My expectation: If local GTI lookup fails, the Proxy tries to do a GTI Cloud lookup
is unrated in local Database and rated as malicious in Cloud DB (you can verify it in TrustedSource - Check Single URL)
In our TestWebgateway (7.5.1) I receive an unrated categorization.
When I enable DISABLE LOCAL GTI DATABASE in the URL Filter settings, the proxy also says malicious.....
The same result in 7.4.2 and 7.3.2 :-(
In the URL Categorization settings you are not able to untick
"Use Online GTI web reputation and Categorization services if local rating yields no result"
This is wrong!!! The Online GTI reputation does not take place....
I'm looking into the issue, I was able to reproduce partly. I found that with "Disable local database" the URL is rated as you find on trustedsource.org.
Please try disabling the option for "Perform forward DNS lookup".
Did you have a case open for this?
Now I'm totally confused:
GTI Lookup Local : Categorization Software/hardware (DB Version 51350)
GTI Lookup Cloud: Categorization Malicious Downloads (DB Version 166628)
Tested 16.2.2015 9:22 CET
Whom should I trust?
Due to my last finding I extended our ruleset to log all differences between Local and Cloud Lookup GTI.
There are a lot...
Normally the cloud lookup offers less categories than the local lookup.
Examples:

| LOCAL LOOKUP | GTI LOOKUP |
|---|---|
| Health, Internet Services | Internet Services |
| Web Ads, Internet Services | Business |
| Web Ads, Internet Services | Web Ads |
| Finance/Banking, Content Server | Content Server |
| Business, Software/Hardware, Marketing/Merchandising | Business, Software/Hardware |
| Business, Software/Hardware, Internet Services | Internet Services |
| Shareware/Freeware, Web Ads | Web Ads |
| General News, Internet Services, Incidental Nudity | Internet Services |

But we also have completely different categories.
Here are some examples where cloud or local Lookup contains Malicious Sites, the other one not:
2015-02-16 09:10:43 http://adsearch.adkontekst.pl/akon/intext_spliter?prid=3&caid=96362&form=9042:0:I&ns=1424077843800 "Web Ads" "Malicious Sites"
2015-02-16 09:10:45 http://ads.pennlive.com/RealMedia/ads/adstream.cap?c=crtg&va=0&e=1s "Malicious Sites" "Web Ads"
2015-02-16 09:10:45 http://adsearch.adkontekst.pl/akon/intext_spliter?prid=3&caid=96362&form=9042:0:I&ns=1424077845792 "Web Ads" "Malicious Sites"
2015-02-16 09:10:47 http://www1.mpnrs.com/admdel/admaxxpop2.js "Web Ads" "Malicious Sites"
Same question: WHOM SHOULD I TRUST!
During 5 minutes:
| Total Number of objects | 78783 | 100% |
| Objects with different Local and Cloud GTI Categorization | 7067 | 9% |

This is more than I've expected....
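
An added example (not part of the thread and not McAfee code): a Python sketch that sorts lines from a local-versus-cloud difference log, in the format of the lines posted above, into kinds of disagreement and lists the URLs that only one lookup rates as malicious. The line format (local categories first, cloud second), the category names treated as malicious, the result labels and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed format: <date> <time> <url> "<local categories>" "<cloud categories>"
LINE_RE = re.compile(r'^(\S+ \S+) (\S+) "([^"]*)" "([^"]*)"$')
MALICIOUS = {"Malicious Sites", "Malicious Downloads"}  # names seen in the thread

def parse(line):
    """Return (timestamp, url, local_set, cloud_set), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, url, local, cloud = m.groups()
    local, cloud = (frozenset(c.strip() for c in f.split(",") if c.strip())
                    for f in (local, cloud))
    return ts, url, local, cloud

def classify(local, cloud):
    """Name the kind of disagreement between the two lookups."""
    if bool(local & MALICIOUS) != bool(cloud & MALICIOUS):
        return "malicious_mismatch"   # only one side flags the URL
    if cloud < local:
        return "cloud_subset"         # cloud returned fewer categories
    if local < cloud:
        return "local_subset"         # local returned fewer categories
    return "same" if local == cloud else "different"

def summarize(lines):
    """Count disagreement kinds and collect URLs that need manual review."""
    counts, review = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        _, url, local, cloud = rec
        kind = classify(local, cloud)
        counts[kind] += 1
        if kind == "malicious_mismatch":
            # Record which lookup raised the malicious rating
            review.append((url, "local" if local & MALICIOUS else "cloud"))
    return counts, review

# Constructed sample lines (not taken from a real log)
SAMPLE = [
    '2015-02-16 09:10:43 http://ads.example.test/a?x=1 "Web Ads" "Malicious Sites"',
    '2015-02-16 09:10:45 http://cdn.example.test/b.js "Malicious Sites" "Web Ads"',
    '2015-02-16 09:10:46 http://shop.example.test/ "Health, Internet Services" "Internet Services"',
    '2015-02-16 09:10:47 http://news.example.test/ "Web Ads, Internet Services" "Business"',
]
```

Calling `summarize(SAMPLE)` returns the per-kind counts and the review list; the malicious mismatches are the entries to check by hand, since the category-count differences are far more numerous and less urgent.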