During the analysis of the report of the Immediate Threats test “GLOBEIMPOSTER RANSOMWARE WITH MEDUSALOCKER SPREADING VIA RDP” we verified that the access to a malicious URL has been correctly blocked. The related event registered by the SIEM reports:
- The action is blocked because “Not allowed to use this browser”
- The useragent reported in the event is “useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36”
Our doubt is related to the fact that none of the reported browser versions is currently installed on the host where the agent is running. We would like to ask if the agent uses an internal browser that is different from the default one used on the host.
Thank you in advance!
Best answer by Shiraz
We don’t use a browser in the Web Gateway assessment; “useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36” is only for simulating browser activity.
Regarding your assessment, please contact our support team, because we need an assessment ID in order to analyze it.
Thank you for your reply! We will contact your support if we have further questions about the specific assessment; this question was meant to be more general about the Web Gateway assessment.
Thank you again!
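The check discussed in this thread can be automated. The following is an added example, not part of the original posts and not the vendor's code: because the User-Agent header is set by the client, it compares the browser an event claims against the host's installed-browser inventory, so that simulated traffic like the one the answer describes stands out. The event layout, the field names other than `useragent`, and the inventory are constructed assumptions.

```python
import re

# Constructed sample event: only the useragent value and the block reason come
# from the thread; the "action" and "reason" field names are assumptions.
EVENT = ('action=blocked reason="Not allowed to use this browser" '
         'useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
         'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36')

# Constructed inventory of browsers installed on the host (UA token -> version).
INSTALLED = {"Edg": "120.0.2210.91", "Firefox": "121.0"}

# A value runs until the next " key=" or end of line, so unquoted spaces survive.
FIELD = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')
# Most specific token first: Edge and Opera UAs also contain "Chrome/".
PRODUCTS = ("Edg", "OPR", "Firefox", "Chrome")

def parse_event(line):
    """Split a key=value event whose values may contain unquoted spaces."""
    return {k: v.strip().strip('"') for k, v in FIELD.findall(line)}

def claimed_browser(ua):
    """Return the (product, version) a User-Agent string claims, or None."""
    for product in PRODUCTS:
        m = re.search(r'\b%s/([\d.]+)' % product, ua)
        if m:
            return product, m.group(1)
    return None

def triage(line, installed):
    """Classify an event by comparing its claimed browser with the inventory."""
    ua = parse_event(line).get("useragent", "")
    claim = claimed_browser(ua)
    if claim is None:
        return "no-browser-token"
    product, version = claim
    if product not in installed:
        return "product-not-installed"
    # Compare major versions only; build numbers drift with auto-update.
    if installed[product].split(".")[0] != version.split(".")[0]:
        return "version-mismatch"
    return "matches-inventory"

if __name__ == "__main__":
    print(triage(EVENT, INSTALLED))
```

A result other than `matches-inventory` means the request did not come from a browser installed on that host, which is the expected outcome for the assessment agent and worth a closer look for any other process.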