cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
rajjesh
rajjesh
Level 9
Report Inappropriate Content
Message 1 of 4
‎10-14-2013 12:24 AM

Reports showing action allowed to malicious sites while the policies on web gateway are blocked

Dear Team,

As a daily task we generated a daily report based upon top ten categories, and were surprised to find that the report contained "njnj.redirectme.net" entry which belongs to Malicious downloads category.

Then we added the actions column into the reports and found that it was showing allowed.   We then checked into the webwasher category actions and found that the category is blocked for all the policies.

After checking directly into the access.log, we found that the entries for the above website were followed by trend micro antivirus.  The client is using TRend micro antivirus.

We also checked accessing the same website directly from the client browser, for whom its showing allowed in the action, the site got blocked and showed the right category.

Can some one please let me know what exactly might be going on  in the backend.

0 Kudos
Reply
3 Replies
andyclements
andyclements
Level 12
Report Inappropriate Content
Message 2 of 4
‎10-14-2013 05:30 AM

Re: Reports showing action allowed to malicious sites while the policies on web gateway are blocked

Can you do a rule engine trace for that site?  There is nothing happening in the backend that your rules don't tell it to do, we just need to find out what the rules are saying.

You will need to enable the trace.  This should be at the top of your rule sets, and is generally best to have it specific to the site or user in question.

ruletrace.png

There is an article about how to use them (7.3.2 and later) here.  Before that version, you need to manually read through the XML output.

0 Kudos
Reply
Regis
Regis
Level 12
Report Inappropriate Content
Message 3 of 4
‎10-15-2013 07:00 AM

Re: Reports showing action allowed to malicious sites while the policies on web gateway are blocked

In 7.3.2 and later,  I'm led to believe that it's even more fun than that... I don't think you need to touch the policy to do a rule trace (which is really nice).  Or did I hear that incorrectly?

on 10/15/13 9:01:19 AM CDT
0 Kudos
Reply
sroering
sroering
Level 13
Report Inappropriate Content
Message 4 of 4
‎10-15-2013 07:18 AM

Re: Reports showing action allowed to malicious sites while the policies on web gateway are blocked

You are correct, the new rule engine tracing doesn't need to modify policy. You just enter the IP address of the client you want to trace. 

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC