; Version 1.3.1 -- Last Updated 18 Jan 2006
;=========================================================================
;
; Blue Coat ProxySG Spyware control policy using SmartFilter4
;
; This policy file assumes the proxy is running SGOS version 3.2 or above
;
; NOTE(review): this copy of the file was recovered from a collapsed,
; extraction-damaged rendering. Line breaks were reconstructed from the
; CPL syntax (one entry per line inside a definition; "\" marks a
; continued rule line; where two triggers are kept on one line they are
; ANDed, separate lines are alternatives), and every angle-bracketed span
; appears to have been dropped: the layer headers that precede each rule
; group and the "<<EOF ... EOF" bodies of the active_content / javascript
; definitions (only a stray "<" survives after "tag_replace object" and
; "prolog"). Check both against the original policy before installing it.
; Names referenced but not defined anywhere in this text
; (BC_Spyware_webpage, BC_Spyware_IE_UserAgents,
; BC_Spyware_StripRiskyContent and the action wrappers for the transforms)
; presumably lived in the dropped spans.
;=========================================================================
;=========================================================================
;
; Definitions
;
;=========================================================================
;=========================================================================
;
; Trusted domains White-list - updated 04 Apr 2005
;
; Sites in these domain names and IP ranges are exempt
; from all of the policy, including: the drive-by-install protection,
; executable file blocking, and active-content HTML cleaning.
;
; Additions may be made via the VPM with the policy
; category "Additional_Spyware_Trusted_Sites"
;
; NOTE(review): a trusted match switches off every control in this file,
; and a url.domain entry covers the listed domain together with all of
; its subdomains, so each entry is a full bypass for whoever controls
; that domain. The list dates from 2005: prune vendors no longer in use
; and review it on a schedule.
;=========================================================================
define url.domain condition BC_Spyware_trusted_domains
  bluecoat.com
  ositis.com
  winproxy.com
  microsoft.com
  windowsupdate.com
  macromedia.com
  cisco.com
  trendmicro.com
  mcafee.com
  sophos.com
  kaspersky.com
  pandasoftware.com
  pestscan.com
  symantec.com
  webex.com
  sun.com
  hp.com
  att.com
  pestpatrol.com
  lavasoft.de
  webroot.com
  intermute.com
  communicast.com
  motorola.com
  intel.com
  dell.com
  oracle.com
  siebel.com
  ;pestscan ip
  69.44.122.156
  ;communicast ip
  66.119.37.165
  66.119.37.167
  66.119.37.169
  216.109.75.10
end

; RFC 1918 private address space. BC_Spyware_trusted_sites (below) treats
; these addresses as trusted, so every host on the internal network is
; exempt from the whole policy -- an internal server that is compromised
; or serves user-uploaded content is not filtered.
define subnet BC_Spyware_Internal_IP_Ranges
  10.0.0.0/8
  172.16.0.0/12
  192.168.0.0/16
end

; Union of the three trust sources. Each line inside a condition
; definition is an alternative: any one of them makes the condition true.
define condition BC_Spyware_trusted_sites
  ;================================================================
  ;Include BlueCoat defined whitelist of trusted domains
  ;================================================================
  condition=BC_Spyware_trusted_domains
  url.address=BC_Spyware_Internal_IP_Ranges
  ;================================================================
  ;Include a customer defined whitelist category.
  ;=================================================================
  category="Additional_Spyware_Trusted_Sites"
end

; Create the category, so it appears in the VPM and can be edited
define category Additional_Spyware_Trusted_Sites
end

;=========================================================================
;
; Javascript White-list - updated 01 Dec 2005
;
; Starting in September 2005 the anti-spyware policy began removing
; javascript from suspicious web pages. This is necessary due to
; the prevalence of javascript injected drive-by downloads.
; However some sites behave adversely after Javascript removal. This
; list will exempt specific sites from script stripping.
; Active content is still blocked and object tags are still stripped.
;
; Additions may be made via the VPM with the policy
; category "Additional_Spyware_Javascript_Safe_Sites"
;
;=========================================================================
; Sites listed here get only the object-tag stripper (rule 3a below)
; instead of the full risky-tag stripper (rule 3b).
define condition BC_Spyware_Javascript_Safe_Sites
  ;================================================================
  ;Include a customer defined Javascript_Safe_Sites category.
  ;=================================================================
  category="Additional_Spyware_Javascript_Safe_Sites"
end

