McAfee Support Community - Web Control Category Logging Things It Shouldn't

andrewfcone · ‎04-19-2019

Hi everyone!

I'm running into a strange issue with Web Control 10.6.1.1082 . We have Content Actions configure to only block a few categories. One of the categories we do *not* block is Pornography (and we never have). And yet, on certain systems it's logging access to Pornography websites within ePO, but not blocking it (logged as Allow). This is the only category where this erroneous logging occurs - we do not see Allow traffic logged for any other category.

All systems have the same policy, and yet not all systems have this strange behavior of logging Pornography-category sites (but not blocking it). I've tried updating the agent, forcing policy updates from the ePO console, and it does not seem to make any difference at all. There's no commonality I can see on the systems/users in terms of System Tree location, OS, or version of ENS (It's been happening on and off since we started with ENS 10.5).

All extensions are up to date, and the ePO server is running 5.10 with the latest patches.

Ultimately, we only care about logging users that hit malicious sites. I know things about my co-workers now that I'd rather not. Given the sensitive nature of the traffic being logged, we don't want to have to approach the users to troubleshoot this, so I'm wondering if there's anything that can be done from the console (or even remotely modifying settings) without having to have a Pornography-related discussion with the employee.

ninov_n · ‎04-19-2019

Hello,

Even if you do not block it explicitly, it will still generate some events based on the Rating actions:

Content Actions policy

Also you need to verify your logging policy:

Common policy

Otherwise you can share the event details and collect MER logs so you can raise it as a SR with McAfee.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino

andrewfcone · ‎04-19-2019

Hey! Thank you for the quick reply!

So, under Content Actions, Pornography is not selected - so it shouldn't be logging it, correct?

Rating actions are default. Under Options (Common) --> Event Logging, none of the following 4 options are checked:

Log web categories for green rated sites
Log events for allowed sites configured in the Block and Allow List
Log Web Control iFrame events
Send browser page views and downloads to Web Reporter (increases network activity)

It's consistently inconsistent - it doesn't happen to everyone/every machine, but once it starts, it does not stop until the system is rebuilt.

ninov_n · ‎04-19-2019

Hi,

I was referring to ENS Common policy which defines to client logging options but I guess they are also default ones so it won't be much of a difference.

I think it is either corrupted ENS installation or something like this scenario below:

1. Pornography category is not blocked but default rating actions below still apply

2. An user opens such site classified as a yellow warning site which creates allow event

In case it is similar setup for all machines, it should be the same for all but it could be also some kind of a bug for WC so you can consider also submitting a ticket with them after you collect MER logs:

https://support.mcafee.com/ServicePortal/

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino

Web Control Category Logging Things It Shouldn't

Re: Web Control Category Logging Things It Shouldn't

Re: Web Control Category Logging Things It Shouldn't

Re: Web Control Category Logging Things It Shouldn't