Spyware Blocker
From UntangleWiki
About Spyware Blocker
Spyware Blocker is a compilation of several open source projects. Spyware Blocker examines web requests from your protected network, and does the following:
- Uses virus signatures to detect and identify specific viruses.
- Prevents keyloggers, computer programs that capture and store the keystrokes of a computer user.
- Provides a URL blacklist to block known spyware websites (for example, www.gator.com).
- Provides a URL blacklist to block websites that require cookies.
- Blocks harmful ActiveX controls that are known to be spyware applications.
- Examines the IP addresses of websites that users visit, and compares them to a list of offending subnets.
In the unusual event that members of your organization visit a legitimate website that Spyware Blocker deems malicious, the Untangle Server's interface enables you to create exception rules to remove this website from Spyware Blocker's blacklist.
About ActiveX Controls
Many websites use a Microsoft technology called ActiveX controls to add additional software to your computer. There are two types of ActiveX controls:
- Trusted ActiveX controls. Helpful ActiveX controls that allow you to download plug-ins/add-ons from websites.
- Malicious ActiveX controls. Harmful ActiveX controls that provide intruders the ability to install spyware, pop-ups, and harmful software programs that compromise your network security.
If you install Macromedia Shockwave Player, the website needs permission to download ActiveX controls as shown in Figure, Installing ActiveX Controls for Macromedia Shockwave Player. Because you initiated the download from Adobe's official website, you trust that Adobe is not going to install malicious ActiveX controls, so you continue with the installation. However, many unofficial websites distribute malicious ActiveX controls.
Unblocking Spyware Websites
If a trustworthy user within your protected network needs to visit a site that is listed on one of the block lists because it is known to download spyware, you can unblock that website; in fact, Untangle recommends that you do so in order to maintain the highest workplace productivity.
If you need to prevent a website from being categorized as spyware, Untangle recommends that you not remove that site's data from one of the block lists. Instead, add that website to the pass list or use the Spyware Blocker's quick-passlist as outlined in this procedure. If you want specific users to have this privilege, but not all users, create a virtual rack for the users that need quick-passlist privileges.
To unblock a spyware website:
- From Spyware Blocker, click the Show Settings button.
- Do one of the following:
  - If you want to enable users to decide for themselves or others or both whether or not to block a known spyware website, specify a quick-passlist:
    - Click the General Settings tab.
    - For the quick-passlist setting, select User Only or User Global:
      - User Only. Enables the user who visits the spyware website to unblock that site for himself/herself. When the user visits a spyware website, the user receives a warning stating that it is a known spyware site. The user can bypass the warning and visit the site, or choose not to launch the website. If the user bypasses the warning, Spyware Blocker no longer alerts the user if the user visits that spyware site in the future. If the user chooses not to launch the website, Spyware Blocker alerts the user to the hazard of launching a spyware site the next time the user visits the website.
      - User and Global. Enables any user to visit the spyware website and unblock that site for himself/herself and all other users. When the user visits a spyware website, the user receives a warning stating that it is a known spyware site. The user can bypass the warning and visit the website, or choose not to launch the website. If the user bypasses the warning, Spyware Blocker no longer alerts any user who visits that spyware site in the future. If the user chooses not to launch the site, Spyware Blocker continues to alert the user to the hazard of launching a spyware site.
  - If you want to be the person to block specific sites, create a pass list.
    - Click the Pass List tab.
    - Click the add (plus) button to the left of the table. A row appears with the pass check box selected.
    - In the new entry, type the domain name that you want to unblock. The domain field is the only required field. The format of the domain is http://approved_domain where approved_domain is replaced with the approved domain. Although it may seem that one could enter a full URL path into the domain field, the field only handles top-level domains. For example, attempting to place http://some_domain.com/site1 into the pass list causes all paths at http://some_domain.com to be passed (such as http://some_domain.com/site2).
Tip: Administrators can enable/disable a domain from being bypassed by selecting the pass check box.
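The domain-only behavior of the pass list described above can be checked before saving an entry. The following is an added example, not Untangle's code: it models the matching as an exact host comparison (an assumption; the page does not say how subdomains are treated), and the function names `parse_entry`, `overly_broad_entries` and `is_passed` are hypothetical. It flags entries whose path would be silently dropped, so an administrator can see that the whole domain is being passed.

```python
from urllib.parse import urlsplit


def parse_entry(entry):
    """Reduce a pass-list entry to (domain, path_dropped).

    path_dropped is True when the entry carried a path or query that a
    domain-only pass list ignores, meaning the entry is broader than typed.
    """
    raw = entry.strip()
    if "://" not in raw:
        raw = "http://" + raw  # accept bare domains as well as http:// entries
    parts = urlsplit(raw)
    if not parts.hostname:
        raise ValueError(f"no domain in pass-list entry: {entry!r}")
    domain = parts.hostname.rstrip(".")  # hostname is already lower-cased
    path_dropped = parts.path not in ("", "/") or bool(parts.query)
    return domain, path_dropped


def overly_broad_entries(entries):
    """Return {entry: domain} for entries whose path will not be honored."""
    broad = {}
    for entry in entries:
        domain, path_dropped = parse_entry(entry)
        if path_dropped:
            broad[entry] = domain
    return broad


def is_passed(url, entries):
    """True if url's host equals the domain of any pass-list entry.

    Exact host match is an assumption of this model, not documented behavior.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    host = host.rstrip(".")
    return any(parse_entry(e)[0] == host for e in entries)


if __name__ == "__main__":
    # Constructed sample pass list, using the page's own example domain.
    pass_list = ["http://some_domain.com/site1", "http://approved_domain"]
    for entry, domain in overly_broad_entries(pass_list).items():
        print(f"{entry}: path ignored, every path at {domain} is passed")
    print(is_passed("http://some_domain.com/site2", pass_list))
```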
Unblocking ActiveX Controls
As shown in Figure, Do Not Unblock Malicious ActiveX Controls, Spyware Blocker provides you the ability to unblock ActiveX Controls. However, Untangle recommends that you not unblock any default ActiveX controls because these are known to be malicious ActiveX controls. If you add any additional ActiveX controls to the Spyware Blocker, you can then use the block check box to enable and disable this ActiveX control to ensure that you are properly identifying the ActiveX control.
Blocking Additional ActiveX Controls
To block additional ActiveX Controls:
- From Spyware Blocker, click the Show Settings tab.
- Click the Block Lists tab, and click the ActiveX List tab. The table that appears contains known malicious ActiveX controls, so do not clear the block check box.
- Click the plus (add) button to the left of the table. A new row appears with the block check box selected.
- Add the identification of the ActiveX control, and click the Save Settings tab.
- Contact Untangle Technical Support to inform us of the new malicious ActiveX control that you identified as Untangle constantly improves its products.
Blocking All ActiveX Controls
If your end-users do not have job responsibilities that require them to download plug-ins, you might want to block all ActiveX controls—both malicious and helpful ActiveX controls. Spyware Blocker provides a long list of known malicious ActiveX controls, but this list is incomplete because not all malicious ActiveX controls are known by the Internet community.
To block all ActiveX Controls:
- From Spyware Blocker, click the General Settings tab.
- For the block all ActiveX setting, select the setting value check box.
- Click the Save Settings button.
About Spyware Blocker Event Log
Use the following terms and definitions to understand the Spyware Blocker Event Log:
- timestamp. The time the event took place.
- action. The action which took place (e.g. block).
- client. The client IP address of the traffic.
- request. A description of the request made (e.g. http://someurl/somepath.html).
- reason for action. The reason the action was taken (e.g. in URL list).
- server. The server IP address of the traffic.