; Create the category, so it appears in the VPM and can be edited
define category Additional_Spyware_Javascript_Safe_Sites
end

;=========================================================================
;
; Virtual-Hostname White-list - updated 28 Feb 2005
;
; So called "virtual hostnames" are used for certain types
; of authentication and advanced policies (ex: compliance and
; coaching pages). This condition is used to exempt requests for
; virtual-hostnames from response header testing,
; because no server exists.
;
; Additions may be made via the VPM with the policy
; category "Additional_Virtual_Hostnames"
;
;=========================================================================
; Requests to these names are answered by the proxy itself; the blocking,
; cookie-downgrade and attack layers below all exclude them.
define condition BC_Spyware_virtual_hostnames
  url.domain=cfauth.com
  url.host=notify.bluecoat.com
  url.domain=policyexample.bluecoat.com
  ;================================================================
  ;Include a customer defined virtual_hostname category.
  ;=================================================================
  category="Additional_Virtual_Hostnames"
end

; Create the category, so it appears in the VPM and can be edited
define category Additional_Virtual_Hostnames
end

;=========================================================================
; Begin SmartFilter4 groupings - updated 09 Feb 2005
;=========================================================================
; Denied exe sites
; Categories from which executable downloads are refused (rules 2a-2c
; below). NOTE(review): the names must match the SmartFilter4 database
; in use; confirm the compiler reports a category name it cannot
; resolve rather than letting it match nothing.
define condition BC_Spyware_exe_blocks
  category="Anonymizers"
  category="Anonymizing Utilities"
  category="Criminal Skills"
  category="Drugs"
  category="Extreme"
  category="Gambling"
  category="Gruesome Content"
  category="Hacking"
  category="Hate Speech"
  category="Malicious Sites"
  category="Nudity"
  category="Personal Pages"
  category="Pornography"
  category="Provocative Attire"
  category="School Cheating Information"
  category="Sexual Materials"
  category="Spyware"
  category="Violence"
  category="Weapons"
  category="Web Ads"
  ; Special category "none" matches non-categorized sites
  ; (keeps the check fail-closed for sites the database has not rated)
  category="none"
end

; Denied active content sites
; Superset of BC_Spyware_exe_blocks: the categories in which active
; content (drive-by installs, risky HTML tags, persistent cookies) is
; refused even though plain executable downloads may be allowed.
define condition BC_Spyware_active_content_blocks
  ; Include the categories from exe blocks
  condition=BC_Spyware_exe_blocks
  ; Categories where exe files are fine, but other active content suspicious
  category="Chat"
  category="Forum/Bulletin Boards"
  category="Games"
  category="Internet Radio/TV"
  category="Media Downloads"
  category="P2P/File Sharing"
  category="Resource Sharing"
  category="Shareware/Freeware"
  category="Web Mail"
end
;=========================================================================
; End SmartFilter4 groupings
;=========================================================================
;=======================================================================
; Active-Content patterns - updated 3 Jan 2006
;
; These define what content types are dangerous.
;
; NOTE(review): the extension and Content-Type lists are deny-lists and
; only catch what is enumerated. The SGOS 4.2 data-pattern conditions
; (further below) add a check on the leading bytes of the response body
; for the same types, which is what catches a mislabelled or renamed file.
;=======================================================================
; active-content extensions - those a user doesn't manually select to download
define condition BC_Spyware_active_content_extensions
  url.extension=cab
  url.extension=ocx
  url.extension=dll
  url.extension=bat
  url.extension=cmd
  url.extension=vbs
  url.extension=vb
  url.extension=pif
  url.extension=hlp
  url.extension=msi
  url.extension=scr
  url.extension=wsc
  url.extension=wsh
  url.extension=wsf
  url.extension=hta
  url.extension=class
  url.extension=jar
  url.extension=ani
  url.extension=reg
  url.extension=chm
  url.extension=cpl
  url.extension=wmf
end

