InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team 2001.09.18 (Nanjing)
http://www.antivirus.com http://www.nj.trendmicro.com
InterScan AppletTrap
Zhang Hong
Trend Micro, AppletTrap Team
2001.09.18 (Nanjing)
Where’s AppletTrap
Trend Micro InterScan™ AppletTrap™ is a policy-based, centrally-managed enterprise solution at the Internet gateway that monitors the behavior of malicious applets, ActiveX, JavaScript and VBScript.
The competitors
SurfinShield: client solution. Replaces the Java library in browsers
• Administration issues (deploy, upgrade)
SurfinGate: server solution. Static parsing at the server
• Heavy load on the server
AppletTrap
• Distributes work evenly between client and server
• Balances runtime monitoring and static scanning
• Low administration cost
• Supports re-signing of Jar files
How does AppletTrap work?
AppletTrap Proxy
• AppletTrap acts as an HTTP proxy and does not require any client-side modification
• Implements a cache
• Supports HTTP, HTTPS and FTP
Jar File Controls
• Check the block list first
• Check the certificate
• Apply instrumentation
• Repack the Jar file
• Re-sign with the imported signing key
Class File Controls
• Check the block list first
• Apply instrumentation
Instrument
Alter the Java code sequence during download
• Server: statically scan the Java code to find insecure functions
• Server: insert monitoring instructions before and after each insecure function
• Client: run the original code and the monitoring code
• Client: send a report back if malicious code is found
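
The server-side static scan described on this slide, as an added example (not AppletTrap's code): it walks a class file's constant pool and lists the referenced methods that appear on a watch list. The watch list and the sample input are assumptions constructed for illustration; the slides do not name the functions AppletTrap treats as insecure.

```python
import struct

# Assumed watch list: the slides do not name the functions treated as insecure.
WATCHED = {("java/lang/Runtime", "exec"), ("java/io/FileOutputStream", "<init>")}
# Payload sizes of the fixed-width constant-pool tags (JVM class-file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def parse_constant_pool(data):
    """Return {index: (tag, value)} for the constant pool of a class file."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                   # Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos)
            pool[idx] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in FIXED:                             # keep only index-bearing tags
            fmt = ">H" if tag == 7 else ">HH" if tag in (10, 11, 12) else None
            pool[idx] = (tag, struct.unpack_from(fmt, data, pos) if fmt else None)
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        idx += 2 if tag in (5, 6) else 1               # Long/Double use two slots
    return pool

def find_watched_calls(data, watched=WATCHED):
    """List watched methods referenced by Methodref/InterfaceMethodref entries."""
    pool = parse_constant_pool(data)
    hits = set()
    for tag, val in pool.values():
        if tag in (10, 11):
            owner = pool[pool[val[0]][1][0]][1]        # Class -> Utf8 class name
            name = pool[pool[val[1]][1][0]][1]         # NameAndType -> Utf8 name
            if (owner, name) in watched:
                hits.add(f"{owner}.{name}")
    return sorted(hits)

def sample_class_prefix():
    """Constructed input: class-file header plus constant pool only."""
    u = lambda s: struct.pack(">BH", 1, len(s)) + s.encode()
    entries = [u("java/lang/Runtime"), struct.pack(">BH", 7, 1), u("exec"), u("()V"),
               struct.pack(">BHH", 12, 3, 4), struct.pack(">BHH", 10, 2, 5),
               struct.pack(">Bq", 5, 1),               # Long: occupies slots 7 and 8
               u("java/lang/Math"), struct.pack(">BH", 7, 9), u("abs"),
               struct.pack(">BHH", 12, 11, 4), struct.pack(">BHH", 10, 10, 12)]
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 45, 14) + b"".join(entries)
```

An instrumenter would go on to locate the invoke instructions that use these constant-pool indexes and place its monitoring calls around them.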
Certification checks
• Check the integrity of the certificate, to prove that the certificate has not been modified
• Check whether the CP is trusted, using our CP list
• Check the integrity of the software with the public key of the CP
Certification
• A certificate is a set of data that identifies an entity.
• The data in a certificate includes the public cryptographic key.
• A certificate includes a CP and a CA
CA & CP
• The trusted organization that issues the certificate is a Certification Authority (CA) and is known as the certificate's issuer.
• The CP is the party that publishes the software, as well as the certificate; we can verify the authenticity of that CP by verifying the digital signature and the certificate.
Re-Sign
Instrumentation breaks the integrity of digitally signed applets
• Re-sign with a specified signer
• Client: only accept the specified signer
ActiveX Signature Scanning
• AppletTrap can check the certificate and block unsafe PE (Portable Executable) files (for example, .exe, .ocx etc.) and cabinet (.cab) files using a hash list.
HTML Script Filtering
• AppletTrap simply takes all the scripts out of the HTML file.
• AppletTrap only filters scripts from Hypertext Markup Language (HTML) files and does not filter standalone script files.
URL Blocking
• AppletTrap can forbid all clients from accessing the given URLs
• The administrator can add a remote folder and set it as recursive to forbid access to all the files and all the subfolders in it.
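
One way to evaluate a recursive folder rule, as an added example (not AppletTrap's implementation): the URL is canonicalised before matching so that case, percent-escapes and dot-segments do not change the verdict, and the folder is matched on a path-segment boundary. The rule format, the host names and the meaning of a non-recursive rule (files directly in the folder only) are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

def canon(url):
    """Return (host, path) with case, percent-escapes and dot-segments normalised."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # port is ignored in this sketch
    path = posixpath.normpath(unquote(parts.path) or "/")
    return host, "/" + path.lstrip("/")            # collapse any leading "//"

def is_blocked(url, rules):
    """rules: iterable of (folder_url, recursive) pairs (hypothetical format)."""
    host, path = canon(url)
    for folder_url, recursive in rules:
        f_host, folder = canon(folder_url)
        if host != f_host:
            continue
        if path == folder:
            return True
        # Match on a segment boundary so "/applets" does not cover "/applets-archive".
        if recursive and path.startswith(folder.rstrip("/") + "/"):
            return True
        # Assumption: a non-recursive rule covers only files directly in the folder.
        if not recursive and posixpath.dirname(path) == folder:
            return True
    return False

# Constructed rules (example.test is a reserved test domain).
RULES = [("http://example.test/applets/", True),
         ("http://example.test/tools", False)]
```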
TVCS compatible
InterScan AppletTrap comes fully compatible with the Trend Virus Control System
TVCS registration supports through a proxy and supports
Update Block Lists
• Upload all blocked Java, URL and ActiveX items to the server and download the block list identified by Trend
Configure Controls
• Supports remote configuration
• InterScan AppletTrap comes with a web-based administrator console for central management on the network.
Q & A
Known issues #1
Files with UTF-8 names cannot be extracted correctly, and an error is reported in the server log.
Known issues #2
If the number of cached files is large and the PC is shut down abnormally, restarting the AppletTrap service will take a long time.
Known issues #3
Some website chat rooms or forums cannot be accessed through AppletTrap. For example, the chat rooms at http://newchat.sina.com.cn/
Known issues #4
We only support digital IDs that are issued for Netscape Object Signing and can be exported to .p12 format by the Netscape browser. A digital ID from Verisign is recommended.
Known issues #5
If the disk is nearly full, all ActiveX controls can pass through; AppletTrap cannot block them.
Known issues #6
If a licensed version 2.0 is updated to version 2.5, it still runs as a trial version; the user must enter the license key again.