Logo
Info Security
News
Advisories
 
WebKnight
Features
Download
Support
SQL Injection
Robots
Hot Linking
DoS
Blocklists
Googlebot Verifier
Testimonials
 
Log Analysis
Features
Download
Manual
 
Databases
User Agents
Http Headers
 
Members
Login
 

AQTRONiX WebKnight - F.A.Q.

WebKnight Banner
Overview
General information

What is an ISAPI filter?
An ISAPI filter is a dll that plugs into IIS. Whenever a request arrives at your web server, events are triggered. IIS calls the ISAPI filter for each event you registered your filter for and IIS allows the filter to access the url, http method, headers and raw data (postdata), send back responses and many other things. The events WebKnight uses are: OnReadRawData, OnPreprocHeaders, OnUrlMap, OnAuthentication, OnSendResponse, OnSendRawData.

As an ISAPI filter, does it add much overhead to IIS?
First of all, security comes at a certain cost, and this will almost always be performance, however, because ISAPI filters like URLScan or WebKnight run in the inetinfo.exe space itself, there is almost no overhead and in most cases you will not even notice that WebKnight is running and scanning. It is only on heavy loaded (overloaded) web servers that you can have a performance issue.

Why did you make this tool?
Very simple: I wanted to block viruses, script kiddies... and I wanted to prevent them from filling the web server log files and give them a nice legal notice or special response which crashes their script kiddie tool. I also wanted to be able to see all attempts without having to read all the web server log files. A possible solution was intrusion detection. However, this does not stop them, it only warns you, by analysing all the packets that passes your system. This has a second disadvantage because it cannot analyse packets sent over SSL (because it is encrypted of course). So I needed a tool which worked closely with IIS and could block certain requests even over SSL. One such tool was URLScan (free tool from Microsoft). However, I wanted to add functionality (the moment I started coding this tool, MS were at version 2.5 of urlscan) and I wanted to be able to block new attacks before the vendor has released a patch. So I started coding my own "urlscan". Today I can say I have an application that does what urlscan does and so much more...

Why open source?
I know the feeling of wanting to add some functionality to some program and not being able to. With a security application like this, the responsible thing to do is to make it open source. This way I know others will review the code, give feedback, hacking the source, making the final product very secure. This is at least what I want to see happening. You have the permission to change it, port it, do whatever you like with it on the condition that you agree with the terms of the GNU General Public License.

Which versions of Windows/IIS are supported?
WebKnight runs on all versions of IIS 5 to 10. The only requirement is that the webserver has ISAPI filter support. So in IIS 7+, you have to enable this feature. WebKnight will also run on future versions of IIS or Windows servers. Although we do not test all possible configurations of Windows and IIS, the version of IIS is of importance. WebKnight will run on Windows 2000 to Windows Server 2016... WebKnight is available in 32bit and 64bit.

I have application pools running in 32bit and 64bit. Can I use WebKnight?
WebKnight 3.x installs both a 32-bit and 64-bit version of the filter and the correct version is loaded for the application pool using bitness preconditions.

For WebKnight 2.5 and earlier: After installing the 64 bit version of WebKnight, remove it from the isapi filter tab (in IIS) for each application pool that is running in 32 bit and add the 32 bit version of WebKnight manually (on the same ISAPI tab, click add isapi filter and select the 32 bit version of WebKnight.dll). You can just use the contents of the setup folder (e.g. copy this folder to %Program Files%\AQTRONIX\WebKnight\32bit\).

Installation & Configuration

I upgraded WebKnight but kept my old settings and now I don't have all the new features!
If you upgraded WebKnight and are still using an older settings file, you don't have the new features in your file. If settings are missing from the file, WebKnight will still use the feature and use the defaults. This is reflected in the Loaded.xml file, so you could just use that one or rename the file WebKnight.xml to Upgrade.xml and restart IIS. Your settings will be upgraded to a new WebKnight.xml file.

How can I get the default settings back?
Simply delete the file webknight.xml and restart the web server. This way WebKnight will make a new settings file with the defaults when it gets reloaded.

