Review Cloudmersive's technical library.
|What is a Multipartite Virus?
|9/29/2023 - Brian O'Neill
The descriptive term “multipartite” refers to anything composed of multiple parts. In the context of cybersecurity, multipartite viruses are those capable of infecting a computer in multiple different ways at the same time. Left undetected, these dynamic virus threats can have a devastating impact on any computer system and prove the most challenging to remove post-infection.
How are multipartite viruses composed?
In most cases, multipartite viruses tend to present both boot-sector and file-sector infection capabilities. The combination of these separate infection capabilities makes the threat of multipartite viruses particularly intimidating.
While boot-sector infections are less common today than they were in decades past (regularly incapacitating old-generation computers booted with floppy disks), it’s still possible for sophisticated multipartite viruses to encrypt modern Master Boot Records (MBR) and cause severe problems within a system. When the boot-sector of a computer is infected with a virus, its malware will load into memory once the computer completes its start-up sequence, paving the way for innumerable files and devices to be rapidly infected.
File-sector infections are very common in the modern threat landscape. This component of a multipartite virus most often targets executable/program files (often those with .exe or .com extensions). When these important executable file types are infected, they can spread a virus rapidly across systems and networks alike, and they can even reformat hard drives in extreme cases. File-sector infectors can impact several different operating systems, too.
All told, multipartite viruses can cause extreme, far-reaching damage to any system. If these viruses aren’t properly purged from a system at every level of infection, they can easily reinfect files in the system repeatedly.
How can multipartite viruses be detected and mitigated?
Because multipartite viruses contain multiple infectors, it’s important to apply a dynamic detection strategy against them. This should generally include signature-based scanning (which references a database of known virus signatures) and zero-day threat scanning (a combination of heuristic analysis, behavioral analysis, sandboxing, and other such methods which do not solely rely on referencing known virus signatures for malware detection).
Since multipartite viruses typically enter a system through traditional malware delivery methods – i.e., spam emails & untrusted file uploads – it’s important to focus a significant amount of attention on denying their entry into a system. These delivery methods can be stymied with regular user training (against social engineering attacks), dynamic threat signature detection, and judicious content restriction policies.
Detecting multipartite virus threats with the Cloudmersive Virus Scan API
The Cloudmersive Virus Scan API is a turnkey, 365-degree scanning solution designed to detect a wide range of virus & malware threats – including multipartite viruses – by applying a combination of file hashing, signal extraction, pattern matching, heuristics, whitelisting, bytecode analysis, and certificate analysis. Advanced threat detection policies make it possible to simultaneously perform in-depth content verification against a customized list of restricted file types, enabling exhaustive protection in-storage, at the network edge, and/or in defense of individual applications.
For more information about the Cloudmersive Virus Scan API capabilities, please do not hesitate to reach out to a member of our sales team.
|What is a Polymorphic Virus?
|9/27/2023 - Brian O'Neill
To effectively detect, mitigate and/or remove virus threats, it’s important we first understand the unique characteristics that set certain virus types apart from others.
What defines a polymorphic virus, and why is it effective?
By definition, all computer viruses seek to replicate themselves so they can spread across multiple files and throughout one or more systems. While some virus types retain their original signature during the replication process, polymorphic viruses do not. Instead, viruses of this type alter the appearance of their code to disguise themselves from signature-based virus scanning engines. They often encrypt their code and rapidly change encryption keys to alter the makeup of infected files, relying on complex mutation engines in that process.
As a result, even if a basic signature-based virus detection engine manages to identify one infected file within a system, it may not be capable of identifying other files infected by subsequent iterations of the polymorphic virus. If the victim of a cyberattack believes the threat within their system has been neutralized, when it in fact hasn't, the virus may be able to proliferate much more extensively throughout their system.
How can polymorphic virus threats be detected?
Identifying elusive polymorphic threats requires a dynamic & proactive virus scanning approach. To that end, rather than solely referencing a database of known virus signatures, advanced virus scanning solutions can additionally apply heuristic or even behavior-based analysis techniques. Heuristic detection techniques rely on algorithms with rulesets designed to identify malware based on patterns, while behavior-based techniques look at the way computer programs perform to identify “symptoms” of otherwise undetected malware.
Identifying polymorphic viruses with the Cloudmersive Virus Scan API
The Cloudmersive Virus Scan API is a turn-key solution designed to detect a wide range of virus & malware types – including Polymorphic viruses – through a combination of file hashing, signal extraction, pattern matching, heuristics, whitelisting, bytecode analysis, and certificate analysis. For more information, please do not hesitate to reach out to a member of our sales team.
|What are the Benefits of an In-Memory Virus Scanning Service?
|9/18/2023 - Brian O'Neill
What are the Benefits and Drawbacks of In-Memory Data Storage?
Utilizing in-memory database architecture makes it possible for web applications to access data dramatically faster than they can when communicating with traditional disc/SSD databases. Simply put, in-memory storage means data is held primarily in a server's RAM drive - a temporary memory bank fundamentally designed to make data available more quickly.
Storing and accessing data from RAM powers many of the high-speed data analytics components we see in real-time industry applications, including everything from medical device monitoring to financial analysis and online gaming. If in-memory storage didn't exist, real-time data analytics wouldn't be possible.
Due to several key drawbacks, however, leveraging in-memory storage over disc storage usually depends on having a very relevant use-case. Leaning on temporary storage can put companies at risk of losing data in the case of sudden power outages or system failures, and the cost of purchasing and maintaining an in-memory database is typically much higher than disc storage.
How can In-Memory Data Storage Impact a Virus & Malware Scanning Service?
Applying in-memory data storage concepts to a Virus & Malware Scanning API service affords two major benefits - the second of which actually stems from one of the usual drawbacks. In-memory scanning allows for 1) extremely fast round trip processing speeds and 2) naturally enhanced customer data security.
In this context, the possibility of losing RAM data in an outage is not a concern, because that data is only copied from the customer's disc to begin with; it should and will be released from its temporary storage location once the Virus & Malware Scanning API request is complete. There is no need for copies of customer data to be stored on another disc.
Cloudmersive In-Memory Virus Scanning
The Cloudmersive Virus Scan API is a stateless, high-performance API which scans customer data from temporary in-memory storage. This makes it possible for sub-second typical response times (10ms – 200ms round trip with extremely high throughput). All data stored in-memory is released upon completion of the scan; no customer data is stored to disc under any circumstances.
For more information on the Cloudmersive Virus Scan API’s features & KPIs, please do not hesitate to reach out to a member of our sales team.
|Watch Out for Archives: The Importance of Content Verification & Restriction
|9/13/2023 - Brian O'Neill
When we think about the common document types used to host & disguise custom content threats, PDF and Office file formats (DOCX, XLSX, etc.) are probably the first to come to mind. The last few decades of cyber-attack history would support that idea: malicious links/objects, macros, and similar file-based threat types are frequently buried within PDF and OpenXML file structure, designed to quickly access and compromise our device the moment the document is downloaded. Attackers rely on our familiarity with these everyday formats to facilitate tricking us into accessing and downloading their contents.
As our cybersecurity policies have evolved over years of experience and research to detect & mitigate these expected threat vectors, however, even more insidious malware delivery methods have quietly grown in popularity. In recent years, archive file formats (predominantly ZIP or RAR) have become increasingly popular hosts for concealing virus and malware threats. According to threat research conducted over a three-month period in 2022, archive formats made up more than 40% of malware delivery attempts, exceeding the utilization of Office file formats during that timeframe.
The benefits of using archive formats like ZIP or RAR to smuggle files infected with viruses and malware are clear cut. In fact, they aren’t all that different from the benefits we gain from using archive formats to consolidate and share legitimate files. Archive compression algorithms allow us to share dozens of large files across a network at once, and powerful encryption & password protection measures ensure unwanted third parties can’t access our sensitive material.
Threat actors effectively want the same things when they deliver infected files, with one key difference: instead of using encryption to hide their content from unwanted eyes, they use encryption to hide malware-infected files from signature-based scanning methods. Virus & malware scanning solutions can’t detect what they can’t decrypt, and by the time these compressed malicious files are decrypted and unzipped on a device, there may be no malware scanning policy in place to detect the infected documents. Unzipping the archive file itself won’t initiate a cyberattack, but eventually opening one of the compressed files will.
Further, malicious archives can themselves be stashed within other illegitimate (spoofed) files, making detection of the archive itself a considerable challenge. Using HTML, for example, a sophisticated attacker can create a very convincing spoof of a PDF document’s online viewer, and this document can be designed to retrieve & unzip a malicious archive from an external internet source once downloaded by the victim. Disguising a threat in this way creates all kinds of problems for traditional one-dimensional malware scanning policies, and it ultimately demands greater restriction of content types independent of malware signature detection. If these files successfully enter our networks undetected, our risk of falling victim to a dormant custom content cyber-attack greatly increases.
Detecting Custom Content Threats with Cloudmersive
The Advanced Scan iteration of the Cloudmersive Virus Scan API provides unique 360-degree protection against both infected files and hidden content threats, offering in-depth content verification and customizable file-type restriction policies. This means files entering a protected location can be scanned against a continuously updated list of more than 17 million virus & malware signatures, and the contents of those files can be simultaneously verified against the original file extensions, ensuring illegitimate files (such as the spoofed PDF example above) are immediately identified alongside infected ones.
In addition, dangerous file types – including HTML, Executables, Invalid Files, Scripts, Password-Protected Files, Macros, and more – can be blocked by setting custom threat detection policies in the API request body (or through your Cloudmersive Account page when using no-code solutions like Shield or Storage Protect). Unwanted file types – like ZIP and RAR – can be blocked by supplying a comma-separated list of acceptable file extensions in a plain text string. Files which fail to pass content verification checks against any custom restriction policies will receive the same CleanResult: False response as infected files.
For more information on how the Cloudmersive Virus Scan API can help protect your systems, please do not hesitate to reach out to a member of our sales team.
|How to Encrypt and Password Protect Zip Files using the Cloudmersive File Processing Connector in Power Automate
|9/7/2023 - Brian O'Neill
Cloudmersive APIs can limit our time capital expenditure like never before. Not only can we use these APIs as value-add services in our repetitive workflows, but we can also write our modified data directly to any of our applications, resulting in drastically more efficient (and often more accurate/reliable) processes.
In Power Automate, we can accomplish all of this without writing a single line of code. We can use established authorization credentials to quickly take advantage of our myriad third-party applications, and we can leverage Cloudmersive Connectors to perform value-add services as files flow from one folder to another.
In the below demonstration, we’ll walk through a simple & useful flow which uses the Cloudmersive File Processing Connector to secure a Zip archive with password-protection and encryption measures. On top of saving our secure file in a new storage location, we’ll ask our flow to email the resulting file to an address of our choosing. All we’ll need is a Cloudmersive API key copied to our clipboard, and we’ll be ready to consolidate our Zip security & file sharing workflows into a single button with simple input fields.
1 – Starting from the Power Automate home page, let’s click Create and “start from blank” by selecting an Instant Cloud flow.
In the Instant Cloud Flow window, let’s select the option to Manually Trigger a Flow, and then let’s click Create so we can head to the flow diagram page.
2 – On the flow diagram page, let’s open our Manually Trigger a Flow step and click on Add an Input. Let’s incorporate a File Input field into our flow. When we eventually run our flow, we’ll be able to use this trigger to select our zip archive.
Below our file input, let’s add three additional inputs. The first two will be Text inputs, and the final will be an Email address input. Let’s label our first text field File Name, and then let’s label our second text field Email Message Body. We can leave the email input blank, or we can name it something like Send To: if we want.
3 – Let’s now click New Step and type Cloudmersive into the search bar. From the list of Cloudmersive connectors below, we want to select the Cloudmersive File Processing connector with the purple thumbnail.
If we haven’t used this connector before, we’ll encounter the connector authorization step before we reach the actions list. We just need to give our connection a name, and after that we can paste the API key we copied from our account page into the API key field. If we don’t have an API key yet, we can get one for free by registering a free account on the Cloudmersive website, and we’ll get a limit of 800 API calls per month with no additional commitments.
Once we reach the actions list, let’s search for the action called Encrypt and Password Protect a Zip File. We should see this action at the top of the actions list, and we can select it from there.
To configure this action, we need to enter file content from our trigger step in the first field, and then we need to enter our choice of password and encryption algorithm in the following two fields. The default & recommended encryption algorithm is set to AES-256, but we can elect to change that to either AES-128 or PK-Zip if we want. We’ve left the encryption field blank in the below example so our flow will default to the recommended algorithm.
4 – Now that we’ve applied password protection and encryption security measures to our Zip file, let’s click New Step and search for a Create File action. Since the file we’re using in this demonstration will come from a SharePoint folder, we’ll be saving it in a OneDrive folder called Secure Zip Archives so we don’t have to manually upload it later. As a result, we’re going to select the OneDrive For Business Create File action and configure our request accordingly.
When we designate our new file’s name, let’s type “secured” followed by the dynamic content labeled File Name we created in our trigger step. This way, we’ll uniformly change the file every time we perform this operation. In the File Content field, let’s make sure we select output from our Cloudmersive File Processing action.
5 – Now that we’ve officially created our new file, we can go about formulating the email we’ll send out at the end of our flow. Before we do that, however, we’ll first need to get our new file’s content.
Let’s click New Step and search for the Get File Content action associated with the OneDrive for Business connector.
We need our new file’s unique identifier to satisfy this action’s request parameter, and we can supply that by selecting dynamic content labeled Id from our Create File step.
Let’s now click New Step one last time and search for the Office 365 Outlook Connector action called Send an Email (V2).
