; Version 1.4.1 -- Last Updated 30 Nov 2007 ;========================================================================= ; ; Blue Coat ProxySG Spyware control policy using Blue Coat Content Filter ; ; This policy file assumes the proxy is running SGOS version 3.2 or above ; ;========================================================================= ;;======================================================================= ;;======================================================================= ;; General Definitions used by the Blue Coat ProxySG Anti-Spyware policy ;; For consistency all defined conditions will be prefixed with ;; "BC_" to avoid naming conflicts with other policies. ;;======================================================================= ;;======================================================================= ;========================================================================= ; ; Trusted domains White-list - updated 27 Nov 2007 ; ; Sites in these domain names and IP ranges are exempt ; from all of the policy, including: the drive-by-install protection, ; executable file blocking, and active-content HTML cleaning. 
;
; Additions may be made via the VPM with the policy
; category "Additional_Spyware_Trusted_Sites"
;
;=========================================================================
; Vendor-maintained whitelist. A url.domain test matches the listed domain
; and every host beneath it, so any server under e.g. hp.com, sun.com or
; att.com bypasses the drive-by, executable and tag-stripping rules below.
; Review the list against local requirements rather than accepting it
; wholesale; customer additions belong in the category further down.
define url.domain condition BC_Spyware_trusted_domains
bluecoat.com
ositis.com
winproxy.com
microsoft.com
windowsupdate.com
apple.com
adobe.com
macromedia.com
cisco.com
trendmicro.com
mcafee.com
sophos.com
kaspersky.com
pandasoftware.com
pestscan.com
symantec.com
webex.com
sun.com
hp.com
att.com
pestpatrol.com
lavasoft.de
webroot.com
intermute.com
communicast.com
motorola.com
intel.com
dell.com
oracle.com
siebel.com
; IP literals kept for reference only: commented out, so not part of the condition.
;pestscan ip 69.44.122.156
;communicast ip 66.119.37.165 66.119.37.167 66.119.37.169 216.109.75.10
end

; RFC 1918 ranges; URLs addressed to these networks are treated as trusted
; by BC_Spyware_trusted_sites, so internal servers are never subject to
; the spyware rules.
define subnet BC_Spyware_Internal_IP_Ranges
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
end
;
; Combined whitelist. Separate lines in a define condition are alternatives,
; so a request is trusted if it matches the vendor domain list, OR is
; addressed to an internal range, OR falls in the customer category.
define condition BC_Spyware_trusted_sites
;================================================================
;Include BlueCoat defined whitelist of trusted domains
;================================================================
condition=BC_Spyware_trusted_domains
url.address=BC_Spyware_Internal_IP_Ranges
;================================================================
;Include a customer defined whitelist category.
;=================================================================
category="Additional_Spyware_Trusted_Sites"
end
; Create the category, so it appears in the VPM and can be edited
define category Additional_Spyware_Trusted_Sites
end
;=========================================================================
;
; Javascript White-list - updated 01 Dec 2005
;
; Starting in September 2005 the anti-spyware policy began removing
; javascript from suspicious web pages. This is necessary due to
; the prevalence of javascript injected drive-by downloads.
; However some sites behave adversely after Javascript removal. This
; list will exempt specific sites from script stripping.
; Active content is still blocked and object tags are still stripped.
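;
; Additions may be made via the VPM with the policy
; category "Additional_Spyware_Javascript_Safe_Sites"
;
;=========================================================================
; Sites whose pages keep their scripts (only object tags are stripped, see
; rule 3a). Each line AND-s a host regex with a category test: the host
; regex on its own also matches hosts such as "google.<anything>", so the
; category test is what keeps this exemption narrow.
define condition BC_Spyware_Javascript_Safe_Sites
url.host.regex="(^|\.)google\." category="Search Engines/Portals"
url.host.regex="(^|\.)yahoo\." category="Search Engines/Portals"
;================================================================
;Include a customer defined Javascript_Safe_Sites category.
;=================================================================
category="Additional_Spyware_Javascript_Safe_Sites"
end
; Create the category, so it appears in the VPM and can be edited
define category Additional_Spyware_Javascript_Safe_Sites
end
;=========================================================================
;
; Virtual-Hostname White-list - updated 28 Feb 2005
;
; So called "virtual hostnames" are used for certain types
; of authentication and advanced policies (ex: compliance and
; coaching pages). This condition is used to exempt requests for
; virtual-hostnames from response header testing,
; because no server exists.
;
; Additions may be made via the VPM with the policy
; category "Additional_Virtual_Hostnames"
;
;=========================================================================
define condition BC_Spyware_virtual_hostnames
url.domain=cfauth.com
url.host=notify.bluecoat.com
url.domain=policyexample.bluecoat.com
;================================================================
;Include a customer defined virtual_hostname category.
;=================================================================
category="Additional_Virtual_Hostnames"
end
;
; Create the category, so it appears in the VPM and can be edited
define category Additional_Virtual_Hostnames
end
;=========================================================================
; Begin Blue Coat Content Filter groupings - updated 27 Nov 2007
;=========================================================================
;
; Denied exe sites: categories from which executable downloads are refused
; (rules 2a-2c). "none" is part of the list, so uncategorized sites are
; treated as suspect rather than as trusted.
define condition BC_Spyware_exe_blocks
category="Pornography"
category="Adult/Mature Content"
category="Personals/Dating"
category="Nudity"
category="Gambling"
category="Illegal/Questionable"
category="Hacking"
category="Proxy Avoidance"
category="Peer-to-Peer (P2P)"
category="Streaming Media/MP3s"
category="Humor/Jokes"
category="Pay to Surf"
category="Search Engines/Portals"
category="Open Image/Media Servers"
category="Phishing"
category="Spyware/Malware Sources"
category="Spyware Effects/Privacy Concerns"
category="Suspicious"
category="Web Advertisements"
category="Web Hosting"
category="Placeholders"
; ==================
; The category "Software Downloads" statistically should be included
; however it is commented out in the basic policy so that ProxyAV
; scanning can be used instead.
; ==================
;category="Software Downloads"
; Special category "none" matches non-categorized sites
category="none"
end
;
; Denied active content sites: a superset of BC_Spyware_exe_blocks, used by
; the drive-by-install, tag-stripping, PhishGuard and cookie-downgrade rules.
define condition BC_Spyware_active_content_blocks
; Include the categories from exe blocks
condition=BC_Spyware_exe_blocks
; Categories where exe files are fine, but other active content suspicious
category="Games"
category="Intimate Apparel/Swimsuit"
category="Chat/Instant Messaging"
category="Email"
category="Newsgroups/Forums"
category="Alternative Spirituality/Occult"
category="Violence/Hate/Racism"
category="Illegal Drugs"
category="Sex Education"
end
;
; Known spyware "mothership" destinations; requests to these are denied outright.
define condition BC_Spyware_phone_home
category="Spyware Effects/Privacy Concerns"
end
;=========================================================================
; End Blue Coat Content Filter groupings
;=========================================================================
;=======================================================================
; Active-Content patterns - updated 31 Mar 2007
;
; These define what content types are dangerous.
;
;=======================================================================
; active-content extensions - those a user doesn't manually select to download
define condition BC_Spyware_active_content_extensions
url.extension=cab
url.extension=ocx
url.extension=dll
url.extension=bat
url.extension=cmd
url.extension=vbs
url.extension=vb
url.extension=pif
url.extension=hlp
url.extension=msi
url.extension=scr
url.extension=wsc
url.extension=wsh
url.extension=wsf
url.extension=hta
url.extension=class
url.extension=jar
url.extension=ani
url.extension=reg
url.extension=chm
url.extension=cpl
url.extension=wmf
end
;
; active-content mime types. On SGOS 4.2 and later the body-signature
; conditions (BC_Spyware_active_content_data_types, defined further down)
; are OR-ed in, so a mislabelled Content-Type alone does not get past rule 1b.
define condition BC_Spyware_active_content
condition=BC_Spyware_active_content_type
;
;The following rules require SGv4.2 features
#if release.version=4.2..
condition=BC_Spyware_active_content_data_types
#endif
end
define condition BC_Spyware_active_content_type
response.header.Content-Type="application/cab"
response.header.Content-Type="application/x-compress"
response.header.Content-Type="application/x-compressed"
response.header.Content-Type="zz-application/zz-winassoc-cab"
response.header.Content-Type="application/x-cab-compressed"
; Java types but not "application/javascript". "($|[^s])" instead of the
; former "[^s]" so that a bare "application/java" or "application/x-java"
; header, with nothing after "java", is matched as well.
response.header.Content-Type="application/(x-|)java($|[^s])"
response.header.Content-Type="(application|image)/(x-|x-ms|x-win-|)(metafile|wmf)"
end
;
; executable extensions - those a user might manually download
define condition BC_Spyware_exe_extensions
url.extension=exe
url.extension=com
url.extension=zip
url.extension=rar
url.extension=gz
url.extension=bz2
end
;
; executable and active content transferred with content-disposition headers
define condition BC_Spyware_exe_active_content_disposition
; block obfuscated Mime encoding that could disguise a ".exe"
; see: http://seclists.org/lists/bugtraq/2002/Jun/0012.html
response.x_header.Content-Disposition = "\*[0-9]+="
; block executable and active-content file extensions in Content-Disposition headers.
; The list is the union of BC_Spyware_active_content_extensions and
; BC_Spyware_exe_extensions; rar, gz and bz2 were previously missing here
; although rule 2a already denies them by URL extension.
response.x_header.Content-Disposition = "\.(exe|com|dll|cab|ocx|bat|cmd|vbs|vb|pif|hlp|msi|scr|wsc|wsh|wsf|hta|class|jar|ani|reg|chm|cpl|zip|rar|gz|bz2|wmf)($|[^a-z0-9])"
end
;
; executable mime types (plus body signatures on SGOS 4.2 and later)
define condition BC_Spyware_exe_content
condition=BC_Spyware_exe_content_type
;
;The following rules require SGv4.2 features
#if release.version=4.2..
condition=BC_Spyware_exe_content_data_types
#endif
end
;
; "application/octet-stream" is the generic binary type, so within the
; BC_Spyware_exe_blocks categories rule 2c denies any unlabelled binary
; download, not only executables.
define condition BC_Spyware_exe_content_type
response.header.Content-Type="application/octet-stream"
response.header.Content-Type="application/x-msdownload"
response.header.Content-Type="application/x-msdos-program"
response.header.Content-Type="application/rar"
response.header.Content-Type="application/x-rar"
end
;
; The following set of conditions require SGv4.2 features
; These data patterns will be used to enhance the policy's
; ability to detect the nature of the object being requested.
;
#if release.version=4.2..
;High level patterns
;
define condition BC_Spyware_active_content_data_types
condition=BC_Response_Data_Type_java_files
condition=BC_Response_Data_Pattern_cab
condition=BC_Response_Data_Pattern_windows_hlp
condition=BC_Response_Data_Pattern_windows_compiled_help_chm
condition=BC_Response_Data_Pattern_windows_scripting_host_wsh
condition=BC_Response_Data_Pattern_HypertextApplication_hta
condition=BC_Response_Data_Pattern_wmf
condition=BC_Response_Data_Pattern_ani
end
;
define condition BC_Spyware_exe_content_data_types
condition=BC_Response_Data_Pattern_exe_dll_ocx_scr
condition=BC_Response_Data_Pattern_msi
condition=BC_Response_Data_Type_compressed_archive
condition=BC_Response_Data_Pattern_xpi
end
;
; Medium level patterns
define condition BC_Response_Data_Type_java_files
condition=BC_Response_Data_Pattern_class
condition=BC_Response_Data_Pattern_jar
end
; "MZ" DOS/PE header, shared by exe, dll, ocx and scr.
define condition BC_Response_Data_Pattern_exe_dll_ocx_scr
http.response.data.2.case_sensitive="MZ"
end
; NOTE(review): this is the generic OLE compound-document signature, which
; legacy Office documents (.doc/.xls/.ppt) share with .msi; within the
; BC_Spyware_exe_blocks categories such documents are denied as well.
; Confirm that is intended.
define condition BC_Response_Data_Pattern_msi
http.response.data.8.regex="^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
end
define condition BC_Response_Data_Pattern_cab
http.response.data.4.case_sensitive="MSCF"
end
; XPI package: an archive signature AND (the .xpi extension OR the
; xpinstall content type).
define condition BC_Response_Data_Pattern_xpi
url.extension=xpi condition=BC_Response_Data_Type_compressed_archive
response.header.Content-Type="application/x-xpinstall" \
condition=BC_Response_Data_Type_compressed_archive
end
;
;supporting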
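; patterns used as part of the high/medium level conditions
; (byte signatures tested against the start of the response body)
;
; Java class file magic 0xCAFEBABE.
define condition BC_Response_Data_Pattern_class
http.response.data.4.regex="^\xCA\xFE\xBA\xBE"
end
; A jar is a compressed archive AND (the .jar extension OR a java content type).
define condition BC_Response_Data_Pattern_jar
url.extension=jar condition=BC_Response_Data_Type_compressed_archive
response.header.Content-Type="application/(x-)?java($|[^A-Za-z])" \
condition=BC_Response_Data_Type_compressed_archive
end
;
define condition BC_Response_Data_Type_compressed_archive
condition=BC_Response_Data_Pattern_zip
condition=BC_Response_Data_Pattern_rar
condition=BC_Response_Data_Pattern_ace
condition=BC_Response_Data_Pattern_gz
condition=BC_Response_Data_Pattern_bz2
end
; ZIP local file header "PK\003\004".
define condition BC_Response_Data_Pattern_zip
http.response.data.4.regex.case_sensitive="PK\003\004"
end
define condition BC_Response_Data_Pattern_rar
http.response.data.4.case_sensitive="Rar!"
end
; NOTE(review): in ACE archives the "**ACE**" marker sits at byte offset 7,
; not at the start of the file, so a test of the first 7 bytes is unlikely
; to ever match a real archive. Left unchanged; verify against a sample
; before moving the offset.
define condition BC_Response_Data_Pattern_ace
http.response.data.7.case_sensitive="**ACE**"
end
define condition BC_Response_Data_Pattern_gz
http.response.data.2.regex="^\x1f\x8b"
end
; bzip2 stream header: "BZh", the block-size digit 1..9, then the block
; magic "1AY&SY". The former literal "BZh91AY&SY" only matched streams
; written with block size 9 (bzip2's default); streams produced with
; -1 .. -8 did not match this signature at all.
define condition BC_Response_Data_Pattern_bz2
http.response.data.10.regex.case_sensitive="^BZh[1-9]1AY&SY"
end
;
; WinHelp header "?_\x03\x00".
define condition BC_Response_Data_Pattern_windows_hlp
http.response.data.4.regex.case_sensitive="^\?_\x03\x00"
end
define condition BC_Response_Data_Pattern_windows_compiled_help_chm
http.response.data.4.case_sensitive="ITSF"
end
define condition BC_Response_Data_Pattern_windows_scripting_host_wsh
http.response.data.12.case_sensitive="[ScriptFile]"
end
define condition BC_Response_Data_Pattern_HypertextApplication_hta
http.response.data.15.case_sensitive="HTA:APPLICATION"
end
; WMF: either the placeable-metafile key or a standard header
; (type word, header size 9, version 0x300); the two lines are alternatives.
define condition BC_Response_Data_Pattern_wmf
http.response.data.4.regex.case_sensitive="^\xD7\xCD\xC6\x9A"
http.response.data.6.regex.case_sensitive="^.\x00\x09\x00\x00\x03"
end
; NOTE(review): "RIFF" is the generic RIFF container prefix, not specific to
; animated cursors, so WAV and AVI content from the suspect categories also
; matches and is denied as a drive-by install by rule 1b. A form-type check
; further into the header would be narrower; confirm with the CPL reference
; how "." behaves on binary data before tightening it.
define condition BC_Response_Data_Pattern_ani
http.response.data.4.regex.case_sensitive="^RIFF"
end
; Flash signatures: defined here but not referenced by any condition or
; rule elsewhere in this file.
define condition BC_Response_Data_Pattern_compressed_flash
http.response.data.4.regex.case_sensitive="^CWS[0-9]"
end
define condition BC_Response_Data_Pattern_flash
http.response.data.4.regex.case_sensitive="^FWS[0-9]"
end
#endif
;=======================================================================
; Spyware Agent Patterns - updated 6 Dec 2005
;
; This is intended to enhance spyware detection via request patterns
; eg: user agent in requests
;
; For efficiency this condition uses OR symbols in the pattern match.
; It is equally valid to replace "aaa|bbb" with two lines,
; one testing "aaa" and the other testing "bbb".
; Matching is case-insensitive
;
; NOTE(review): several alternatives are very short substrings ("3a",
; "IST", "mez", "Wise") and, being unanchored and case-insensitive, may
; also hit legitimate user-agent strings that merely contain them. The
; only rule using this condition relabels the access-log entry, so the
; cost is noisy logs rather than blocked traffic, but treat a
; SPYWARE_CLIENT label as indicative, not conclusive.
;=======================================================================
define condition BC_Spyware_policy_spyware_request
request.header.User-Agent="Gator|FunWebProducts|BigBadProducts"
request.header.User-Agent="ISEARCHTECH|IOKernel|MyWay"
request.header.User-Agent="\.exe\|1, 0, 0,|3a|404search"
request.header.User-Agent="Apropos|Browser Adv|Bundle"
request.header.User-Agent="EnvoloAutoUpdater|ESB{|ezula"
request.header.User-Agent="FunWebSearch"
request.header.User-Agent="Godzilla|HelperH|Hotbar"
request.header.User-Agent="iefeatsl|IST"
request.header.User-Agent="istsvc|Kontiki|mez"
request.header.User-Agent="MGS-Internal-Web-Manager|MyApp"
request.header.User-Agent="MyTotalSearch|MyTotalSearchSearchAssistant"
request.header.User-Agent="MyWebSearch|MyWebSearchSearchAssistant|NSISDL"
request.header.User-Agent="OSSProxy|Peer Points Manager|PeerEnabler"
request.header.User-Agent="SAH Agent|searchengine2000\.com"
request.header.User-Agent="Secret Agent|sureseeker\.com|Sidesearch"
request.header.User-Agent="SideStep Client|SurferPlugin|TIBS Loader"
request.header.User-Agent="TIBSBrowser|Topconvertingagent|TSA/"
request.header.User-Agent="UCmore|Visicom Toolbar|Wildtangent"
request.header.User-Agent="Wildtangent Kernel|Wise"
end condition BC_Spyware_policy_spyware_request
;=======================================================================
; Active-Content stripping - updated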
27 Sept 2004 ; ; This defines the policy action which removes potentially dangerous ; HTML tags. ; ;======================================================================= ; active content stripper define active_content transform_BC_Spyware_StripActiveContent tag_replace object <'; else { s += ''+h.charAt(i)+''; hasIDN = true; } } if (hasIDN) { s += ' Warning: '; s += 'red '; s += 'characters are non-English and may indicate a falsified site name.'; } return s; } function bluecoat_phishGuardDisable(days) { var ExpireDate = new Date(); ExpireDate.setTime(ExpireDate.getTime() + (days * 86400 * 1000)); cookie_text="BC_Policy_No_PhishGuard=1; path=/;expires="+ ExpireDate+";" document.cookie = cookie_text; document.location.reload(); } if (bluecoat_hasTextEntryForm()) { var p = document.createElement("p"); p.innerHTML = '
'+ 'You are at '+ bluecoat_hostname()+ "
"+ ''+ '
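'; document.body.insertBefore(p, document.body.firstChild); }
EOF
end
;
; define phishing action: applies the PhishGuard transform defined above
define action BC_Spyware_aDisplayDest
transform BC_Spyware_jDisplayDest
end
; define delete_phishguard_disable action: removes the user's opt-out cookie
; from the forwarded request so it is not passed on to the origin server
define action BC_spyware_delete_phishguard_disable
delete_matching(request.header.cookie, "BC_Policy_No_PhishGuard");
end
;=======================================================================
; "Cookie Persistence Modification" action define - updated 07 Sept 2005
;
; Turns Set-Cookie headers from suspect sites into session cookies by
; removing the attributes that give a cookie a lifetime beyond the
; browser session.
;=======================================================================
;
define action BC_Spyware_Downgrade_SetCookie
; Netscape-style lifetime attribute.
rewrite(response.header.set-cookie, "(.*)expires=[^;$]+(.*)", "$(1)$(2)")
; Max-Age is the other attribute that makes a cookie persistent; a site
; sending Max-Age kept persistent cookies despite the rewrite above, so it
; is stripped the same way.
; NOTE(review): both patterns are written in lower case - confirm how
; rewrite() treats letter case, since servers commonly emit "Expires="
; and "Max-Age=".
rewrite(response.header.set-cookie, "(.*)max-age=[^;$]+(.*)", "$(1)$(2)")
end
;;=======================================================================
;;=======================================================================
;;End of definitions
;;Beginning of policy rules to block spyware or prevent known exploits
;;
;; To convert this policy into a single rule for easy
;; user/source/user-agent triggering
;; uncomment the following define:
;
;define proxy policy BC_Spyare_policy_module
;
;; and uncomment the "end" immediately before the closing
;; comments. Then reference the entire spyware/exploit blocking
;; policy from a layer such as (adding other tests as desired):
;;
;;
;; policy.BC_Spyare_policy_module
;;
;;=======================================================================
;;=======================================================================
;=======================================================================
; Spyware "Phone Home" requests - updated 5 May 2005
;
; Deny all requests for known spyware "mothership" destinations using the
; provided content-filtering categories. Also populate the log appropriately.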
;
;=======================================================================
; NOTE(review): the rules from here on are layer rules, but no layer header
; (such as a <Proxy> line) survives in this copy of the file; such lines
; were most likely lost when the file was extracted. Confirm the layer
; structure against the original before installing this policy.
;
condition=BC_Spyware_phone_home FORCE_DENY("This request blocked as spyware phoning home.") log.rewrite.sc-filter-result("SPYWARE_PHONE_HOME")
;=======================================================================
; Spyware active-content and executable blocking - updated 28 Mar 2006
;
; This policy uses previously defined conditions to match all non-whitelist
; sites against three types of policy:
; 1. Is the file extension or content-type of the request a drive-by install type -> Deny
; 2. Is the file extension, content-disposition or content-type an executable file
; and the category is in the not trusted for executables categories -> Deny
; 3. Is the content a web-page from the non-whitelist sites -> strip risky tags
;
;=======================================================================
; Guard conditions: everything below applies only to non-trusted sites in
; the suspect categories, and never to virtual hostnames (no real server).
condition=!BC_Spyware_trusted_sites \
condition=BC_Spyware_active_content_blocks \
condition=!BC_Spyware_virtual_hostnames
; 1a. DENY known active content extensions
; (successful responses only; an error page for a .cab URL is left alone)
condition=BC_Spyware_active_content_extensions \
http.response.code=(200..299) \
FORCE_DENY("This request blocked as a spyware $(quot)Drive-by Install$(quot)") \
log.rewrite.sc-filter-result("SPYWARE/Blocked%20Drive-by%20Install")
; 1b. DENY known active content file types
condition=BC_Spyware_active_content \
FORCE_DENY("This request blocked as a spyware $(quot)Drive-by Install$(quot)") \
log.rewrite.sc-filter-result("SPYWARE/Blocked%20Drive-by%20Install")
; 2a. DENY known executable file extensions from suspect categories
; NOTE(review): the intent of url.query.regex=!"" on this rule is not clear
; from the file (as written it negates a match of the empty pattern); check
; against the CPL reference that it does not quietly disable rule 2a.
condition=BC_Spyware_exe_blocks \
condition=BC_Spyware_exe_extensions \
http.response.code=(200..299) \
http.method=GET url.query.regex=!"" \
FORCE_DENY("This request blocked as a risky executable file download.") \
log.rewrite.sc-filter-result("SPYWARE/Blocked%20Executable")
; 2b. DENY executable file extensions in content-dispositions from suspect categories
condition=BC_Spyware_exe_blocks \
condition=BC_Spyware_exe_active_content_disposition \
FORCE_DENY("This request blocked as a risky executable file download.") \
log.rewrite.sc-filter-result("SPYWARE/Blocked%20Executable")
; 2c. DENY known executable file types from suspect categories
condition=BC_Spyware_exe_blocks \
condition=BC_Spyware_exe_content \
FORCE_DENY("This request blocked as a risky executable file download.") \
log.rewrite.sc-filter-result("SPYWARE/Blocked%20Executable")
[rule]
; BC_Spyware_webpage, the Strip*/Protect_IE/IE_UserAgents actions and
; conditions, and bc_spyware_policy_attacks are not defined anywhere in
; this copy of the file; presumably they sit in the section lost together
; with the transform definitions.
condition=BC_Spyware_webpage ;all further rules in the layer must match
;; 3. Remove object references from HTML in suspect categories
;; [Uncomment the next line to only strip object tags, the pre-v1.2.13 behavior]
; action.BC_Spyware_StripActiveContent(yes)
;;
;; 3a. Remove only object references from HTML instead of all risky tags
condition=BC_Spyware_Javascript_Safe_Sites action.BC_Spyware_StripActiveContent(yes)
;; 3b. Remove risky tags from HTML in suspect categories
action.BC_Spyware_StripRiskyContent(yes)
;=======================================================================
; Block Internet Explorer location bar exploit - updated 11 Nov 2005
;
; This policy will prevent downloading of active content via exploit
;
;=======================================================================
;
; if not on trusted site list, protect IE (guard conditions, see the NOTE
; about lost layer headers above)
condition=!BC_Spyware_trusted_sites condition=BC_Spyware_active_content_blocks
; Do not insert protective javascript for non-graphical browsers
; (trigger-only rule: matching it ends the layer before the insertion
; rule below is reached)
request.header.user-agent=!"^(Mozilla|Opera)"
; Insert protective javascript into HTML pages for IE browsers
condition=BC_Spyware_IE_UserAgents action.BC_Spyware_Protect_IE(yes)
;=======================================================================
; Attack definition - this blocks a collection of known attacks
;
; To use this definition create a policy based on the trigger:
; condition=bc_spyware_policy_attacks
; The suggested action for such a policy is "force_deny("Denial details")",
; thus placing the following lines (without the preceding semi-colons)
; will deny all requests/responses that match recognized attacks:
;
;
; condition=bc_spyware_policy_attacks force_deny("Request/Response denied as potential attack")
;=======================================================================
;
condition=!BC_Spyware_virtual_hostnames condition=bc_spyware_policy_attacks FORCE_DENY("Request/Response denied as potential attack")
;;=======================================================================
;;=======================================================================
;;End of rules that might block or prevent spyware by technical means.
;;Beginning of the policy rules to enhance logging, provide additional
;; warnings, decrease data collection by suspicious sites.
;;=======================================================================
;;=======================================================================
;=======================================================================
; Spyware Agent communications - updated 30 Jan 2005
;
; Populate the access logging for recognized spyware agents, communicating
; to destinations other than known "phone home" locations.
;
; Optionally these communications could be blocked, but some spyware modifies
; the browser's user-agent header for all requests, for now the policy simply
; labels all such requests.
; Another rule will deny "phone home" requests.
;
;=======================================================================
;
; recognized spyware requests - ignoring those destined for phone_home sites
condition=!BC_Spyware_phone_home condition=bc_spyware_policy_spyware_request log.rewrite.sc-filter-result("SPYWARE_CLIENT")
;=======================================================================
; Alert users of possible Phishing attacks - updated 22 Apr 2005
;
; This policy will insert a banner advising the client of the current
; URL on web pages that contain forms that might submit personal data.
; Included with this warning is a button to disable the display of this
; warning for 30 days.
;
; The javascript insertion only occurs for "active categories" listed
; above which are not in the "trusted sites" list.
;
;=======================================================================
;
; If active category list and not on the trusted list, insert phishing javascript
condition=!BC_Spyware_trusted_sites condition=BC_Spyware_active_content_blocks
; Do not insert PhishGuard for non-graphical browsers
request.header.user-agent=!"^(Mozilla|Opera)"
; Do not insert PhishGuard if the user requested it disabled
; (this rule matching first keeps the banner out, and the opt-out cookie
; is removed from the forwarded request at the same time)
request.header.cookie="BC_Policy_No_PhishGuard=1" action.BC_spyware_delete_phishguard_disable(yes)
; Insert PhishGuard javascript into HTML pages
action.BC_Spyware_aDisplayDest(yes)
;=======================================================================
; Cookie Persistence Modification - updated 07 Sept 2005
;
; Downgrade set-cookie headers from suspicious sites to be non-persistent.
;
;=======================================================================
;
condition=!BC_Spyware_trusted_sites \
condition=BC_Spyware_active_content_blocks \
condition=!BC_Spyware_virtual_hostnames action.BC_Spyware_Downgrade_SetCookie(yes)
;;=======================================================================
;;=======================================================================
;; The following "end" terminates the "define proxy policy..." line
;; found just after all definitions, documentation/explanation is
;; provided in comments there.
;
;end
;;=======================================================================
;;=======================================================================
;=========================================================================
;
; End of Blue Coat ProxySG Spyware control policy using Blue Coat Content Filter
;
;=========================================================================
;=======================================================================
; Disallow transfer-encoding on pre-SGv4 systems - updated 31 Mar 2006
;
; Required for policy notification (Phishing, security advisory ...)
; This layer now OS version dependent, SGv4 includes compression support.
;
; The action removes the client's Accept-Encoding request header, so the
; origin server is not offered compression and, presumably, the
; page-insertion actions above then see an uncompressed body.
;=======================================================================
#if release.version=2..3
define action bc_spyware_policy_ForceUncompressedResponse
delete(request.header.Accept-Encoding)
end action bc_spyware_policy_ForceUncompressedResponse
action.bc_spyware_policy_ForceUncompressedResponse(yes)
#endif