Re: malware scanning
- From: "Stuart Staniford" <sstaniford@xxxxxxxxxxx>
- Date: Tue, 30 Dec 2008 16:35:37 -0800
Our (FireEye's) appliance can do this.
Its primary purpose is to detect bot traffic in network traffic (passively monitored), and one of its major ways of doing this is to detect the malicious website infection as it happens (we scan using statistical anomaly detection techniques to look for potentially malicious entities in HTTP traffic - e.g. obfuscated JavaScript - and then confirm them by running them inside a browser in an instrumented virtual machine). By this means, we can detect most malicious websites with almost no false positives.
The appliance also has a mode where you can point it at a list of potentially malicious URLs and it will directly run the VM analysis on those URLs and tell you whether they are malicious or not. (It's not oriented to crawling - it will check a single requested URL at a time and whatever is automatically included from that by the browser.)
Stuart Staniford,
Chief Scientist, FireEye
On Dec 22, 2008, at 5:10 AM, <sisram2@xxxxxxxxx> <sisram2@xxxxxxxxx> wrote:
Is there any commercial / free tool to externally scan websites for malware?