How do I upgrade a manual installation to a newer version?
If you previously did a manual install, you can't use the installer because the installer won't detect manual installations, therefore cannot upgrade them. So in that case follow these steps:

  • iisreset /stop
  • copy the new .dll and .exe files over old ones
  • rename WebKnight.xml to Upgrade.xml
  • iisreset /start

Can I run WebKnight with logging but not actually blocking anything?
Yes you can, see the setting "Response Log Only" in the section "Incident Response Handling"

Does WebKnight block access to the HTTP headers sent back by the web server?
By default access to the headers is not blocked, because it is part of the HTTP protocol: servers and clients need these. However, you can configure WebKnight so that it blocks HEAD requests (what most tools use to get the headers). To do so go to the section Methods and add the verb HEAD to the 'Denied Verbs' list and select 'Use Denied Verbs' and in the settings "Incident Response Handling" uncheck 'Response Directly', 'Response Redirect' and 'Use Response Status'. This will make WebKnight just drop the request without sending anything back to the client, but be aware that a simple GET request will also show the headers.

How does 'Response Directly' and 'Response Redirect' work?
If you use Response Directly then the file denied.htm (nohack.htm in WebKnight 1.3 and previous) located in the WebKnight directory is served up if an attack is detected. If the file is not present, or an error occurs while reading the file, a default text of "WebKnight Application Firewall Alert" is sent back. Also be aware that any changes to the file are not applied until WebKnight is restarted. The 'Response Redirect' option is to redirect the client to a URL, this url can be relative or absolute, so you could send them to an absolute url like http://www.aqtronix.com, a url starting with a slash ("/denied.htm") is an url relative to the root of your web site, a url with only a filename ("denied.htm") is relative to the current url. So, in this last case, if the client browser is at a certain virtual directory of your web site (like "http://www.yourdomain.com/shop/") they will be redirected to "http://www.yourdomain.com/shop/denied.htm". If you enable both the response directly and response redirect, then response directly has priority and response redirect is ignored.

Disadvantages of Response Redirect:

  • IIS will log the blocked request with a 302 status (Object Moved), while when using Response Directly, nothing will be logged in the IIS log file.
  • When you redirect the client and that page is also blocked, you redirect the client infinitely (most browsers will give an error about "exceeded maximum number of redirections").

Can I exclude a webapp or website from being scanned?
Yes, you can exclude the webapp using the following methods (depending on how the webapp is implemented):

  • If the webapp is a separate website in IIS, you can exclude the website using:
    • Excluded Web Instances (Scanning Engine section of the configuration). The instance id is the unique numeric identifier IIS assigns each website.
    • Excluded Host headers (also Scanning Engine section)
    • IIS manager you can also remove the ISAPI Filter (ISAPI Filters tab) and ISAPI Extension (Handler mappings) of WebKnight from the website (IIS 7 or later)
  • If the webapp is a virtual directory or single file:
    • exclude the /webapp url in Excluded Urls (Url Scanning section)
  • If the webapp is only called from a certain IP address:
    • add the IP address to Excluded IP Addresses (Scanning Engine section)
WebKnight and UrlScan

Is WebKnight meant to be a complete alternative to IISLockDown and URLScan?
It is meant as an alternative to URLScan, not IISLockDown, because this last one does things an ISAPI filter cannot do. As for URLScan, all of its functionality is implemented in WebKnight. I've seen WebKnight blocking malicious requests URLScan didn't block. In addition I looked at other commercial application firewalls and implemented everything I saw there as well. I suggest you try WebKnight and look at its features and settings, and you will be convinced that it is much more advanced than URLScan.

In the WebKnight notes you describe how to import settings used in URLScan into WebKnight, why and when should I do this?
If you import your settings from urlscan, then you are importing all the settings in the urlscan.ini file and certain Webknight settings are lost. I only recommend doing this if you did a lot of work on your urlscan.ini file and you have a complex setup where the default settings of WebKnight wouldn't work. I rather recommend using the default settings of WebKnight, because WebKnight blocks a lot more than urlscan does and you would lose some of that if you imported the settings.

