Malvertising And Why You Should Ad-block Your Network At The Gateway


Etienne Liebetrau


The proceeds from Internet advertising fund the Internet, providing us with some fantastic free services. Because ad revenue essentially pays for these services, you may conclude that web ads are good. You are right—to some extent.

There are some good reasons, however, to consider blocking web ads at the gateway.


In malvertising, malware-laden ads are placed on legitimate sites through approved advertisers. The problem has become so commonplace that there is an officially recognized term for it. The advertisers are not aware that the ads contain malware, and the attackers use a highly optimized and automated system to gain a large footprint.

The following link directs you to some interesting information on malvertising; it is worth your time to read this information:

If that sounds scary, take a look at a few recent examples of how malvertising affected the Internet world.

Internet usage and web performance

In some cases, web advertising has got completely out of hand. Have you ever been to a download site with six download buttons? It is difficult to figure out which download link to actually click.

The additional advertising not only increases the overall size of downloaded content, but it also adds to the number of DNS lookups, TCP connections, and network round trips.

At first, you might not think that is a big problem, especially if you have loads of bandwidth, but once you start using Fastvue Reporter and gain real insight into your Internet usage, you might feel a little differently.

This graphic shows an astonishing 5.6 GB of data being wasted on web ads. Even more frightening is that a total of 4.8 GB of data was sent out toward these sites. This means the web ads are pulling multiple gigabytes of data out of your enterprise or company on an ongoing basis.

Network performance—with and without web ads

The two images below show the bandwidth statistics for the exact same site ( In the first image, web ads are allowed. In the second, web ads are blocked.

Here is the site loaded with web ads allowed:

Here is the same site loaded with web ads blocked:

Loss of productivity

Loss of productivity is another concern when it comes to web ads. It is somewhat harder to express (as opposed to the network performance example above) because it depends on the audience. However, you can minimize loss of productivity by reducing the noise that your users encounter while working.

Some users are prone to following web ads because the ads are highly targeted. Some users are confused by multiple options jumping up at them from a page. Some people get annoyed with web ads, others call their colleagues over and say, “Hey check this out.”

Here, the same site was used to generate the performance stats above. No ad-blocking was used.

So web ads are bad. How do we fix that?

There are many browser plugins that can help block web ads, and some of the users in your company might already be using them. As a system administrator, however, you want something you can deploy easily and uniformly across your environment and manage centrally.

Sophos UTM's Web Protection functionality allows us to complete this task.

Configure Sophos UTM's Web Protection Filter Options

Sophos UTM filters web sites based on the definitions in the Filter Actions. You can amend these to block web ads by adding the Suspicious category:

  1. Open the Sophos UTM management console, and go to Web Protection | Web Filtering Profiles | Filter Actions.
  2. Click the Edit button on the relevant Filter.
  3. Locate the Suspicious category, and set the action to Block.
  4. Click Save.
  5. Repeat for all other filter actions in use.

Sophos UTM will now block all of the subcategories that are deemed suspicious.

You can confirm that web ads are in the suspicious category (as they are by default) by going to Web Protection | Filtering Options | Categories. Locate Suspicious. It should contain: Spyware / Adware, Parked Domains, Malicious Sites, Spam URLs, Web Ads, Phishing.

The result

Here is the same site loaded using the suggested web filter. Note that there are no ad-block plugins running in the browser because all of the sanitizing is being performed by Sophos UTM.

The core functionality of the site is now clear, and you have significantly reduced the amount of bandwidth-draining, potentially malicious traffic. You also saved 55 TCP round trips, 314 KB of data, and 16 TCP connections.
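As an added example (not from this post, Fastvue Reporter or Sophos UTM), here is how you could estimate the same kind of saving yourself from the list of requests a page load produces: hosts (one DNS lookup each), requests and bytes in both directions, with and without the ad hosts. The blocklist and the sample page load are constructed placeholders standing in for the gateway's Web Ads category and a real browser capture.

```python
from dataclasses import dataclass

# Constructed blocklist standing in for a gateway's "Web Ads" category;
# the hostnames are placeholders, not real ad networks.
AD_HOSTS = {"ads.example-adnetwork.test", "tracker.example-metrics.test", "cdn.example-ads.test"}

@dataclass(frozen=True)
class Request:
    host: str
    bytes_in: int   # bytes received from the server
    bytes_out: int  # bytes sent toward the server (headers, cookies, beacons)

def is_ad_host(host: str, blocklist=AD_HOSTS) -> bool:
    """True if the host or any parent domain is on the blocklist, so
    img.ads.example-adnetwork.test matches ads.example-adnetwork.test."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def summarize(requests) -> dict:
    """Unique hosts (one DNS lookup each), request count and byte totals."""
    return {
        "hosts": len({r.host for r in requests}),
        "requests": len(requests),
        "bytes_in": sum(r.bytes_in for r in requests),
        "bytes_out": sum(r.bytes_out for r in requests),
    }

def savings(requests, blocklist=AD_HOSTS) -> dict:
    """What a gateway block removes: the full load minus the load without ad hosts."""
    kept = [r for r in requests if not is_ad_host(r.host, blocklist)]
    before, after = summarize(requests), summarize(kept)
    saved = {k: before[k] - after[k] for k in before}
    saved["ad_share_in"] = round(saved["bytes_in"] / before["bytes_in"], 3) if before["bytes_in"] else 0.0
    return saved

# Constructed sample page load: a news page plus ad and tracker fetches.
SAMPLE = [
    Request("www.example-news.test", 48_000, 900),
    Request("static.example-news.test", 120_000, 600),
    Request("static.example-news.test", 30_000, 400),
    Request("ads.example-adnetwork.test", 85_000, 1_500),
    Request("img.ads.example-adnetwork.test", 210_000, 700),
    Request("tracker.example-metrics.test", 2_000, 4_000),
    Request("cdn.example-ads.test", 64_000, 800),
]

if __name__ == "__main__":
    print(savings(SAMPLE))  # -> {'hosts': 4, 'requests': 4, 'bytes_in': 361000, 'bytes_out': 7000, 'ad_share_in': 0.646}
```

Feeding it a real capture (for example the hosts and sizes from a browser's network panel) shows how much of a given page is ad traffic before you change anything on the gateway.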

Now that you're blocking web ads at the gateway, your users will have a cleaner, safer, and faster Internet experience.

Take Fastvue Reporter for a test drive

Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
