setup since we were essentially coming from the outside in this way.  Worked great for setting up FTPs or anything else; honestly it was probably the most used piece of tech we had for the cost we spent on it.

    Depending on the size of your company you could also buy a smaller version of a Sophos firewall for the test drop as well, especially if you tell your Sophos rep what it's for. I worked closely with ours and got a good deal on one for my home use; I know I could have installed Home for free, but honestly for 3 years and what I paid it was comparable to a new router for home anyway.

    Respectfully, 

    Badrobot

  • Since Sophos doesn't really have a way or a kind of test program in its portfolio to separately test URLs, we used our friend Google.

    There we found a website called https://rescan.pro/. They offer a free version where you can check up to 3 URLs per day for malicious code or other threats.

    We tested several websites the past two days to see if it's able to detect issues like Sophos and it looks pretty good so far.

    Maybe this helps other guys here out, too.
    And hopefully there will be a new feature in Sophos Central to test URLs, soon :)

    Cheers,

    Matt

  • Yes these are great too!  Really there are a lot of testing methods out there, it all comes down to budget in my book, I would encourage you to try multiple paths, thanks for the link!

    I should also add AlienVault is a good one: www.alienvault.com/open-threat-exchange

    Respectfully, 

    Badrobot

  • Fully agree!
    The good thing is that budget is not really a big issue as long as it helps to make our enterprise network more secure.

    Thanks for the AlienVault link!

    Cheers,

    Matt