UrlScan blocks exe files from being downloaded, does WebKnight do the same?
By default WebKnight does not block .exe files. Instead WebKnight uses a list of all system exe files, which I block access to, this should be secure enough. Only IIS knows if the requested exe is meant for download or is to be executed on the server. In WebKnight and UrlScan it is impossible to know this, that's why I chose to block access to all exe files installed on a standard w2k server installation, the other alternative is blocking all exe files (even for legitimate download) like urlscan does. I prefer my solution, because it will block those "/scripts/cmd.exe" requests but it won't block your program you wish to distribute like "/download/mysetup.exe".

Can I install both WebKnight and UrlScan?
Yes, you can run UrlScan together with WebKnight. WebKnight has all the features of UrlScan, so it is not necessary to install UrlScan if you are using WebKnight. In addition, if you are running WebKnight as a higher priority than UrlScan, it will block the request and UrlScan will not even see the request. If UrlScan has higher priority, the request will only be blocked by UrlScan (not by WebKnight, because the first filter blocks subsequent execution of the request). You also have to be aware that if UrlScan blocks something, it redirects to a url (one you can change), but the default url which UrlScan redirects to is also blocked by WebKnight. It might also be a performance bottleneck to run 2 such filters, so if you are running a web server on limited hardware it is recommended to uninstall UrlScan.

WebKnight and other ISAPI filters

We are running an ISAPI Rewrite filter and WebKnight is blocking everything?
There are two things you can try:

  1. Adjust the settings that shouldn't be blocked.
  2. Make the ISAPI Rewrite filter a higher priority than WebKnight. This will make sure that WebKnight will only see the already changed urls after rewriting is done. In WebKnight configuration, enable the "Allow Late Scanning" setting (section Scanning Engine) and change the priority in the ISAPI Filters tab in IIS by making sure ISAPI rewrite has a higher priority than WebKnight.

WebKnight and ISA Server

Can WebKnight be installed together with ISA Server on the same machine?
There is no problem to install both ISA Server and WebKnight on the same machine. WebKnight integrates closely with IIS because it is an ISAPI filter, therefore ISA shouldn't even know about WebKnight. ISA Server operates differently, because it inspects network traffic and also has application firewalls for specific protocols that run on top of this network traffic inspection, but it does not integrate with IIS, so there is no problem installing both of them on the same machine.

Can WebKnight be installed in ISA Server as a web filter?
Yes, ISA Server uses ISAPI for its Web Filters (see ISA Server Extensions). WebKnight 2.3 and later comes with an install/uninstall script. The script supports ISA Server 2000, ISA Server 2004, ISA Server 2006. This way, WebKnight can be used as a content filter for your internal users (filter web traffic) or can be used as an upfront firewall for your web servers (if you are using web publishing). You should additionally change the following settings:

  • Give change permission to the NETWORK SERVICE on the WebKnight Folder
  • check "Allow Late Scanning"
  • Remove "w3proxy.dll" from the Denied Files in the section Requested File
  • Uncheck "Use Allowed Paths" in the section Mapped Path
  • Uncheck "Use Allowed Url Starts" in the section URL Scanning
  • In WebKnight 2.5 and later, check the "Is Installed In Web Proxy" in the global filter capabilities

WebKnight and Forefront TMG

Can WebKnight be installed in Forefront TMG as a web filter?
Yes, WebKnight can plug into TMG as an ISAPI filter. It will scan all HTTP traffic inside TMG, this is traffic coming in to your published websites (reverse proxy) as well as internal requests going out to the internet (forward proxy). You can use WebKnight in both ways, as an internal content filter to protect your users, or as a WAF for your published websites, in the last case it would be a good idea to exclude the internal IP address range from being scanned.