; active-content mime types
; Header values are unanchored pattern matches (compare the "^" used
; explicitly in the Location tests later), so "application/cab" also
; matches a value with parameters appended.
; NOTE(review): "java[^s]" requires one character after "java" (it is
; there to exclude "javascript"), so a bare "application/java" value does
; not match; BC_Response_Data_Pattern_jar below uses "java($|[^A-Za-z])"
; for that reason -- consider the same form here.
define condition BC_Spyware_active_content_type
  response.header.Content-Type="application/cab"
  response.header.Content-Type="application/x-compress"
  response.header.Content-Type="application/x-compressed"
  response.header.Content-Type="zz-application/zz-winassoc-cab"
  response.header.Content-Type="application/x-cab-compressed"
  response.header.Content-Type="application/(x-|)java[^s]"
  response.header.Content-Type="(application|image)/(x-|x-ms|x-win-|)(metafile|wmf)"
  ;
  ;The following rules require SGv4.2 features
  ; Body signature AND a Content-Length containing at least two
  ; consecutive digits (both triggers on one line are ANDed).
  ; NOTE(review): the length test presumably guarantees there are bytes
  ; to sniff, but it also means a response with no Content-Length header
  ; (chunked transfer) never reaches the signature check -- confirm that
  ; is intended. Same construction in BC_Spyware_exe_content_type.
#if release.version=4.2..
  condition=BC_Spyware_active_content_data_types response.header.Content-Length="[0-9][0-9]"
#endif
end

; executable extensions - those a user might manually download
define condition BC_Spyware_exe_extensions
  url.extension=exe
  url.extension=com
  url.extension=zip
  url.extension=rar
end

; executable and active content transferred with content-disposition headers
; NOTE(review): "rar" is in BC_Spyware_exe_extensions but not in the
; extension alternation below, so a rar named only in Content-Disposition
; is not caught by rule 2b.
define condition BC_Spyware_exe_active_content_disposition
  ; block obfuscated Mime encoding that could disguise a ".exe"
  ; see: http://seclists.org/lists/bugtraq/2002/Jun/0012.html
  ; (matches RFC 2231 "name*0=" style parameter continuations, which let
  ; the filename be split or encoded so the extension test below would
  ; not see it)
  response.x_header.Content-Disposition = "\*[0-9]+="
  ; block executable and active-content file extensions in Content-Disposition headers
  response.x_header.Content-Disposition = "\.(exe|com|dll|cab|ocx|bat|cmd|vbs|vb|pif|hlp|msi|scr|wsc|wsh|wsf|hta|class|jar|ani|reg|chm|cpl|zip|wmf)($|[^a-z0-9])"
end

; executable mime types
; "application/octet-stream" is the generic binary type, so rule 2c
; (which uses this condition) blocks any unlabelled binary download from
; the BC_Spyware_exe_blocks categories, not only executables.
define condition BC_Spyware_exe_content_type
  response.header.Content-Type="application/octet-stream"
  response.header.Content-Type="application/x-msdownload"
  response.header.Content-Type="application/x-msdos-program"
  response.header.Content-Type="application/rar"
  response.header.Content-Type="application/x-rar"
  ;
  ;The following rules require SGv4.2 features
  ; (see the Content-Length note in BC_Spyware_active_content_type)
#if release.version=4.2..
  condition=BC_Spyware_exe_content_data_types response.header.Content-Length="[0-9][0-9]"
#endif
end

