polyfill.io - malicious script embedded in websites. How to handle DNS queries to it?
Hi all,
Over the past month we have seen some of our users sending DNS queries for polyfill.io and cdn.polyfill.io.
Numerous articles such as this one report that it has started spreading malicious code to visitors of websites that use this script.
I see that our Check Point Anti-Virus blade is detecting this as protection - CeptBiro.TC.b726wWvx
The action has been a mix of detect and prevent - do you know why this is? Is there a way to change the action to always prevent? I searched for the protection under IPS protections but could not find it. I show the logs in the attached screenshot.
Thanks!
You'll need to force background classification into hold. Run the following:
# keep an untouched copy of the config before editing it
cp -v $FWDIR/conf/malware_config $FWDIR/conf/malware_config_ORIGINAL
# switch DNS classification from its current mode to hold (in place; -ie would leave a stray "malware_confige" backup)
sed -i 's/^dns=.*$/dns=hold/' $FWDIR/conf/malware_config
Install TP policy after this and everything should be seen as prevent in the logs.
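The same change as a small script, as an added example that is not part of the reply above or of any Check Point tooling. It wraps the copy-and-sed step in functions that back up the file only once, refuse to edit a file with no dns= line, and read the value back so you can confirm the edit before installing the Threat Prevention policy. The sample config and the temporary path are constructed for the demo; on a gateway the file is $FWDIR/conf/malware_config as in the reply.

```shell
#!/bin/bash
# Added example, not from the original post: set dns=hold in a Check Point
# malware_config the way the reply describes, with backup and verification.
# Assumption: the file carries a single "dns=<mode>" line, as the reply's sed expects.

# Print the current value of the dns= key (empty if the key is absent).
get_dns_mode() {
    sed -n 's/^dns=\(.*\)$/\1/p' "$1" | head -n 1
}

# Back up the config once (never overwrite an existing _ORIGINAL copy) and
# set dns=<mode> in place. Returns 1 if the key is missing or the edit did
# not take, so a caller can stop before installing policy.
set_dns_mode() {
    local cfg="$1" mode="$2"
    [ -f "${cfg}_ORIGINAL" ] || cp -v "$cfg" "${cfg}_ORIGINAL"
    grep -q '^dns=' "$cfg" || return 1
    sed -i "s/^dns=.*\$/dns=${mode}/" "$cfg"
    [ "$(get_dns_mode "$cfg")" = "$mode" ]
}

# Demo on a constructed sample file (not the gateway's real config).
demo() {
    local dir cfg
    dir=$(mktemp -d)
    cfg="$dir/malware_config"
    printf 'dns=background\nhttp=background\n' > "$cfg"   # constructed sample
    echo "before: dns=$(get_dns_mode "$cfg")"
    set_dns_mode "$cfg" hold
    echo "after:  dns=$(get_dns_mode "$cfg")"
    rm -rf "$dir"
}
demo
```

After set_dns_mode succeeds on the real file, install the Threat Prevention policy as the reply says; the backup written by the function is what you restore if you later want background classification back.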