  • Use the ISAInstall.vbs script, but as the destination folder use: 
    C:\Program Files\Microsoft Forefront Threat Management Gateway\AQTRONIX WebKnight
  • Give change permission to the NETWORK SERVICE on the WebKnight Folder
  • Check "Allow Late Scanning" (just a priority issue with other filters)
  • Remove "w3proxy.dll" from the Denied Files in the section Requested File
  • Uncheck "Use Allowed Paths" in the section Mapped Path
  • Uncheck "Use Allowed Url Starts" in the section URL Scanning
  • In WebKnight 2.5 and later, check the "Is Installed In Web Proxy" in the global filter capabilities

Troubleshooting:

  • You can enable/disable the filter in TMG Management -> Server -> Web Filters
  • Run WebKnight in logging only mode (Check Response Log Only in the section Incident Response Handling)

Log file entries

OPTIONS ; BLOCKED: HTTP VERB 'OPTIONS' not allowed ; BLOCKED: Header 'Translate:' not allowed ; f ; ; HTTP/1.1 ; /
This is just a genuine WebDAV request. WebDAV is an HTTP extension to easily work with files on a web server like you would do in a folder on your local computer. Microsoft implemented this extension in Windows 2000 (and up). One way to reproduce this is to go to My Network Places and add a network place to your web server (add 'http://server/'). If you need WebDAV, you should change the settings of WebKnight (see Web Applications).

GET ; BLOCKED: Content-Type 'text/xml' not allowed ; ; HTTP/1.0 ; /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN...
This is the Code Red I/II worm passing your system.

GET ; BLOCKED: Content-Type 'text/xml' not allowed ; ; HTTP/1.0 ; /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXX...
This is a new variant of the Code Red I/II worm (Code.Red.F, first detected on 11 March 2003).

WARNING: Could not determine end of headers, will process all data as headers ; BLOCKED: Directory traversal not allowed in headers ; BLOCKED: 'cmd.exe' not allowed in headers ; BLOCKED: 'system32' not allowed in headers ; GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir
Due to an error in the script kiddie tool (which should end a HTTP request with a double CRLF), WebKnight scans the raw data (in the OnReadRawData event) and treats it as headers, this together with the presence of 'cmd.exe', makes sure it is being blocked. If the error in the tool were not there WebKnight would block it in the next server events (OnPreprocHeaders and OnUrlMap).

CONNECT ; BLOCKED: HTTP VERB 'CONNECT' not allowed ; ; HTTP/1.0 ; mx1.mail.yahoo.com:25 ; BLOCKED: URL not in allowed list
Some spammer is trying to send spam via the HTTP tunneling technique. This is not supported by IIS. It is supported by Apache, but only if you enable the particular plug-in. Nothing to worry about.

/sumthin ; C:\InetPub\wwwroot\sumthin ; BLOCKED: accessing/running 'sumthin' file ;
Someone is probing you with some tool, this tool does a request for an unexisting page and the response (normally a 404 Not Found page) is analysed to determine what web server you are running. WebKnight blocks this particular request by default.

HTTP Server Error ; ; ; ; ; ; HTTP/1.1 500 Server Error...
Some error occured in IIS. If you look at the logfiles of IIS, you won't find this error, because IIS fails to log it (due to the error), however a response is sent back (or at least IIS tried to send it!), and this is being logged by WebKnight.

HTTP Server Error ; GET ; /some.large.file.jpg ; ; ; ; HTTP/1.1 500 Server Error...
This error means that someone requested a file and the connection was reset. The webserver was sending the file and when the connection resets, it generates a 500 error. However that error is not sent back to the client, as the connection was reset. You can test this yourself by requesting a page that takes a while to load and while doing that, hit the stop button (will most likely happen with image files). You should see a 500 error in the log files. So there is not really a thing you can do about this, except disabling WebKnight to report HTTP server errors. A lot of these errors are an indication that your server is under heavy load (users tend to close their browsers).

GET ; ; HTTP/1.1 ; BLOCKED: 'Host:' header required for HTTP 1.1 request ; /
The HTTP 1.1 specification requires a 'Host:' header in every request. This is due to the fact that HTTP 1.1 allows multiple sites to be run on the same ip address AND on the same TCP port. This process requires a host header (usually just the dns name of the website) for the web server to know which website to access. Bad written clients (e.g. some script kiddie tools) send a HTTP 1.1 request without a 'Host' header (or an empty host header). WebKnight blocks this by default.