;
; The following set of conditions require SGv4.2 features
; These data patterns will be used to enhance the policy's
; ability to detect the nature of the object being requested.
;
#if release.version=4.2..
;High level patterns
;
; Body-signature union for the drive-by (active content) types. Each
; pattern reads only the first few bytes of the response body, so the
; check is cheap but sees nothing past the leading signature.
define condition BC_Spyware_active_content_data_types
  condition=BC_Response_Data_Type_java_files
  condition=BC_Response_Data_Pattern_cab
  condition=BC_Response_Data_Pattern_windows_hlp
  condition=BC_Response_Data_Pattern_windows_compiled_help_chm
  condition=BC_Response_Data_Pattern_windows_scripting_host_wsh
  condition=BC_Response_Data_Pattern_HypertextApplication_hta
  condition=BC_Response_Data_Pattern_wmf
end
;
; Body-signature union for the executable / archive types.
define condition BC_Spyware_exe_content_data_types
  condition=BC_Response_Data_Pattern_exe_dll_ocx_scr
  condition=BC_Response_Data_Pattern_msi
  condition=BC_Response_Data_Type_compressed_archive
  condition=BC_Response_Data_Pattern_xpi
end
;
; Medium level patterns
define condition BC_Response_Data_Type_java_files
  condition=BC_Response_Data_Pattern_class
  condition=BC_Response_Data_Pattern_jar
end
; "MZ" DOS/PE header: exe, dll, ocx and scr files all start this way.
define condition BC_Response_Data_Pattern_exe_dll_ocx_scr
  http.response.data.2.case_sensitive="MZ"
end
; OLE compound-document signature (the container an msi package uses).
define condition BC_Response_Data_Pattern_msi
  http.response.data.8.regex="^\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
end
; Microsoft cabinet signature.
define condition BC_Response_Data_Pattern_cab
  http.response.data.4.case_sensitive="MSCF"
end
; Mozilla install package: an archive signature plus either the .xpi
; extension or the xpinstall Content-Type. Triggers on one line are
; ANDed; the two lines are alternatives.
define condition BC_Response_Data_Pattern_xpi
  url.extension=xpi condition=BC_Response_Data_Type_compressed_archive
  response.header.Content-Type="application/x-xpinstall" \
    condition=BC_Response_Data_Type_compressed_archive
end
;
;supporting patterns used as part of the high/medium level conditions
;
; Java class-file magic number.
define condition BC_Response_Data_Pattern_class
  http.response.data.4.regex="^\xCA\xFE\xBA\xBE"
end
; A jar is a zip: archive signature plus the .jar extension or a java
; Content-Type. "java($|[^A-Za-z])" also accepts a bare "application/java",
; unlike the "java[^s]" form in BC_Spyware_active_content_type.
define condition BC_Response_Data_Pattern_jar
  url.extension=jar condition=BC_Response_Data_Type_compressed_archive
  response.header.Content-Type="application/(x-)?java($|[^A-Za-z])" \
    condition=BC_Response_Data_Type_compressed_archive
end
;
define condition BC_Response_Data_Type_compressed_archive
  condition=BC_Response_Data_Pattern_zip
  condition=BC_Response_Data_Pattern_rar
  condition=BC_Response_Data_Pattern_ace
end
; zip local-file header.
define condition BC_Response_Data_Pattern_zip
  http.response.data.4.regex.case_sensitive="PK\003\004"
end
define condition BC_Response_Data_Pattern_rar
  http.response.data.4.case_sensitive="Rar!"
end
; NOTE(review): the "**ACE**" marker normally sits at byte offset 7 of an
; ACE archive. If http.response.data.N is the first N bytes of the body,
; a 7-byte window can never contain it -- verify this pattern against a
; real sample.
define condition BC_Response_Data_Pattern_ace
  http.response.data.7.case_sensitive="**ACE**"
end
;
; WinHelp (.hlp) file signature.
define condition BC_Response_Data_Pattern_windows_hlp
  http.response.data.4.regex.case_sensitive="^\?_\x03\x00"
end
; Compiled HTML help (.chm) signature.
define condition BC_Response_Data_Pattern_windows_compiled_help_chm
  http.response.data.4.case_sensitive="ITSF"
end
define condition BC_Response_Data_Pattern_windows_scripting_host_wsh
  http.response.data.12.case_sensitive="[ScriptFile]"
end
; NOTE(review): an .hta normally opens with HTML markup, so this tag name
; rarely falls inside the first 15 bytes; treat this as a weak check.
define condition BC_Response_Data_Pattern_HypertextApplication_hta
  http.response.data.15.case_sensitive="HTA:APPLICATION"
end
; Windows metafile: placeable (Aldus) header, or the standard header.
define condition BC_Response_Data_Pattern_wmf
  http.response.data.4.regex.case_sensitive="^\xD7\xCD\xC6\x9A"
  http.response.data.6.regex.case_sensitive="^.\x00\x09\x00\x00\x03"
end
; Flash signatures. Defined here but not referenced by any rule in this
; file.
define condition BC_Response_Data_Pattern_compressed_flash
  http.response.data.4.regex.case_sensitive="^CWS[0-9]"
end
define condition BC_Response_Data_Pattern_flash
  http.response.data.4.regex.case_sensitive="^FWS[0-9]"
end
#endif