Within this action, let’s utilize the dynamic content we created in our trigger step to customize our email step-by-step. For our email subject, we can either enter standardized reusable text or supply our file name along with other details about the flow run. This depends entirely on our unique preferences.
To attach our Zip file to this email, let’s click on the Show Advanced Options dropdown and use dynamic content from our Create File and Get File Content steps to satisfy our Attachments Name and Attachments Content fields. We should include the dynamic content labeled File Name and File Content respectively.
6 – We can now save our flow and run a test. When we click Test in the top corner of the page, let’s select the option to Manually trigger our flow, and then let’s confirm our connections directly after that.
On the Run Flow tab, we’ll have the ability to supply a file, enter our file name, customize our email message body, and finally enter the email we want to send our file to.
When we run our test, our recipient should receive the following email:
On top of that, our OneDrive folder should hold a copy of our new file:
In one simple flow, we quickly consolidated a repetitive process into one simple & reusable button, with our Cloudmersive File Processing Connector performing a key value-add service in the middle. Easy!
For more information about Cloudmersive APIs and Cloudmersive Power Automate Connectors, please do not hesitate to reach out to a member of our sales team.
|How to Scan Outlook Email Attachments for Viruses and Malware using Power Automate
|8/30/2023 - Brian O'Neill
Given the ever-growing popularity of malicious spam emails, it’s worthwhile to layer in security policies against threatening file attachments in our Outlook inbox. Redundancy goes a long way toward protecting our system from unexpected threats.
Using the Cloudmersive Virus Scan Connector in Power Automate, we can set up a quick & easy automated flow that checks Outlook email attachments in a specific folder for viruses & malware. This means we can scour files for more than 17 million virus and malware signatures – all in a single automated API request.
Below, we’ll walk through all the steps you’ll need to set up your own automated virus & malware scanning flow in minutes.
1 – Starting from the Power Automate home page, let’s click Create on the lefthand side of the page and select the Automated Cloud Flow option.
In the Build an Automated Cloud Flow window, let’s search for the When a New Email Arrives trigger associated with the Outlook 365 Connector and select that option.
We can now click Create and head to the flow diagram page.
2 – In our flow diagram, the first thing we should do is specify the folder within Outlook we want to scan. Our main inbox should already be selected; to change this, we can follow the folder icon on the righthand side and navigate our Outlook folder path.
Once we’ve selected the Outlook folder we want, let’s click New Step and search for an Outlook Connector action called Get Attachment.
When we open this action, let’s click on the Message ID field and select corresponding content from the dynamic content window. This content is made available from our trigger step.
Let’s then click on the Attachment Id field and select dynamic content called Attachments Attachment Id. Once we click on this option, Power Automate will automatically wrap our Get Attachment action in an Apply to Each control. That’s because emails can contain multiple attachments, so this action might occur more than once when a single email is received.
We can leave the Original Mailbox Address field blank for now.
3 – Let’s now incorporate our Cloudmersive Virus Scan Connector action. Staying within the Apply to Each control, let’s click Add an Action and search for Cloudmersive connectors. From the list of Cloudmersive connectors below, let’s select the Cloudmersive Virus Scan Connector with the dark blue-green logo.
If we’ve used this connector before, we’ll jump straight to the connector actions list. If we haven’t, we’ll be asked to name our connection and supply our Cloudmersive API key first. We can name our connection anything we want, and we can simply copy the API key from our Cloudmersive account page and paste it into the API key field.
Once we reach the actions list, let’s select the Scan a File for Viruses action.
Within the Input File field, let’s select the dynamic content labeled Content Bytes made available from our Get Attachment step.
Our flow is now ready to trigger upon receiving an email in a specified Outlook folder, retrieve the attachments from that email, and scan the contents of those attachments for more than 17 million virus and malware signatures.
If attachments are infected, our Scan a File for Viruses action will return a CleanResult: False response. If attachments are clean, we’ll receive a CleanResult: True response instead. In the former scenario, we’ll also receive a FoundViruses array containing information about the viruses which were identified.
4 – We can efficiently use this action’s Boolean response to trigger a condition that takes certain steps depending on the results of our scan. For example, we can set CleanResult equal to true and ask our If No scenario to delete the original email when false responses are received (while asking our If Yes scenario to do nothing in response to clean files).
We could also elect to quarantine the infected files for further analysis while deleting the email to remain safe from immediate harm. We can utilize two Cloudmersive File Processing Connector actions to accomplish this – the first labeled Compress Files to Create a New Zip Archive, and the second labeled Encrypt and Password Protect a Zip File.
We can easily test our flow using clean files to receive a CleanResult: True response. Depending on the recommendations/preferences of our Security team, we could trigger a CleanResult: False response using inert malware signatures made available on the EICAR website.
For more information on the Cloudmersive Virus Scan API & Virus Scan Connector, please do not hesitate to reach out to a member of our sales team.
|How to Scan OneDrive Folders for Viruses and Malware in Power Automate
|8/28/2023 - Brian O'Neill
Power Automate is a steadily growing platform with immense utility. Through simple point-and-click designs, we can make efficient connections between applications, and we can take steps to automate file processing & administration tasks that might’ve once stolen our time away from more important projects.
One of the many hidden benefits we can gain from Power Automate flows is improved redundancy in our file storage security policies. Using the Cloudmersive Virus Scan API in Power Automate, we can easily engage powerful virus scans any time new files enter one (or multiple) target folders in our OneDrive file storage system.
In the below demonstration, we’ll walk through a few simple steps to automate OneDrive folder virus scanning in Power Automate. In just a few minutes, we'll be able to scan dozens of common file types for more than 17 million virus and malware signatures.
1 – Starting from the Power Automate home page, let’s select Create and click on the Automated Cloud Flow option.
In the Build an automated cloud flow window, let’s search for a OneDrive flow trigger called When a File is Created. Once we find it, let’s go ahead and select it, and then let’s click Create to head to the flow diagram page.
2 – On the flow diagram page, let’s configure our trigger step by selecting the folder we want to scan. We can accomplish this by clicking on the folder icon and navigating our OneDrive folder path.
3 – Now we can incorporate our Cloudmersive Virus Scan Connector action.
Let’s click new step and type Cloudmersive into the search bar. From the list of Cloudmersive connectors below, let’s select the Virus Scan Connector with the blue-green logo.
If we haven't yet used this connector, we'll receive a prompt to name our connection and provide our API key at this stage. We can name our connection anything we want, and we can then copy & paste an API key from our Cloudmersive Account Page. Once this information is entered, it'll save automatically for future uses.
From the Virus Scan Connector actions list, let’s select the action called Scan a File for Viruses.
To configure our request, let’s click on the Input File field and select File Content from the dynamic content window. This content is automatically retrieved when a new file is added to our target folder in OneDrive.
Our flow is now ready to trigger upon receiving a file in our target folder, retrieve the content of that file, and scan it for 17 million+ virus and malware signatures. When infected files are identified, the API response will return a CleanResult: False value. Clean files will return a CleanResult: True value instead.
4 – There are a variety of steps we can take to handle a scenario where an infected file is identified. The simplest option is to create a condition that takes different actions based on the CleanResult response. Below is one example of a condition that takes no action when clean files are detected and deletes the file outright when virus and malware signatures are identified.
To test this flow and trigger a CleanResult: True response, we can use any common file type we expect to store in this folder. To trigger a CleanResult: False response safely, we can utilize an inert file threat made available on the EICAR website (this of course depends on permissions/limitations set out in our particular environment).
For more information on how you can use the Cloudmersive Virus Scan API & Cloudmersive Virus Scan Connector to protect your applications and file storage locations, please do not hesitate to reach out to a member of our sales team.
|Why are HTML Files Dangerous?
|8/23/2023 - Brian O'Neill
While most HTML files we encounter are legitimate – containing anything from web design iterations to browser-accessible versions of Office file formats – the dissemination of HTML files for the purpose of spreading malware and/or performing other common malicious web activities has grown considerably in recent years. HTML files can house a surprisingly wide variety of threats in their various elements, and as a result, it’s critical to exercise extreme caution before opening and viewing the contents of these files.
What Makes HTML Files Dangerous?
Further, modern versions of HTML make it possible for cyber criminals to embed malware within the HTML file itself. This means that opening a malicious HTML file might directly inject the user’s device with malicious scripts and/or executable content. Malware including ransomware, spyware, viruses, trojans & more can infect a device in this way, compromising sensitive internal systems and placing the attacker in control of valuable content.
These are just a few of the more notable examples of HTML file threats. Depending on the vulnerabilities present in the victim’s environment, HTML can be used to launch Cross-Site Scripting attacks within a web application, initiate automatic file downloads, and much more.
Where can Malicious HTML Files be Shared?
In general, email is the most common method attackers use to share malicious files and URLs at scale, and attackers typically rely on social engineering techniques to encourage unsuspecting victims to access malicious content in their inbox. While many such emails are detected by anti-spam policies and siloed away from primary inboxes, emails which are more targeted (particularly those originating from compromised devices which were once trusted/corresponded with) are often capable of breaching these policies and hiding in plain sight.
It’s also possible for attackers to share HTML files through client-side file upload portals. The growth of affordable cloud-storage locations has made file upload portals drastically more popular in recent years, making it possible for a wider variety of companies to accept User-Generated Content (UGC) directly from client-side users. Latent attacks on cloud storage instances have increased as a result, often beginning with an attacker sharing a malicious file through a file upload portal and culminating in an unsuspecting internal or external user accessing that content later. It’s possible for attackers to hide malicious HTML content under the guise of different file extensions and fool weakly designed validation policies.
Mitigating HTML Threats with Cloudmersive
The Advanced Scan iteration of the Cloudmersive Virus Scan API offers 360-degree protection against more than 17 million virus and malware signatures & a variety of hidden content threats. After deploying this API in a network proxy or adjacent to an Azure Blob, AWS S3, SharePoint Online Site Drive or Google Cloud storage instance (or in a variety of other locations via custom code deployment), you can set custom threat rules against a variety of threatening file types, including HTML files, scripts, executables, invalid files, password-protected files, macros, unsafe archives, and more. This API will perform in-depth content verification on each file it scans, ensuring the contents match the extension while allowing you to block unwanted file types entirely with comma-separated file extension whitelisting.
For more information on the Cloudmerisve Advanced Virus Scan API, please do not hesitate to reach out to a member of our sales team.
|What is a Botnet?
|8/16/2023 - Brian O'Neill
In 2016, a customer of one of the world’s largest cloud-hosting providers experienced a large spike in traffic on one of their servers. Nearly 150,000 devices visited the server at once, amounting to more than 1 terabit-per-second of traffic. Unable to support such a massive volume of server requests, the server was rendered inaccessible for 7 days before it was eventually salvaged.
This server had been subjected to the largest Distributed Denial of Service (DDoS) attack ever recorded up until that point, nearly doubling the volume of traffic experienced in another attack (around 620 gigabits-per-second) which had occurred only days prior. This large-scale attack had been carried out by hundreds of thousands of compromised Internet of Things (IoT) devices located all around the world, all making requests to the same target server in unison.
Unbeknownst to the owners of those compromised devices (which consisted of cameras, home routers, video players, etc.), malware distributed by an attacker had, at some point in the recent past, silently infected their devices and established remote connections between those devices and the attacker’s personal command-and-control servers. This centralized connection allowed the attacker to control the massive group of compromised devices all at once, and this in turn made it possible to launch a coordinated, overwhelming attack against a vulnerable cloud server.
Referred to as “Robot Networks,” or Botnets for short, these groups of compromised devices cumulatively represent a formidable malware threat – one which can be used to carry out disproportionately large cyberattacks on behalf of a single threat actor.
How are Botnets Formed?
To establish a network of compromised devices, an attacker must first gain hold of a smaller group of vulnerable devices using specially crafted malware. This can be accomplished by sharing malware-infected files through various mediums such as email, social media, and more.
Once the attacker’s malware is executed and the initial target devices are compromised, the attacker’s malware can run quietly in the device’s background to avoid detection. It then establishes a remote connection with the attacker’s command & control servers, communicating that it is now capable of receiving updates and instructions from the attacker’s personal environment. The attacker can now use these compromised devices to spread its original malware to an even larger number of devices, exponentially (and indefinitely) expanding their network. The larger the network the attacker can create, the more effective their eventual botnet attacks can be.
What are Botnets used for?
As outlined in the initial example scenario, botnets are most often utilized to carry out Distributed Denial of Service attacks. These attacks usually aim to temporarily disable servers associated with large corporations, governments and/or political groups, damaging the victims’ reputations while increasing the attacker’s infamy.
Botnets can also be used to carry out a variety of other & equally sinister malicious actions. Attackers can, for example, leverage botnets to distribute other common forms of malware (including viruses, trojans, ransomware, spyware, adware, and more) to a wider net of victims. Large botnets create the capacity for attackers to make billions of outgoing malicious requests per day, increasing the likelihood that their malware will infect a substantial volume of target devices.
Attackers can also utilize botnets to compromise smaller and more vulnerable systems within a larger network and leverage those compromised systems to launch subsequent attacks on the network’s interior. This can make it possible for attackers to steal valuable data directly from an organization’s servers, including anything from sensitive customer information to irreplaceable intellectual property.
When botnets become excessively large, the attacker in control of a network may even rent out or sell segments of their network to other cybercriminals on the dark web. There are many additional examples.
How can Botnet Threats be Mitigated?
Because botnets are typically amassed through regular malware attacks (via email, file sharing, etc.), preventing the growth and proliferation of botnets begins with protecting our own devices against regular malware attack vectors.
Staying alert to the possibility of dangerous spam emails, untrustworthy content and social engineering ploys has a key role in preventing the growth of botnets.
