API Testing - Trend Micro
http://www.nj.trendmicro.com
InterScan AppletTrap
Zhang Hong
Trend Micro, AppletTrap Team
2001.09.18 (Nanjing)
http://www.antivirus.com
Where’s AppletTrap
Trend Micro InterScan™ AppletTrap™ is
a policy-based, centrally-managed enterprise
solution at the Internet gateway that monitors
the behavior of malicious applets, ActiveX,
JavaScript and VBScript.
The competitors
SurfinShield: client-side solution. Replaces the Java library in browsers.
• Administration issues (deployment, upgrades)
SurfinGate: server-side solution. Static parsing at the server.
• Heavy load on the server
AppletTrap
Distributes work evenly between client and server
Balances runtime monitoring and static scanning
Low administration cost
Supports re-signing of Jar files
How does AppletTrap work?
AppletTrap Proxy
AppletTrap acts as an HTTP proxy and does not require any client-side modification
Implements a cache
Supports HTTP, HTTPS and FTP
Jar File Controls
Check the block list first
Check the certificate
Instrument the code
Repack the Jar file
Re-sign with the imported signing key
Class File Controls
Check the block list first
Instrument the code
Instrumentation
Alter the Java code sequence during download
• Server: statically scan the Java code to find insecure functions
• Server: insert monitoring instructions before and after each insecure function
• Client: run the original code and the monitoring code
• Client: send a report back if malicious code is found
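
The four steps above, as an added example that is not from the original slides or from Trend Micro: it applies the same scan, wrap, run and report flow to Python source with the standard `ast` module instead of Java bytecode. The names `delete_file`, `open_socket`, `_monitor` and the policy callback are hypothetical.

```python
import ast

INSECURE = {"delete_file", "open_socket"}  # hypothetical sensitive calls
# Constructed sample "applet" source.
APPLET = 'open_socket("origin.example")\ndelete_file("/tmp/a")\n'

class Instrumenter(ast.NodeTransformer):
    """Server: static scan for sensitive calls; wrap each in a monitor call."""
    def __init__(self):
        self.found = []

    def visit_Call(self, node):
        self.generic_visit(node)
        if isinstance(node.func, ast.Name) and node.func.id in INSECURE:
            self.found.append((node.func.id, node.lineno))
            wrapped = ast.Call(func=ast.Name(id="_monitor", ctx=ast.Load()),
                               args=[ast.Constant(node.func.id), node.func, *node.args],
                               keywords=node.keywords)
            return ast.copy_location(wrapped, node)
        return node

def instrument(source):
    scanner = Instrumenter()
    tree = ast.fix_missing_locations(scanner.visit(ast.parse(source)))
    return compile(tree, "<applet>", "exec"), scanner.found

def run_on_client(code, policy):
    """Client: run original plus monitoring code; return the report."""
    report = []

    def _monitor(name, func, *args, **kwargs):
        report.append(("before", name, args))
        if not policy(name, args):
            report.append(("blocked", name, args))
            raise PermissionError(name)
        result = func(*args, **kwargs)
        report.append(("after", name, args))
        return result

    env = {"_monitor": _monitor,  # harmless stand-ins for the real calls:
           "delete_file": lambda path: None,
           "open_socket": lambda host: None}
    try:
        exec(code, env)
    except PermissionError:
        pass  # execution stops at the first blocked call
    return report
```
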
Certificate checks
Check the integrity of the certificate to prove that the certificate has not been modified
Check whether the CP is trusted against our CP list
Check the integrity of the software with the public key of the CP
Certificate
A certificate is a set of data that identifies an entity.
The data in a certificate includes the public
cryptographic key.
A certificate includes the CP and the CA
CA & CP
The trusted organization that issues the certificate is
a Certification Authority (CA) and is known as the
certificate's issuer.
The CP is the one who publishes the software, as well as
the certificate, and we can verify the authenticity of
that CP by verifying the digital signature and the
certificate.
Re-Sign
Instrumentation breaks the integrity of digitally signed applets
• Re-sign with the specified signer
• Client: accept only the specified signer
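
Why the Jar File Controls flow ends with a re-sign step, as an added example that is not from the original slides or the product: it builds a small Jar in memory, rewrites one class entry the way instrumentation would, and shows that the per-entry manifest digest no longer matches. The `SHA-256-Digest` attribute and all sample data are choices made for this example, and only the manifest digests are checked, not the signature file or signature block.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_jar(classes):
    """Constructed sample: a JAR whose manifest lists a digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, body in classes.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(body)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, "\r\n".join(lines) + "\r\n")
        for name, body in classes.items():
            jar.writestr(name, body)
    return buf.getvalue()

def manifest_digests(text):
    """Parse per-entry sections (72-byte line continuations are not handled)."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif not line:
            name = None
    return digests

def broken_entries(jar_bytes):
    """Entries whose content no longer matches the manifest digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        expected = manifest_digests(jar.read(MANIFEST).decode())
        return sorted(n for n in jar.namelist()
                      if not n.startswith("META-INF/")
                      and expected.get(n) != digest_b64(jar.read(n)))

def instrument_entry(jar_bytes, target, extra):
    """Stand-in for gateway instrumentation: rewrite one entry, keep old manifest."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)
            dst.writestr(name, data + extra if name == target else data)
    return out.getvalue()
```
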
ActiveX Signature Scanning
AppletTrap can check the certificate and block
unsafe PE (Portable Executable) files (for
example, .exe and .ocx) and cabinet (.cab) files using a
hash list.
HTML Script Filtering
AppletTrap simply takes all the scripts out of the HTML
file.
AppletTrap only filters scripts from Hypertext
Markup Language (HTML) files and does not filter scripts
in a normal script file.
URL Blocking
AppletTrap provides the ability to forbid all
clients from accessing the given URLs.
An administrator can add a remote folder and set it as
recursive to forbid access to all the files and all
subfolders in it.
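
One way to implement folder rules with a recursive flag, as an added example that is not from the original slides or the product: URLs are reduced to a canonical host and path before matching, so equivalent spellings of the same URL hit the same rule. The class name, the host names and the meaning given to a non-recursive rule (the folder and the files directly in it) are assumptions of this example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

def canonical(url):
    """Reduce equivalent spellings of a URL to one (host, path) pair."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    return host, path

class UrlBlockList:
    def __init__(self):
        self.rules = []  # (host, folder path ending in "/", recursive)

    def add_folder(self, url, recursive):
        host, path = canonical(url)
        self.rules.append((host, path.rstrip("/") + "/", recursive))

    def is_blocked(self, url):
        host, path = canonical(url)
        for rule_host, folder, recursive in self.rules:
            if host != rule_host or not (path + "/").startswith(folder):
                continue
            rest = path[len(folder):]
            # Non-recursive rules cover the folder and the files directly in it.
            if recursive or "/" not in rest:
                return True
        return False
```
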
TVCS compatible
InterScan AppletTrap comes fully compatible with
the Trend Virus Control System
TVCS registration supports through a proxy and
supports
Update Block Lists
Upload all blocked Java, URL and ActiveX items to the server
and download the Trend-identified block list
Configure Controls
Supports remote configuration
InterScan AppletTrap comes with a web-based
administrator console for central management on the
network.
Q&A
Known issues #1
Files with UTF-8 names can't be extracted correctly, and
an error is reported in the server log
Known issues #2
If the number of cached files is large and the PC is
shut down abnormally, restarting the AppletTrap service
will take a long time.
Known issues #3
Some website chat rooms or forums can't be accessed
through AppletTrap, for example the chat
rooms at http://newchat.sina.com.cn/
Known issues #4
We only support digital IDs that are for
Netscape Object Signing purposes and can
be exported to .p12 format by the Netscape
browser. A digital ID from Verisign is
recommended.
Known issues #5
If the disk is nearly full, all ActiveX can
pass through; AppletTrap can't block it.
Known issues #6
If a licensed version 2.0 is updated to version 2.5, it
is still a trial version; the user must enter the
license key again