;=======================================================================
; Spyware Agent Patterns - updated 6 Dec 2005
;
; This is intended to enhance spyware detection via request patterns
; eg: user agent in requests
;
; For efficiency this condition uses OR symbols in the pattern match.
; It is equally valid to replace "aaa|bbb" with two lines,
; one testing "aaa" and the other testing "bbb".
; Matching is case-insensitive
;
; NOTE(review): these are unanchored substring alternatives and a few are
; very short ("IST", "mez", "3a", "Wise"), so legitimate agents can match.
; The only rule that uses this condition (below) tags the access log with
; SPYWARE_CLIENT rather than denying, which is the right setting until
; the log has been reviewed for false positives.
;=======================================================================
define condition bc_spyware_policy_spyware_request
  request.header.User-Agent="Gator|FunWebProducts|BigBadProducts"
  request.header.User-Agent="ISEARCHTECH|IOKernel|MyWay"
  request.header.User-Agent="\.exe\|1, 0, 0,|3a|404search"
  request.header.User-Agent="Apropos|Browser Adv|Bundle"
  request.header.User-Agent="EnvoloAutoUpdater|ESB{|ezula"
  request.header.User-Agent="FunWebSearch"
  request.header.User-Agent="Godzilla|HelperH|Hotbar"
  request.header.User-Agent="iefeatsl|IST"
  request.header.User-Agent="istsvc|Kontiki|mez"
  request.header.User-Agent="MGS-Internal-Web-Manager|MyApp"
  request.header.User-Agent="MyTotalSearch|MyTotalSearchSearchAssistant"
  request.header.User-Agent="MyWebSearch|MyWebSearchSearchAssistant|NSISDL"
  request.header.User-Agent="OSSProxy|Peer Points Manager|PeerEnabler"
  request.header.User-Agent="SAH Agent|searchengine2000\.com"
  request.header.User-Agent="Secret Agent|sureseeker\.com|Sidesearch"
  request.header.User-Agent="SideStep Client|SurferPlugin|TIBS Loader"
  request.header.User-Agent="TIBSBrowser|Topconvertingagent|TSA/"
  request.header.User-Agent="UCmore|Visicom Toolbar|Wildtangent"
  request.header.User-Agent="Wildtangent Kernel|Wise"
; NOTE(review): the closing name does not match the defined name
; (bc_spyware_policy_spyware vs. bc_spyware_policy_spyware_request);
; confirm the compiler accepts this, or change it to match.
end condition bc_spyware_policy_spyware

;=======================================================================
; Active-Content stripping - updated 27 Sept 2004
;
; This defines the policy action which removes potentially dangerous
; HTML tags.
;
;=======================================================================
; active content stripper
; NOTE(review): the "<<EOF ... EOF" replacement body of this definition,
; its closing "end", and the layer header for the rule that follows are
; missing from this copy (see the file header); only a stray "<" remains.
define active_content transform_BC_Spyware_StripActiveContent tag_replace object <

; Tag requests from known spyware agents in the access log (log only,
; no deny).
condition=bc_spyware_policy_spyware_request log.rewrite.sc-filter-result("SPYWARE_CLIENT")

;=======================================================================
; Cookie Persistence Modification - updated 07 Sept 2005
;
; Downgrade set-cookie headers from suspicious sites to be non-persistent.
;
; NOTE(review): only the expires= attribute is removed. A Max-Age=
; attribute also makes a cookie persistent on browsers that honour it and
; is left untouched, so this is a partial downgrade.
;=======================================================================
;
;define the action
; Drops "expires=<value>" from Set-Cookie; $(1)/$(2) are the text before
; and after it. The "$" inside [^;$] is a literal character, not an
; anchor, so the value is simply consumed up to the next ";".
define action BC_Spyware_Downgrade_SetCookie
  rewrite(response.header.set-cookie, "(.*)expires=[^;$]+(.*)", "$(1)$(2)")
end
;
;apply the action
; (layer header lost in this copy)
condition=!BC_Spyware_trusted_sites \
  condition=BC_Spyware_active_content_blocks \
  condition=!BC_Spyware_virtual_hostnames action.BC_Spyware_Downgrade_SetCookie(yes)

