When you put entries in the Global Whitelist rules at the top of the rule sets with a Stop Cycle, the URL does not fall into any rules that check for URL.Categories and then it doesn't assign a category to that URL in the logs.
One thing you can do is have the logs categorize on input in Web Reporter. It will lookup all the ones that don't have values.
Another thing that might occur is if you are doing proxy authentication. The embryonic 407 entries don't have categories assigned to the yet, but they still have log entries.
You can exclude the logging of 407 by putting a rule into the log handler that says 'Response.StatusCode does not equal 407'Message was edited by: Erik Elsasser on 1/13/11 1:23:10 PM CST
In Web Reporter, go into Administration>Options>Categorizations and enter the Web Reporter Serial Number and download the TrustedSoruce database.
Then on the Log Source itself, edit the Log Source>Processing and select the options for Include Categories from TrustedSrouce Web Data base and the Reputation option below it.
That should try to categorize anything that has a blank category against the currently download databse in reporter.
Thanks for the suggestion. This problem was actually fixed when I upgraded to the new version 5.1.1.01
Now I only see the "-" under Malware and Protection Areas. What does the "-" mean under these areas?
In essence, those are entries that do not contiain malware. That's probably almost all entries, and throws off the scale of charts.
I apply a filter for Malware name
To get them to display better on the quick views, I put a filter for non-blank malware names.
For Advanced Reports, I put an exclude in the query:
Thanks for the information, I was missing the part where we needed to download the TS database. I tried setting this up, but I am getting an error message from Web Reporter when I try to download the Trusted Source database. We get this same error whether the download is manual or scheduled.
McAfee Web Reporter was unable to download the TrustedSource Web Database on [servername].
Reason: Not enough memory (10)
Memory utiliztion seems normal on the Web Reporter server, but we do have our database on a separate server, which I haven't checked yet. I'm really not even sure if the Trusted Source database gets inserted into our SQL database for Web Reporter or if it just resides on the Web Reporter server. There don't seem to be any articles in the KB about this issue. Do you have any ideas?
TammyMessage was edited by: sdtsmit on 1/20/11 2:46:08 PM CST