Imperva Cyber Community

Hi guys.

I'm looking at recent logs, I have seen Dalvik/2.1.0 and curl within the user-agent requirement. I give you examples:

Dalvik/2.1.0 (Linux; U; Android 11; moto g(60)s Build/RRLS31.Q2X-70-39-5)
app_process64 (unknown version) curl/7.81.0

Based on your experience, is it suggested to block this traffic?

#On-PremisesWAF(formerlySecuresphere)

Hi Jose,

While I cannot provide a direct recommendation, I can provide some guidance.

Tools like Dalvik and Curl exist in a grey area; they can be used for good - or they can be used for bad - the difference is in the wielder and the intent. 

Attackers like to leverage these tools because it makes their "job" easier.

Likewise, Quality Assurance (QA) testers also like to leverage these tools to make their job easier.

Now, keeping this in mind, it is unlikely that QA teams will need to use these tools against production sites - whereas it may be common to use these tools against Dev/Test/UAT sites.

I recommend opening a line of communication with your dev team(s) and or business line(s) to determine if they have a legitimate business need to use these tools against a production site, and you can plan your course of action from there. 

Thank you very much for answer.