;=======================================================================
; Spyware active-content and executable blocking - updated 10 Nov 2005
;
; This policy uses previously defined conditions to match all non-whitelist
; sites against three types of policy:
; 1. Is the file extension or content-type of the request a drive-by install type -> Deny
; 2. Is the file extension, content-disposition or content-type an executable file
;    and the category is in the not trusted for executables categories -> Deny
; 3. Is the content a web-page from the non-whitelist sites -> strip risky tags
;
;=======================================================================
; Layer guard (layer header lost in this copy): untrusted site, suspect
; category, and not a virtual hostname. Within the layer the first
; matching rule wins.
condition=!BC_Spyware_trusted_sites \
  condition=BC_Spyware_active_content_blocks \
  condition=!BC_Spyware_virtual_hostnames
; 1a. DENY known active content extensions
;     (only on successful responses; FORCE_DENY overrides any earlier allow)
  condition=BC_Spyware_active_content_extensions \
    http.response.code=(200..299) \
    FORCE_DENY("This request blocked as a spyware $(quot)Drive-by Install$(quot)") \
    log.rewrite.sc-filter-result("SPYWARE/Blocked%20Drive-by%20Install")
; 1b. DENY known active content file types
  condition=BC_Spyware_active_content_type \
    FORCE_DENY("This request blocked as a spyware $(quot)Drive-by Install$(quot)") \
    log.rewrite.sc-filter-result("SPYWARE/Blocked%20Drive-by%20Install")
; 2a. DENY known executable file extensions from suspect categories
; NOTE(review): the intent of 'http.method=GET url.query.regex=!""' is
; presumably to limit 2a to plain GET downloads. Check how an empty regex
; is evaluated on the target release: if "" matches every query string,
; the negated test is never true and 2a never fires (2b/2c still apply).
  condition=BC_Spyware_exe_blocks \
    condition=BC_Spyware_exe_extensions \
    http.response.code=(200..299) \
    http.method=GET url.query.regex=!"" \
    FORCE_DENY("This request blocked as a risky executable file download.") \
    log.rewrite.sc-filter-result("SPYWARE/Blocked%20Executable")
; 2b. DENY executable file extensions in content-dispositions from suspect categories
  condition=BC_Spyware_exe_blocks \
    condition=BC_Spyware_exe_active_content_disposition \
    FORCE_DENY("This request blocked as a risky executable file download.") \
    log.rewrite.sc-filter-result("SPYWARE/Blocked%20Executable")
; 2c. DENY known executable file types from suspect categories
;     (BC_Spyware_exe_content_type includes application/octet-stream, so
;     this also blocks generic binary downloads from those categories)
  condition=BC_Spyware_exe_blocks \
    condition=BC_Spyware_exe_content_type \
    FORCE_DENY("This request blocked as a risky executable file download.") \
    log.rewrite.sc-filter-result("SPYWARE/Blocked%20Executable")
; Section guard for the remaining rules. BC_Spyware_webpage is not
; defined in this copy (see the file header).
[rule] condition=BC_Spyware_webpage ;all further rules in the layer must match
;; 3. Remove object references from HTML in suspect categories
;; [Uncomment the next line to only strip object tags, the pre-v1.2.13 behavior]
; action.BC_Spyware_StripActiveContent(yes)
;;
;; 3a. Remove only object references from HTML instead of all risky tags
;;     (first match wins, so a javascript-safe site never reaches 3b)
  condition=BC_Spyware_Javascript_Safe_Sites action.BC_Spyware_StripActiveContent(yes)
;; 3b. Remove risky tags from HTML in suspect categories
;;     (BC_Spyware_StripRiskyContent is not defined in this copy)
  action.BC_Spyware_StripRiskyContent(yes)