Further, it’s often possible to tell if our device has been compromised by analyzing the performance of our applications and the speed of our regular internet activities. If we suddenly notice a significant drop-off in speed and performance on our device, it’s possible that malware could be running in the background and passively eating up our computer’s resources.
Preventing Compromised Devices & Detecting Botnet Traffic with Cloudmersive APIs
The Cloudmersive Virus Scan API can be used to help prevent malware from infecting your devices and adding them to a botnet. In addition, you can use various iterations of the Cloudmersive Security API to determine whether devices which are known participants in established botnets are visiting your network.
The Advanced Scan iteration of the Cloudmersive Virus Scan API can be used to scan files and content for malware. This API can be deployed in no-code product form at the network edge (Cloudmersive Shield) within forward or reverse proxies, and it can be used to perform in-storage scanning (Cloudmersive Storage Protect) for AWS S3, Google Cloud Storage, SharePoint Online Site Drive, and Azure Blob storage instances. This API additionally scans files for viruses and unwanted content types including executables, invalid files, password-protected files, and more.
The Check if IP Address is a Known Threat Security API iteration can be used to determine if a certain IP address is currently included on a continuously updated list of bad Ips, botnets, compromised servers, and other similar threats. If one of these threats is detected, the threat type will be identified in the API response through the “ThreatType” string value.
Similarly, the Check if IP Address is a Bot Client Threat Security API iteration can be used to check if IP addresses are bots, robots or otherwise non-user entities. This API leverages real-time signals to check against high probability bots, returning an “IsBot” Boolean with the threat detection outcome.
For more information on Cloudmersive Virus Scan APIs and Security APIs, please do not hesitate to reach out to a member of our sales team.
|What is a Virus?
|8/9/2023 - Brian O'Neill
The word “Virus” is often used as a catch-all term to describe any malware that infects a computer. The real definition is a bit more specific than that, however, so it’s important to make that distinction clear.
Computer viruses are malicious programs designed to latch onto files and replicate themselves throughout a system. Unlike other similar & equally prevalent forms of malware which can spread completely autonomously (i.e., worms), viruses require some form of interaction to initiate the injection of a malicious payload before they can spread from file to file and/or from system to system. The term “virus” is a direct reference to biological viruses which spread from person to person through regular human contact.
How do Computer Viruses Spread?
Viruses are most often perpetuated via widespread dissemination of infected files or compromised URLs through popular communication mediums like email. Common Office document formats like Excel, MS Word, and others have been utilized for this purpose for several decades. For example, as far back as 1999, an infamous virus (named the “Melissa” virus) afflicted more than 250,000 computers, hijacking email applications on the devices it compromised to rapidly share Office documents containing infected macros with other unsuspecting users.
Today, the increasing popularity of applications which allow direct file upload processes means these same infected documents and URLs can now enter professional networks through insecure upload portals.
Even before the internet took off in the early 1990’s, cybercriminals transmitted primitive computer viruses over floppy disks. While floppy disks themselves are now a relic in the history of computer hardware, their modern-day equivalents (hard drives and USB storage devices) are still utilized to accomplish the same outcome – albeit less frequently than methods involving internet communication.
Cybercriminals can also disguise viruses as seemingly legitimate software/application downloads. In such cases, the virus can be more accurately described as a “Trojan Horse”, or “Trojan” for short. Once a user initiates a download, the virus can spread rapidly through their file system and exploit an exponential number of sensitive file locations, one after the other, until the entire system is compromised.
What is the Impact of a Virus Attack?
Virus attacks often lead to disastrous outcomes for a target device and/or its network of adjacent devices. Viruses can be designed to rapidly exfiltrate, delete or hold sensitive data hostage (i.e., ransomware), interfere with a device’s regular functionality, compromise a device and utilize it in subsequent attacks (i.e., botnet attacks) on external devices, and much more. The scope of the impact a virus can have depends largely on the specific type of virus which is used and the security architecture of the affected device/network of devices.
How can Virus Threats be Mitigated?
Because viruses most often require users to open infected files, click on & visit malicious URLs or physically insert compromised hardware into their device, extreme caution around potentially untrustworthy content remains one of the strongest best defenses against virus attacks. Emails containing malicious attachments and URLs are often identifiable by small errors or inconsistencies in the email domain or in the message body itself, and infected file uploads often have suspiciously complex or generic titles.
Detecting Viruses with the Cloudmersive Virus Scan API
Deploying the Cloudmersive Virus Scan API (Basic or Advanced versions) will help protect your system against a continuously updated list of 17+ million virus and malware signatures. This API accepts URLs and a wide range of file types (including all Office formats, HTML, PDF, .ZIP, over 100 image formats, and more), and specific iterations of this API can be deployed to scan AWS S3, SharePoint Site Drive, Azure Blob, and Google Cloud files in-storage.
For more information on Cloudmersive Virus Scan APIs, please do not hesitate to reach out to a member of our sales team.
|What is Malware?
|8/7/2023 - Brian O'Neill
Cybercriminals use diverse methods to attack, infiltrate and compromise our systems and devices. The motivations for launching these attacks also vary, with end-goals ranging from lucrative data exfiltration to a simple desire for infamy across the digital world.
When we take a step back from the specific details and circumstances attached to any given cyberattack, we can acknowledge that they share one common theme. In one way or another, the majority of these attacks employ malicious software – “Malware” for short – to achieve their goals.
The term Malware broadly labels a category of software which is developed with the explicit intention of exploiting systems, networks and/or valuable data. In much the same way lawful organizations depend on the persistent evolution and improvement of legitimate applications and tools to create new value in a digital space, cybercriminals largely rely on the innovation and expansion of Malware to efficiently breach modern systems and networks.
What are Examples of Malware, and How is it Spread?
Malware can be broken down into a few major categories, all of which contain distinct sub-categories of their own. Malware is most often spread through the dissemination of infected content via spam emails and other common internet communication mediums, and it is typically hidden within compromised files, URLs, applications, and devices.
Perhaps the oldest and most widely understood category of malware is Viruses. These programs replicate themselves throughout a system once their host (typically a file or URL) is opened and executed, and they serve myriad purposes for cybercriminals attacking a target system.
Another major category of malware is Worms. In a similar way to Viruses, Worms self-replicate and move rapidly through a system, consuming valuable resources and damaging important content along the way. They differ from Viruses in that they do not require an initial executable host to begin replicating and spreading their contents. This trait makes them a particularly dangerous and unpredictable form of malware.
Any malware which is designed to deny an individual user or organization’s access to internal data in exchange for monetary compensation is considered Ransomware. When malware is designed to covertly enter a system and perform surveillance activities, it is considered Spyware. In addition, malware intended to forcibly advertise third-party content on a device is called Adware.
Devices compromised by Viruses, Worms, and other malware programs can themselves become weaponized as a form of malware called Botnets. These groups of compromised devices are typically controlled by a single threat actor and used to launch distributed cyberattacks against larger networks or groups of individual users.
How can Malware Threats be Detected and Mitigated?
Preventing malware from infiltrating a system begins with establishing a strong perimeter defense around a network. This generally involves deploying a strong firewall, setting up forward and reverse proxies at key network chokepoints, and training users to avoid accessing malicious files and links which may have been shared with them via email or other common communication methods.
When malware breaches a network’s perimeter, efficient compartmentalization of internal resources coupled with multiple redundant security policies helps prevent the spread of that malware internally. Latent malware running on a device (or network of devices) can be detected by using commercial network monitoring products or by logging and reporting noticeable dips in system performance (latent malware typically consumes a considerable volume of network/system resources and thus slows down other applications and tools).
Detecting Malware with Cloudmersive
The Cloudmersive Virus Scan API references a continuously updated list of more than 17 million virus and malware signatures, and it can be deployed to detect malware embedded within files and URLs as those hosts attempt to infiltrate a system or network.
Basic and Advanced versions of the Virus Scan API can be deployed flexibly as low-code solutions. The advanced version of this API, which offers 360-degree protection against viruses, malware, and non-malware content threats (including executables, invalid files, scripts, password-protected files, macros, and more), can be deployed in no-code product form at the network edge and as an in-storage scanning solution for popular cloud products including AWS S3, Azure Blob, SharePoint Site Drive and Google Cloud Storage.
For more information on how the Cloudmersive Virus Scan API can help protect your network and storage systems against malware threats, please do not hesitate to reach out to a member of our sales team.
|What is a SSRF (Server-Side Request Forgery) Attack?
|8/2/2023 - Brian O'Neill
If URLs supplied through client-side web applications aren’t rigorously validated, they can be used to force vulnerable server-side applications into accessing unauthorized data - or even sensitive, internal network resources - on behalf of a cybercriminal. In such cases, the database or backend server processing the request might interpret the malicious URL as though it originated from inside of the application’s trusted network, enabling the request to bypass internal security policies and retrieve resources without needing any permissions. Referred to as Server-Side Request Forgery (SSRF), this attack vector can lead to a variety of extremely negative outcomes, including anything from large-scale data exfiltration to Denial-of-Service attacks.
How do SSRF Attacks Work?
Once a cybercriminal identifies an SSRF vulnerability, they can exploit it by submitting a modified HTTP request (containing a malicious URL) through a client-side web application. This URL contains parameters that specify which server resources the attacker wants to gain access to. The vulnerable server-side application believes it can trust this URL’s request parameters because it appears to originate from within the application’s trusted network, rather than from the client-side browser it really originated from.
If the attacker’s goal is to exploit the web application server, the malicious URL will often contain a common local hostname followed by a specific path to the attacker’s desired resources. This can allow the attacker to circumvent normal authentication protocols and access resources directly from the application server, retrieving sensitive details which are only intended for permissioned internal or external users. Application server databases with REST interfaces (NoSQL databases), for example, can be forced to submit data to the malicious URL, thereby unintentionally exfiltrating sensitive data.
If the goal of the attack is to exploit internal-facing backend servers adjacent to the application server (i.e., those which don’t contain any resources intended for external users whatsoever), the attacker can formulate malicious URLs which call out those adjacent server IP addresses and mimic internal admin controls. Vulnerable backend servers are often entirely unprotected against requests which appear to originate from within the “secure” network perimeter, and as a result, they can be forced into sharing administrative permissions and other sensitive internal information in response to the URL’s request parameters. This information can be used to carry out subsequent attacks against the vulnerable network, and once compromised, this network can in turn be used to carry out attacks against separate external networks.
How can SSRF Attacks be Prevented?
Mitigating SSRF attacks starts with performing an exhaustive review of internal and external network security architecture. Organizations need to ensure client-side inputs are validated, and they need to make sure URL requests can only be made to necessary network resources. It’s important to extensively compartmentalize internal and external resources in a network so that internal administrative controls don’t implicitly trust requests from server-side web applications.
Detecting SSRF Threats with Cloudmersive
Using the SSRF detection iteration of the Cloudmersive Security API, organizations can detect SSRF threats from input URL strings and learn the level of threat (low, medium, or high) associated with that input URL. If, for example, a URL containing the common SSRF attack parameters “localhost/admin” were entered, the API response would return a “CleanURL: False” response with a “ThreatLevel: High” description. This response allows organizations to prevent SSRF attacks and simultaneously log data on those attacks to better understand threats to their network.
For more information on Cloudmersive Security APIs, please do not hesitate to reach out to a member of our sales team.
|What is a SQL Injection (SQLI) Attack?
|7/26/2023 - Brian O'Neill
When a client-side user searches for content on a website, logs into an account on a web application, or fills out any type of interactive form online, they are submitting data to query information from an underlying (in most cases SQL) database. At a high level, the website/web app first receives a user’s information through a designated user-input field, then structures a SQL query to store, modify or validate that information in some way, and finally returns a result which the user can view on their browser.
In many ways, these simple interactions with SQL databases embody the utility of the internet, enabling clients and hosts to exchange and mutually benefit from valuable data sets at high speeds.
Consequently, however, the user input fields which capture and submit valuable client-side information also represent direct pathways which cyber criminals can use to illegally access database information. If a website/web app fails to rigorously secure its user input fields, threat actors can exploit automatic SQL queries by structuring and submitting malicious queries of their own, inducing a database to take unauthorized actions on their behalf.
This attack vector, referred to as SQL Injection (SQLI), is a very common web security threat which has impacted dozens of high-profile websites/web apps in the past few decades. It remains an extremely attractive attack vector due to the steadily increasing volume of sensitive data that users provide to online services.
How do SQLI Attacks Work?
To carry out an SQLI attack, an attacker must first identify a vulnerable website/web application. In this case, a vulnerable website/web app can generally be considered one which does not properly validate or sanitize user input before structuring that information in a database query. A website/web app's degree of vulnerability can also be impacted by out-of-date technology; SQLI attacks are much more commonly carried out against websites/web apps with older functional interfaces.
Once a vulnerability is identified, the attacker can enter a malicious query into a vulnerable user-input field. These input fields most often include login forms (where authentication details are entered), search fields (where publicly available resources are queried), contact forms (where personal information is entered), feedback forms, and even URL parameters in some cases.
What is the Impact of an SQLI Attack?
When a website/web app executes a user-supplied SQL query against the database, the attacker can retrieve information that far exceeds normal request parameters. As a result, the extent of damage caused by these attacks tends to vary significantly based on the skill and sophistication of each individual attacker.
The most common goal of an SQLI attack is to read (access) sensitive user data in the database. Personal information, such as email addresses and phone numbers, can be stolen by the attacker and sold to malicious third parties and/or used to carry out subsequent cyber-attacks. The simplicity of this goal makes any website that stores sensitive user information, regardless of its size or reputation, a worthwhile target for motivated threat actors.