/cgi-bin/formmail.pl ; BLOCKED: '/cgi-bin' not allowed in URL ; BLOCKED: '/cgi' not allowed in URL ; C:\InetPub\wwwroot\cgi-bin\formmail.pl ; BLOCKED: accessing/running 'formmail.' file ; ...
Some spammer is trying to exploit a bug in a well known formmail script.

BLOCKED: Not in allowed path list
You need to add the folder following this entry to your allowed paths. Open the config utility and go to the section Mapped Path, then in the allowed path list, add the above folder and save your file if you want to allow this path to be available for your web server.

What is this?
/scripts/root.exe ; BLOCKED: ...
/MSADC/root.exe ; BLOCKED: ...
/c/winnt/system32/cmd.exe ; BLOCKED: ...
/d/winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/..%5c../winnt/system32/cmd.exe ; BLOCKED: ...
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe ; BLOCKED: ...
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe ; BLOCKED: ...
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/..Á../winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/winnt/system32/cmd.exe ; BLOCKED: ...
/winnt/system32/cmd.exe ; BLOCKED: ...
/winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/..%5c../winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/..%5c../winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/..%5c../winnt/system32/cmd.exe ; BLOCKED: ...
/scripts/..%2f../winnt/system32/cmd.exe ; BLOCKED: ...

This is just the Nimda worm (or some skiddie running a tool).

POST ; BLOCKED: Content-Type 'application/octet-stream' not allowed ; ; HTTP/1.1 ; http://212.239.180.24:25/
Some spammer is trying to send mail via your web server. Nothing to worry about.

BLOCKED: '[token]' not allowed in User Agent
BLOCKED: User Agent not allowed
WebKnight blocked the request by a token specified in User Agent (Sequences) or Robots section of WebKnight configuration. More information about robots and user agents.

BLOCKED: Encoding exploit in cookie (abuse of: '%00' or '%u0000')
those are common encoding exploits by injecting the NULL terminating character (which terminates the string prematurely).

Troubleshooting

I changed the default settings and it is blocking all my web requests?
If WebKnight blocks legitimate requests after changing certain settings, you should try to locate what setting is blocking the requests. Open the log file and have a look at the entries, whenever you see a 'BLOCKED:' message, you have an indication of what is being blocked, now look at the configuration file and you'll find something similar. If you think it shouldn't be blocked, change the setting.

WebKnight does not see the changes in the configuration or is using the default settings?

  1. Make sure you edit the file WebKnight.xml and NOT Loaded.xml (this last one is for debugging and to see what is loaded in memory).
  2. Make sure the account used by IIS (SYSTEM,NETWORK SERVICE,IIS_IUSRS...) has change permissions on the WebKnight folder (and subfolders). If this is not the case then WebKnight will revert to the built-in default settings. Restart IIS after doing this.
  3. For performance reasons, changes of the configuration file will only be detected once a minute and only if there is website traffic (no traffic = no detection).
  4. If you are changing the User-Agent section, be aware that the robots section changes the actual values in the User-Agent section: that's why there is a difference between loaded.xml and WebKnight.xml

Issue with images (jpg,gif,...) under a certain size not being displayed.
This is an IIS6 issue and is solved in WebKnight 2.0. A workaround for WebKnight 1.3 and previous versions is to simply not change or remove the server header. So, in your settings file, go to the "Headers" section and uncheck "Change Server Header" and also make sure "Remove Server Header" is unchecked.

WebKnight is blocking a POST request or file upload on some page?
POST ; /mypage.asp ; HTTP/1.1 ; BLOCKED: Content-Type 'multipart/form-data; boundary=---------------------------7d5281ab0594' not allowed ;
In WebKnight 1.3 (and previous), go to the headers section of WebKnight config, in Allowed Content-Types, you have to add "multipart/form-data" (without quotes). But be sure to leave the first line blank (as explained below that list).
In WebKnight 2.0 (and later) go to Web Applications and check Allow File Upload.

