Spyware Blocker

From UntangleWiki


Untangle Server User's Guide


About Spyware Blocker

Spyware Blocker is a compilation of several open source projects. Spyware Blocker examines web requests from your protected network and does the following:

  • Uses virus signatures to detect and identify specific viruses.
  • Prevents keyloggers, computer programs that capture and store the keystrokes of a computer user.
  • Provides a URL blacklist to block known spyware websites (for example, www.gator.com).
  • Provides a URL blacklist to block websites that require cookies.
  • Blocks harmful ActiveX controls that are known to be spyware applications.
  • Examines the IP addresses of websites that users visit, and compares them to a list of offending subnets.

In the unusual event that members of your organization visit a legitimate website that Spyware Blocker deems malicious, the Untangle Server's interface enables you to create exception rules to remove this website from Spyware Blocker's blacklist.


Settings

This section reviews the different settings and configuration options available for Spyware Blocker.


Block Lists

This tab controls the different mechanisms to classify and block content. Using this tab, you can selectively block spyware and ad URLs, cookies, and ActiveX controls.


Blocking Spyware Websites

Just make sure Block Spyware & Ad URLs is checked and Spyware Blocker will be working. For more information on the User Bypass setting, see Unblocking Spyware Websites.


Blocking Cookies

If Block Tracking & Ad Cookies is checked, these cookies will be blocked by Untangle. If you need to add more, you can simply click manage list and enter a URL or IP - make sure Block is checked or nothing will happen!


Blocking ActiveX Controls

To block additional ActiveX Controls:

  1. From Spyware Blocker, click the Settings tab.
  2. Click the Block Lists tab, and click the manage list button under the ActiveX section. The table that appears contains known malicious ActiveX controls, so do not clear the block check box.
  3. Click the plus (add) button to the left of the table. A new row appears with the block check box selected.
  4. Add the identification of the ActiveX control, and click the Save button.
  5. Contact Untangle Technical Support to inform us of the new malicious ActiveX control that you identified, as Untangle constantly improves its products.


Blocking All ActiveX Controls


If your end-users do not have job responsibilities that require them to download plug-ins, you might want to block all ActiveX controls—both malicious and helpful ActiveX controls. Spyware Blocker provides a long list of known malicious ActiveX controls, but this list is incomplete because not all malicious ActiveX controls are known by the Internet community.

To block all ActiveX Controls:

  1. From Spyware Blocker, click the Settings button.
  2. Select the Block All ActiveX check box.
  3. Click the OK button.


Monitoring Suspicious Traffic

This option allows you to log traffic going to known advertising and tracking companies; the traffic is logged but not blocked. You can add your own entries using the manage list button.


Pass List

Pass Lists are used to pass content that would have otherwise been blocked. This can be useful for "unblocking" sites that require functionality impaired by Spyware Blocker or allowing certain users special privileges.


Unblocking Spyware Websites

If a trustworthy user within your protected network needs to visit a site that is listed on one of the block lists because it is known to download spyware, you can unblock that website; in fact, Untangle recommends that you do so in order to maintain the highest workplace productivity.

If you need to prevent a website from being categorized as spyware, you can add that site to the pass list or use the Spyware Blocker's quick-passlist as outlined in this procedure. If you want specific users to have this privilege, but not all users, create a virtual rack for the users that need quick-passlist privileges.

To unblock a spyware website:

  1. From Spyware Blocker, click the Settings button.
  2. Do one of the following:
    • If you want to enable users to decide for themselves or others or both whether or not to block a known spyware website, specify a quick-passlist:
      1. Click the Block Lists tab.
      2. For the User Bypass setting, select Temporary or Permanent and Global:
        • Temporary. Enables the user who visits the spyware website to unblock that site for himself/herself for 1 hour. When the user visits a spyware website, the user receives a warning stating that it is a known spyware site. The user can bypass the warning and visit the site, or choose not to launch the website. If the user bypasses the warning, Spyware Blocker no longer alerts the user if the user visits that spyware site within the 1 hour timeframe. If the user chooses not to launch the website, Spyware Blocker alerts the user to the hazard of launching a spyware site the next time the user visits the website.
        • Permanent and Global. Enables any user who visits the spyware website to unblock that site for himself/herself and all other users. When the user visits a spyware website, the user receives a warning stating that it is a known spyware site. The user can bypass the warning and visit the website, or choose not to launch the website. If the user bypasses the warning, Spyware Blocker no longer alerts any user who visits that spyware site in the future. If the user chooses not to launch the site, Spyware Blocker continues to alert the user to the hazard of launching a spyware site.
    • If you want to unblock specific sites for all users, create a pass list.
      1. Click the Pass List tab.
      2. Click the add (plus) button to the left of the table. A row appears with the pass check box selected.
      3. In the new entry, type the domain name that you want to unblock. The Domain field is the only required field. The format of the domain is http://approved_domain where approved_domain is replaced with the approved domain. Although it may seem as though one could enter a full URL path into the Domain field, it only handles the domain itself, not a path beneath it. For example, attempting to place http://some_domain.com/site1 into the pass list causes all paths at http://some_domain.com to be passed (such as http://some_domain.com/site2).

    Tip: Administrators can enable/disable a domain from being bypassed by selecting the pass check box.
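
The scope rule from step 3 of the pass list procedure, as an added example that is not Untangle's own code: it reduces each pass-list entry to the domain that is actually matched and flags entries where a path was typed and will be ignored. The function names are hypothetical, and exact host matching is an assumption, since the page does not describe how subdomains are treated.

```python
from urllib.parse import urlsplit

# Constructed sample pass list; the first entry is the one from the text above.
PASS_LIST = ["http://some_domain.com/site1", "http://partner.example"]

def _split(entry):
    """Parse an entry as typed, accepting a bare domain without a scheme."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry
    return urlsplit(entry)

def effective_domain(entry):
    """Return the domain an entry really covers (any path is dropped)."""
    host = _split(entry).hostname
    if not host:
        raise ValueError(f"no domain in pass-list entry: {entry!r}")
    return host.rstrip(".")

def audit_pass_list(entries):
    """Return (domain, warning) per entry; warning is None when the
    entry is already a plain domain."""
    report = []
    for raw in entries:
        parts = _split(raw)
        domain = effective_domain(raw)
        extra = parts.path.strip("/") or parts.query
        warning = None
        if extra:
            warning = (f"path ignored: every URL on {domain} is passed, "
                       f"not only {raw}")
        report.append((domain, warning))
    return report

def is_passed(url, entries):
    """Assumed semantics: a request is passed when its host equals the
    domain of any entry, whatever path the entry was typed with."""
    return effective_domain(url) in {effective_domain(e) for e in entries}

if __name__ == "__main__":
    for domain, warning in audit_pass_list(PASS_LIST):
        print(domain, "-", warning or "ok")
    print(is_passed("http://some_domain.com/site2", PASS_LIST))
```
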


Unblocking ActiveX Controls

Spyware Blocker provides you the ability to unblock ActiveX Controls. However, Untangle recommends that you do not unblock any that are blocked by default, because these are known to be malicious. If you add any additional ActiveX controls to Spyware Blocker, you can then use the block check box to enable and disable individual ActiveX controls to ensure that you are properly identifying them.


Event Log

Use the following terms and definitions to understand the Spyware Blocker Event Log:

  • timestamp: The time the event took place.
  • action: The action which took place (e.g. block).
  • client: The client IP address of the traffic.
  • request: A description of the request made (e.g. http://someurl/somepath.html).
  • reason for action: The reason the action was taken (e.g. in URL list).
  • server: The server IP address of the traffic.
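
One way to review these fields when deciding what belongs on the Pass List, as an added example that is not part of the Untangle product: it groups blocked events by requested domain and counts distinct clients. The records are constructed samples keyed by the field names above; the dictionary layout, the "pass" action value, the second reason string and the function name are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def _ev(ts, action, client, request, reason, server):
    return {"timestamp": ts, "action": action, "client": client,
            "request": request, "reason for action": reason, "server": server}

# Constructed sample events (documentation IP ranges, made-up times).
EVENTS = [
    _ev("09:14:07", "block", "192.168.1.21", "http://somesite.com/index.html", "in URL list", "203.0.113.10"),
    _ev("09:15:42", "block", "192.168.1.34", "http://somesite.com/login", "in URL list", "203.0.113.10"),
    _ev("09:20:03", "block", "192.168.1.57", "http://somesite.com/", "in URL list", "203.0.113.10"),
    _ev("09:21:00", "block", "192.168.1.88", "http://tracker.example/a.gif", "in subnet list", "198.51.100.7"),
    _ev("09:21:05", "block", "192.168.1.88", "http://tracker.example/b.gif", "in subnet list", "198.51.100.7"),
    _ev("09:21:09", "block", "192.168.1.88", "http://tracker.example/c.gif", "in subnet list", "198.51.100.7"),
    _ev("09:21:14", "block", "192.168.1.88", "http://tracker.example/d.gif", "in subnet list", "198.51.100.7"),
    _ev("09:30:00", "pass", "192.168.1.21", "http://partner.example/", "in pass list", "192.0.2.5"),
]

def blocked_by_domain(events):
    """Summarise blocked requests per domain: hit count, distinct clients
    and the reasons logged. Sorted with the widest client spread first."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set(), "reasons": set()})
    for ev in events:
        if ev["action"] != "block":
            continue
        # Fall back to the server address if the request has no host part.
        domain = urlsplit(ev["request"]).hostname or ev["server"]
        row = summary[domain]
        row["hits"] += 1
        row["clients"].add(ev["client"])
        row["reasons"].add(ev["reason for action"])
    return sorted(summary.items(),
                  key=lambda kv: (-len(kv[1]["clients"]), -kv[1]["hits"], kv[0]))

if __name__ == "__main__":
    for domain, row in blocked_by_domain(EVENTS):
        print(domain, row["hits"], "hits from", len(row["clients"]), "client(s)",
              sorted(row["reasons"]))
```

A domain blocked for many different clients matches the FAQ case of a site users legitimately need and is a candidate for Pass List review; repeated blocks from a single client are a reason to inspect that machine first.
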


Spyware Blocker FAQs

My users complained that they cannot connect to somesite.com, and it keeps showing up in my Event Log as blocked. How can I stop somesite.com from being blocked?

You can add a rule to the Pass List for somesite.com, as described in Unblocking Spyware Websites.


While I agree that ActiveX is something I would like to keep out of my network, one of our business partner's sites requires ActiveX. How should I configure my system?

First, disable all ActiveX Controls as described in Blocking All ActiveX Controls. Then, exclude your business partner from this restriction by adding the business partner's domain to the Pass List as described in Unblocking Spyware Websites.