In addition, database information can be deleted outright in SQLI attacks, resulting in severe financial losses for the affected website/web app. Administrative database permissions can also be obtained, allowing the attacker to control the database. In extreme cases, the attacker can even gain complete control of the application and/or issue commands to the operating system itself.
How Can SQLI Attacks be Prevented?
To prevent SQLI attacks, websites/web apps should heavily parameterize database queries with prepared statements and include automatic input validation measures to scrutinize user input before formulating a query.
In addition, the SQLI Detection iteration of the Cloudmersive Security API can be implemented to check user-facing text input strings for SQLI attacks. This API identifies SQLI attacks and returns a Boolean (“ContainedSqlInjectionAttack”) indicating if an attack was identified from text input. The API response also contains the original input string, making it easy to remove/delete threats before they can impact the underlying database.
For more information on how the Cloudmersive Security API can protect your websites/web applications against SQL injection attacks, please do not hesitate to reach out to a member of our sales team.
|What is Cross-Site Scripting?
|7/20/2023 - Brian O'Neill
When visiting a web page with public-facing user input fields, we’re encouraged to submit content that alters what subsequent visitors see on that web page. For example, if we want to comment on an article we just read on a news site, we can simply type a string of text into a clearly labeled “comment” field, and once we’re done, we can click “enter” or “submit” to incorporate that information into the web page’s display. When the next visitor to this news site opens and reads that same article, their browser will interpret updated information from the web server that includes our comment, and that visitor can now read our comment along with the original article.
Most of the time, the content of the comments we post is exactly what the web application expects (in this case, something to the effect of plain text with a few punctuation characters here and there). If the website has high security standards, it won’t blindly trust that users are entering the exact form of content it expects – it will attempt to validate and clean that input to enforce its content limitations. If, however, the application does not properly validate and sanitize the input we’re allowed to submit, a user (threat actor) with malicious intent can easily induce the server to display insecure content – which they fully control – for subsequent web page visitors. This threat actor can, for example, enter malicious scripts into comment fields that other users’ client-side browsers automatically interpret and execute, allowing them to infiltrate and compromise those users’ devices.
This scenario represents one of several ways in which a common form of cyber-attack – widely referred to as Cross-Site Scripting (XSS) – can be carried out through a vulnerable website or web application. Once malicious scripts are executed by a client-side user’s browser, there’s little the affected user can do; the attacker can now carry out criminal actions such as stealing the user’s personal information, hijacking their session, redirecting them to malicious websites with virus or malware payloads, and much more. When this occurs, the vulnerable website or web application bears responsibility for allowing this breach to affect a patron of their service, and the ensuing loss of trust can significantly impact their future business prospects.
How Does Cross-Site Scripting Work?
To initiate an XSS attack, a threat actor must first identify a website which has poor input validation and sanitization measures. Targets in real-life XSS breaches have included a variety of popular sites including prominent news sites (exploiting insecure comment sections as outlined in the example above), email hosts, social media sites, and even ecommerce platforms.
When an attacker identifies an XSS vulnerability, they can enter a malicious script into a user-input field and induce subsequent client-side browsers to execute that script. They can also inject scripts using malicious URLs, HTTP headers and insecure Cookies. These attacks can impact more than one user at a time, and in particularly devastating cases, they can be extremely difficult for those users to recover from.
What Makes a Website Vulnerable to Cross-Site Scripting?
A website is vulnerable to Cross-Site Scripting attacks when it does not properly scrutinize user input or attempt to neutralize potential threats before it displays user-supplied content for subsequent web page viewers.
A web page must first validate the input it receives against the input it expects; for example, if a particular input field expects only integers, it should not process and display string values or special characters, and it must not allow incorrect content to persist to the database.
The web page must also sanitize user supplied content, which means removing malicious elements from the original user input. If, for example, an attacker attempts to initiate an XSS attack by supplying a malicious script enclosed within HTML tags, the web application should ensure these tags are completely removed from the text input so user-supplied HTML cannot be executed in the next visitor’s browser.
Preventing XSS Attacks with Cloudmersive APIs
The XSS Protection iteration of the Cloudmersive Security API defends web applications against XSS attacks by detecting and subsequently normalizing (removing) threats from an input string. The API response provides a Boolean determining if the input string contained an XSS attack, and below that, it supplies a string containing the original (potentially threatening) input along with a string containing the Normalized Result after the threat is rendered inert.
For more information on the XSS Protection iteration of the Cloudmersive Security API, please do not hesitate to reach out to a member of our Sales Team.
|What is a Trojan?
|7/14/2023 - Brian O'Neill
For a threat actor to initiate a cyberattack, they first need to find a way through the front gates of a target network. Threat actors perpetually seek out fresh vulnerabilities and test new attack vectors in pursuit of this goal, attempting to stay ahead of the fast-evolving cybersecurity curve.
Through all the persistent innovation in cyberattacks, however, the art of disguising threats in plain sight remains among the most effective network-breaching methods. Successfully tricking a user on a target network into accessing malicious content can rapidly snowball into a virus or malware download, and once that download occurs, subsequent attacks can be carried out within that user’s device (or, in some cases, multiple devices attached to the same network) to steal data or use their IP address for further malicious activity.
Named after the infamous wooden “gift” that famously penetrated the walls of Troy more than 4,000 years ago, Trojan Horse threats (Trojans) are a long-standing and prolific cyberattack vector, accounting for a high volume of successful breach attempts on Windows operating systems.
Trojans are a type of malware specifically designed to appear as a normal, legitimate file or program to the naked eye. Unlike viruses, which are often capable of executing without the help of user download, trojans require the victim to willingly access their contents before injecting a malicious payload. They’re most often used as a method for installing other types of malware, like viruses, worms, or ransomware, onto a victim’s device.
Trojans are very frequently spread through emails which spoof trusted external contacts or information sources. The Trojan malware itself is usually included in a file attachment, which will quickly download and install its contents once the victim clicks on the file to open it. These same types of infected files can often be found on malicious websites which aim to gain a victim’s trust by appearing like other websites that legitimate files are commonly downloaded from (imagine, for example, a fake research website promoting a free download of their report on recent marketing trends). In addition, trojans can hide alongside application downloads which are usually safe, “piggybacking” on legitimate software to sneak onto a victim’s device.
Common Types of Trojans
Because Trojans can be used to carry a wide variety of threats, they can be used to achieve an equally diverse set of malicious outcomes.
One of the most common and damaging types of trojan is a Backdoor Trojan, which attackers can use to directly take control of a computer. Once the attacker gains unrestricted access to a computer, they can download valuable data to an external device and take a variety of other malicious actions.
Trojans are also frequently used as a precursor for carrying out Distributed Denial of Service (DDoS) attacks on a separate target. Attackers often carry out DDoS attacks by flooding a target server (typically one operated by a large company or government organization) with requests, and they can assemble the required group of compromised devices by sending Trojans to victims via spam emails or through social media platforms.
Further, ransomware – an extremely common form of malware designed to hold valuable data hostage until a certain price is paid – is often installed onto a system using a Trojan as the initial attack vector.
Preventing Trojan Attacks
Preventing Trojan attacks on any network of devices starts with training users to identify threatening content. Illegitimate emails can usually be identified with a careful glance at the email address or message body, and file attachments should only ever be accessed when they come from completely verifiable and trusted external locations. In addition, users on any network should always exercise extreme caution when downloading files or applications directly from a seemingly legitimate website. Malicious sites are often flagged by up-to-date web browsers and tracked by reputable cybersecurity organizations. Developers and system administrators can also protect their network and file storage locations from Trojans by frequently updating their security policies and building security redundancy in particularly sensitive areas.
Detecting Trojans with the Cloudmersive Virus Scan API
The Cloudmersive Virus Scan API can be deployed to detect trojans at the network edge in both forward or reverse proxies (Cloudmersive Shield), and it can be deployed to detect trojans stored within cloud storage instances (Cloudmersive Storage Protect) like AWS S3, Azure Blob, SharePoint Online Site Drive, and Google Cloud Storage. Both the Basic and Advanced Virus Scan API iterations provide multi-threat scanning coverage against viruses, malware, trojans, ransomware and spyware, referencing a continuously updated list of more than 17 million virus and malware signatures. The Advanced Virus Scan API iteration is also capable of detecting hidden content threats like executables, macros, scripts, unsafe archives, and more, providing customizable threat rules in the API request body.
For more information about how the Cloudmersive Virus Scan API can protect your system against trojans and other threats, please do not hesitate to reach out to a member of our sales team.
|Why Text Files Are Unsafe for File Upload
|7/11/2023 - Brian O'Neill
What are TXT Files?
TXT files, verbally referred to as “Text” files, are universally interoperable files capable of storing any information represented in plain text format. This means they’re equipped to carry a very wide range of content – including anything from paragraphs of prose to arrays of data and lines of code – between just about any application or operating system.
How are TXT Files Typically Used?
The versatility of TXT files leads to their use in a wide range of practical scenarios. For example, they’re just as easily leveraged for jotting down notes during a team meeting as they are for storing lines of application source code (many of the configuration settings for our various software applications are stored in TXT format). On top of that, TXT files are frequently used for sharing large volumes of text-format data (JSON, XML, etc.) across networks due to their compact file size.
Why Should I Avoid Text File Uploads?
While TXT files are useful in some practical internal scenarios, the problem with uploading them to an accessible file storage instance is that they lack a formal file structure. First and foremost, this makes them impractical for sharing with consumers and business users alike (structured formats like PDF, DOCX, XLSX are designed to make plaint text information more presentable and usable), and, crucially, it makes their contents extremely difficult to verify beyond the file extension level. Any text-based program or script is technically a valid TXT file, which makes TXT file uploads viable attack vectors capable of carrying malicious code into sensitive storage locations.
Rather than assume unnecessary risk by uploading raw TXT files to storage, you can take advantage of their interoperability instead by using their contents in structured multimedia file formats (like PDF, for example). Once stored in a verifiable format like PDF, potentially threatening content can be quickly detected and flagged with content verification security policies.
How can the Cloudmersive Advanced Virus Scanning API Protect my File Uploads?
Once TXT file contents are stored in a structured file format like PDF, the Cloudmersive Advanced Virus Scanning API can then dig into the file encoding and return a CleanResult: True or CleanResult: False response. In conjunction with this measure, file restrictions policies can be configured to categorically block all incoming TXT files. All told, this will ensure your original TXT file contents can enter storage ONLY after undergoing a standard content verification check.
For more information on how the Cloudmersive Advanced Virus Scanning API can protect your file storage instances, please do not hesitate to contact a member of our sales team.
|What is Spyware?
|7/7/2023 - Brian O'Neill
Personal information is a valuable currency. Full names, dates of birth, contact details, physical addresses, personal/professional connections, and even political affiliations are regularly observed and recorded through legitimate, consented means and often used to create a more personalized online experience for each individual online user. Unfortunately, however, the retrieval and usage of personal information isn’t always limited to legal methods with established commercial outcomes.
What is Spyware?
Private personal information can be illegitimately monitored and even stolen from users on any given device through an insidious type of malware called spyware. This branch of malware is specifically designed to run on a user’s device without their knowledge or consent and report information about that user to one or more external third parties. That information can include extremely sensitive details like a user’s financial information, their keystrokes (any text a user types into their device), their login credentials for various applications, their browsing habits, and much more.
The impact of undetected spyware on any given user’s device or network of user devices can be simultaneously compromising and deeply unsettling, ranging from data theft to identify fraud. Sophisticated spyware can even leverage the built-in video camera and microphone on any given device to retrieve extremely sensitive information about that user’s physical surrounding environment.
Spyware Delivery Methods & Examples
Like most forms of malware, spyware is typically downloaded onto a user’s device without that user’s knowledge. Once the device’s anti-malware security policies are successfully bypassed, covert download techniques allow the malicious program to avoid user detection and carry out long-term spying activities unchecked.
Spam email attachments and links are an extremely common method of distribution, goading a user into initiating a malware download using social engineering tactics. In addition, safe-looking websites with underlying code vulnerabilities can be hijacked and utilized to inject spyware onto an unsuspecting client-side user’s device. It’s also possible for threat actors to package spyware alongside apparently legitimate product download files.
One extremely common form of spyware is Adware, which shares the activity it monitors on the user’s device with external advertisers or data brokers for financial gain. Another common example is a Keylogger (Keystroke Logging spyware), which stores the text information that a user types into their device at any given time – including anything from instant messaging conversations to credit card or login details – allowing external threat actors to spoof that user’s identity and access sensitive applications in their name. There are many more studied examples, and as effective solutions are developed to identify and prevent these iterations from causing harm, new versions inevitably take their place.
Preventing and Detecting Spyware
It’s critically important that users on any personal or professional network carefully evaluate the source of an email attachment or website link before accessing its contents. In addition, spoofed websites can sometimes be identified by a cursory inspection of the domain name and URL, and modern browsers are increasingly capable of alerting users when websites carry hidden threats.
If spyware downloads aren’t detected by a user’s anti-malware security policies, it’s sometimes possible to discern the presence of spyware by analyzing the performance of the user’s device. Spyware applications are always running in the background, which can have a noticeable impact on the efficiency of other applications. In blatant cases, new unidentifiable icons can appear on a user’s desktop homepage, or the homepage background might change entirely.
Detecting Spyware with the Cloudmersive Virus Scan API
The most effective method for detecting spyware (and any form of malware) before installation occurs on a device is through the deployment of regularly updated virus and malware detection software. Using the Cloudmersive Virus Scan API in conjunction with your applications, cloud storage instances, or via deployment at your network edge, you can identify a growing list of more than 17 million virus and malware signatures including spyware, ransomware, trojans, and more.
