Month: January 2017

Mass Import of McAfee Firewall Domains to block

As of late, I’ve been experimenting more and more with the McAfee HIPS Firewall through McAfee ePO. So far, I think it is decent. It is at least stateful, so that’s a plus. The firewall has a feature to block domains, but using the GUI you can only add them one at a time. There is an option to import them, but that requires having them in a format McAfee can understand. Thinking outside the box, I decided to put an entry in the firewall and export that policy in order to get a feel for the structure. Once I did that, I was able to take a list of domains from www.malwaredomains.com, change some formatting in their file, and fit it into the McAfee format. The result is a perfectly formatted firewall policy ready to import. The workhorse of it all: PowerShell!

In my testing with www.malwaredomains.com, I imported over 14000 entries, and while McAfee HIPS took it, I don’t think it can handle that much, as the server became incredibly slow. Nonetheless, you can now take my script, make some minor adjustments, and use it with your malware domain listing of choice. Since we are on the subject, below are a few other sites that are good sources as well.

The code, by the way, is on my GitHub at https://github.com/WiredPulse/PowerShell/tree/master/McAfee

Sinkhole Domains Using DNS with the help of PowerShell

Thanks to Jason Fossen, there was no need to create a PowerShell script to input domains to sink. He had already created one called Sinkhole-DNS.ps1 (located here). One of the options in the script is to read in a file with domains listed. I like to frequent www.malwaredomains.com for my listing of bad domains and wanted to feed that into the PowerShell script, so I fired up ISE and began knocking out some code. In the end, I developed a script (located here) that downloads domains.zip from www.malwaredomains.com, uncompresses it, pulls out only the domain names, and writes them to a file. The file can then be used with the Sinkhole-DNS.ps1 script to import the domains into DNS. The syntax for this is shown below.
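The "take only the domain names out" step is where a blocklist import can go wrong, so here is an added PowerShell example (mine, not the author's script or Jason Fossen's) that extracts, validates and de-duplicates domains from a malwaredomains.com-style tab-separated file before anything is fed to DNS or the firewall. It assumes comment lines start with "##", that the domain is the first non-empty, non-numeric field of each row, and that the importer wants one domain per line; a constructed sample stands in for the unzipped download so it runs offline.

```powershell
# Constructed sample in the tab-separated layout assumed above (not real data).
$sample = @(
    '## Malware Domain Blocklist (constructed sample)',
    "## nextvalidation`tdomain`ttype`toriginal_reference`tdateverified",
    "`t`tbad-example.test`tphishing`texample.org`t20170101",
    "`t`tMalware-Host.example`tmalware`texample.org`t20170102",
    "`t`tbad-example.test`tphishing`texample.org`t20170103",   # duplicate
    "`t`tnot a domain`tattackpage`texample.org`t20170104"      # malformed row
)

function Get-BlocklistDomains {
    param([string[]]$Lines)

    # Hostname check: dotted labels of letters/digits/hyphens, 253 chars max.
    # Anything that fails is skipped rather than imported, so a stray field
    # never ends up sinkholed or blocked by mistake.
    $domainRegex = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'
    $seen   = @{}
    $result = New-Object System.Collections.Generic.List[string]

    foreach ($line in $Lines) {
        if ($line -match '^\s*(##|$)') { continue }            # comment or blank

        # Drop empty fields (blank nextvalidation) and all-digit fields (dates)
        # so the first remaining field is the listed domain.
        $fields = ($line -split "`t") | Where-Object { $_ -ne '' -and $_ -notmatch '^\d+$' }
        if (-not $fields) { continue }

        $candidate = $fields[0].Trim().ToLowerInvariant()     # case-insensitive dedupe
        if ($candidate -notmatch $domainRegex) {
            Write-Warning "Skipping malformed entry: '$candidate'"
            continue
        }
        if (-not $seen.ContainsKey($candidate)) {
            $seen[$candidate] = $true
            $result.Add($candidate)
        }
    }
    return $result
}

$domains = Get-BlocklistDomains -Lines $sample
$domains | Set-Content -Path .\domains-to-sink.txt -Encoding ASCII
"Wrote $($domains.Count) unique domains to domains-to-sink.txt"   # sample yields 2
```

Replace `$sample` with `Get-Content` on the extracted domains file (for example after `Invoke-WebRequest` and `Expand-Archive`) to process the real download; the warnings give you a quick audit of rows that were rejected.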

Bitnami