HTTP > Applets and ActiveX > Policies | Policy | Java Applet Security Rules
IWSVA can analyze the behavior of Java applets according to the criteria you choose. Then, whenever a Java applet is detected in a client's HTTP traffic that meets the criteria, IWSVA takes the action you choose.
Note: When validating applet signatures, IWSVA automatically adds unknown certificates to the Inactive Certificates table (HTTP > Configuration > Digital Certificates | Inactive Certificates).
If you have notifications enabled (Notifications > Applets and ActiveX Instrumentation), clients will receive a message each time a file of the specified type is blocked.
Block all Java applets—Choose this option to have IWSVA prevent all Java applets from crossing the HTTP gateway. Note: Although this is the most secure option, a significant number of Web pages and sites might not function as intended.
Process Java applets if applet has:
Valid signature, trusted certificate—Lowest risk. The applet has been signed and verified by a Certification Authority (CA) that is known to, and trusted by, IWSVA (as registered in the Digital Certificates page).
Valid signature, flagged certificate—Uncertain risk. The applet has been signed, but the IWSVA administrator has determined that the certificate is not trustworthy.
No signature—Highest risk. The applet has not been signed or certified. There is no indication of publisher and no assurance against tampering. Note: Web browsers restrict access to the client machine's resources when running unsigned applets.
Invalid signature—Moderate risk. A signature might be invalid because it is corrupt, has expired, or is on the CRL (certificate revocation list). Note: Web browsers treat applets with invalid signatures as unsigned, with restricted permissions.
Actions—When an applet meets the specified condition, you can have IWSVA pass, instrument and re-sign, instrument and strip the old signature, or block the applet.
Pass—The Java applet is delivered to the client as usual. Java applets are not scanned.
Instrument applet (re-sign)—The applet was validly signed; IWSVA inserts code into the Java applet to monitor and restrict actions that might be harmful. This action breaks the original signature. If the code is found to be okay, and if IWSVA has been configured with a re-signing certificate on the HTTP > Applets and ActiveX > Settings > Java Applets page, IWSVA will re-sign the applet. Otherwise, the applet will be left unsigned.
Instrument applet—The applet was originally unsigned; IWSVA inserts code into the applet to monitor and restrict potentially harmful actions.
Instrument applet (strip signature)—The applet was validly signed; IWSVA inserts code into the Java applet to monitor and restrict actions that may be harmful. Because this action breaks the signature, the original signature is removed. The applet is left unsigned.
Block—Prevents the Java applet from entering the LAN. The original applet is discarded and an IWSVA-generated applet is sent to the client browser that displays an informative block message.
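Why instrumenting breaks a signature, shown as an added example (not Trend Micro or IWSVA code): a signed JAR's manifest records a digest of each class file, so inserting code into a class leaves the recorded digest stale. The function names, the constructed sample JAR and its placeholder .SF/.RSA files are assumptions; only entry digests are compared, not the certificate chain.

```python
import base64, hashlib, io, re, zipfile
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.I)

def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def _write(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def _read(jar):
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return {n: z.read(n) for n in z.namelist()}

def make_jar(classes, signed):
    """Constructed sample JAR; the .SF/.RSA contents are placeholders, not real signatures."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    entries = dict(classes)
    if signed:
        for name, data in classes.items():
            manifest += f"Name: {name}\r\nSHA-256-Digest: {_digest(data)}\r\n\r\n"
        entries.update({"META-INF/SAMPLE.SF": b"placeholder", "META-INF/SAMPLE.RSA": b"placeholder"})
    entries["META-INF/MANIFEST.MF"] = manifest.encode()
    return _write(entries)

def instrument(jar, strip=False):
    """Stand-in for instrumentation: append bytes to every class; strip=True also drops the signature."""
    out = {}
    for name, data in _read(jar).items():
        if strip and SIG_FILE.match(name):
            continue  # signature files are removed
        if strip and name == "META-INF/MANIFEST.MF":
            data = b"Manifest-Version: 1.0\r\n\r\n"  # per-entry digests are removed too
        out[name] = data + b"\x00MONITOR" if name.endswith(".class") else data
    return _write(out)

def signature_state(jar):
    """Return 'no signature', 'digest mismatch' or 'digests match' (certificates are not checked)."""
    entries = _read(jar)
    if not any(SIG_FILE.match(n) for n in entries):
        return "no signature"
    text = entries["META-INF/MANIFEST.MF"].decode().replace("\r\n", "\n").replace("\n ", "")
    for section in text.split("\n\n")[1:]:  # skip the main section; join continuation lines above
        kv = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in kv and _digest(entries.get(kv["Name"], b"")) != kv.get("SHA-256-Digest"):
            return "digest mismatch"
    return "digests match"
```

For a signed sample, signature_state(instrument(jar)) returns 'digest mismatch', which is why an instrumented applet must be re-signed or have its signature stripped; instrument(jar, strip=True) returns 'no signature'.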
Note: The Note field in the Java Applet Security Rules tab is the same Note field found in the ActiveX Security Rules tab. Therefore, when you make a note in one tab screen, it appears in the counterpart tab screen. Trend Micro recommends that when you make a note, you identify it as either a Java Applet Security Rules note or an ActiveX Security Rules note. For example:
- Applet rules created by <ABCD> on <2345>
- ActiveX rules created by <DFGH> on <6886>