Additionally, using the Advanced Virus Scan API iteration, you can apply 360-degree content protection with custom threat rules to block hidden threats like executables, macros, scripts, and more. This API can be deployed in no-code or low-code form depending on your specific needs.
For more information on the Cloudmersive Virus Scan API, please do not hesitate to reach out to a member of our sales team.
|What is Ransomware?
|6/28/2023 - Brian O'Neill
According to public reports, well over 200 million ransomware attacks happened in the first half of 2022 alone, and these attacks ultimately accounted for a fifth of all cybercrimes committed in that entire year. Ransomware continues to present a serious risk to organizations across the world, and it’s more important than ever to understand its insidious distribution methods and its notoriously catastrophic outcomes.
What is Ransomware?
Ransomware is a form of cyber-attack which seeks to encrypt a company’s most valuable data and demand payment in return for the decryption key, typically within a timeframe specified by the attacker. This aptly named attack is explicitly carried out for financial gain, standing in contrast to other common attack vectors – such as Distributed Denial of Service attacks – which generally seek to damage the reputation of a company and disrupt its operations.
While decryption without the attacker-supplied key is sometimes possible, it’s usually extremely difficult to recover compromised data in a sophisticated ransomware attack. There’s also no guarantee that the attacker will supply the encryption key once payment is received, so it’s extremely important to proactively defend against ransomware.
How is Ransomware Spread, and How does it Work?
Phishing is by far the most common method for spreading ransomware. Ransomware is generally disguised within everyday content like email file attachments and compromised website links, so spam emails with targeted social engineering attempts are often the most successful methods of distribution. It’s also common to find ransomware links posted or directly messaged to users on popular social media platforms, and instances of distribution via Malvertising (advertising sites compromised with malicious code) have been reported.
Once a victim activates a ransomware file or link, the ransomware is downloaded onto their device and automatically installed. The attacker’s goal is to encrypt valuable data either stored locally on the device or within a larger network of connected applications, and their ransomware is typically configured to find original AND backup files to improve the attacker’s chances of eventually receiving a ransom payment. When files are successfully encrypted, they become inaccessible to the victim, and the victim typically receives clear instructions detailing the ransom payment process. The victim can usually access a link to make a payment to the attacker, but there’s no guarantee whatsoever that the attacker will honor their end of the bargain.
How are Ransomware Attacks Prevented?
First and foremost, out-of-date systems are the most vulnerable to any form of malware attack, so preventing ransomware starts with rigorous patch management and system updates. Robust data backup practices with redundant security policies are also vital to ensuring successful ransomware encryptions don’t hold your business hostage. On top of this, users in any organization should receive extensive training to avoid phishing links and other common forms of ransomware distribution.
It's also vital to implement dynamic virus and malware detection policies. The Cloudmersive Advanced Virus Scan API provides a powerful solution, offering 360-degree content protection against more than 17 million virus and malware signatures and hidden content threats like executables (Windows-based executables account for more than 90% of ransomware attacks), invalid files, scripts, macros, and more. The Website Scan iteration of the Virus Scan API also provides extensive protection against phishing links, virus-infected websites, and a variety of other URL-based threats.
For more information about Cloudmersive Virus Scan APIs, please do not hesitate to reach out to a member of our sales team.
|How to Watermark PDF Files in Nintex
|6/14/2023 - Brian O'Neill
Watermarks are semi-transparent text labels generally used to protect documents from unauthorized use. They can also help promote a brand or enhance the visual appeal of a document depending on the use case. Using the Cloudmersive PDF API in Nintex, you can easily create custom watermarks and apply them to any PDF document in a few quick steps.
In this article, we’ll demonstrate how you can design a Nintex component workflow that adds a fully customized watermark to a single PDF file.
1 – Starting from the Nintex workflow design page in our web browser, our first step is to click on the “Start From” dropdown and select the “Component Workflow” option.
2 – Next, let’s add a step to grab our PDF file. This file used in this example workflow lives in OneDrive for Business, so we’ve included the “Get a File” action in our workflow. This action can be found by searching “OneDrive” or “Get a File” in the search bar on the lefthand side of the page and selecting it from the list of options.
Using any action in Nintex starts with providing authentication credentials via the “Connection” dropdown on the righthand side of the page, and it ends with creating a variable to store the output data from that action. To create an output variable, click on the “Select a Variable” tab under “Store Output,” click “Add Variable,” and then give the variable a name and confirm its data type. In this case, our data type should be “File”. Once the variable is created, it can be accessed from the “Select a Variable” dropdown.
In the below screenshot, we’ve created a variable called “PDF File” and used it to capture the output file from our OneDrive connector.
3 – We can now incorporate out Cloudmersive PDF API action. To find the watermark action, let’s type “Cloudmersive” into the search bar on the lefthand side of the page. This brings up a list of Cloudmersive API connector actions; we can now click on the “Add Text Watermark to PDF” action and drag it into our workflow.
From here, we can click on the action to configure it in the tab on the righthand side of the page.
To create our Cloudmersive Connection, let’s click on the “Connection” dropdown and select “Add Connection”. After that, we can give our connection a relevant name like “Cloudmersive PDF”, and then we can authenticate our connection by copying the API key from our Cloudmersive account page and pasting it into the “API key” field. If you don’t currently have a Cloudmersive API key, you can get one for free by registering a free account with no commitment (this will allow a limit of 800 API calls per month).
With our connection established, let’s now hover over the “File” input parameter and click “insert”. This brings up the option to select the “PDF File” variable we created in the previous step. Let’s click “insert” on that variable to include it in our Cloudmersive PDF API request.
We can now begin customizing our watermark. We can set the watermark’s display text in the “Watermark Text” field, and after that, we can specify out desired font type (by name), as well as the font size, font color, and font transparency level. In our example, we’ve set “Cloudmersive” as our watermark display text, kept the font name at the default value (Times New Roman), set the font size to 100, kept the font color at the default value (red), and set the font transparency level to 0.3.
To finish configuring this action, we need to store its output in a custom variable. We can do so by following the exact same process outlined in the OneDrive “Get a File” step above. Let’s select “Add Variable” from the “Select a Variable” dropdown, give our variable a relevant name like “Watermark PDF Output”, ensure the data type says “File”, and then click “Create” to store our variable. Once stored, we can access it from the “Select a Variable” dropdown.
The configuration step for our “Add Text Watermark to PDF” action is now complete.
4 – Let’s now add a final step to generate our watermarked PDF. This example workflow will once again use a OneDrive for Business connector, so we’ve included the OneDrive “Store a File” action in our workflow. This action is configured to accept the Watermark PDF Output” variable we created and store it in a OneDrive folder of our choosing. We’ve elected to not overwrite existing files in future workflow runs.
5 – Now we can save and test our workflow. Let’s click “Save” in the upper left corner of the page, and let’s then give our workflow a relevant name like “Create Custom Watermark.” In the workflow description, we can specify that this workflow uses the Cloudmersive PDF API connector to accomplish its task. We can optionally elect to set our workflow and business owners, and once we’re done, we can click “Save” to finish the saving process.
6 – After saving our workflow, we can test our workflow by clicking on the “Workflow Testing” option at the top of the workflow design page. Once we do so, Nintex will stage our workflow before asking us to click “Submit” to confirm testing without dedicated start event variables.
Once we click “Submit”, Nintex will run the test and update us with instance details every 10 seconds. We’ll know the test succeeded once we see “Completed” in the “Status” column for each action in our workflow.
7 – With our test complete, we can now check our target folder for the results of our operation. We didn’t include a step to name our new file, so we should see a new PDF file with the generic name “output.pdf” in our folder.
When we open this file, we should see our new watermark running across the center of our document following our exact formatting specifications.
At this point, we’re all done. It’s just that easy to create custom watermarks in Nintex using the Cloudmersive PDF API connector.
For more information about Cloudmersive API connectors in Nintex, please feel free to reach out to a member of our sales team.
|How to Scan Files for Viruses, Malware, and Non-Malware Threats in Nintex
|6/8/2023 - Brian O'Neill
Nintex is a powerful no-code workflow automation platform featuring several built-in Cloudmersive API Connectors. In this article, we’ll walk through how you can set up a Component Workflow to scan files for viruses, malware, and non-malware threats with custom threat rules using the Cloudmersive Advanced Virus Scan API. After creating and publishing a Component Workflow in Nintex, we can call our new component from future workflows as a value-add service.
1 - Our first step is to create our new Component Workflow in Nintex. From the Workflow Dashboard, let’s click “Create Workflow” in the top left corner of the page.
2 - This brings us to the Designer page where we can incorporate new actions into our workflow. We should see a “search” tab on the lefthand side, two actions labeled “Start Event” and “Workflow Complete” in the center, and a configuration tab on the righthand side.
To begin, let’s specify that we’re creating a Component Workflow. On the righthand side of our page where it says “Start Event,” let’s click on the “start from” dropdown and select “Component Workflow” from the list.
3 - Below that same tab, let’s click “Create Variable.” We need this variable to define the data that can enter this workflow when it’s called externally.
When we click on “Create Variable,” we’ll open an expanded tab called “Variables” where we can quickly define new variables and select them when they’re needed later. Let’s name our first variable “File Input,” and then let’s navigate the Type dropdown to select “File” as our data type. When we’re done with that, let’s go ahead and click “Create” to save our variable.
Our variable should show up like this:
4 - Now we can incorporate the Cloudmersive Advanced Virus Scan API Connector. To find it, let’s click on the plus sign below the “Start Event” action. This brings up a search field where we can type “Advanced Scan a File”. This will bring up the “Advanced Scan a File” action, and we can click on it to incorporate it into our workflow.
5 - Let’s now click on the “Advanced Scan a File” action, which brings up a configuration tab on the righthand side of the page.
The first thing we need to do is create our Cloudmersive connection. Let’s click on the “Connection” dropdown and select “Add Connection”. We can give our connection a relevant name, and then we can authorize our connection by copying and pasting our Cloudmersive API key (found in the Cloudmersive Account page) into the API Key field.
After that, let’s set the file input parameter to consume the “File Input” variable we created at the beginning of our workflow. Let’s click “Insert” on the File parameter, navigate to the “Start Event” variables, and then hover over the “File Input” variable and select “Insert”.
Now we can review this connector’s Yes/No (Boolean) request parameters. These parameters are automatically set to “No”, which means executables, invalid files, scripts, password protected files and macros will all return a CleanResult: False value in the API response object. This is the default recommended setting, but we can of course change these threat rules to suit our needs. We can also include a comma-separated list of accepted file types in the “Restrict File Types” request parameter to limit acceptable files to a specific list of extensions.
After we’ve customized our threat rules, we need to save the API output in its own variable. Let’s click on the “Select a Variable” dropdown and click “add variable.”
Let’s then name our variable “Advanced Scan Results”, leave “Object” as the data type, and click “Create” to save our new variable. We can then select the “Advanced Scan Results” variable in the “Scan Result” dropdown.
We can now access the results of our scan using the “Advanced Scan Results” variable in a variety of different ways. For example, we could use “Send an Email” feature built into Nintex to share the API response with us directly any time a file is scanned using this Component Workflow.
6 - The Component Workflow logic is now complete. We can save our workflow by clicking “Save” at the top of the page. This will bring up a window where we can name our workflow, provide some details about it, and click “Save” to include it in our Workflow Dashboard.
After our workflow saves, we can publish it by clicking on “Publish” at the top of the page. This brings up a window which contains the Workflow Name and Workflow Description we created at the top. When we scroll down this window, we can assign our Component Workflow’s use for production or development, and at the bottom we can add tags and make version comments.
When we’re finished, let’s click “Publish”. This officially launches our Component Workflow and makes it available for usage in other workflows.
That concludes our Advanced Virus Scan API Component Workflow in Nintex! To learn more about using Cloudmersive API Connectors in Nintex, please do not hesitate to reach out to a member of our sales team.
|What are Executables and Why Are They a Threat?
|6/1/2023 - Brian O'Neill
Executables are a vital file type, required to install many of the desktop applications and tools we rely on day to day. They can also be used to inject malware into our system, however, which makes them a potent security threat. Below, we’ll review how legitimate executables work and discuss how malicious executable threats can be mitigated with straightforward security policies.
What are Executables?
Executables are files containing binary machine code which is explicitly intended to run (execute) on a certain computer operating system. These files make it extremely easy to distribute software programs across multiple systems through simple file sharing mechanisms. They’re commonly used to initiate the installation of commercial products like licensed business applications, computer games, and many more examples.
An executable file can be thought of like a list of instructions. After an executable file is launched on a compatible system, the system will load the file’s contents into memory and work its way down the file’s list of instructions, ultimately running the executable file’s program.
Why are Executables Dangerous?
Since executable files are designed to run programs directly after file opening, they present an ideal method for threat actors to install malicious code – including viruses, malware, and a variety of other threat types – onto a victim’s operating system. Attackers can email executable files from compromised external devices and convince victims to open (and therefore execute) their malicious files using social engineering tactics. They can also share these files directly through vulnerable file upload portals for distribution to a wide range of victims who have access to their target application’s database.
Executable files can also be distributed through far more insidious means to avoid detection from poorly configured security policies. For example, attackers can give executable files misleading names, so they appear to be an entirely different file format than they are. A file with a seemingly innocent name like “newemployeeheadshot.jpg” might contain executable contents, and this file might then successfully avoid detection from system users who assume the file contents safely match the simple, descriptive title. Additionally, attackers can bury executable files in compressed archives alongside a number of valid documents. Once files are extracted from these folders, the executable file can lay dormant until it’s opened by a downstream system user at some point in the future.
