In the age of the digital economy, web applications have become the lifeblood of corporations, and protecting them is paramount for productivity and profitability. Web servers that allow file uploads are prime targets for malware attacks on the client side, the server side, or both. An uploaded file can carry malicious code in the form of an exploit, virus, Trojan, or other malware, which can be used to gain control of the web server. For example, PHP code can be hidden inside an image file that still appears to be an ordinary image; when the image is opened, the hidden code is executed as well. A file can also contain scripts or tags that exploit other well-known web application vulnerabilities, such as Cross-Site Scripting (XSS). A misconfigured web application can likewise be compromised by uploading a file, executing a web shell, and moving laterally within the web server to reach sensitive information and exfiltrate data. On the client side, uploaded malicious files can expose the website to Cross-Site Scripting or Cross-Site Content Hijacking; the upload may also target the clients themselves, with the web application serving merely as a distribution channel.

Furthermore, advanced attacks can leverage productivity files distributed by your web application. These files seem innocent, but on execution the malware tries to download a malicious payload that runs only in memory, leaving no trace on disk. This is hard to track, and during incident response analysis the typical conclusion may point the finger at the web application even though the traffic seemed legitimate.

A worrying trend is the use of PowerShell as an attack vector, with macros as the onboarding mechanism. For example, in the past two years attackers have used PowerShell to deploy Trojan.Kotver, obfuscated in the registry as a fileless infection, to steal financial data.

Attackers often use multiple vectors to distribute malicious code. One worrying example is the installation of application backdoors that communicate with their Command and Control (C&C) servers and proceed to exfiltrate data. Moreover, in some cases malware can use application servers to communicate directly with the C&C and thereby bypass firewall rules. Typical security controls cannot understand and block such clever means of data theft, and even when they occasionally do, threat actors can establish a foothold behind the firewall, steal credentials, move laterally and finally exfiltrate data. Without thorough inspection of files (including verification of file type, examination of embedded active objects and the ability to verify that content is malware-free), other security mitigation approaches fall short.

To address the challenges posed by file uploads and files attached to emails, F5 has teamed up with OPSWAT to provide comprehensive content analysis and sanitization. All F5 products that expose an ICAP interface, such as BIG-IP LTM, BIG-IP ASM, Advanced WAF, and SSL Orchestrator, can take full advantage of OPSWAT's MetaDefender capabilities. These include thorough malware scanning using over 30 leading anti-malware engines, as well as Content Disarm and Reconstruction (CDR) services for file sanitization and vulnerability assessment.

OPSWAT Deployment In F5 Ecosystem

MetaDefender Integration With F5 BIG-IP

OPSWAT's independently deployable MetaDefender is built on proven technology that offers the in-depth, customizable logic of OPSWAT Multiscanning for granular content inspection, broader file type analysis, archive extraction, and the ability to remove all traces of detected malware from files without impacting usability or productivity. MetaDefender CDR detects and disables malicious active objects such as embedded macros, scripts (e.g. JavaScript), OLE objects, ActiveX controls and other potentially harmful elements. MetaDefender integrates seamlessly to protect both file uploads (REQMOD) and file downloads (RESPMOD), and can be deployed on-premises where a secure data workflow is of critical importance.

Abstraction Of MetaDefender Platform

ICAP performs content manipulation as a service for the appropriate client HTTP request or HTTP response; this service is also referred to as "content adaptation." Ready-made F5 iApp templates for MetaDefender simplify configuration: the profile settings for application services are automated through a wizard. Once the iApp script runs, a profile is established and the MetaDefender ICAP pool is defined. All that remains is to enable the profiles in the relevant field on the Virtual Server(s).

F5 Advanced WAF/BIG-IP ASM acts as an ICAP client that forwards traffic to the ICAP server (MetaDefender) to support business-critical use cases such as file upload. The ICAP server executes its transformation service on the messages and sends responses back to the F5 Advanced WAF/BIG-IP ASM.

MetaDefender performs malware detection and data sanitization through CDR, and returns one of the following:

  • A blocking page, indicating that the content is either malicious or not in accordance with the defined policies
  • Modified data (sensitive information and/or a potentially malicious payload removed through CDR)
  • A clean bill of health for the examined files
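The REQMOD exchange behind those three outcomes, as an added example (not code from the article, F5 or OPSWAT), assuming a placeholder ICAP host and service path: it builds the ICAP message that encapsulates an HTTP upload per RFC 3507 and reads the reply, using the Encapsulated header to tell a block page (res-hdr) from a CDR-modified request (req-hdr) and a 204 for unchanged content.

```python
# Added example; not code from the article, F5 or OPSWAT. Builds an ICAP REQMOD
# message wrapping an HTTP file upload (RFC 3507) and maps the ICAP server's reply
# onto the three outcomes the article lists. Host, service path and payloads are
# constructed placeholders.
def build_reqmod(icap_host: str, service: str, http_req_hdr: bytes, body: bytes) -> bytes:
    """Wrap an HTTP request for a REQMOD service; the body travels chunked."""
    if body:
        enc = b"req-hdr=0, req-body=%d" % len(http_req_hdr)
        payload = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:  # no body: RFC 3507 uses null-body instead of req-body
        enc = b"null-body=%d" % len(http_req_hdr)
        payload = b""
    host = icap_host.encode()
    icap_hdr = (b"REQMOD icap://%s/%s ICAP/1.0\r\nHost: %s\r\n"
                b"Allow: 204\r\n"  # we can accept "204 No Content" = unchanged
                b"Encapsulated: %s\r\n\r\n" % (host, service.encode(), host, enc))
    return icap_hdr + http_req_hdr + payload

def classify_icap_response(raw: bytes) -> dict:
    """Map the ICAP status line and Encapsulated header to a verdict."""
    head, _, _payload = raw.partition(b"\r\n\r\n")
    status_line, *hdr_lines = head.split(b"\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in hdr_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    enc = headers.get("encapsulated", "")
    if status == 204:
        verdict = "clean"     # upload passes through unmodified
    elif status == 200 and "res-hdr" in enc:
        verdict = "blocked"   # server substituted its own HTTP response (block page)
    elif status == 200 and "req-hdr" in enc:
        verdict = "modified"  # request forwarded with a CDR-sanitized body
    else:
        verdict = "error"     # ICAP failure: the file was not scanned
    return {"status": status, "verdict": verdict}

# Constructed sample messages (63 = len(UPLOAD_HDR), 51 = length of the block page headers)
UPLOAD_HDR = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\n"
CLEAN_REPLY = b"ICAP/1.0 204 No Content\r\nISTag: \"sample\"\r\n\r\n"
BLOCK_REPLY = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=51\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n7\r\nBlocked\r\n0\r\n\r\n")
MODIFIED_REPLY = (b"ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, req-body=63\r\n\r\n"
                  + UPLOAD_HDR + b"5\r\nclean\r\n0\r\n\r\n")

if __name__ == "__main__":
    for r in (CLEAN_REPLY, BLOCK_REPLY, MODIFIED_REPLY):
        print(classify_icap_response(r))
```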

Content Disarm and Reconstruction (CDR) In Action

One of the greatest benefits of using the MetaDefender ICAP Server is the one-step configuration at the beginning of the integration. All future updates and enhancements can be rolled in without additional integration effort. Moreover, automating traffic steering by offloading file inspection to MetaDefender reduces administrative costs and enables DevSecOps to gain more value from investments already made in security services.

F5 Advanced WAF and OPSWAT MetaDefender file content security

To enable comprehensive malware checking and data sanitization capability in Advanced WAF/BIG-IP ASM, you should configure the system to connect with the OPSWAT MetaDefender ICAP Server.

First, import the iApp Template from OPSWAT's GitHub account.

OPSWAT iApp Template List

Second, create an Application using the newly imported template, opswat_metadefender_icap.

OPSWAT Template Import

This generates the ICAP profiles and the MetaDefender ICAP Virtual Server (shown in the screenshot below):

Then, once the previous steps are completed, apply the new profiles in the web application's Virtual Server (select Advanced) and choose the MetaDefender ICAP Request and/or Response Adapt Profile as appropriate (REQMOD or RESPMOD).

Application Security Setting

MetaDefender ICAP Server works with the default values (virus header and URI) out of the box, so you don't need to configure internal system variables in the Configuration utility.

After the above steps are completed, your web applications are protected against malicious files. To test the setup, simply upload a test file such as EICAR. Finally, you can check the ICAP History on the OPSWAT MetaDefender ICAP Server side to view the archived file analysis results.

Viewing File Upload/Download History In MetaDefender User Interface

Since ICAP can perform a variety of services, including Data Loss Prevention (DLP), deploying OPSWAT MetaDefender services through ICAP allows seamless service additions without operational disruption or the need to reconfigure web apps. This applies to both request (client-to-server) and response (server-to-client) payloads.