I am having a performance issue or other strange issue with WebKnight?
If you have a performance issue (very rare) or another issue (also very rare) with WebKnight, there are several things you can do:

  • Uncheck Is Installed As Global Filter (Global Filtering Capabilities).
  • Uncheck Change & Remove Server header (in Headers section).
  • Make sure WebKnight is loaded as high priority, but AFTER the "sspifilt" filter and the "Compression" filter.
The first two will boost performance while the last one addresses issues involving SSL and loss of some WebKnight scanning or loss of some other functionality. In WebKnight 2.0 you can also further improve performance by doing these additional steps:
  • In the robots section uncheck:
    • Block Bots Email Harvesting
    • Block Bots Guestbook Spammers
    • Block Bots Other Bad
  • Uncheck Use Referrer Scanning (Referrer section)
  • Uncheck Deny User Agent Non RFC (User Agent section)

Some files are blocked and the log file says the URL is not RFC compliant?
For your URLs, you need to follow the proper RFC (RFC 1808 and RFC 1738). Encoded URLs are restricted to US-ASCII only. This probably means you don't use the required hex encoding (%xx) in your URLs for ASCII codes higher than 127 (or unicode characters). To resolve this issue, you need to properly encode your URL!

Some files are blocked and the log file says the URL contains high bit characters (shellcode) or says "%u" is not allowed?
The default setting of WebKnight restricts URLs to US-ASCII only (after decoding). You probably have file names which are not restricted to US-ASCII, but ASCII codes higher than 127 or unicode characters. In WebKnight 2.0 you need to enable Unicode (in "Web Applications" section). In previous versions of WebKnight, you need to disable the following setting (run configuration tool) under URL Scanning -> Deny High Bit Shellcode (uncheck this). To enable unicode encoding you have to allow %u. Remove this from the denied header/querystring/url/postdata sequences.

IIS 6 in Isolation Mode and SSL gives problems (connection resets)!
There is a known issue with SSL in IIS6. This is fixed in Windows Server 2003 SP1. A workaround is to change the setting of global filtering (if enabled, disable it, if it was already disabled, try enabling it). If that doesn't work, run IIS in worker process mode and change the WebKnight settings accordingly (see installation manual).

; HTTP Server Error ; POST ; /write.asp ; /write.asp ; |7|ASP_0101_:_80004005|
This usually occurs when uploading files which are larger than your component can handle (usually > 2MB). Use another component (newer version) or use chunked encoding instead of a single stream.

/<Rejected-By-UrlScan> ; C:\InetPub\wwwroot\ ; BLOCKED: '<' not allowed in path ; BLOCKED: '>' not allowed in path ; BLOCKED: '<' not allowed in filename ; BLOCKED: '>' not allowed in filename ;
It seems that you are running UrlScan on the same machine you are running WebKnight. This is possible, however when UrlScan blocks something, it redirects the client (default setting) to the url /<Rejected-By-UrlScan> which is not well formed. This has a cascade effect, because now WebKnight will block it. Solution: uninstall UrlScan or change the redirect url in the file urlscan.ini.

WebKnight is blocking the ASP error page (IIS 5 only)?
By default WebKnight blocks access to the /iishelp folder (as this folder can be a security risk). A default installation of IIS 5 has its error pages located in this folder, but this shouldn't be a problem, because they are set to FILE and the error handling is done internally in IIS. The error page for ASP is set to an URL: /iisHelp/common/500-100.asp. Because of this, the server has to map this to a local file name, and the event OnUrlMap is triggered which is seen by WebKnight. By default WebKnight blocks the /iishelp folder, so the client receives the WebKnight Firewall Alert instead of the error page. On a production server this shouldn't be a problem, as pages shouldn't error and even if they did, the client shouldn't see the error message because this page might reveal sensitive information. If you do want to enable these ASP errors, you have two options:

  • Change the default error pages to your own or the default text (in IIS click set to default) Note: in some versions of Internet Explorer you might need to disable the setting "Show friendly HTTP error messages" to see the actual error.
  • Allow /iishelp by removing it from Denied URL Sequences (section URL Scanning in the configuration tool)
IIS 6 does not have this issue.

