Created a report on users which consumed much bandwidth and found this particular user.
But when I checked it, almost all of its access were blocked.
How does McAfee web reporter associate bandwidth? Does this mean the user consumes lots of bandwidth even if his accesses were all blocked?
MWG writes bytes_to_client in the access.log by default which is what WR will use to report on bandwidth. The data contained in a block page counts as bytes_to_client. Is the client spamming the proxy with requests that are blocked? Perhaps to mtalk.google.com? I've seen a case where over 6 gigs of block pages were transmitted to a client over 2 days due to the mtalk bug.
Thank you for the info.
Yes, I think this is a spam and it is sp-alive-msg.databssint.com. But these are blocked without any block page shown.
Is it considered already a 5mb data even if the block page isnt shown?
*Ive checked the detailed web actvty for this domain and it shows 5mb per block instance.
I queried the detailed web activity of the said domain.
I dont see in the raw logs anything that could pertain to bytes consumed. Where can we check it?