Malicious File Upload

If your application allows file uploads, attackers could upload malicious files that compromise your system. Application Security leverages Trend Micro Smart Scan as well as the Advanced Threat Scanning Engine (ATSE) to protect your application from malicious file uploads by scanning uploaded files for malware and restricting the size of uploaded files.

Configure the Malicious File Upload policy

  1. Go to Your Group > Policies > Malicious File Upload and ensure that it is enabled.
  2. Set the state to Report. This will trigger events without blocking the request, which allows you to run your application and see which expected behaviors trigger Malicious File Upload events.
  3. On the right of the page, select Configure Policy.
  4. Configure the following settings to protect against malicious file upload attacks:

    • Antivirus Scanning: Scans uploads for malware
      • Max Buffer (MB): The maximum amount of memory to be allocated for buffering.
      • Archive compression level limit: The maximum compression level the scanner will go through in archives.
      • Archive file count limit: The maximum number of files the scanner will scan in archives.
      • Archive file size limit: The maximum archive size the scanner will scan. A value of 0 disables archive malware scanning.
      • ATSE Scan Aggressiveness Level: The aggressiveness level used when the Advanced Threat Scan Engine (ATSE) scans files with heuristics. The default value is Medium; the possible values are Low, Medium, High and Very High. Very High might generate false positives. See the agent version compatibility table below for this feature.
    • File Size Check: Restricts the size of uploaded files.
      • Max Filesize (MB): The maximum file upload size permitted. A value of 0 disables file uploads.
  5. Select Save Changes and close the window.

  6. Navigate to your application and upload a typical file. Use the application in the various scenarios that it was designed to handle.
  7. On the Dashboard, check the Events page for Malicious File Upload events (see Manage Events for more information). If one has been triggered, follow the steps in Manage Malicious File Upload events.
  8. Once you're happy with your policy configuration and events are no longer being triggered by expected behavior, go to Your Group > Policies > Malicious File Upload.
  9. On the right of Malicious File Upload, set the state to Mitigate. When a rule is triggered, the attempt will be blocked and a Malicious File Upload event will appear on the Dashboard.
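To make the limits in step 4 concrete, here is an added Python example (not Trend Micro code, and not a description of how its scanner works) that checks an upload held in memory against the same kinds of limits. It handles ZIP only, the limit values are constructed, and it assumes "compression level" means archive nesting depth and that the archive size limit applies to the declared expanded size.

```python
import io
import zipfile

MB = 1024 * 1024
# Constructed values; the names map to the policy fields only for illustration.
MAX_FILESIZE_MB = 5      # Max Filesize (MB)
ARCHIVE_MAX_DEPTH = 2    # Archive compression level limit (assumed: nesting depth)
ARCHIVE_MAX_FILES = 100  # Archive file count limit
ARCHIVE_MAX_MB = 10      # Archive file size limit (assumed: declared expanded size)


def _walk(data, depth, stats):
    """Walk an in-memory ZIP, counting members and declared uncompressed bytes."""
    stats["depth"] = max(stats["depth"], depth)
    if depth > ARCHIVE_MAX_DEPTH:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stats["files"] += 1
            stats["bytes"] += info.file_size
            # Check limits before decompressing so the work stays bounded.
            if stats["files"] > ARCHIVE_MAX_FILES or stats["bytes"] > ARCHIVE_MAX_MB * MB:
                return
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                _walk(member, depth + 1, stats)


def check_upload(data):
    """Return the names of the limits an upload exceeds (empty list: within limits)."""
    findings = []
    if len(data) > MAX_FILESIZE_MB * MB:
        findings.append("max_filesize")
    if zipfile.is_zipfile(io.BytesIO(data)):
        stats = {"depth": 0, "files": 0, "bytes": 0}
        _walk(data, 1, stats)
        if stats["depth"] > ARCHIVE_MAX_DEPTH:
            findings.append("archive_depth")
        if stats["files"] > ARCHIVE_MAX_FILES:
            findings.append("archive_file_count")
        if stats["bytes"] > ARCHIVE_MAX_MB * MB:
            findings.append("archive_size")
    return findings


def make_zip(members):
    """Build a constructed sample ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A highly compressible archive can pass the Max Filesize check as uploaded and still exceed the archive limits once its contents are counted, which is why the two groups of settings are separate.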

Agent version compatibility with the ATSE aggressiveness setting

Agent Compatible Versions
agent nodejs 4.3.1 and above
agent Python 4.5.3 and above
agent Java 4.4.5 and above

For all other agents or agent versions, the ATSE aggressiveness setting has no effect, and these agents use the default value of Very High.

Malicious File Upload events

Malicious File Upload events are displayed on the Dashboard in Events or in your respective Group's dashboard.

Every event includes the Request Details panel for general information about the event. For more information, see Manage Events.

Under Antivirus Scanning the following information specific to the Malicious File Upload policy is displayed, depending on what triggered the event:

Trigger: Antivirus Scanning

Trigger: Size Check

  • Entity size

Manage Malicious File Upload events

If Application Security is reporting Malicious File Upload events:

Select Click to Manage Policy. In the Alert section, you can see what policy rule was triggered. If you'd like to allow this behavior on your application, reconfigure the rule based on your desired parameters.

For example, if a Malicious File Upload event was triggered because a file was five MB larger than the max file size, increase the max file size by five to allow these files to be uploaded in the future.