Solved

Web Gateway agent

  • 24 March 2023
  • 2 replies
  • 82 views


Hello,

During the analysis of the report of the Immediate Threats test “GLOBEIMPOSTER RANSOMWARE WITH MEDUSALOCKER SPREADING VIA RDP” we verified that the access to a malicious URL has been correctly blocked. The related event registered by the SIEM reports:

  • The action is blocked because “Not allowed to use this browser”
  • The useragent reported in the event is “useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36”

Our doubt is related to the fact that none of the reported browser versions is currently installed on the host where the agent is running. We would like to ask if the agent uses an internal browser that is different from the default one used on the host?

Thank you in advance!

Lucio


Best answer by Shiraz 27 March 2023, 14:07



Hi @lucio_de_luca 

We don’t use a browser in the Web Gateway assessment.

This header:

“useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36”

is only for simulating browser activity.

Regarding your assessment, please contact our support team, because we need an assessment ID in order to analyze it.

Shiraz

Product Manager

Cymulate


Hello @Shiraz,

Thank you for your reply! We will contact your support if we have further questions about the specific assessment; this question was meant to be more general about the Web Gateway assessment.


Thank you again!
Lucio