How can Executable File Threats be Prevented?
Preventing the distribution of malware within any system always begins with user accountability. System users should be regularly trained to identify illegitimate files, and they should know to avoid clicking on suspicious attachments shared from any external source.
It’s equally critical to scan files for malicious content as they enter a system at the network edge, before they enter specific applications, and while they reside in cloud storage instances. The Cloudmersive Advanced Virus Scan API can be deployed in any of those locations, and API administrators can configure custom policies in its request body (or from their Cloudmersive account page) to block executable files from entering their system. This API ignores superficial information like file names, extensions, and headers, instead performing in-depth content verification to detect and report each file’s actual encoding.
This API also scans files for viruses and malware, referencing a continuously updated list of more than 17 million virus and malware signatures in the process. Further, it provides additional request policies for blocking more non-malware threats than just executables, with coverage including scripts, macros, XML external entities, and much more. Any files found to contain viruses, malware, or non-malware threats blocked by custom policies in the API request body will receive a CleanResult: False response. This uniform threat value makes it easy to categorically delete (or quarantine) malicious files in a single API request.
For more information on the Cloudmersive Advanced Virus Scan API, please do not hesitate to reach out to a member of our sales team.
|What is Remote Code Execution?
|5/26/2023 - Brian O'Neill
Remote Code Execution (RCE) is an extremely dangerous attack vector which aims to exploit vulnerabilities in an application’s input validation measures to execute arbitrary code. While RCE is conceptually straightforward, it’s also an extremely broad threat category. There are multiple ways RCE can be accomplished, and the outcomes can vary greatly depending on a threat actor’s individual goals.
What are Common Remote Code Execution Outcomes?
Threat actors can use Remote Code Execution attacks to accomplish a variety of malicious outcomes. A few of those outcomes are outlined below.
One common goal of an RCE attack is to disrupt regular activity within a system or network, often with the intention of causing Denial of Service. By gaining unrestricted access to a system, a threat actor can arbitrarily change important system information, remove critical files, and deny external users access to the system’s internal resources. This type of RCE attack severely damages the victim’s reputation, often causing irreparable harm to their current and future business prospects.
Another common goal of RCE is Data Theft. Most companies thriving in the modern, digital landscape view data as their most valued asset, including financial data, customer data (e.g., personal contact information), and much more. Motivated threat actors are aware of this fact, and as a result, RCE attacks often aim to retrieve or modify data housed in sensitive storage locations. Once a threat actor gains access to internal data, they can remove (steal) it, corrupt it, or threaten to delete it unless the victim provides financial compensation (i.e., ransomware).
How is Remote Code Execution Accomplished?
At a high level, to accomplish any RCE attack, a threat actor must first find weak points in their target’s system or network. After that, they can begin sharing malicious code by exploiting the vulnerability they found. Once they succeed in the first two steps, the threat actor can hijack their target system/network or compromise data for a variety of purposes.
One common system vulnerability is found in an application’s data deserialization process. By sending malicious objects through a poorly sanitized data parser, a threat actor can trick an application into executing code of their choosing. Several high-profile attacks in the last decade have utilized this method, and in one case, this resulted in theft of customer data on an unprecedented scale.
Another common vulnerability is found in a system’s external file upload process. In recent years, adoption of direct file upload workflows has grown in lockstep with businesses gaining increased access to affordable cloud storage solutions, and this development has encouraged threat actors to seek out file upload vulnerabilities much more actively. If file uploads aren’t scanned and validated thoroughly, threat actors can carry out RCE attacks by loading files with malicious code and delivering them through a vulnerable upload portal.
Protect your System with the Cloudmersive Advanced Virus Scan API
The Cloudmersive Advanced Virus Scan API provides 360-degree content protection for your system and/or network (depending on where you choose to deploy it). Its anti-virus and anti-malware policies reference a continuously updated list of more than 17 million virus and malware threats, and its non-malware threat detection capabilities can be customized to block common RCE file upload attack vectors, including executables, invalid files, scripts, password-protected files, insecure deserialization, and more.
For more information on the Cloudmersive Advanced Virus Scan API, please do not hesitate to contact a member of our sales team.
|Why are Macros a Security Threat?
|5/26/2023 - Brian O'Neill
What is a Macro?
Like most non-malware file upload threats, there’s nothing inherently malicious about a macro. At a high level, macros are just lines of Visual Basic (VBA) code embedded within a Microsoft document, and they’re generally intended to expedite some specific tasks performed within that document through process automation. For example, a macro might be created to automatically format text entered within specific cells in an Excel spreadsheet, or it might be used to create formulas that change based on certain evolving input criteria.
Why are Macros a Security Threat?
Despite their time-saving benefits, macros unfortunately represent a significant attack vector which threat actors exploit with relative ease. Since the introduction of macros in the early 90’s, threat actors have consistently (and quite often successfully) used them to inject malware onto client devices, often compromising systems completely while also gaining exponential access to new victims through those systems. Since macros can be primed to run based on simple document events (e.g., when a document is opened), all it takes is one errant double-click from a system user to trigger a full-blown malware crisis.
Contributing to the challenge of mitigating macro threats is the fact that Microsoft document formats are ubiquitous in professional systems. Files like .DOCX and .XLSX, for example, are used widely in professional environments all around the world, which means system users naturally expect to see them attached to emails and saved within important shared folders. By applying basic social engineering techniques, threat actors can share documents containing malicious macros (or encrypted .ZIP archives containing multiple infected documents) from compromised devices, assuring the recipient that enabling the macro provides access to necessary content. They can also share their infected document through an insecure file upload portal, waiting patiently for a downstream internal or external user to access that file and unleash its contents.
How are Macro Threats Mitigated?
Recent versions of Microsoft Office disable macros by default, so keeping systems up to date is an important first step. Additionally, regular user training is critical to prevent the spread of any type of malware through social engineering techniques; system users should always know how to identify suspicious emails and subsequently avoid clicking on their attachments.
A comprehensive anti-macro policy can also be configured within the Cloudmersive Advanced Virus Scan API request body. Setting the allowMacros Boolean to “False” will return a CleanResult: False response for any files containing macros, making it easy to delete or quarantine these files alongside other virus, malware, and non-malware content threats. This API references a continuously updated list of more than 17 million virus and malware signatures, including ransomware, spyware, trojans and more, and it delivers high-speed, sub-second typical response times.
For more information on Cloudmersive Virus Scanning APIs, please feel free to contact a member of our sales team.
|Why are ZIP File Uploads Dangerous?
|5/18/2023 - Brian O'Neill
Sharing groups of files in .ZIP archive format is common practice for users working within most professional networks. Compressing bulky files (including .PPTX, .XLSX, or .DOCX for example) drastically accelerates file upload processes and facilitates faster file sharing over communication platforms. The trouble with .ZIP files, however, is that they’re just as expedient for client-side threat actors as they are convenient for trustworthy users. As a result, it’s often best to avoid allowing .ZIP files move through our network entirely.
What makes .ZIP archives dangerous?
Files containing viruses, malware and other malicious content can be compressed together into .ZIP archives and jointly bypass weakly configured upload security policies. In some cases, polymorphic code can be used to further disguise these threats, ensuring any traceable signatures change frequently enough that basic anti-virus & anti-malware policies are thrown off their trail. Left undetected, these unsafe archives can remain dormant in file storage for extended periods of time before trusted users unwittingly open and activate their contents.
Further, even without using malicious code, threat actors can weaponize .ZIP files by filling them with immense quantities of data. Known as “ZIP Bombs,” these overloaded archives are intended to rapidly overwhelm and crash a system once opened, triggering Denial of Service (DoS) and sometimes opening the door to subsequent cyber-attacks.
How can the Cloudmersive Advanced Virus Scan API protect a system against unsafe archives?
Deployable in multiple critical locations around a network – including at the file storage layer, at the network edge, and in defense of any specific application with custom code integration – the Cloudmersive Advanced Virus Scan API can be used to scan inbound & outbound archives for millions of virus and malware signatures. In addition, a custom policy can be configured within the Advanced Virus Scan API request body to specifically detect and weed out unsafe archive contents. Once configured, all unsafe archives will receive a CleanResult: False Boolean within the API response body, making it easy to delete or quarantine these files before they can reach their intended destination.
For more information on Cloudmersive Virus Scanning APIs, please do not hesitate to reach out to a member of our sales team.
|How do I protect my system from password-protected file threats?
|5/10/2023 - Brian O'Neill
New file upload security policies are typically workshopped in response to threats which successfully breached (or came close to breaching) some reputable organization's systems. Once brought to fruition, these advancements allow our own systems to inch closer towards becoming havens for valuable and sensitive customer data.
The challenge is that determined threat actors work equally hard to overcome new attempts to ward them off, and they’re quite often successful. Right when we least expect it, clandestine file upload attacks are carried out through even more convoluted pathways than we first imagined possible, often catching us off guard completely.
Why are password-protected file threats so dangerous?
Password-protected files are a particularly subtle threat type, designed to slip malicious code past poorly configured input validation/content verification policies while relying on us – the internal (or external) user accessing that file – to eventually execute that code within the targeted system. One of the most challenging aspects of threats involving password-protected files is that they tend to leverage simple & effective social engineering concepts, goading us into unlocking a threat which we aren’t alert to.
A threat actor can, for example, infiltrate systems adjacent to ours – i.e., a trusted client or partner – and then email or upload password-protected files to our system from a seemingly legitimate source. If we normally trust content originating from that source, we’re quite unlikely to suspect a potential threat, and we might blindly follow instructions to unlock that file with a password supplied alongside it. Many commonly shared file types like Excel (XLSX) and PDF are capable of housing malicious code behind password protection, and that code is designed to execute immediately once the file’s password is supplied.
How can I stop password-protected file threats from harming my system?
First and foremost, if password-protected files are a recurring and immutable form of content our job necessarily deals with, our own vigilance is key. Malicious password-protected files are sometimes identifiable by their incongruous names and suspect purposes; if we see a file that doesn’t look right, there’s a good chance it isn’t. It’s important to exercise extreme caution if we’re suddenly equipped with the means to unlock content which we don’t fully understand the origin or purpose of. We should always feel entitled to question where a file came from, who the original creator is, what the intended use-case for that file is, and more.
If password-protected files are not a necessary part of our workflow, however – which is often the case in scenarios involving external client-side file uploads – blocking them altogether is a sensible step to take.
The Cloudmersive Advanced Virus Scan API can be used to block password-protected files from a file upload process entirely. By setting the allowPasswordProtectedFiles Boolean to “false” in our request (configurable via our Cloudmersive Account page), we can ensure that all files with password protection will categorically receive a CleanResult: False response from the API, allowing us to easily delete (recommended) or quarantine these files and protect our underlying system from potential harm.
For more information on how the Cloudmersive Advanced Virus Scan API can protect any system from non-malware content threats, please feel free to reach out to a member of our sales team.
|How do I protect my application against file upload threats?
|5/5/2023 - Brian O'Neill
What are file upload threats?
File upload threats refer to deliberate attempts, orchestrated by malicious client-side actors (i.e., hackers), to exploit our systems from the inside out by weaponizing common files in various ways. The incentive to execute such attacks is largely driven by an increase in the adoption of file upload processes by professional websites around the world.
File upload threats can be used to target a wide range of vulnerabilities in a file upload process. JSON or XML files can, for example, contain malicious code designed to be executed by poorly configured data parsers, allowing attackers to subsequently retrieve or delete sensitive data from within a system. PDF files can house dormant viruses and malware which infect client-side user devices once downloaded, leaving the website they originated from directly accountable and seriously damaging their reputation. Zip files can be rigged with exceptionally high volumes of data in order to crash (or severely limit) our system once they're opened, resulting in a sudden Denial of Service (DoS). The list goes on.
How do I protect my application against file upload threats?
There isn’t any one-track answer to this question, unfortunately. There are, however, a variety of sensible security policies which, applied together, can collectively create a formidable content security phalanx for any application. Below, we’ll look at a few of the most critical, rudimentary policies which can help secure any file upload process.
First and foremost, it’s critical to validate file extensions immediately after file names are decoded, which is a process made simpler by restricting accepted file extensions in the first place. While myriad file types are used around the world, most businesses only need to accept a few common file types to fulfill the needs of the service they’re providing. A recruitment website, for example, can comfortably limit CV (resume) uploads to .DOCX or .PDF file extensions without inconveniencing their user base, and a social media site can narrow its image uploads to .JPG or .PNG with similar effect.
It's equally important to validate file contents, too. Files with valid, expected extensions can quietly contain a very wide range of malicious content, including anything from viruses and malware to illicit (i.e., pornographic) material. As outlined above, poorly validated files can also contain massive quantities of inert data intended to bypass limited security checks and crash a system. Without digging into the contents of every new file upload, an application is at severe risk of releasing a virus internally (or infecting an external user device), distributing unsolicited illicit content, or triggering widespread service outages which might violate its SLA (Service Level Agreement).
How can the Cloudmersive Advanced Virus Scanning API Protect my system against file upload threats?
By combining multiple critical file upload security policies in a single API call with high-speed, in-memory scanning and sub-second response times, the Advanced Virus Scanning API protects applications against file uploads with unparalleled efficiency. This API is designed to provide 360-degree content protection against a wide range of file upload threats at once - including viruses and malware, executables, invalid files, HTML and scripts, password protected files, macros, XML external entities, JSON insecure deserialization, and OLE (Object linking and embedding). In the core virus scanning process, a perpetually cloud-updated list of more than 17 million virus and malware signatures is referenced to rapidly identify any potential viruses, malware, trojans, ransomware, or spyware embedded within a file’s encoding.