;=======================================================================
; Block Internet Explorer location bar exploit - updated 11 Nov 2005
;
; This policy will prevent downloading of suspicious active content.
;
;=======================================================================
; define IE exploit Javascript
; NOTE(review): the "<<EOF ... EOF" script body, the closing "end", and
; the layer header for the rules that follow are missing from this copy
; (see the file header); only a stray "<" remains.
define javascript BC_Spyware_Protect_IE prolog <

; Layer guard (layer header lost in this copy): untrusted site in a
; suspect category.
condition=!BC_Spyware_trusted_sites condition=BC_Spyware_active_content_blocks
; Do not insert protective javascript for non-graphical browsers
; (trigger-only rule: a match ends the layer with no action taken)
  request.header.user-agent=!"^(Mozilla|Opera)"
; Insert protective javascript into HTML pages for IE browsers
; (BC_Spyware_IE_UserAgents is not defined in this copy)
  condition=BC_Spyware_IE_UserAgents action.BC_Spyware_Protect_IE(yes)

;=======================================================================
; Attack definition - this is a collection of known attack definitions
;
; To use this definition create a policy based on the trigger:
; condition=bc_spyware_policy_attacks
; The suggested action for such a policy is "force_deny("Denial details")",
; thus placing the following lines (without the preceding semi-colons)
; will deny all requests/responses that match recognized attacks:
;
;
; condition=bc_spyware_policy_attacks force_deny("Request/Response denied as potential attack")
;=======================================================================
; NOTE(review): bc_spyware_policy_attacks_request_smuggling (defined
; further down and described there as a sub-condition of this one) is not
; listed here, so the duplicate-Content-Length check is never applied.
; Add "condition=bc_spyware_policy_attacks_request_smuggling" if that is
; unintended.
define condition bc_spyware_policy_attacks
  condition=bc_spyware_policy_attacks_codered
  condition=bc_spyware_policy_attacks_nimda
  condition=bc_spyware_policy_attacks_cert_vu713878
end condition bc_spyware_policy_attacks

; Deny recognized attack traffic, except for virtual hostnames (no real
; server behind them; see BC_Spyware_virtual_hostnames). Layer header
; lost in this copy.
condition=!BC_Spyware_virtual_hostnames condition=bc_spyware_policy_attacks FORCE_DENY("Request/Response denied as potential attack")

;=======================================================================
; Code-Red attack request patterns - updated 19 Feb 2002
;
; This condition will match requests by Code-Red infected machines
; attempting to probe/infect other machines.
;
; This is a sub-condition of the general attacks condition.
;=======================================================================
; ".ida?" followed by at least 230 further characters in the path.
define condition bc_spyware_policy_attacks_codered
  url.path.regex="\.ida\?.{230}"
end condition bc_spyware_policy_attacks_codered

;=======================================================================
; Nimda attack request patterns - updated 25 Mar 2002
;
; This condition will match requests by nimda infected machines
; attempting to probe/infect other machines.
;
; This is a sub-condition of the general attacks condition.
;=======================================================================
; Two alternatives: a host of exactly "www" (presumably the bare Host
; value the probes carry), or the cmd.exe / root.exe / readme.eml paths.
; NOTE(review): reconstructed as two lines (OR); if the original kept
; both triggers on one line they are ANDed -- check the original file.
define condition bc_spyware_policy_attacks_nimda
  url.host.exact=www
  url.path.regex="/system32/cmd\.exe\?|/root\.exe\?|(/readme\.eml$)"
end condition bc_spyware_policy_attacks_nimda

;=======================================================================
; CERT_vu#713878 attack request patterns - updated 14 Jun 2004
;
; This condition will match responses attempting to exploit
; the vulnerability described in CERT vulnerability report 713878
; (see http://www.kb.cert.org/vuls/id/713878 for details).
;
; This is a sub-condition of the general attacks condition.
;=======================================================================
; Both triggers are on one line (ANDed): the Location header starts with
; a URL scheme, and that scheme is not one of the expected web/streaming
; ones. Relative redirects (no scheme) do not match.
define condition bc_spyware_policy_attacks_cert_vu713878
  response.header.Location="^[-a-z]+:" response.header.Location=!"^(https?|ftp|mms[ut]?|rtsp):"
end condition bc_spyware_policy_attacks_cert_vu713878

