feickholt
Level 10

GTI CloudLookup

Question:

My expectation: If the local GTI lookup fails, the Proxy tries to do a GTI Cloud lookup.

http://dl2.vip0installer.com/download/Base/450233/candide/java.exe


is unrated in the local Database and rated as malicious in the Cloud DB (you can verify it in TrustedSource - Check Single URL).

In our TestWebgateway (7.5.1) I receive an unrated categorization.

When I enable DISABLE LOCAL GTI DATABASE in the URL Filter settings, the proxy also says malicious.....

?????????????

Frank

0 Kudos
6 Replies
feickholt
Level 10

Re: GTI CloudLookup

The same result in 7.4.2 and 7.3.2 :-(

In the URL Categorization settings you are not able to untick

Use Online GTI web reputation and Categorization services if local rating yields no result

This is wrong!!! The Online GTI reputation does not take place....

0 Kudos
McAfee Employee

Re: GTI CloudLookup

Hi Frank,

I'm looking into the issue; I was able to reproduce it partly. I found that with "Disable local database" the URL is rated as you find on trustedsource.org.

Please try disabling the option for "Perform forward DNS lookup".

Did you have a case open for this?

Best Regards,

Jon

0 Kudos
feickholt
Level 10

Re: GTI CloudLookup

Already disabled DNS Lookup. SR is already open.

0 Kudos
feickholt
Level 10

Re: GTI CloudLookup

Now I'm totally confused:

Same link

dl2.vip0installer.com/download/Base/450233/candide/java.exe

GTI Lookup Local: Categorization Software/Hardware     (DB Version 51350)
GTI Lookup Cloud: Categorization Malicious Downloads  (DB Version 166628)

tested 16.2.2015 9:22 CET

Whom should I trust?

Frank

0 Kudos
feickholt
Level 10

Re: GTI CloudLookup

Due to my last finding I extended our ruleset to log all differences between the Local and the Cloud GTI lookup

and

there are a lot...

Normally the cloud lookup offers less categories than the local lookup.

Examples ("LOCAL LOOKUP" -> "GTI LOOKUP"):

"Health, Internet Services"                              -> "Internet Services"
"Web Ads, Internet Services"                             -> "Business"
"Web Ads, Internet Services"                             -> "Web Ads"
"Finance/Banking, Content Server"                        -> "Content Server"
"Business, Software/Hardware, Marketing/Merchandising"   -> "Business, Software/Hardware"
"Business, Software/Hardware, Internet Services"         -> "Internet Services"
"Shareware/Freeware, Web Ads"                            -> "Web Ads"
"General News, Internet Services, Incidental Nudity"     -> "Internet Services"

But we also have completely different categories.

Here are some examples where either the cloud or the local lookup contains Malicious Sites and the other one does not (columns: Local, Cloud):

2015-02-16 09:10:43 http://adsearch.adkontekst.pl/akon/intext_spliter?prid=3&caid=96362&form=9042:0:I&ns=1424077843800 "Web Ads" "Malicious Sites"
2015-02-16 09:10:45 http://ads.pennlive.com/RealMedia/ads/adstream.cap?c=crtg&va=0&e=1s "Malicious Sites" "Web Ads"
2015-02-16 09:10:45 http://adsearch.adkontekst.pl/akon/intext_spliter?prid=3&caid=96362&form=9042:0:I&ns=1424077845792 "Web Ads" "Malicious Sites"
2015-02-16 09:10:47 http://www1.mpnrs.com/admdel/admaxxpop2.js "Web Ads" "Malicious Sites"

Same question: WHOM SHOULD I TRUST!

0 Kudos
feickholt
Level 10

Re: GTI CloudLookup

Some statistics:

During 5 minutes:

  

Total Number of objects                                     78783   100%
Uncategorized objects                                        2334     3%
Objects with different Local and Cloud GTI Categorization    7067     9%

This is more than I expected....

Frank

0 Kudos