Date posted: 26-Mar-2015 | Category: Documents | Uploaded by: eric-ramos
http://www.antivirus.com http://www.nj.trendmicro.com
InterScan AppletTrap
Zhang Hong
Trend Micro, AppletTrap Team
2001.09.18 (Nanjing)
Where’s AppletTrap
Trend Micro InterScan™ AppletTrap™ is a policy-based, centrally managed enterprise solution at the Internet gateway that monitors the behavior of malicious applets, ActiveX, JavaScript and VBScript.
The competitors
SurfinShield: Client solution. Replaces the Java library in browsers.
• Administration issues (deploy, upgrade)
SurfinGate: Server solution. Static parsing at the server.
• Heavy load on the server
AppletTrap
• Distributes work evenly between client and server
• Balances runtime monitoring and static scanning
• Low administration cost
• Supports re-signing of Jar files
How does AppletTrap work?
AppletTrap Proxy
• AppletTrap acts as an HTTP proxy and does not require any client-side modification
• Implements a cache
• Supports HTTP, HTTPS and FTP
Jar File Controls
• Check the block list first
• Check the certificate
• Instrument the code
• Repack the Jar file
• Re-sign with the imported signing key
Class File Controls
• Check the block list first
• Instrument the code
Instrument
Alter the Java code sequence during download:
• Server: statically scan the Java code to find insecure functions
• Server: insert monitoring instructions before and after each insecure function
• Client: run the original code together with the monitoring code
• Client: send a report back if malicious code is found
Certification checks
• Check the integrity of the certificate to prove that the certificate has not been modified
• Check whether the CP is trusted, using our CP list
• Check the integrity of the software with the public key of the CP
Certification
• A certificate is a set of data that identifies an entity. The data in a certificate includes the public cryptographic key.
• A certificate includes a CP and a CA
CA & CP
• The trusted organization that issues the certificate is a Certification Authority (CA) and is known as the certificate's issuer.
• The CP is the party that publishes the software, as well as the certificate; we can verify the authenticity of that CP by verifying the digital signature and the certificate.
Re-Sign
Break the integrity of digitally signed applets
• Re-sign by a specified signer
• Client: only accept the specified signer
ActiveX Signature Scanning
AppletTrap can check the certificate and block unsafe PE (Portable Executable) files (for example, .exe, .ocx, etc.) and cabinet (.cab) files using a hash list.
HTML Script Filtering
• AppletTrap simply strips all scripts out of the HTML file.
• AppletTrap only filters scripts from Hypertext Markup Language files and does not filter standalone script files.
URL Blocking
• AppletTrap can forbid all clients from accessing the given URLs
• The administrator can add a remote folder and set it to recursive to forbid access to all the files and all subfolders in it.
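A folder rule with a recursive flag only holds if the requested URL is canonicalised before it is compared. The matcher below is an added example, not AppletTrap's code; the rule format, the placeholder hosts, and the assumption that a non-recursive rule covers only files directly inside the folder are illustrative.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed rules: (blocked folder URL, recursive flag). Hosts and paths are placeholders.
RULES = [("http://blocked.example/applets/", True),
         ("http://blocked.example/docs/", False)]

def canonical(url):
    """Return (host, path) with host case, percent-encoding and dot-segments normalised."""
    parts = urlsplit(url)
    path = posixpath.normpath(unquote(parts.path) or "/")
    return (parts.hostname or "").lower(), path

def is_blocked(url, rules=RULES):
    """True if the URL falls under a blocked folder, honouring the recursive flag."""
    host, path = canonical(url)
    for folder, recursive in rules:
        rule_host, rule_path = canonical(folder)
        if host != rule_host:
            continue
        if posixpath.dirname(path) == rule_path:   # file directly inside the folder
            return True
        # Compare on a path-segment boundary so /applets does not match /appletsX.
        if recursive and (path == rule_path or path.startswith(rule_path.rstrip("/") + "/")):
            return True
    return False

if __name__ == "__main__":
    print(is_blocked("http://blocked.example/public/../applets/%78.class"))
```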
TVCS compatible
InterScan AppletTrap comes fully compatible with the Trend Virus Control System
TVCS registration supports through a proxy and supports
Update Block Lists
Upload all blocked Java, URL and ActiveX entries to the server and download the Trend-identified block list
Configure Controls
• Supports remote configuration
• InterScan AppletTrap comes with a web-based administrator console for central management on the network.
Q & A
Known issues #1
Files with UTF-8 names can't be extracted correctly, and an error is reported in the server log
Known issues #2
If the number of cached files is large and the PC is shut down abnormally, restarting the AppletTrap service will take a long time.
Known issues #3
Some website chat rooms or forums can't be accessed through AppletTrap. For example, chat rooms at http://newchat.sina.com.cn/
Known issues #4
We only support digital IDs that are for Netscape Object Signing purposes and can be exported to .p12 format by the Netscape browser. A digital ID from Verisign is recommended.
Known issues #5
If the disk is nearly full, all ActiveX controls pass through; AppletTrap can’t block them.
Known issues #6
After updating a licensed version 2.0 to version 2.5, it still runs as a trial version; the user must enter the license key again