HackAlert™ FAQ

Questions frequently asked about our Malware Monitoring Service

HackAlert™ Malware Monitoring Frequently Asked Questions (FAQ)

Malware Information

1. What is a drive-by download?

2. What is blacklisting?

HackAlert™ Information

3. What is HackAlert™?

4. What is a cloud-based service?

5. What is meant by Software as a Service (SaaS)?

6. How does HackAlert™ address injection and malware drive-by downloads?

7. What is meant by the term "behavior-based scanning engine"?

8. What are the advantages of behavior-based analysis?

9. How does malware injection monitoring differ from web application scanning?

10. How does malware injection monitoring differ from antivirus software?

11. How does HackAlert™ differ from signature-based malware injection monitoring tools?

12. How does HackAlert™ help website users?

13. How does HackAlert™ help businesses?

Monitoring and Results Information

14. How are HackAlert™ scans managed through the web console?

15. What is website crawling?

16. What information is contained in HackAlert™ alerting and reporting?

17. How can I use the HackAlert™ report to recover from injection?

18. How does HackAlert™ address false positives?

19. How does HackAlert™ address false negatives?

Technical Information

20. Will HackAlert™ impact a web application's performance?

21. Does HackAlert™ require any software installation?

22. Is HackAlert™ dependent on the web application development language?

23. Does HackAlert™ require access to source code, binaries, or debug information?

1. What is a drive-by download?

Drive-by downloading is a hacker technique resulting in the unauthorized download and installation (drive-by download) of unwanted malicious software (malware) onto the client PC of anyone visiting the web site. It is designed to steal information from Internet users by forcing them to automatically download malware without their knowledge or consent. Malware is often designed for criminal, political, and/or mischievous purposes, such as stealing confidential information, tricking the user into buying something that she or he doesn't need, sending junk e-mail, attacking other computers or networks (zombie attacks), and distributing more malware.

2. What is blacklisting?

Due to the growing problem of malware distribution, Google in particular has taken a draconian view of any website distributing malware.

Google flagging has the greatest negative effect on websites as traffic is literally driven away from the site, due to Google posting warnings against visiting the site directly in their search results, or worse yet, removing the site from their search results altogether. This often has the effect of reducing a website’s traffic from tens of thousands of visitors per day to almost zero.

Regardless of whether the site owners are knowingly distributing malware, a message will appear in the Google search results and also in browsers like Chrome and Firefox warning of the potential danger of visiting the website. For example:

[Image: example Google malware warning]

Being blacklisted also means a website owner may find their domain listed on stopbadware.org – a central database of infected domains referenced by hundreds of applications and service providers. For website owners, blacklisting results in damage to business reputation and an inevitable sharp drop in website traffic, and ultimately in revenues. The remedial actions needed to be removed are slow and expensive, with no guarantees of successfully regaining rankings.

3. What is HackAlert™?

Armorize HackAlert™ is a cloud-based web malware monitoring and detection service that immediately notifies subscribers if their website is targeting end-user personal computers (PCs) with drive-by downloads. Delivered as hosted Software as a Service (SaaS), HackAlert™ protects businesses and customers from the impacts of malware injection. (Source: Armorize)

4. What is a cloud-based service?

A cloud-based service leverages the principles of cloud computing to deliver computer-based business applications. In cloud computing, application details are abstracted from the users who no longer need knowledge, expertise or control over the underlying infrastructure. Instead, service providers utilize the Internet (i.e., the "Cloud") to provide scalable and virtualized resources as a web-based service. For HackAlert™, the only client requirement is a web browser, Internet access, and the necessary credentials to access the service. The application is presented through a web interface while business logic, software, and data are handled on the Armorize server infrastructure. (Source: Armorize)

5. What is meant by Software as a Service (SaaS)?

Software as a Service (SaaS) is a software deployment model based on cloud computing. With SaaS, a provider licenses an application to customers as an on-demand service. The software itself is hosted on the provider's own infrastructure or at commercial accredited datacenters that offer virtualized server access. As per the definition of cloud computing, the SaaS is accessed through a web interface with all business logic, processing, and storage handled by the provider. (Source: Armorize)

6. How does HackAlert™ address injection and malware drive-by downloads?

HackAlert™ monitors websites around the clock for malware injection. The service immediately notifies subscribers if their website is initiating malware drive-by downloads that target end-user computers.

The behavior-based scanning engine not only identifies active malware downloads, but also compares its findings to Google's malicious site lists to facilitate verification of the site's blacklist status.

If the monitored site is actively distributing malware, HackAlert™ will provide information such as malware behavior, the injected code snippet, vulnerability exploit details, and remediation guidance. If the site has also been flagged by Google as malicious, HackAlert™ will report this along with steps to quickly remove this flag.

If the website is not actively propagating malware but is still flagged by Google, HackAlert™ will also report this and will provide reasons for the discrepancy along with the steps to quickly update this status.

HackAlert™ also offers mitigation through its optional recovery module. Installed as a web server plug-in, this module removes malware from outbound HTTP responses to prevent drive-by downloads in real-time.

Available as a true cloud-based service (SaaS) and as an enterprise monitoring system API, HackAlert™ represents a critical component of the Incident Response process by ensuring that administrators can react immediately to malware injection to protect corporate and client resources. (Source: Armorize)

7. What is meant by the term "behavior-based scanning engine"?

HackAlert™ does not rely on signature matching to detect malware drive-by downloads. The service connects to the subscriber website using a standard HTTP connection. HTTP responses are downloaded to an isolated "sandbox" environment hosted at the Armorize datacenter where they are automatically analyzed for behavioral characteristics that indicate malware injection. If there is an active drive-by download, the actual downloaded file's behavior is analyzed and reported back to the subscriber. (Source: Armorize)

8. What are the advantages of behavior-based analysis?

Behavior-based analysis provides the following benefits:

Increased accuracy

Signature-based malware solutions such as those offered by commercial antivirus vendors have several disadvantages. Once new malware is released, antivirus vendors must analyze it and create a signature for it. This means that commercial antivirus solutions do not offer immediate protection against new (zero-day) malware, and this often remains the case for many days after its release. In addition, web application hackers have learned to pack or obfuscate malware in a variety of formats that make signature-based detection all but impossible.

On the other hand, as a true behavioral analysis solution, HackAlert™ is not dependent on vendor-defined signatures but instead analyzes the actual behavior of an application to determine whether or not it contains malware.

Malware behavioral analysis offers far greater accuracy than signature-based technology along with immediate capability to detect zero-day malware.

Detailed behavioral information

HackAlert™ connects to the monitored website over a standard HTTP connection and captures all responses in deliberately unsecured "Honey Clients" located at Armorize data centers worldwide. All website responses are analyzed for the presence of both active malware content and suspicious links (to external sites not currently distributing malware). This distinction greatly reduces the number of false positives.

HackAlert™ reporting delivers the following details:
    • URL that has been injected
    • Injected code snippet details
    • Browser vulnerability that the drive-by download exploits
    • Malware behavior details such as:
        – Whether it is active malware or simply a suspicious link
        – Malware download file name
        – Source URL, i.e., where the compromised site retrieves the malware from
        – Download destination on target computer

Detailed remediation guidance

As HackAlert™ actually captures the website's HTTP responses, it is able to specifically pinpoint injected code snippets to aid mitigation. Reporting also provides details of the actual browser (or browser extension) vulnerability that the malware attempts to exploit.

HackAlert™ also compares the true website malware injection status with that being reported by Google's Safe Browsing index reported at http://www.stopbadware.org. (Source: Armorize)

9. How does Malware Injection Monitoring differ from Web Application Scanning?

Malware Injection Monitoring

Malware Injection Monitoring connects to the website over a standard HTTP port and analyzes all responses for the presence of malware. It does not attempt to exploit application vulnerabilities and does not impact the running application through intrusive scanning.

Web Application Scanning

Web Application Scanning - often referred to as Penetration Testing - is also known as "Black Box" testing, as it is conducted from the perspective of the hacker probing the running application. Web application scanning tools are typically client-based software applications that scan live web applications, locating entry points and executing multiple attack variants based on the vendor-supplied signature database. These scans may be intrusive when the application is vulnerable to an attack signature that causes it to crash.

10. How does malware injection monitoring differ from antivirus software?

Malware Injection Monitoring

HackAlert™ is a cloud-based software service that monitors subscriber websites to detect and mitigate malware injection and drive-by downloads from the website. Honey clients located at the Armorize datacenter browse subscriber websites and analyze the HTTP responses, potentially malicious links, and active malware downloads. HackAlert™ does not rely on signatures and is thus best suited for detection of zero-day attacks.

Antivirus Software

Antivirus software is installed on the host being protected and is designed to detect and isolate malware attacking that host. In order for malware to be detected, the malware signature must be on the host. This is typically downloaded in the form of a vendor-supplied update file. The latency between malware releases and the corresponding signature along with improvements in obfuscation and packing techniques make host-based antivirus an increasingly less effective anti-malware solution. (Source: Armorize)

11. How does HackAlert™ differ from signature-based malware injection monitoring tools?

Unlike signature-based malware detection tools, HackAlert™ does not rely on the Google Safe Browsing Index for reporting and analysis. Instead, with its 24/7 scanning, it ensures that website owners can detect and remediate malware injection before the next Google Index cycle. In this manner HackAlert™ prevents Google blacklisting.

HackAlert™ also verifies websites' Google blacklisting status. For sites that have already been flagged and listed on http://www.stopbadware.org, HackAlert's behavioral analysis engine can actually test the website's true status. It will verify whether or not malware is present and will provide details on how to remove the malware and on how to remove the website from the Google blacklist. (Source: Armorize)

12. How does HackAlert™ help website users?

HackAlert™ helps protect website end-users by notifying the website owner immediately if their site is injected with malware or is pushing drive-by downloads to computers bro

HackAlert™ also verifies websites' Google blacklisting status. For sites that have already been flagged and listed on http://www.stopbadware.org, HackAlert's behavioral analysis engine can actually test the website's true status. It will verify whether or not malware is present and will provide details on how to remove the malware and on how to remove the website from the Google blacklist. (Source: Armorize)

13. How does HackAlert™ help businesses?

As a critical component of the malware injection incident response process, HackAlert™ helps safeguard website users from malware and thus:

    •  Ensures the website is not flagged as a source of malware
    •  Prevents search engine flagging and blacklisting
    •  Enables compliance with standards such as PCI
    •  Preserves overall business reputation

(Source: Armorize)

14. How are HackAlert™ scans managed through the web console?

HackAlert™ is accessed through an Internet-based web console that allows subscribers to enable on-demand or automated web site scans. The Web 2.0 interface supports configuring scan schedules, report distribution options, and scanner crawling depth. (Source: Armorize)

15. What is website crawling?

HackAlert™ is designed to monitor entire websites as opposed to just single URLs. When configuring a new website monitoring project, the initial URL is specified. HackAlert™ will scan that page as well as every page that is linked to on that page. This will continue until the maximum depth or number of pages to be scanned is reached.

Crawling depth is defined as the number of consecutive links from the home page to each page within the web application. For example, if it takes 3 clicks to get to a specific page within the application, then it can be said that the page has a depth of 3. (Source: Armorize)
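
The crawl described above, written out as an added example (it is not Armorize's or HackAlert's code): a breadth-first walk from the start URL that follows every link on each scanned page and stops at the configured maximum depth or page count, with depth counted exactly as the FAQ defines it. The site is a constructed in-memory map of URL to HTML so the example runs offline; fetch_page() stands in for the HTTP GET a real crawler would issue.

```python
"""Depth-limited website crawl (added example, not HackAlert code).

Breadth-first crawl from the start URL: every link on a scanned page is
followed until the maximum depth or the maximum number of pages is reached.
The site below is a constructed in-memory map of URL -> HTML so the example
runs offline; fetch_page() stands in for an HTTP GET.
"""
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed sample site. Depth from the home page: /products and /about are
# one click away, /products/widget two, /support three.
SAMPLE_SITE = {
    "http://www.example.com/": (
        '<a href="/products">Products</a> <a href="/about">About</a>'),
    "http://www.example.com/products": '<a href="/products/widget">Widget</a>',
    "http://www.example.com/about": '<a href="mailto:info@example.com">Mail us</a>',
    "http://www.example.com/products/widget": (
        '<a href="/support">Support</a> <a href="http://partner.example.net/">Partner</a>'),
    "http://www.example.com/support": '<a href="/">Home</a>',
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def fetch_page(url):
    """Stand-in for an HTTP GET of the page; None models a missing page."""
    return SAMPLE_SITE.get(url)


def extract_links(page_url, html):
    """Resolve each href to an absolute URL; keep only http(s) targets, drop fragments."""
    links = []
    for href in HREF_RE.findall(html):
        absolute = urljoin(page_url, href).split("#")[0]
        if urlparse(absolute).scheme in ("http", "https"):
            links.append(absolute)
    return links


def crawl(start_url, max_depth, max_pages):
    """Breadth-first crawl of start_url's host.

    Returns (scanned, external): scanned maps each scanned URL to its depth,
    i.e. the number of consecutive links followed from the start page (depth 0);
    external is the sorted list of off-host links seen, which are recorded but
    not fetched. The crawl stops once max_pages pages have been scanned, and
    links on a page already at max_depth are not followed.
    """
    start_host = urlparse(start_url).netloc
    depth_of = {start_url: 0}        # every in-scope URL discovered so far
    scanned = {}
    external = set()
    queue = deque([start_url])
    while queue and len(scanned) < max_pages:
        url = queue.popleft()
        html = fetch_page(url)
        if html is None:
            continue
        depth = depth_of[url]
        scanned[url] = depth
        if depth >= max_depth:
            continue                  # configured depth reached: do not follow further
        for link in extract_links(url, html):
            if urlparse(link).netloc != start_host:
                external.add(link)
            elif link not in depth_of:
                depth_of[link] = depth + 1
                queue.append(link)
    return scanned, sorted(external)


if __name__ == "__main__":
    pages, offsite = crawl("http://www.example.com/", max_depth=3, max_pages=50)
    for page_url, page_depth in sorted(pages.items(), key=lambda item: item[1]):
        print(page_depth, page_url)
    print("off-site links (not crawled):", offsite)
```

Lowering max_depth to 2 drops /support (three clicks from the home page) from the scan, and max_pages=2 stops the crawl after the home page and the first page linked from it, which is the behaviour the two console settings described above produce.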

16. What information is contained in HackAlert™ alerting and reporting?

HackAlert™ reporting delivers the following details via email and SMS as well as within the Web console:

    •  URL that has been injected
    •  Injected code snippet details
    •  Browser vulnerability that the drive-by download exploits
    •  Malware behavior details such as:
         –   Malware download file name
         –   Source URL, i.e., where the compromised site retrieves the malware from
    •  Detailed remediation guidance
    •  Comparison with malware injection status as reported by Google along with remediation steps if required

(Source: Armorize)

17. How can I use the HackAlert™ report to recover from injection?

HackAlert™ ensures that website owners can identify not only the URL on their website that has been injected, but also the source URL from where the browser retrieves that active malware. HackAlert™ provides the actual injected code snippets to aid in immediate removal and to support identifying the name of the actual download file. (Source: Armorize)

18. How does HackAlert™ address false positives?

HackAlert™ relies on analyzing the actual web application behavior as opposed to simply relying on malicious code and exploit signatures or feeds from Google's Safe Browsing API.

By analyzing the actual HTTP responses, HackAlert™ identifies active malware downloads and suspicious links. HackAlert™ will always identify files in the HTTP download stream. It is highly unusual for legitimate web applications to silently download files to computers browsing it so it can be assumed that these files are typically malicious and that there will be no false positives.

It is common for links in injected iframes or JavaScript to be inactive. Once a hacker has compromised a web application in this manner, they may add, remove, and change the active malware download at will. If, during a HackAlert™ scan, an injected link is found with no active malware download, HackAlert™ will flag it as suspicious as opposed to malicious. This is to ensure that the website owner is aware that this link may very soon become malicious. Note that not all HackAlert™ distributions support suspicious link detection. (Source: Armorize)

19. How does HackAlert™ address false negatives?

For active malware, HackAlert™ will always detect the malware in the download stream and will therefore have zero false negatives.

For suspicious links, HackAlert™ will always test iframes, JavaScript, and obfuscated code to determine whether it leads to malware. Even if there is no malware downloaded, the code will be flagged as suspicious. If the suspicious link detection capability is not available, injected links that do not result in active malware downloads will not be reported. (Source: Armorize)
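
The malicious-versus-suspicious distinction drawn in questions 18 and 19, as an added example that is not Armorize's or HackAlert's code: for each off-host iframe or script in a captured page the code follows the target (iframe, script and meta-refresh hops) and reports "malicious" only when an actual file download is reached, and "suspicious" when the injected target is dead or serves no download, so an inactive injection is still surfaced to the owner. Every response is a constructed in-memory capture (URL to status, headers, body); the injected hosts use the reserved .invalid TLD, the "download" is a harmless placeholder byte string, fetch() stands in for the honey client's HTTP GET, and the allowed_hosts parameter (an owner-maintained list of trusted external hosts) is this example's own assumption, not a HackAlert feature.

```python
"""Verdicts for injected links in a captured HTTP response (added example).

Not Armorize/HackAlert code. An off-host iframe/script target is "malicious"
when following it reaches a file download and "suspicious" otherwise. All
captures below are constructed; fetch() stands in for the honey client's GET.
"""
import re
from urllib.parse import urljoin, urlparse

CAPTURED = {
    # The monitored page: one hidden iframe and one script point off-host.
    "http://www.example.com/index.html": (200, {"Content-Type": "text/html"},
        '<html><body><h1>Shop</h1>'
        '<iframe src="http://inject-a.invalid/f.html" width="0" height="0"></iframe>'
        '<script src="http://inject-b.invalid/s.js"></script>'
        '<script src="/static/app.js"></script></body></html>'),
    # The iframe target is live and bounces the browser to a file download.
    "http://inject-a.invalid/f.html": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://inject-a.invalid/update.exe"></head></html>'),
    "http://inject-a.invalid/update.exe": (200,
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="update.exe"'},
        b"MZ placeholder - constructed, not a real binary"),
    "http://www.example.com/static/app.js": (200,
        {"Content-Type": "application/javascript"}, "console.log('app');"),
    # inject-b.invalid is deliberately absent: injected, but currently inactive.
    "http://www.example.com/clean.html": (200, {"Content-Type": "text/html"},
        '<html><body><script src="/static/app.js"></script></body></html>'),
}

SRC_RE = re.compile(r'<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
REFRESH_RE = re.compile(r'content\s*=\s*["\']\s*\d+\s*;\s*url=([^"\']+)["\']', re.I)
FILENAME_RE = re.compile(r'filename="?([^";]+)"?', re.I)
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                  "application/x-dosexec"}


def fetch(url):
    """Stand-in for an HTTP GET; None models a dead host or 404."""
    return CAPTURED.get(url)


def is_file_download(headers):
    """A response a browser would save to disk rather than render."""
    disposition = headers.get("Content-Disposition", "").lower()
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return disposition.startswith("attachment") or ctype in DOWNLOAD_TYPES


def external_sources(page_url, html):
    """iframe/script targets on another host; same-host resources are assumed legitimate."""
    host = urlparse(page_url).netloc
    targets = [urljoin(page_url, src) for src in SRC_RE.findall(html)]
    return [t for t in targets if urlparse(t).netloc != host]


def follow_to_download(url, max_hops=3):
    """Follow iframe/script/meta-refresh chains from url for up to max_hops fetch
    rounds; return (download_url, headers) of the first file download reached, else None."""
    seen, frontier = set(), [url]
    for _ in range(max_hops):
        next_frontier = []
        for current in frontier:
            if current in seen:
                continue
            seen.add(current)
            resp = fetch(current)
            if resp is None or resp[0] != 200:
                continue
            _, headers, body = resp
            if is_file_download(headers):
                return current, headers
            if isinstance(body, str):          # only HTML/text can embed further links
                for src in SRC_RE.findall(body) + REFRESH_RE.findall(body):
                    next_frontier.append(urljoin(current, src))
        frontier = next_frontier
    return None


def classify(page_url, allowed_hosts=frozenset()):
    """One finding per off-host iframe/script on the page.

    allowed_hosts is an assumption of this example (e.g. the owner's own CDN);
    targets on those hosts are skipped rather than reported as suspicious.
    """
    resp = fetch(page_url)
    if resp is None or resp[0] != 200 or not isinstance(resp[2], str):
        return []
    findings = []
    for link in external_sources(page_url, resp[2]):
        if urlparse(link).netloc in allowed_hosts:
            continue
        reached = follow_to_download(link)
        finding = {"injected_url": page_url, "source_url": link,
                   "verdict": "suspicious", "download_url": None, "file_name": None}
        if reached is not None:
            download_url, headers = reached
            match = FILENAME_RE.search(headers.get("Content-Disposition", ""))
            finding.update(verdict="malicious", download_url=download_url,
                           file_name=match.group(1) if match else download_url.rsplit("/", 1)[-1])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in classify("http://www.example.com/index.html"):
        print(f["verdict"], f["source_url"], f["download_url"], f["file_name"])
```

The finding fields mirror the report items listed in question 16 (injected URL, source URL, download file name), and the suspicious verdict for the dead inject-b.invalid link is the case question 19 describes: nothing was downloaded, but the injection is reported so the owner can remove it before the attacker reactivates the target.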

20. Will HackAlert™ impact a Web application's performance?

HackAlert™ connects to the monitored website over standard HTTP connections at intervals defined by the subscriber. The scans are non-intrusive and all analysis is conducted by the service on computing systems hosted at the Armorize datacenters. Therefore, HackAlert™ has no impact on web application performance. (Source: Armorize)

21. Does HackAlert™ require any software installation?

HackAlert™ requires no software installation on either the websites being monitored or on end-user PCs. The service is hosted at Armorize Technologies' global datacenters and is accessible to subscribers via a Web 2.0 interface. (Source: Armorize)

22. Is HackAlert™ dependent on the Web application development language?

HackAlert™ can monitor any website for malware injection regardless of the programming language used to create it. The HackAlert™ service simply makes standard HTTP connections to the website being scanned. (Source: Armorize)

23. Does HackAlert™ require access to source code, binaries, or debug information?

HackAlert™ requires no access to application source code, binaries, or debug information. The HackAlert™ service simply makes standard HTTP connections to the website being scanned. (Source: Armorize)