Apart from virus and malware checks, each built-in threat restriction stated above can be lifted by configuring the API’s request parameters with custom Boolean values (for example, to allow executables, the allowExecutables parameter can be set to “True”). Additionally, restrictions on unwanted file types can be placed upon any file upload process by providing a list of acceptable file types in comma-separated format. Once a list is designated in the API request, all file extensions AND contents will be verified against this list; any files which violate the file restriction policy will categorically receive a CleanResult: False response from the API.
For more information about Cloudmersive Virus Scan APIs (low-code and no-code products), please do not hesitate to reach out to a member of our sales team.
|How to Scan SharePoint List Item Attachments using the Cloudmersive Virus Scanning Connector in Power Automate
|4/13/2023 - Brian O'Neill
Seemingly harmless, run-of-the-mill document uploads in SharePoint can hide dangerous viruses and malware threats under the guise of valid file extensions. The longer these infected files remain undetected, the more likely it is that a member of our organization unwittingly opens one and releases its malicious content into our system.
Thankfully, through Power Automate, we can create RPA file security flows which automatically run when new files are uploaded to specific SharePoint locations. Below, I’ll demonstrate how we can use the Cloudmersive Virus Scanning Connector to ensure new SharePoint List Item Attachments are clean the moment they’re uploaded to a specific list.
The goal of this demonstration is to show how the Cloudmersive Virus Scanning Connector can be used in a Power Automate flow to automatically scan SharePoint list item attachments the moment they’re uploaded.
1 - To accomplish this, we’re going to start on the Power Automate home page and select the Create option on the lefthand side of the page. Doing so will provide us with the following flow options:
For this flow, we’re going to select the Automated Cloud Flow option on the far lefthand side.
2 - Once we select this option, we’ll jump into the Build an Automated Cloud Flow tab which allows us to give our flow a name and choose the way our flow will be triggered. At this stage, we can give our flow a relevant name of our choosing, and then we can select the When an Item is Created SharePoint trigger (which should appear high on the list of initial trigger options).
At this point, we can click Create at the bottom of the window. Doing so will bring us to the Flow Diagram Page where we can begin assembling our flow logic.
3 - On the Flow Diagram Page, we’ll find our When an Item is Created trigger already opened. We can begin the flow design process by configuring our SharePoint Site Address within the request body and selecting the List Name we want to attach this flow to (for this demonstration, I’ve created a Site Address called “List Site” with a List called “List”).
Once we’ve configured these details, we can click New Step.
4 - In the second step of our flow, we’re going to implement a second SharePoint action which will automatically retrieve the attachments from our new SharePoint list items. To find this action, we can type “Get attachments” into the Choose an Operation search bar and select that option when it comes up below.
Once we select this option, we’ll have a few important fields to configure.
5 - Just like we did in our trigger step, we’ll need to configure our SharePoint Site Address and List Name once again. After we do that, we’ll need to supply the Id of the List Item which we’re pulling the attachments from. We can accomplish this easily by simply clicking on the Id field and selecting the “Id” option from the Dynamic Content window.
Since we chose to use an automated flow, the List Item Id will always represent the most recently uploaded file to our SharePoint list.
This step is finished, so we can go ahead and click New Step once again.
6 - Now that our new list items’ attachment IDs are available as Dynamic Content within our flow, we can set up a subsequent step which retrieves the actual contents (file encodings) of those attachments.
To do so, we’ll use the SharePoint Get Attachment Content action. To find this action, we can type “get attachment content” into the Choose an Operation search bar and select the correct option when it comes up below.
7 - Once we select this action, we’ll need to again choose our Site Address and List Name from their respective dropdowns. After that, we can again select the ID of our List Item using Dynamic Content from our trigger step.
Once we’ve configured the first three fields of our Get Attachment Content action, we can turn our attention to the final field which asks for the File Identifier. We can retrieve this ID by clicking on the File Identifier field and selecting Dynamic Content labeled “Id” from the Get Attachment step.
The moment we select this option, Power Automate will automatically create a Control around our SharePoint action called Apply to Each. This action will ensure our attachment content retrieval operation is executed for each item in an array of uploads.
8 - With our file attachment content now available in our flow, we can introduce the Cloudmersive Virus Scanning Connector and task it with scanning each new attachment’s contents.
Within the Apply to Each operation, let’s select the option to Add an Action, which will once again open the Choose an Operation search bar. From here, we can type “Cloudmersive” and allow the full list of Cloudmersive Connectors to populate below. From that list, we can select the Cloudmersive Virus Scanning Connector (written as Cloudmersive Virus Scan) with the dark, blue-green logo.
Upon selecting this Connector, we’ll be prompted to name our connection and provide an API key for authorization. We can retrieve our API key by visiting our Cloudmersive Account Page, clicking on View and Manage API Keys, and finally clicking Copy next to our API key to add it to our clipboard.
Once we’ve successfully established our Cloudmersive connection, we can now view both Cloudmersive Virus Scanning Connector actions on the actions list. From this list, we can click on the Scan a File for Viruses option.
9 - Within the Scan a File for Viruses action, we only have one request field to satisfy, and this simply asks us for our Input File. To satisfy this request field, let’s click on the Input File bar and select the Attachment Content option – which is available from our Get Attachment Content action – from the Dynamic Content window.
10 - At this point, we can save our flow and test it. Power Automate will prompt us to test our flow manually by creating a new SharePoint list item and adding a file attachment to it.
Once we do so, we should shortly see green checkmarks appear on each operation in our flow to indicate that they ran smoothly.
If we take a closer look at the Scan a File for Viruses output body, we can see that this action provides a simple Boolean response called CleanResult.
This response makes it easy to take subsequent steps in our flow depending on the results of the virus scan. For example, if our new file receives a CleanResult: True response, we can prompt our flow to automatically save the attachment in a specific folder of our choosing. If our file receives a CleanResult: False response, we can take steps to automatically delete or quarantine the infected file through various means, and we can set up alert mechanisms (such as through Outlook, Slack, Teams, etc.) to notify relevant stakeholders within our organization about the flow’s concerning results.
11 - To automatically delete SharePoint List Items whose attachments received a CleanResult: False response, let’s click Add an Action once again within our Apply to Each control and type “Condition” into the Choose an Operation search bar. Let’s then select the Condition action once it comes up below.
Once we’ve opened the Condition control body, we can use the Choose a Value request field to trigger subsequent flow actions based on previous flow results.
In this case, we want to use Dynamic Content from the Scan a File for Viruses action. To do so, let’s first click on the first (lefthand) Choose a Value field and select CleanResult, and then let’s type “false” into the second (righthand) Choose a Value field.
Our Condition is now configured such that the If Yes response will trigger based on a CleanResult: False result, and the If No response will trigger if any other value is provided (in this case, that means CleanResult: True).
Within the If Yes body, let’s click Add an Action and type “delete item” into the Choose an Operation search bar. Let’s then select the SharePoint Delete Item action when it comes up below.
Within this action body, we can quickly provide our Site Address and List Name once again. After that, we can select ID from the Dynamic Content window to specify that the original flow item should be deleted upon receiving a CleanResult: False response.
In this example, we’ll leave the If No body blank so that our flow takes no action when it receives a CleanResult: True response.
Our flow should look like this when we’ve finished testing:
If you have any additional questions about using Cloudmersive Virus Scanning Connectors to scan your SharePoint file uploads, please do not hesitate to contact a member of our sales team (you may also contact a member of our support team through your account page).
|What is Natural Language Processing (NLP)?
|3/31/2023 - Brian O'Neill
What is Natural Language Processing?
Natural Language Processing (NLP) is a field of artificial intelligence which aims to improve the relationship between human language and computer language. Its origins date back to the period directly following the end of the Second World War, during which time the prospect of accomplishing some means of mechanical language translation was placed at a premium.
The field of NLP persisted into its expansive modern form due to the emergence of computers as everyday tools and the studiously recorded dissonance between human and computer language which came along with that. The challenge is that we humans chiefly learn to interpret our native languages/dialects (English, Spanish, French, Mandarin, etc.) in an unstructured way through years of socialization. We may initially learn the rules of our language through academia, but as we grow, we rely predominantly on our surrounding cultures to assign meanings to specific words and phrases, which then slowly change shape over time. Since computers conversely rely on rigidly structured, quantifiable data to communicate with one another, they cannot natively interpret asynchronous, evolving human languages on their own, and must be rigorously trained to do so as a result.
Why is NLP Important, and How is it achieved?
Natural Language Processing combines a variety of scientific fields – including computer science, linguistics, mathematics, and psychology – with the goal of structuring linguistic data in such a way that computers can successfully and efficiently predict the meaning of human sentences (in any given language; NLP is highly language-specific). Successfully predicting the meaning of written language allows computers to both draw insights from and reproduce human language on their own, increasing the range of useful services computer applications can provide to human users. Given that, in the modern digital era, an increasingly high volume of human interactions occurs online in an automated fashion, NLP capabilities have quickly transformed into a necessity rather than a luxury.
The high-level NLP training process starts with tokenizing vast quantities of reference text into individual words and tagging each token with the part-of-speech category it belongs to (i.e., verb, noun, adjective, etc.). Once language has been tokenized and tagged, parsing algorithms can be applied to establish relationships between different tokens, enabling computers to discern how words tend to occur (in what order) in any given language’s phrases or clauses. These basic building blocks make it possible for applications to perform several rudimentary NLP services – many of which we have benefited from for a long time (like spellcheck, for example).
From these building blocks, various complex subfields of NLP branch out to train computers with specific contextual understandings which are pivotal to a well-rounded understanding of any human language. Some subfields include Sentiment Analysis (identifying the meaning of text as positive, negative, or neutral), Subjectivity/Objectivity Analysis (identifying the bias inherent in a text string), Semantic Similarity Comparison (identifying the degree to which two sentences with different words mean the same thing semantically), and more. Techniques such as these effectively empower our applications to draw meaningful insights from text on their own, rather than simply predict and reproduce words in the correct grammatical order.
Cloudmersive NLP APIs
Creating any NLP service from scratch is a significant challenge given the vast quantities of data involved (bringing overhead storage cost into play) and the hands-on training required to bestow meaning upon that data. As a result, it is highly efficient and advantageous to incorporate NLP services into any application through external, RESTful API calls. This method loosely couples a business’ text data with a powerful, pre-existing reference dataset & codebase without the need to update or maintain those systems whatsoever.
Cloudmersive NLP APIs are low-code solutions designed to easily integrate and scale with your business’ needs. There are dozens of useful NLP services available through the Cloudmersive NLP API endpoint, including NLP Analytics, Language Translation, Spellcheck, and more.
For more information on our NLP APIs, please do not hesitate to contact a member of our sales or support teams.
|What is a File Upload Security Threat?
|3/28/2023 - Brian O'Neill
Should I be Worried About File Upload Threats?
Cyber criminals are always on the lookout for new vulnerabilities in our applications. If they can effectively identify and exploit a hidden weakness in our system, they can damage or steal information from our servers – often before we have a chance to stall or counter their efforts. Since a variety of successful, high-profile web breaches have stolen headlines in the last decade (including several in which poorly documented vulnerabilities were exploited in data parsers, user input sanitization workflows, and more), it’s easy to forget about the more obvious paths we leave open into our system which are often less protected and easier to take advantage of.
As more and more businesses move towards implementing user file upload workflows – accepting images, videos, and documents with myriad purposes and origins – the potential to exploit systems through the file upload process has grown all the more attractive to attackers. As a result, it's important that we stay vigilant and apply appropriate security policies to protect our storage infrastructure.
What do File Upload Threats Entail, and How Can We Protect our System Against Them?
Without adequate protection, file upload workflows can be exploited more insidiously than we might first imagine. For example, files in ubiquitous formats (like PDF) can quietly carry malware or executable content into our cloud storage instances, tricking poorly configured security policies by presenting valid file extensions. Compressed zip files containing gigantic payloads of data can slip into our system and remain undetected for days, weeks or even months before they’re opened by an unsuspecting user, suddenly crashing our system from the inside. The list of hidden threats goes on and on.
Protecting a system against file upload threats requires a dynamic, multi-pronged solution, and that can only begin with a comprehensive evaluation of the present state of file upload security. Is our virus scanning software up to date? Are we assuming files contain content directly aligned with their file extensions, or are we digging through each file’s contents thoroughly? Do we pay close enough attention to the complexity of file names and file paths in our storage architecture, or are we unwittingly leaving a trail of breadcrumbs which attackers can easily follow to our sensitive data? Do we have clear-cut quarantine protocols in place when malicious files are detected, or are we really unprepared to handle threats when we find them?
How can Cloudmersive Virus Scanning APIs Improve My Threat Profile?
Implementing a powerful file scanning security solution is a critical piece of the puzzle – and that’s where Cloudmersive Virus Scanning APIs can make a big difference.
Our Virus Scanning APIs reference a continuously updated list of more than 17 million virus and malware signatures in an effort uncover malicious content in each file entering your system, digging deep into each file’s encoding to ensure disguised threats won’t slip through the cracks. Advanced scanning features can be configured to block a variety of threatening file types, including executables, invalid files, scripts, password protected files, macros, and more; in addition, custom restrictions can be applied to allow/disallow specific file extensions.
These APIs can be deployed flexibly as low-code or no-code solutions, and they can occupy several strategic footholds in your upload architecture, kicking into gear at the network edge or between cloud storage instances.
For more information on how our Virus Scanning APIs can impact your business, please feel free to contact a member of our sales team.
|What is a Content Delivery Network (CDN)?
|3/17/2023 - Brian O'Neill
What is a Content Delivery Network?
