What tuning parameters are available for HTML_Script_Extension_Evasion?
XPU 33.060 (released on June 11, 2013) included a new tuning parameter, pam.html.script.extension.whitelist, that works in conjunction with pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.
HTML_Script_Extension_Evasion triggers when an HTML <script> tag has a src attribute value with a misleading extension, one that may cause anti-virus or other security software to misinterpret the nature of the script file and so let it evade inspection. This signature will trigger on a tag such as <script src='sneaky.jpg'>. Normally, files with .jpg extensions are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to evade detection of an exploit by security software.
By default, the following extensions are blacklisted:
If you would like to exclude (whitelist) any of the above extensions so that they will not trigger HTML_Script_Extension_Evasion, you can add the pam.html.script.extension.whitelist parameter with a value of the extension you would like to exclude. If you would like to exclude multiple extensions, they can be entered in the following format:
If you would like to blacklist any additional extensions that are not in the default list, you can add the pam.html.script.extension.blacklist parameter with a value of the extension you would like to blacklist. To blacklist multiple extensions, they can be entered in the following format:
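Added example (not IBM's PAM code, and not the parameter value format referred to above): a Python sketch of the check the signature describes and of how the two parameters change the set of extensions that trigger it. The default list here is a constructed placeholder rather than the product's list, the function names are hypothetical, and letting a whitelist entry override a blacklist entry is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Constructed placeholder, NOT the product's default list.
SAMPLE_DEFAULT_BLACKLIST = {"jpg", "gif", "png"}

def effective_blacklist(extra_blacklist=(), whitelist=()):
    """Defaults plus additions, minus exclusions (assumption: whitelist wins)."""
    norm = lambda exts: {e.lower().lstrip(".") for e in exts}
    return (SAMPLE_DEFAULT_BLACKLIST | norm(extra_blacklist)) - norm(whitelist)

class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def src_extension(src):
    """Extension of the URL path only, ignoring query string and fragment."""
    path = urlsplit(src).path
    return posixpath.splitext(path)[1].lower().lstrip(".")

def find_misleading_scripts(html, extra_blacklist=(), whitelist=()):
    """Return script src values whose extension is in the effective blacklist."""
    blocked = effective_blacklist(extra_blacklist, whitelist)
    collector = _ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.sources if src_extension(s) in blocked]

# Constructed sample page.
SAMPLE_HTML = """
<script src='sneaky.jpg'></script>
<script src="/static/app.js?v=2.jpg"></script>
<script SRC="http://cdn.example/lib.GIF#x"></script>
<script src="data.bmp"></script>
"""
```

Comparing only the URL path's extension keeps a query string such as ?v=2.jpg on a genuine .js file from producing a false positive.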
|Security||Proventia Virtualized Network Security Platform||Not Applicable||Firmware||3.1, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6|
|Security||Proventia Network Multi-Function Security||Protocol Analysis Module (PAM)||Firmware||3.14, 3.15, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6|
|Security||IBM Security Host Protection||General Information||AIX, HP-UX, Linux, Windows||2.2.2, 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4, 1.0.0, 1.5.0|