;=======================================================================
; "HTTP request smuggling" patterns - updated 5 Jul 2005
;
; This condition will match request containing multiple content-length
; headers, which is an illegal request for key to the "request smuggling"
; exploit.
;
; This is a sub-condition of the general attacks condition.
; NOTE(review): it is not referenced by bc_spyware_policy_attacks as
; defined above, so nothing in this file acts on it.
;=======================================================================
define condition bc_spyware_policy_attacks_request_smuggling
  request.header.content-length.count=2..
end condition bc_spyware_policy_attacks_request_smuggling

;=======================================================================
; Alert users of possible Phishing attacks - updated 22 Apr 2005
;
; This policy will insert a banner advising the client of the current
; URL on web pages that contain forms that might submit personal data.
; Included with this warning is a button to disable the display of this
; warning for 30 days.
;
; The javascript insertion only occurs for "active categories" listed
; above which are not in the "trusted sites" list.
;
;=======================================================================
; define phishing protection javascript
; NOTE(review): the "<<EOF" heredoc body is truncated in this copy (see
; the file header). What follows "onload <" is the tail of the script as
; it survived extraction and is kept verbatim; restore the full script
; from the original file.
define javascript BC_Spyware_jDisplayDest onload <'; else { s += ''+h.charAt(i)+''; hasIDN = true; } } if (hasIDN) { s += ' Warning: '; s += 'red '; s += 'characters are non-English and may indicate a falsified site name.'; } return s; } function bluecoat_phishGuardDisable(days) { var ExpireDate = new Date(); ExpireDate.setTime(ExpireDate.getTime() + (days * 86400 * 1000)); cookie_text="BC_Policy_No_PhishGuard=1; path=/;expires="+ ExpireDate+";" document.cookie = cookie_text; document.location.reload(); } if (bluecoat_hasTextEntryForm()) { var p = document.createElement("p"); p.innerHTML = '
'+ 'You are at '+ bluecoat_hostname()+ "
"+ ''+ '
'; document.body.insertBefore(p, document.body.firstChild); } EOF
end

; define phishing action
define action BC_Spyware_aDisplayDest
  transform BC_Spyware_jDisplayDest
end

; define delete_phishguard_disable action
; Strips the opt-out cookie from the forwarded request so it is not sent
; on to the origin server. (The trailing ";" starts an empty comment.)
define action BC_spyware_delete_phishguard_disable
  delete_matching(request.header.cookie, "BC_Policy_No_PhishGuard");
end

; If active category list and not on the trusted list, insert phishing javascript
; (layer guard; layer header lost in this copy)
condition=!BC_Spyware_trusted_sites condition=BC_Spyware_active_content_blocks
; Do not insert PhishGuard for non-graphical browsers
; (trigger-only rule: a match ends the layer with no action taken)
  request.header.user-agent=!"^(Mozilla|Opera)"
; Do not insert PhishGuard if the user requested it disabled
; NOTE(review): the opt-out is a plain client cookie matched by
; substring; any site can set a cookie of this name for its own domain
; and so suppress the banner on itself. Treat it as a user convenience,
; not a control.
  request.header.cookie="BC_Policy_No_PhishGuard=1" action.BC_spyware_delete_phishguard_disable(yes)
; Insert PhishGuard javascript into HTML pages
  action.BC_Spyware_aDisplayDest(yes)

;=======================================================================
; Disallow transfer-encoding - updated 7 Dec 2005
;
; Required for policy notification (Phishing, security advisory ...)
;
; Removing Accept-Encoding from the request stops the server sending a
; compressed body, so the HTML transforms above can be applied.
;
;   action.bc_spyware_policy_ForceUncompressedResponse(yes)
;
;
;=======================================================================
define action bc_spyware_policy_ForceUncompressedResponse
  delete(request.header.Accept-Encoding)
end action bc_spyware_policy_ForceUncompressedResponse

; NOTE(review): as it survives here (layer header lost) this rule has no
; trigger and applies to every request through the proxy, disabling
; response compression for all traffic rather than only for the pages
; being rewritten. Confirm the original layer's scope.
action.bc_spyware_policy_ForceUncompressedResponse(yes)

;=========================================================================
;
; End of Blue Coat ProxySG Spyware control policy using SmartFilter4
;
;=========================================================================