Symantec WebPulse
White Paper
If the URL is also not in the central master database in
the cloud, Dynamic Real-Time Rating (DRTR) will be
used to analyze and categorize it in real time if possible.
Any resulting URL category will be sent back to the
requesting WebPulse client and can be used to allow or
block the request.
Independent of the real-time categorization result, the
URLs will be sent to several background processes
in parallel. Some of the background processes are
focused on providing new content categorizations
for the database. Others are focused on hunting for
evidence of malware activity. DRTR is primarily a
content categorizer, but it is also used to log a large
amount of metadata about each URL it analyzes, and it
is this metadata that feeds many WebPulse background
processes. Many URLs are not web pages and are not
suitable for DRTR categorizing, but WebPulse still
gathers as much information about the URL as possible
to feed the background processes.
WebPulse uses several methods, including exploit
detection techniques, to analyze scripts and detect
malicious payloads and referenced domains. When
a user accesses a binary file through a URL that
WebPulse has not seen before, WebPulse will also
download that file and run it through a bank of up to
ten different AV scanners with full heuristics, script
analyzers (for example, for malicious JavaScript that
performs heap sprays), exploit detection modules, and
other malware-detection mechanisms. New threats are
identified within minutes and automatically added to
the master URL database to protect other customers.
This is one way in which WebPulse cloud users benefit
from the network effect of working together to provide
broad real-time protection and receive a strong zero-day
response to new web threats, at a point when only a few
antivirus vendors have even been able to detect them.
In addition to Symantec analysis, several third-party
URL feeds covering malware and phishing sites are
considered for inclusion in the master database.
Further, when used with Symantec Content Analysis,
the Edge Gateway can send any URLs that Content
Analysis identifies as malware sources to the WebPulse
service for verification. It’s important to know that
malware feeds are quality-checked before being
integrated into the Intelligence Services database,
preventing false positives.
For security-related categories, incremental database
updates are pushed to the proxy every five minutes.
This enables the local defense to maintain performance
by responding to as many requests as possible from
the local databases. If any URLs discovered cannot be
matched against an entry in the local database, the
proxy will check with WebPulse.
Recommended Features for Malware Protection
Symantec Secure Web Gateway solutions have a broad
feature set. The following section provides a brief
overview of useful—and recommended—features for
malware protection.
URL Filtering
This is the first point at which requests to known
malware sources can be blocked. For URLs that are not
known or not included in the local database, the Cloud
or Edge SWG connects to WebPulse collaborative
defense. Uncategorized URLs are then analyzed in real
time.
Authentication
The most secure way to authenticate users is to
authenticate each new session. Malware on an infected
desktop that cannot complete proxy authentication
cannot open a session to systems on the Internet,
which blocks the potential loss of confidential and
private data through that channel.
Controlling Data Types
If users have no right to install software on their
desktops, why should they be able to download
executable files from the Internet? Blocking executable
files is another step in protecting against malware.
Malware often tries to download additional components
onto the infected desktop to extend its capabilities.
Another reason for blocking executable files is that
a malicious link could point to an executable
malware file that would then be installed on the desktop.
Blocking executable files prevents this threat.
File-type blocking can be done based on true file-
type detection. Symantec best practice recommends
blocking executable files in general for regular Internet
users. If this is not acceptable, they should at least be
blocked for sites that are uncategorized and/or have a
high Threat Risk Level. Threat Risk Level is an extremely
useful tool for fine-tuning and customizing web security
when file type and categorization alone cannot meet
your business needs. For more information, read the
Symantec Threat Risk Levels white paper.
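The following is an added example of the true file-type detection and policy logic described above; it is not Symantec code and does not reflect how the Secure Web Gateway implements the feature. It classifies a download by its leading bytes (an illustrative list of PE, ELF, Mach-O and shebang-script signatures, not a full detection engine), ignores the extension and the server's Content-Type entirely, and then applies the recommended policy: block executables outright, or, if that is not acceptable, block them only for uncategorized sites or sites above a Threat Risk Level threshold. The numeric risk scale, the threshold value and the sample URLs are assumptions made for the example.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Download:
    url: str
    content_type: str  # as claimed by the server; never trusted for the decision
    body: bytes


MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
EXECUTABLE_TYPES = {"pe", "dos-exe", "elf", "macho", "script"}


def true_file_type(body: bytes) -> str:
    """Classify a download by its leading bytes, ignoring file name and Content-Type.
    The signature list is illustrative (an assumption of this example), not complete."""
    if body[:2] == b"MZ" and len(body) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature in a real PE file
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if body[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"          # Windows PE (EXE/DLL/SYS)
        return "dos-exe"         # MZ stub without a PE header
    if body[:4] == b"\x7fELF":
        return "elf"
    if body[:4] in MACHO_MAGICS:
        return "macho"
    if body[:2] == b"#!":
        return "script"
    return "other"


def decide(dl: Download, category, threat_risk_level, block_all_executables=True,
           risk_threshold=7):
    """Return ('allow' | 'block', detected_type).

    category is None for an uncategorized site. The integer Threat Risk Level
    scale and the threshold of 7 are assumptions made for this example."""
    ftype = true_file_type(dl.body)
    if ftype not in EXECUTABLE_TYPES:
        return "allow", ftype
    if block_all_executables:
        return "block", ftype
    if category is None or threat_risk_level >= risk_threshold:
        return "block", ftype
    return "allow", ftype


def build_fake_pe() -> bytes:
    """Constructed sample: an MZ stub whose e_lfanew points at a PE signature.
    Not a runnable binary, just enough structure for the detector."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    # A PE payload served under an image name and an image Content-Type.
    renamed = Download("http://example.invalid/photo.jpg", "image/jpeg", build_fake_pe())
    print(decide(renamed, "News", 1))                                # block by default
    print(decide(renamed, "News", 1, block_all_executables=False))   # allowed on a low-risk site
    print(decide(renamed, None, 1, block_all_executables=False))     # uncategorized: block
```

The decision never consults `dl.url` or `dl.content_type`: both are attacker-controlled, and a payload renamed to `.jpg` and served as `image/jpeg` is still classified as `pe` from its bytes.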
Protocol Compliance
Symantec Edge and Cloud Secure Web Gateways use
application proxies for several protocols. Because there
are two connections, one between client and proxy
and one between proxy and server, threats such as
buffer overflow attacks at the protocol level can be
filtered out. The proxy terminates whatever protocol
behavior the server sends on the server-to-proxy
connection and re-issues it to the client in
RFC-conforming form, so non-conforming traffic never
reaches the client's protocol parser.
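As an added illustration of what an application proxy does at the protocol level (example code written for this page, not Symantec's implementation), the function below takes the raw head of an HTTP/1.x response from the server, rejects anything that falls outside the RFC 7230 grammar or exceeds a size limit, and re-serializes the surviving fields in canonical form. Only the normalized bytes would be forwarded to the client, so an oversized header aimed at a client-side buffer, a bare CR injected into a field value, or a conflicting pair of Content-Length fields is stopped at the proxy. The limits, the exact grammar subset and the sample responses are assumptions made for the example.

```python
import re

# Limits and grammar subset are assumptions for this example; a product proxy tunes them.
MAX_LINE = 8192
MAX_HEADERS = 100
TOKEN_RE = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")              # RFC 7230 token
FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")             # no CR, LF, NUL or controls
STATUS_RE = re.compile(rb"HTTP/1\.[01] [1-5][0-9]{2}(?: [\t\x20-\x7e\x80-\xff]*)?")


class ProtocolViolation(ValueError):
    """Raised when the server side of the connection breaks the protocol grammar."""


def normalize_response_head(raw: bytes) -> bytes:
    """Parse a server response head, reject RFC violations and oversized lines,
    and return the head re-serialized canonically, followed by the untouched body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProtocolViolation("missing CRLFCRLF terminator")
    lines = head.split(b"\r\n")
    status = lines[0]
    # fullmatch (not match with $) so a trailing bare LF cannot slip past the check
    if len(status) > MAX_LINE or not STATUS_RE.fullmatch(status):
        raise ProtocolViolation("bad status line")
    if len(lines) - 1 > MAX_HEADERS:
        raise ProtocolViolation("too many header fields")

    headers = []
    for line in lines[1:]:
        if len(line) > MAX_LINE:
            raise ProtocolViolation("header line exceeds limit")
        if line[:1] in (b" ", b"\t"):
            raise ProtocolViolation("obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.fullmatch(name):
            raise ProtocolViolation("bad field name")
        value = value.strip(b" \t")
        if not FIELD_VALUE_RE.fullmatch(value):
            raise ProtocolViolation("bad field value")
        headers.append((name, value))

    # Conflicting or non-numeric Content-Length values desynchronize client and proxy.
    lengths = {v for n, v in headers if n.lower() == b"content-length"}
    if len(lengths) > 1 or any(not v.isdigit() for v in lengths):
        raise ProtocolViolation("ambiguous Content-Length")

    out = status + b"\r\n"
    out += b"".join(n + b": " + v + b"\r\n" for n, v in headers)
    return out + b"\r\n" + body


def proxy_decision(raw: bytes) -> str:
    """Wrap the normalizer in the forward-or-drop decision a proxy would make."""
    try:
        normalize_response_head(raw)
        return "forward"
    except ProtocolViolation as exc:
        return f"drop: {exc}"


# Constructed sample responses (not captured traffic).
SLOPPY = b"HTTP/1.1 200 OK\r\nContent-Type:   text/html  \r\nX-Cache:hit\r\n\r\n<html>"
OVERSIZED = b"HTTP/1.1 200 OK\r\nX-Pad: " + b"A" * 9000 + b"\r\n\r\n"
CR_INJECT = b"HTTP/1.1 200 OK\r\nSet-Cookie: a=b\rX-Evil: 1\r\n\r\n"
DOUBLE_CL = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\nhello"

if __name__ == "__main__":
    print(normalize_response_head(SLOPPY))
    for sample in (OVERSIZED, CR_INJECT, DOUBLE_CL):
        print(proxy_decision(sample))
```

The sloppy-but-legal response is forwarded with its whitespace canonicalized; the other three never reach the client, which is the filtering effect the two-connection design makes possible.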