<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Anti Spyware best practice in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/anti-spyware-best-practice/m-p/469678#M102957</link>
    <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I wonder what's best practice in order to identify threats via the Anti Spyware function. Most of the connections today are encrypted, so using the Anti Spyware function without ssl/tls decryption seems not to be a big security improvement.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So the following questions come to me:&lt;/P&gt;&lt;P&gt;- is activation of ssl/tls encryption the only way?&lt;/P&gt;&lt;P&gt;- how will TLS 1.3 with cert pinning behave?&lt;/P&gt;&lt;P&gt;- is there a way to mirror encrypted (web) traffic in order to decrypt it and test this function?&lt;/P&gt;</description>
    <pubDate>Wed, 02 Mar 2022 07:35:00 GMT</pubDate>
    <dc:creator>Netzer</dc:creator>
    <dc:date>2022-03-02T07:35:00Z</dc:date>
    <item>
      <title>Anti Spyware best practice</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/anti-spyware-best-practice/m-p/469678#M102957</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I wonder what's best practice in order to identify threats via the Anti Spyware function. Most of the connections today are encrypted, so using the Anti Spyware function without ssl/tls decryption seems not to be a big security improvement.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So the following questions come to me:&lt;/P&gt;&lt;P&gt;- is activation of ssl/tls encryption the only way?&lt;/P&gt;&lt;P&gt;- how will TLS 1.3 with cert pinning behave?&lt;/P&gt;&lt;P&gt;- is there a way to mirror encrypted (web) traffic in order to decrypt it and test this function?&lt;/P&gt;</description>
      <pubDate>Wed, 02 Mar 2022 07:35:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/anti-spyware-best-practice/m-p/469678#M102957</guid>
      <dc:creator>Netzer</dc:creator>
      <dc:date>2022-03-02T07:35:00Z</dc:date>
    </item>
    <item>
      <title>Re: Anti Spyware best practice</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/anti-spyware-best-practice/m-p/469919#M102971</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130557"&gt;@Netzer&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Best practice would still be to apply the profile to capture as much as you possibly can, even if you aren't decrypting traffic. You'll capture the unencrypted traffic still, and not all payload is delivered over encrypted connections (although the vast majority of it is, which is why you really should be decrypting traffic).&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Websites and services that utilize certificate pinning will require decryption exceptions. The good thing about this is that you're going to be building the exceptions, so if someone is trying to hide behind certificate pinning a good decryption profile will prevent users from navigating to the site unless an exception has been made.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As to your mirroring question, you can of course mirror the traffic and offload it, however you aren't going to be able to decrypt that traffic after the fact. The best way to test something like this would be to put together a profile that simply has everything set to 'alert' so identified traffic isn't actioned.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Mar 2022 21:43:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/anti-spyware-best-practice/m-p/469919#M102971</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2022-03-02T21:43:10Z</dc:date>
    </item>
  </channel>
</rss>

