VeriSign to offer script injection scanning as part of SSL packageby Steve Ragan - Jul 19 2010, 23:27
VeriSign is set to introduce a new service on Wednesday using its SSL services. Called Malware Scan, the new service was launched in stages last week. It represents one of many planned security enhancements since Symantec acquired the SSL giant earlier this summer.
Malware Scan, as mentioned, is a free service included with VeriSign's Trust Seal package. To take part, all a customer has to do is use VeriSign's SSL offerings and opt-in to the service from the Trust Center portal. Once activated, the domain is placed in a queue and will be visited by VeriSign’s spiders within 24 hours.
If, after scanning, the site is deemed clean, it will remain in a passing state until being scanned again 24 hours later. However, while the initial scan depth is about 200 pages, all bets are off if there is malicious content discovered. If that happens, the entire site is crawled, along with other visible actions that would stand out to a VeriSign customer.
If malicious code is discovered, in addition to scanning the entire site, VeriSign will disable the Trust Seal, preventing it from being displayed on the customer’s page. Tim Callan, vice president of product marketing at VeriSign, told The Tech Herald on Thursday that this action is just one of the steps taken if rogue code is located during a scan.
Those who use LinkScanner from AVG have likely seen the VeriSign seal next to domains as they appear in various searches. Those sites represent customers who are part of the Seal-in-Search program from VeriSign. If malicious code is discovered on the customer’s site, the Seal-in-Search logo disappears along with the Trust Seal, and remains gone for as long as the site’s code is compromised.
While all this takes place, the customer will get notifications from VeriSign via email and in their Trust Center management area. The warnings in the Trust Center will show that the Trust Seal and Seal-in-Search logos have been revoked and provide the customer with a clear reason as to why.
The explanation goes so far as to tell them the exact page the rogue code was discovered on, as well as what line the offending scripts appear on. Once the site has been cleaned, the customer can request a rescan via their management console.
When The Tech Herald talked to Callan about the new technology behind the Malware Scan, we asked about false positives, as well as what the company has done to prevent a criminal from gaming the system.
The false positives problem was solved by months of testing, including demos from many vendors before the final OEM partner, Armorize, was selected. Armorize recently released HackAlert 3.0 in June, and offers a Cloud-based API to VARs such as VeriSign.
Given that HackAlert 3.0 scans websites looking for Malware and other threats via behavioral, signature-based, and blacklisted detection and analysis, this is very likely what VeriSign is using. If so, not only will the site’s code be scanned against known threats, but malicious advertisements will also be detected, as well as malicious code that attempts evasion.
When it comes to criminals who have compromised a site and plan to game the Malware Scan, aside from the fact that the sites are scanned daily but never at the same time each day, there is little that can be done. The service VeriSign offers is a single added layer of protection for its clients and not an end-all solution. It scans and alerts customers to problems, but VeriSign’s offering can do little against a fully compromised website.
Still, for a 'free-as-in-beer' offering, this is a neat perk for SSL customers.
More information is available here.