cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
andrewfcone
andrewfcone
Level 7
Report Inappropriate Content
Message 1 of 4
‎04-19-2019 03:05 PM

Web Control Category Logging Things It Shouldn't

Hi everyone!

I'm running into a strange issue with Web Control 10.6.1.1082 . We have Content Actions configure to only block a few categories. One of the categories we do *not* block is Pornography (and we never have). And yet, on certain systems it's logging access to Pornography websites within ePO, but not blocking it (logged as Allow). This is the only category where this erroneous logging occurs - we do not see Allow traffic logged for any other category.

All systems have the same policy, and yet not all systems have this strange behavior of logging Pornography-category sites (but not blocking it). I've tried updating the agent, forcing policy updates from the ePO console, and it does not seem to make any difference at all. There's no commonality I can see on the systems/users in terms of System Tree location, OS, or version of ENS (It's been happening on and off since we started with ENS 10.5).

All extensions are up to date, and the ePO server is running 5.10 with the latest patches.

Ultimately, we only care about logging users that hit malicious sites. I know things about my co-workers now that I'd rather not. Given the sensitive nature of the traffic being logged, we don't want to have to approach the users to troubleshoot this, so I'm wondering if there's anything that can be done from the console (or even remotely modifying settings) without having to have a Pornography-related discussion with the employee.

0 Kudos
Reply
3 Replies
ninov_n
Reliable Contributor ninov_n
Reliable Contributor
Report Inappropriate Content
Message 2 of 4
‎04-19-2019 03:56 PM

Re: Web Control Category Logging Things It Shouldn't

Hello,

Even if you do not block it explicitly, it will still generate some events based on the Rating actions:

Capture.PNGContent Actions policy

Also you need to verify your logging policy:

1.PNGCommon policy

 

Otherwise you can share the event details and collect MER logs so you can raise it as a SR with McAfee.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
Tags (1)
Reply
andrewfcone
andrewfcone
Level 7
Report Inappropriate Content
Message 3 of 4
‎04-19-2019 04:12 PM

Re: Web Control Category Logging Things It Shouldn't

Hey! Thank you for the quick reply!

So, under Content Actions, Pornography is not selected - so it shouldn't be logging it, correct?

Rating actions are default. Under Options (Common) --> Event Logging, none of the following 4 options are checked:

  • Log web categories for green rated sites
  • Log events for allowed sites configured in the Block and Allow List
  • Log Web Control iFrame events
  • Send browser page views and downloads to Web Reporter (increases network activity)

It's consistently inconsistent - it doesn't happen to everyone/every machine, but once it starts, it does not stop until the system is rebuilt.

0 Kudos
Reply
ninov_n
Reliable Contributor ninov_n
Reliable Contributor
Report Inappropriate Content
Message 4 of 4
‎04-19-2019 05:22 PM

Re: Web Control Category Logging Things It Shouldn't

Hi,

I was referring to ENS Common policy which defines to client logging options but I guess they are also default ones so it won't be much of a difference.

I think it is either corrupted ENS installation or something like this scenario below:

1. Pornography category is not blocked but default rating actions below still apply

2. An user opens such site classified as a yellow warning site which creates allow event

In case it is similar setup for all machines, it should be the same for all but it could be also some kind of a bug for WC so you can consider also submitting a ticket with them after you collect MER logs:

https://support.mcafee.com/ServicePortal/

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
Tags (1)
0 Kudos
Reply
More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

      • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center