IIS does not load WebKnight?
There are several things you can do:

  • Uncheck "Is Installed As Global Filter" (in the section Global Filter), if this setting is checked, then WebKnight will register for the OnReadRawData event which is not supported on IIS 6 and IIS 7 in its defaults installation.
  • Check file permissions on the WebKnight folder. The account used by IIS (SYSTEM, NETWORK SERVICE or IIS_IUSRS) needs to have write permissions on that folder.
  • Restart IIS.
  • Check the WebKnight log file and event log to see why IIS will not load WebKnight.

How can I block XSS injection or any other attack that relates to remote servers?
You can do this by adding the "http://" (without quotes) to the "Denied Querystring Sequences". Open config.exe and load the WebKnight.xml file and go to the section Querystring. The same applies for the "Denied Postdata Sequences" (in global filtering). But, also be aware that any redirection scripts or other web services/scripts that use absolute uri's in the query string will probably be broken. WebKnight 2.2 (and up) blocks this by default.

Downloading large PDF files is being blocked?
The log file will probably tell you something about the "Range:" header being too long. You can change the "Range:" header limit in the "Request Limits" section (see Max Headers list) of the WebKnight configuration.

Can I exclude certain IP addresses or IP ranges?
You can exclude an IP address in the section "Scanning Engine". Just add the IP address or range to the list and make sure this setting is enabled.

There are no log files?
WebKnight logs to a certain LogFiles folder, if you don't have this folder, or the folder is empty then it means that WebKnight does not have access to write to that folder. WebKnight runs inside the IIS process or worker processes, so the account used for running IIS needs to have change permission on the WebKnight folder (the SYSTEM, NETWORK SERVICE or IIS_IUSRS account).

I am missing log entries or the log files are not complete?
WebKnight runs in IIS or worker processes, if WebKnight is loaded more than once into memory, then only the first loaded instance of WebKnight will be able to access the log file. The subsequent loaded instances will not have write access to the log file and will skip logging their entries. The scanning will continue and requests will be blocked without logging. Use a unique log file path for each instance or enable the Per Process Logging setting in the config file.

I get an error after installing WebKnight 64-bit?
If you are running IIS in 32-bit on a 64-bit operating system (enable32BitAppOnWin64:true), and you installed the 64-bit version of WebKnight 2.5 or earlier, IIS will fail to load the firewall, because IIS is running as an 32-bit application (Calling LoadLibraryEx on ISAPI filter "C:\Program Files\AQTRONIX Webknight\WebKnight.dll" failed). In this case you have to install the 32-bit version of WebKnight.

WebKnight 3.x does not have this issue as the correct version of WebKnight is loaded using bitness preconditions.

ISAPI Filter could not be loaded after installing WebKnight.
ISAPI Filter 'C:\Program Files\AQTRONIX Webknight\WebKnight.dll' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number.

You are running a 64-bit version of WebKnight in a 32-bit application pool. Use the 32-bit version of WebKnight instead.

WebKnight 3.x does not have this issue as the correct version of WebKnight is loaded using bitness preconditions.

This server variable cannot be modified during request execution.
You get this ASP.NET exception in the event logs.

You are using the IIS Integrated Pipeline and events in the global.asax file at the same time. This generates an ASP.NET exception when you have an ISAPI filter installed that registers for the IIS authentication notification. In WebKnight uncheck the option Notify Authentication in the Authentication section of the configuration. This issue is described in KB 2605401.

Requests to /WebResource.axd or /ScriptResource.axd return a 404 Not Found error page.

You probably have the option "Verify that file exists" in the WebKnight ISAPI wildcard extension checked. The file WebResource.axd or ScriptResource.axd does not really exists but is mapped by ASP.NET to an embedded resource in the web application. Make sure you have unchecked this option. To do this, go to ISAPI Extensions, edit the WebKnight entry in the wildcard mappings.

More questions?

If your question is not in the F.A.Q. you can contact us.

Published: 13/05/2003Document Type: INFO
Last modified: 23/08/2019Target: Administrator
Visibility: PublicLanguage: English

[top] Print Edit
AQTRONiX
Serious about Security
Copyright © 2024 AQTRONiX. All rights reserved.