cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cryptochrome
cryptochrome
Level 7
‎12-02-2013 07:17 AM

Whitelisting for AntiMalware

Jump to solution

Hi,

in Webwasher 6 I was able to exactly tell which Antivirus component has blocked something (Proactive Scanning, Heuristic, normal AV engine). And I was able to whitelist URLs. For example, if Proactive Scanning heuristics blocked something, I was able to whitelist that URL only for Proactive Scanning while keeping the other AV engine active.

How would I accomplish this with MWG 7? I am using the default Antimalware Ruleset, which doesn't contain a whitelist at all. I could add a simple whitelist rule on top of the ruleset (match URL.host -> stop ruleset), but how can I make more granular decisions here?

Thanks

Sascha

0 Kudos
Reply
1 Solution

Accepted Solutions
jscholte
McAfee Employee
‎12-02-2013 08:34 AM

Re: Whitelisting for AntiMalware

Jump to solution

You just apply different antimalware scanning based that URL and make sure to not apply the default scanning.

So you could have different settings for "light scanning", "medium scanning", "heavy scanning" etc...

See this thread:

https://community.mcafee.com/message/280395#280395

Disregard my comments on there. Erik had a good example:

Rule Criteria:

URL.IsMinimalRisk<Default> equals true AND

Antimalware.Infected<Anti-Malware: Standard Setting> equals true

Rule Criteria:

URL.IsMinimalRisk<Default> equals false AND

Antimalware.Infected<Anti-Malware: High Setting> equals true

The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.

Best,

Jon

0 Kudos
Reply
5 Replies
cryptochrome
cryptochrome
Level 7
‎12-02-2013 07:18 AM

Re: Whitelisting for AntiMalware

Jump to solution

I have to correct myself: The default Antimalware ruleset does contain a whitelist. But the rest of my post still applies.

0 Kudos
Reply
jscholte
McAfee Employee
‎12-02-2013 08:34 AM

Re: Whitelisting for AntiMalware

Jump to solution

You just apply different antimalware scanning based that URL and make sure to not apply the default scanning.

So you could have different settings for "light scanning", "medium scanning", "heavy scanning" etc...

See this thread:

https://community.mcafee.com/message/280395#280395

Disregard my comments on there. Erik had a good example:

Rule Criteria:

URL.IsMinimalRisk<Default> equals true AND

Antimalware.Infected<Anti-Malware: Standard Setting> equals true

Rule Criteria:

URL.IsMinimalRisk<Default> equals false AND

Antimalware.Infected<Anti-Malware: High Setting> equals true

The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.

Best,

Jon

0 Kudos
Reply
cryptochrome
cryptochrome
Level 7
‎12-02-2013 09:00 AM

Re: Whitelisting for AntiMalware

Jump to solution

Thanks Jon. So there is no way to really differentiate between the different engines like before (MWG6), right?

Let's say a URL is blocked because of heuristics (is "Proactive scanning" still in use at all?) and I am sure it's false positive. There is no way I could disable heuristics for the URL while still pushing the content throuhg the AV engine?

Thanks

Sascha

0 Kudos
Reply
jscholte
McAfee Employee
‎12-02-2013 09:10 AM

Re: Whitelisting for AntiMalware

Jump to solution

The questioning was confusing but I'll try to clarify.

Yes, you can disable heuristics for the URL, while still pushing content through the AV engine.

You would use the method above.

URL.Host is in list [Disable Hueristics] AND

Antimalware.Infected<Anti-Malware: Heuristics disabled> equals true

Rule Criteria:

URL.Host is not in list [Disable Hueristics] AND

Antimalware.Infected<Anti-Malware: Default> equals true

Best,

Jon

0 Kudos
Reply
cryptochrome
cryptochrome
Level 7
‎12-02-2013 12:01 PM

Re: Whitelisting for AntiMalware

Jump to solution

Thanks Jon. I should have read the other thread you linked to before asking more questions. That other thread was exactly what I was looking for. I will play with this tomorrow.

Thanks!

0 Kudos
Reply