clausonna
Level 9

Request: Put Malvertisers in their own category

I frequently look at my access_denied logs (either via the CLI during investigations or via Web Reporter) for Malicious sites (i.e., cat access_denied.log | grep -i malicious | more). On a number of occasions I've found signs that a machine is infected and attempting to reach out to sites categorized as Malicious by McAfee. So yes, the connection is blocked, but only while the machine is on the corporate network.

The problem is that 'Malvertisers' (Malicious Advertisers) are also lumped into the same category, thus 'polluting' the logs and hiding the otherwise obvious signs of infection.  These include sites like doubleclick.net, zedo, serving-sys.com, lijit.com, to name but a few.  These log entries are not the 'phone homes' of an infected machine, they're typically just included as potential ads on relatively benign and/or unsuspecting web sites.

It would be great if malvertisers were put in a different category to help differentiate them from truly malicious sites and/or phone-homes.

McAfee Employee

Re: Request: Put Malvertisers in their own category

Hi clausonna!

Perhaps what is needed is a slight rule adjustment on your logs.

I suspect that these entries are ending up in your logs because there is an embedded URL which is seen as malicious.

For the domains you gave they are either categorized as "Web Ads" or "Internet Services":

http://www.trustedsource.org/en/feedback/url?action=checksingle&product=15-xl&url=doubleclick.net

http://www.trustedsource.org/en/feedback/url?action=checksingle&product=15-xl&url=serving-sys.com

http://www.trustedsource.org/en/feedback/url?action=checksingle&product=15-xl&url=lijit.com

So in your access denied log rule you could exclude sites that were blocked with the Block.ID of 10, and include the category of "Web Ads" or "Internet Services".

Or, you could make an adjustment in your rules to have a special block page for "Web Ads" or "Internet Services" with bad reputation, and assign those blocks a special Block.ID.

Let me know if this helps,

Jon

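Jon's exclusion rule applied to log lines, as an added example (not McAfee's code and not from either poster): entries with Block.ID 10 whose categories include "Web Ads" or "Internet Services" are set aside as malvertising noise, and the remaining "Malicious Sites" hits are counted per client so repeat beaconing stands out. The log line layout, the sample entries and all hostnames and addresses are constructed assumptions; only Block.ID 10 and the category names come from the thread.

```python
import re
from collections import Counter, defaultdict

# Assumed log layout (constructed for this example; real access_denied.log
# fields are whatever the rule set writes, so adjust LINE_RE to match):
#   <timestamp> <client_ip> <block_id> "<categories>" <url>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<block_id>\d+) "(?P<cats>[^"]*)" (?P<url>\S+)$')

CATEGORY_BLOCK_ID = 10                               # Block.ID for category/reputation blocks
AD_CATEGORIES = {"Web Ads", "Internet Services"}     # where ad networks are categorized

def classify(block_id, cats):
    """Bucket one entry: 'malvertising', 'malicious' or 'other'."""
    cats = {c.strip() for c in cats.split(",")}
    if block_id != CATEGORY_BLOCK_ID:
        return "other"
    if cats & AD_CATEGORIES:          # ad domain with a bad embedded URL
        return "malvertising"
    if "Malicious Sites" in cats:     # nothing but the category explains this hit
        return "malicious"
    return "other"

def triage(lines):
    """Return (buckets, malicious hits per client) for a list of log lines."""
    buckets, per_client = defaultdict(list), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            buckets["unparsed"].append(line)
            continue
        kind = classify(int(m["block_id"]), m["cats"])
        buckets[kind].append(m.groupdict())
        if kind == "malicious":
            per_client[m["client"]] += 1   # repeat hits hint at a beaconing host
    return buckets, per_client

# Constructed sample entries; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2014-03-01T10:00:01 10.0.0.5 10 "Web Ads, Malicious Sites" http://ad.example-net.test/pixel.gif
2014-03-01T10:00:02 10.0.0.5 10 "Malicious Sites" http://c2.example.test/gate.php
2014-03-01T10:05:02 10.0.0.5 10 "Malicious Sites" http://c2.example.test/gate.php
2014-03-01T10:00:09 10.0.0.7 10 "Internet Services" http://cdn.example-ads.test/js
2014-03-01T10:00:12 10.0.0.9 31 "Gambling" http://bet.example.test/
"""

if __name__ == "__main__":
    _, per_client = triage(SAMPLE_LOG.splitlines())
    for client, hits in per_client.most_common():
        print(f"{client}: {hits} Malicious Sites hits not attributable to ads")
```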
consoul
Level 9

Re: Request: Put Malvertisers in their own category

I too would love to see a malvertising category but our solution was what Jon already suggested.

blocked_lists.png

The first two rules will get a reason code 10; they are handled by McAfee. The fourth, fifth, sixth, and seventh are filters that we manage; they each get a custom block page and a custom block code. This is important for our data reporting as well as for knowing when McAfee has begun blocking a site that we blocked manually.
