Kudos0

IPS is not blocking content over HTTPS

Hi

I am running OS 10 and the latest Norton version (22.9.1.12). It appears that when testing the IPS module against wicar.org, exploits delivered over SSL were not detected (post version 22.7, IPS should detect attacks using https connections). The same exploits over an http connection were blocked ("Intrusion auto block" setting is off for testing purposes). Is there a Symantec CA that needs to be installed for SSL traffic to be scanned?

https://community.norton.com/en/blogs/product-update-announcements/norto...

Thanks

Replies

Kudos0

Re: IPS is not blocking content over HTTPS

With default settings for my Norton Security with Backup (Premium), I get a page block by Safe Web when I tried to access wicar.org. Detailed report for wicar.org.   https://safeweb.norton.com/report/show?url=http:%2F%2Fwww.wicar.org%2F&p...

Are you bypassing the warning? 

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: IPS is not blocking content over HTTPS

Yes, as I want to test the IPS over SSL protection.

Kudos0

Re: IPS is not blocking content over HTTPS

What browser were you using to test? I just tried all tests with Chrome browser and all tests passed.

Which specific tests did you find that failed? Did they fail if you left the Norton settings to their defaults?

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: IPS is not blocking content over HTTPS

please delete post as I can't delete it

Kudos0

Re: IPS is not blocking content over HTTPS

I also use Chrome, but exploits delivered over HTTP work (I can confirm via the history) but over HTTPS do not.

An example would be:

hxxp://malware.wicar.org/data/ms10_090_ie_css_clip_ie6.html

hxxps://malware.wicar.org/data/ms10_090_ie_css_clip_ie6.html

Kudos0

Re: IPS is not blocking content over HTTPS

If I try to go to hxxps://www.wicar.org I get this error message. It appears wicar does not use https. So you would not be able to test from your second link.


When I try your second link, I get a blank page. Nothing loads. What do you see?

BTW

I submitted the wicar site to Safe Web as a false positive. I received confirmation that it was a false positive, and it should now be considered safe.

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: IPS is not blocking content over HTTPS

All malware is hosted at: http: //malware. wicar. org/, which is the correct address that should be blocked by anti-malware solutions (not this site).

http:// www . wicar . org/


URL: http: // malware. wicar. org/
Detection ratio: 10 / 65
Analysis date: 2017-04-10


The Test Malware! page contains widely abused browser exploits you may safely click on, to test your defences.

http:// www . wicar  . org/
e.g., [SSL]
All Windows 2003/Vista/2008/7/8/10 IE6+
DISCLAIMER: We cannot accept any responsibility or liability for any loss, damage, cost or expense you might incur as a result of the use of, or reliance upon, the materials which appear at this or any linked site.

Kudos0

Re: IPS is not blocking content over HTTPS

Hi @peterweb 

Blank page means exploit execution was successful and NOT blocked by IPS which most likely means IPS doesn't scan over HTTPS. Another example would be the links below

https:// malware . wicar . org/data/ms03_020_ie_objecttype . html <---This is "win32 NT/XP/2003 IE6
MS03-020 Internet Explorer's handling of the OBJECT type attribute CVE-2003-0344" and  if you test the exploit over HTTP it would be blocked as "Web Attack: MS IE Object Type CVE-2003-0344."

The same happens when you download malicious content over HTTPS. The object is not blocked on the network level, which makes sense as there is no Symantec CA root certificate installed in order to decrypt the SSL traffic.

Kudos0

Re: IPS is not blocking content over HTTPS

There is no way to scan HTTPS traffic unless a security vendor uses his own root CA certificate to do so, which results in a MITM situation.

https://www.wilderssecurity.com/threads/risks-of-using-a-v-https-interception-scanning.385828/#post-2588154 

Another thing about SSL scanning is that "it cuts both ways." Since the vendor is using his own root cert., he can very easily unencrypt all your outbound web and client e-mail communication. So potentially the vendor can intercept your web site passwords, etc.

 https://www.wilderssecurity.com/threads/risks-of-using-a-v-https-interception-scanning.385828/#post-2587979

Kudos0

Re: IPS is not blocking content over HTTPS

Hi bjm_

Thanks for the fast response. I am fully aware of this, which is why I mentioned that there is no certificate installed (basically Norton performing MiM).

My question is that since version 22.7 onwards this is a new feature from Norton, how can we enable this feature?

https://community.norton.com/en/blogs/product-update-announcements/norto..

Anyone from Norton that can assist?

Kudos0

Re: IPS is not blocking content over HTTPS

I hear ya'.   FWIW ~ IIRC > IPS w https:// is not at the network layer (as you know).

The IPS (Intrusion Prevention System) included in Norton Security now detects attacks using https connections, and stops those attacks before they take up residence on the device.

Kudos0

Re: IPS is not blocking content over HTTPS

em so what exactly is it? According to the release notes from v 22.7: 

 

The IPS (Intrusion Prevention System) included in Norton Security now detects attacks using https connections, and stops those attacks before they take up residence on the device.

It mentions that it detects attacks using SSL and stops before they are on the device 

Kudos0

Re: IPS is not blocking content over HTTPS

IPS definitions

The intrusion prevention engine and the corresponding set of signatures are installed on the client.  IPS can drop malicious packets, blocking the traffic of an offending IP address, etc.

> think suspicious activity matched to an IPS signature

For known attacks, intrusion prevention automatically discards the packets that match the signatures.

Kudos0

Re: IPS is not blocking content over HTTPS

Hi @bjm_

Not sure what you mean by this :) I understand that IPS definitions would be the ones responsible for detecting such attacks, but my question is rather simple:

Is Norton IPS module able to detect attacks over SSL and if yes where can we turn this on? We have already proved that this is not the case (based on the exploits delivered over SSL in wicar.org) so either we are missing something or Norton 22.7 release notes were inaccurate

Thanks

Kudos0

Re: IPS is not blocking content over HTTPS

M3gatron:

Hi @bjm_

Not sure what you mean by this :) I understand that IPS definitions would be the ones responsible for detecting such attacks, but my question is rather simple:

Is Norton IPS module able to detect attacks over SSL and if yes where can we turn this on? We have already proved that this is not the case (based on the exploits delivered over SSL in wicar.org) so either we are missing something or Norton 22.7 release notes were inaccurate

FWiW ~ I'll presume that Norton IPS would need Signatures that match wicar.org exploits to satisfy your testing.
AFAIK ~ when IPS is On then IPS is on.

Norton firewall focuses on the source, destination and type of traffic, IPS works by scanning the actual traffic entering and leaving your computer to look for anomalous traffic. The main new feature is the ability to scan HTTPS streams as well as HTTP.  We are scanning the traffic on HTTPS connections that previously went unscanned. This allows us to detect attacks that hide inside the HTTPS connection. Ultimately we 'see' the data that enters and leaves the HTTPS connect without having to monitor it, but by monitoring the connection we are able to spot exploit-based attacks. (internal source)

Let's hear from Community.

Kudos0

Re: IPS is not blocking content over HTTPS

You do not turn it on. It is there if you have IPS running. It is not a separate setting.

Things happen. Export/Backup your Norton Password Manager data.
Kudos1 Stats

Re: IPS is not blocking content over HTTPS

Thanks for the reply. The problem that I have is that with up-to-date IPS definitions, exploits are detected and blocked if delivered via HTTP, but the exact same exploit is not detected if delivered via HTTPS, and therefore I am trying to understand:

1) Does IPS over SSL actually work?
2) If yes, how, since Norton is not intercepting SSL traffic (by means of performing MiM techniques)?
3) IPS definitions are up to date, since we are talking about the same exact exploit delivered over HTTP and it is detected.

I have contacted Norton support via chat and they were unable to assist me; they mentioned to post the question in the community forums as there are developers here as well. I would also appreciate it if someone could contact me from customer support regarding this case, as I would not expect Norton support pointing users to the community to get support answers. My expectation was for level 1 support to escalate the ticket internally to level 2 etc.
Kudos1 Stats

Re: IPS is not blocking content over HTTPS

FYI (in case someone from Norton would need to jump in, as this is a perfect opportunity):

- I have tried to contact Norton Support (chat) before and they advised me that someone from Norton would be replying to this thread (that didn't happen; happy to provide ticket number).
- I then contacted Symantec, as the virus submission ack email was asking to "contact Symantec support", but no luck either as they would require a business support contract (again, happy to provide Norton with ticket numbers and conversation history if anyone from Norton wants to have a look).
- Unfortunately the IPS module over HTTPS doesn't seem to work correctly in my tests (exploits delivered over HTTPS).

Kudos0

Re: IPS is not blocking content over HTTPS

FWIW ~ based upon examples Permalink

look at File name & downloaded file analysis

URL: http  malware.wicar.org/data/ms10_090_ie_css_clip_ie6.html
Detection ratio: 10 / 68
Analysis date: 2017-01-15 18:52:10 UTC ( 3 months ago )
File scan: Go to downloaded file analysis

URL: https  malware.wicar.org/data/ms10_090_ie_css_clip_ie6.html
Detection ratio: 8 / 64
Analysis date: 2017-04-19 15:03:04 UTC ( 0 minutes ago )
File scan: Go to downloaded file analysis

Kudos0

Re: IPS is not blocking content over HTTPS

Hi bjm_. Do not look at the file analysis. We are talking about the IPS module and whether the IPS signature triggers over https. You can try yourself and you will see that the file is detected as malicious (when browsing to the https site), which means it completely bypassed the IPS protection and it was just detected by the AV engine.
Kudos1 Stats

Re: IPS is not blocking content over HTTPS

M3gatron
I'm trying to show same "file name" and same "signature"

FWIW ~ I'm trying to bolster your observation.

Kudos0

Re: IPS is not blocking content over HTTPS

Hello

Norton can't scan anything over SSL. That's why email scanning is limited to ports 25 and 80. Don't know if this has anything to do with what you are trying to find out.

Thanks.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos2 Stats

Re: IPS is not blocking content over HTTPS

floplot:

Norton can't scan anything over SSL.

The issue is that Norton announced this:

What's New:

  • The IPS (Intrusion Prevention System) included in Norton Security now detects attacks using https connections, and stops those attacks before they take up residence on the device.

 https://community.norton.com/en/blogs/product-update-announcements/norto...

Kudos0

Re: IPS is not blocking content over HTTPS

So, IPS is / is not blocking content over HTTPS ?

Or, maybe just not blocking wicar.org/test-malware ?

Kudos0

Re: IPS is not blocking content over HTTPS

? > any chance wicar test page behaves unexpected because vulnerability is patched or no longer relevant. 

Kudos0

Re: IPS is not blocking content over HTTPS

Anyone from Norton (@Sunil_GA) to confirm the IPS functionality?

Kudos0

Re: IPS is not blocking content over HTTPS

M3gatron:

Anyone from Norton (@Sunil_GA) to confirm the IPS functionality?

@Sunil_GA

Kudos3 Stats

Re: IPS is not blocking content over HTTPS

Thank you M3gatron for posting your question about HTTPS support by IPS. I apologize for the delay; I've been working with our teams in Norton. We have confirmed that what you see is the correct behavior, as the feature is only applicable to IE and Firefox at this time. The implementation for Google Chrome is on its way and will be included as part of the next major release. Based on your problem description, it looks like you’re running your test with Google Chrome. Can you confirm?

Norton uses its own proprietary technology to scan HTTPS traffic that is not based on decrypting it or using SSL certificates. The feature is ON by default and hence no further actions are required to benefit from the feature.

I'm also sorry that this information wasn't included with the 22.7 announcement. I'm in the process of updating that announcement with the information. Again, thank you for posting your question and let me know if you have any further questions or concerns.

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation
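
The thread's core observation, as an added example that is not part of any post and does not model Norton's proprietary method: the same response body run through a content-signature check at three inspection points (plaintext HTTP on the wire, a TLS record on the wire, and inside the TLS endpoint after decryption). The marker string, the session key and the SHA-256 keystream standing in for a real TLS cipher are all constructed for illustration.

```python
import hashlib

# Constructed, harmless marker standing in for an IPS content signature.
SIGNATURE = b"CONSTRUCTED-IPS-TEST-MARKER"

def signature_hit(data: bytes) -> bool:
    """Byte-pattern match, as a content-inspecting IPS applies to a payload."""
    return SIGNATURE in data

def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stand-in for a TLS record cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    stream = keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))

toy_decrypt = toy_encrypt  # XOR stream cipher: same operation both ways

def build_response(body: bytes) -> bytes:
    head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    return head + body

def tls_record(key: bytes, plaintext: bytes) -> bytes:
    """Wrap ciphertext in an application-data record header (0x17, TLS 1.2)."""
    ct = toy_encrypt(key, plaintext)
    return b"\x17\x03\x03" + len(ct).to_bytes(2, "big") + ct

def inspect_all(body: bytes, session_key: bytes) -> dict:
    """Apply the same signature at each inspection point."""
    response = build_response(body)
    record = tls_record(session_key, response)
    return {
        # Packet-level IPS looking at plain HTTP sees the body as sent.
        "wire_http": signature_hit(response),
        # The same IPS looking at HTTPS sees only ciphertext.
        "wire_https": signature_hit(record),
        # Assumption: a component inside the TLS endpoint (for example the
        # browser process) sees plaintext without any intercepting root CA.
        "endpoint_after_decrypt": signature_hit(
            toy_decrypt(session_key, record[5:])),
    }

if __name__ == "__main__":
    body = b"<html><body>" + SIGNATURE + b"</body></html>"
    for point, hit in inspect_all(body, b"constructed-session-key").items():
        print(f"{point:24} {'BLOCK' if hit else 'no match'}")
```

A result that differs per browser, as reported in this thread, is consistent with the third inspection point, since that visibility depends on integration with each TLS endpoint rather than on the network path.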
Kudos0

Re: IPS is not blocking content over HTTPS

Hi @Tony_Weiss

Thanks for the clarification on this feature  

Indeed the same traffic tested above is blocked by the IPS module (tested with wicar.org serving exploits over HTTPS) when using Firefox v53. Testing with Microsoft Edge doesn't block the specific tests. (I assume that when you reference IE you do not include Edge.)

Internet Explorer V11.0.1563 does block eicar over HTTPS with the IPS module but does not block a few of the wicar exploits tested (example below for CVE-2014-6332).

Thanks for taking the time to update the announcement, as Norton users post v22.7 expected, based on the announcement, that Norton IPS would be able to protect them for HTTPS websites regardless of the browser, which is simply not a correct statement. Do you know what the ETA for Chrome and Microsoft Edge (default for Windows 10) is?

Kudos0

Re: IPS is not blocking content over HTTPS

@Tony_Weiss

Thanks for responding after my Inside Thread. Please see the above. Since M3gatron can't do it himself/herself, I'm sending this. Permalink

Thanks

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
