Block malicious PDF files with Socket Sentinel Pro
We will use Socket Sentinel Pro to block the download of malicious PDF files that contain JavaScript code. With this method we can block web exploit kits that spread PDF files carrying malicious JavaScript, for example the Blackhole Exploit Kit.
NoVirusThanks Socket Sentinel Pro is an advanced, yet user-friendly, bi-directional TCP traffic filtering application that allows you to add custom RegEx (Regular Expression) filters. Presets for filtering include HTTP header information, POST and GET data, domain names, or even a filter for *ANY* data passed over any connection.
1) Set needed option
Open Socket Sentinel Pro and browse to:
Rules -> Downloads
Enable the option “Block download of PDF files with JavaScript code”.
2) Testing
Now if we try to visit an infected website that is hosting the Blackhole Exploit Kit, we will see that the download of the malicious PDF file is blocked by Socket Sentinel Pro because the PDF file contains JavaScript code:
The malicious website:
hxxp://xwjbmmp.dhcp. biz/content/fdp1.php?f=19
has been successfully blocked; see also the Events tab:
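To show what the "PDF files with JavaScript code" rule has to look for, here is an added detection example (my own code, not part of Socket Sentinel Pro or this post) that scans a downloaded PDF for the /JavaScript and /JS action names, decodes the #xx name escapes attackers use to hide them, and also inflates FlateDecode streams so names hidden in compressed object streams are seen. The sample PDFs are constructed for the test and are not real malware.

```python
import re
import zlib

# Constructed sample PDFs (not real malware): a benign file, one with a plain
# /JavaScript OpenAction, one with the names hex-escaped (/J#61vaScript), and one
# whose action dictionary sits inside a FlateDecode-compressed object stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n%%EOF\n")
JS_ACTION = b"<< /S /JavaScript /JS (app.alert(1)) >>"
PLAIN_JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                b"3 0 obj\n" + JS_ACTION + b"\nendobj\n%%EOF\n")
ESCAPED_JS_PDF = (PLAIN_JS_PDF.replace(b"/JavaScript", b"/J#61vaScript")
                              .replace(b"/JS ", b"/J#53 "))
_objstm = zlib.compress(b"3 0 " + JS_ACTION)
COMPRESSED_JS_PDF = (b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 "
                     b"/Filter /FlateDecode /Length " + str(len(_objstm)).encode()
                     + b" >>\nstream\n" + _objstm + b"\nendstream\nendobj\n%%EOF\n")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream dictionaries with a direct /Length; indirect lengths (e.g. "5 0 R") are skipped.
STREAM_RE = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n")
# The name /JavaScript or /JS followed by a PDF delimiter (or end of data).
JS_NAME = re.compile(rb"/(?:JavaScript|JS)(?=[\s/\[\]<>()]|$)")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that zlib can inflate."""
    for m in STREAM_RE.finditer(data):
        body = data[m.end():m.end() + int(m.group(1))]
        try:
            yield zlib.decompress(body)
        except zlib.error:
            continue  # not Flate-encoded (or damaged); the raw bytes are scanned anyway


def pdf_has_javascript(data: bytes) -> bool:
    """Return True if the data is a PDF that declares a JavaScript action or /JS entry."""
    if not data.startswith(b"%PDF"):
        return False
    chunks = [data, *inflated_streams(data)]
    return any(JS_NAME.search(normalise_names(chunk)) for chunk in chunks)
```

A plain substring search for `/JavaScript` misses the escaped sample, which is why the name decoding step matters for a download filter like this one.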
Read more about Socket Sentinel Pro.