A Content Delivery Network (CDN) refers to a group of servers strategically distributed across widespread geographical regions with the goal of reducing content loading speeds (latency) for client devices in those regions.
It’s important to note that servers in a CDN don’t host content directly, however; rather, they simply cache content from an origin server at the network edge. In this way, they reduce the physical distance content must travel to reach a particular group of client applications/users.
What are the main benefits of CDNs?
By reducing the distance content must travel to reach a client application, CDNs greatly improve web content loading times in their locale, thereby improving the user experience.
If, for example, a popular video streaming service based in North America is preparing to launch an episode of a TV show for a global audience, it can leverage its CDN to cache the episode data in Europe-based servers so it can be accessed easily by European consumers upon release. Without a CDN in place, viewers based in Europe would be forced to wait much longer than North American viewers to buffer and watch the new episode. Each individual request to load that content would need to travel across the Atlantic Ocean and back.
While CDNs are primarily deployed to benefit content consumers, they also benefit the content provider in a few noteworthy ways. For example, caching content at the network edge reduces the volume of traffic making requests to a company’s origin servers, improving local performance and, by extension, cheapening web-hosting costs. A widely distributed content delivery architecture also passively decreases the likelihood of hardware failures and provides extra redundancy when failures do occur.
What other utility do CDNs offer?
Websites which rely on user-generated content (UGC) uploads can also leverage their CDN in reverse, increasing the speed at which their global diaspora of users can upload content from their device. This not only improves the user experience, but it also presents a new chokepoint for security redundancy. Similarly to reverse proxies, CDN servers can be configured with Virus Scanning software to weed out threats while new content uploads are conveniently cached at the network edge.
Can I Secure My Website's CDN Uploads with Cloudmersive Virus Scanning APIs?
Cloudmersive Virus Scanning APIs can be deployed within a CDN to quickly identify any viruses and malware present within your cached content. Advanced custom rules can be configured to block additional content threats including invalid files, executables, scripts, password protected files, macros, and many more.
For more information on how you can leverage our Virus Scanning APIs to protect your network, please feel free to contact a member of our sales team.
|What is an API?
|2/14/2023 - Brian O'Neill
What does the acronym “API” stand for?
The term API Stands for “Application Programming Interface.” Despite its association with modern web architecture, the term originated in the 1970’s.
What are the different categories of APIs, and how are they different from one another?
There are two basic, high-level categories of APIs: OS (operating system) APIs and Web APIs. The key difference between these categories is that OS APIs make it possible for developers to access resources within a specific operating system (such as Mac, Windows, Linux, etc.), while Web APIs make it possible to access resources from web servers.
Some common examples of OS APIs include System Call APIs, GUI (Graphical User Interface) APIs, and Network APIs, all of which define access to their namesake resources within a given OS architecture. Web APIs, on the other hand, are defined quite differently; they most often either adhere to REST (Representational State Transfer) architecture or follow SOAP (Simple Object Access Protocol) protocol. Please note that there are several other types of OS and Web APIs beyond those listed above; these examples are simply among the most common.
How do Web APIs work, and how do they benefit us day to day?
Simply put, Web APIs make it possible for two separate web resources to communicate with ease. Many of the web applications and tools we use day-to-day benefit enormously from sharing data with each other, and for that relationship to be possible, these applications need to access each other’s code efficiently. A Web API serves to establish the way in which its underlying web resource can be accessed, allowing an external web developer to send, modify, and receive important data by structuring their request to that resource in a specific way.
To provide a basic example, if a social media application wants to display daily weather reports for its site visitors, it can do so efficiently by accessing an external Web API created by an independent weather reporting application. The weather application’s Web API will likely follow a common architectural guideline (like REST), making it easy for the external web developer to understand and create a connection with the underlying weather reporting resource. The Web APIs various rules and protocols will also serve to ensure that the social media application receives a secure and timely response after information is requested.
Without a Web API to facilitate this connection, the web developer working on the social media application would be forced to either develop their own weather reporting functionality – a very significant undertaking in time and resources – or abandon the inclusion of this feature all together, leaving their users with a less enticing product. In this way, APIs benefit everyone involved. The social media application can use the weather API to efficiently expand its features, the weather application can monetize its API service (compensating for what it might consider a marginal drop-off in website traffic), and the client-side user can gain access to more information in one place, increasing the likelihood they’ll enjoy and recommend this app to their friends.
What are Cloudmersive APIs?
The Cloudmersive API platform allows individual web developers and enterprises to add dozens of unique and powerful services to their applications quickly and at low cost. These APIs enable developers to add scalable data and file format conversions, advanced security policies, media processing services, optical character recognition (OCR) capabilities to their applications through a single, all-encompassing account. With a suite of scalable APIs in their arsenal, a developer can more easily create a multidimensional application and bring it to market quickly or flesh out an existing application with useful new features.
For more information on Cloudmersive API products, please feel free to contact a member of our sales team.
|How to Protect File Uploads against Viruses and Malware
|2/6/2023 - Brian O'Neill
Why is file security so important, and what is the risk in failing to secure file uploads?
There’s a lot at stake when external files are uploaded to our websites. Poorly vetted files containing viruses and malware can lay dormant in storage for indefinite periods of time before executing attacks from within, compromising our systems and stealing or corrupting invaluable data.
Once our systems are exploited, the resulting damage can range from catastrophic to completely irreparable, resulting in a major blow to our bottom line and to our credibility as a secure and reliable business. Even worse, our website patrons can be directly affected by our security failure when they unwittingly download infected files made available through our servers. All told, it’s essential that we take numerous steps to protect our systems from hidden file threats.
What are the steps an online business should take to protect their systems against malicious file uploads?
There are a variety of ways we can actively protect our systems against malicious file uploads. To begin with the most obvious solution, deploying a virus scanning service is essential. From a high-level security architecture point of view, there are many ways to do this; for example, such services are often incorporated into a reverse proxy or ICAP server to take advantage of the strategic bottleneck (receiving each incoming server-bound HTTP message) each option occupies.
New files originating from a client-side visitor should be thoroughly vetted through our Virus Scanning service for viruses and malware, and certain file types (such as executables and password-protected files) should trigger alarm bells even when they don’t overtly contain virus or malware signatures.
Further, after files are thoroughly vetted through these initial policies, they should be scanned regularly in storage (especially cloud storage). Taking this extra step adds an important layer of redundancy to our security architecture, smoking out malicious files which may have snuck into storage from a typically trustworthy source.
In addition to the above, checking the IP addresses of certain client-side users attempting file uploads can sometimes help identify whether a malicious file upload is imminent. Files originating from known cybercriminal IP address should never be trusted, and files originating from generally suspicious IP addresses (such as bot clients or Tor servers) should receive an additional layer of scrutiny. This layer of security can also help protect against various network security threats.
Finally, once our file security solutions are in place, they need to be regularly updated and reviewed. There’s no such thing as a static security solution; cybercriminals are constantly at work developing new ways to advance and disguise their threats, so our security policies need to mirror those efforts as threats take on new forms.
How does the Cloudmersive Virus Scanning API protect files uploads?
The Cloudmersive Virus Scanning API offers 360-degree content protection, referencing a continuously updated list of more than 17 million virus and malware signatures to find threats hidden within file uploads. Advanced Virus Scanning API features can be customized to allow or block various inherently dangerous file types such as executables, invalid files, scripts, password protected files and much more. This API boasts high-speed, in-memory scanning and delivers a sub-second average response time.
The Virus Scanning API can be custom integrated within your systems, and it can also be leveraged as the underlying service in a Virus Scanning Reverse Proxy server or Virus Scanning ICAP server. Further, in product form (Cloudmersive Storage Protect), this API can be deployed in conjunction with Azure Blob, AWS S3, SharePoint Online and GCP to scan files in cloud storage.
For more information on the Cloudmersive Virus Scanning API and its various applications, please contact our sales team.
|What is a Virus Scanning ICAP Server?
|1/19/2023 - Brian O'Neill
What is ICAP?
ICAP (Internet Content Adaptation Protocol) is a lightweight, transparent internet protocol capable of modifying HTTP messages. ICAP was initially proposed at the turn of the millennium as the need for scalable internet services became increasingly apparent. Global internet traffic was growing exponentially, and ICAP presented an efficient way of reducing the burden on monolithic servers to process high volumes of HTTP messages on their own.
How are ICAP Servers used?
ICAP servers are typically used to extend the services of proxy servers. They do so by performing specific content adaptation services on HTTP messages as they flow through a network. In this case, “content adaptation services” refers to many important, value-add operations such as virus scanning, language translation, ad insertion, content filtering, and more.
In effect, ICAP servers lighten the load experienced by proxy servers on a high-traffic network. A company can deploy an ICAP server to access its proxy server caches and perform its adjacent value-add services seamlessly.
What is a Virus Scanning ICAP Server, and What are its Advantages?
A virus scanning ICAP server is one which is deployed specifically to scan HTTP message contents for viruses (and other forms of malicious content) as those messages flow through a network.
Leveraging ICAP for virus scanning purposes is highly advantageous for several reasons, and it’s an extremely common practice as a result. These servers fit naturally into network chokepoints, which are ideal positions for any security policy. At the same time, they also increase the efficiency of high-traffic networks by reducing the need for proxy servers (which typically perform several different tasks at once) to scan each HTTP message for viruses by themselves. Their relative ease of deployment and maintenance makes them a particularly cost-effective security policy as well.
What is the Cloudmersive Virus Scanning ICAP Server?
The Cloudmersive Virus Scanning ICAP Server performs its value-add service by calling the Cloudmersive Virus Scanning API as HTTP messages pass through your network. The Virus Scanning API offers distinct security advantages, including continuously updated signatures for millions of threats and advanced, high-performance scanning capabilities. In addition, the Virus Scanning API provides customizable content security policies, allowing you to block or allow content including executables, invalid files, scripts, password-protected files, and more.
For more information on the Cloudmersive Virus Scanning ICAP server, please contact our sales team.
|What is a Reverse Proxy Server
|1/6/2023 - Brian O'Neill
What is a Proxy Server?
Before we dive into a closer look at reverse proxy servers, we should first understand proxy servers from a birds-eye view. In short, the purpose of any proxy server is to act as an intermediary between client-side users browsing the internet and the various external web servers they request information from. It’s in the name: the word “proxy” refers to any entity which has been given the power to act on another entity’s behalf. There are two major categories of proxy servers: forward and reverse.
What is the Difference between Forward and Reverse Proxy Servers?
Both forward and reverse proxy servers are extremely useful, and they perform very different functions in practice. While forward proxies work on behalf of client-side users, acting as a buffer between them and the various web resources they request information from, reverse proxies behave in the exact opposite way, acting as a buffer between a particular web server (or group of web servers) and the inbound client-side requests they receive. In practice, forward proxies typically protect client-side user identities while they browse the internet from a particular network, and they can also provide a means for restricting access to specified web servers.
What is a Reverse Proxy Server, and How does it Benefit a Backend Server (or Group of Backend Servers?)
At a basic level, a reverse proxy server funnels client-side requests towards the backend web servers they seek resources from. Once those requests are satisfied, the reverse proxy server receives responses back from the web server and subsequently returns those responses to the client-side user.
The excellent strategic positioning occupied by a reverse proxy server allows it to benefit backend web servers in a variety of useful ways. For example, reverse proxy servers are generally used to load balance inbound requests across their group of assigned web servers, ensuring no one server is ever overloaded. This is accomplished using one of several load balancing algorithms, such as a Round Robin algorithm, which balances requests to a group of servers in a specific order (one request per server). In addition, reverse proxy servers are often asked to carry out important functions such as terminating SSL connections, decrypting incoming requests, and temporarily caching frequently requested content for convenience. Functions such as these effectively help lighten the burden for backend web servers when they experience high volumes of requests.
Perhaps most beneficially of all, reverse proxy servers can be leveraged to deploy basic and advanced security policies which greatly help to protect the backend web servers they support. On the simplest end of that spectrum, they can be configured to process authentication details for various types of information – such as personal account details – only redirecting client requests to the backend server(s) when valid authentication details are supplied. On the more complex end, they can be configured to scan incoming client-side data for viruses and screen out various forms of otherwise untrustworthy content (such as macros and executables), acting as a first line of defense against a wide variety of potentially dangerous external requests.
Cloudmersive Virus Scanning Reverse Proxy Server
The Cloudmersive Virus Scanning Reverse Proxy Server represents a multidimensional reverse proxy security solution, calling the Cloudmersive Virus Scanning API into action when inbound requests are funneled through the reverse proxy stage. This API placement protects backend web servers from malicious traffic - such as virus and malware uploads - before that traffic has a chance to reach its intended destination.
The Cloudmersive Virus Scanning API has access to a growing list of more than 17 million virus and malware signatures, and various custom settings can be configured to either block or allow myriad dangerous forms of content, such as scripts, executables, invalid files, and more. For more information, please feel free to check out our product page, or make an inquiry to one of our sales representatives.
|What is a Forward Proxy?
|12/27/2022 - Cloudmersive Technical Writing Team
A forward proxy is a type of proxy server that acts as an intermediary between a client and a server. It is called a "forward" proxy because it forwards client requests to the appropriate server on behalf of the client.
Forward proxies are often used in corporate networks to enforce Internet usage policies, block unwanted websites, and provide additional security. They can also be used to improve Internet performance by caching frequently requested content, such as popular videos or images.
Forward proxies can be configured in a number of ways. They can be configured to allow all client requests to pass through, or they can be configured to block certain types of requests based on criteria such as the destination website or the client's IP address. They can also be configured to encrypt client requests for added security.