cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cryptochrome
Level 7
Report Inappropriate Content
Message 1 of 6
‎12-02-2013 07:17 AM

Whitelisting for AntiMalware

Jump to solution

Hi,

in Webwasher 6 I was able to exactly tell which Antivirus component has blocked something (Proactive Scanning, Heuristic, normal AV engine). And I was able to whitelist URLs. For example, if Proactive Scanning heuristics blocked something, I was able to whitelist that URL only for Proactive Scanning while keeping the other AV engine active.

How would I accomplish this with MWG 7? I am using the default Antimalware Ruleset, which doesn't contain a whitelist at all. I could add a simple whitelist rule on top of the ruleset (match URL.host -> stop ruleset), but how can I make more granular decisions here?

Thanks

Sascha

0 Kudos
Reply
1 Solution

Accepted Solutions
jscholte
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 6
‎12-02-2013 08:34 AM

Re: Whitelisting for AntiMalware

Jump to solution

You just apply different antimalware scanning based that URL and make sure to not apply the default scanning.

So you could have different settings for "light scanning", "medium scanning", "heavy scanning" etc...

See this thread:

https://community.mcafee.com/message/280395#280395

Disregard my comments on there. Erik had a good example:

Rule Criteria:

URL.IsMinimalRisk<Default> equals true AND

Antimalware.Infected<Anti-Malware: Standard Setting> equals true

Rule Criteria:

URL.IsMinimalRisk<Default> equals false AND

Antimalware.Infected<Anti-Malware: High Setting> equals true

The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.

Best,

Jon

View solution in original post

0 Kudos
Reply
5 Replies
cryptochrome
Level 7
Report Inappropriate Content
Message 2 of 6
‎12-02-2013 07:18 AM

Re: Whitelisting for AntiMalware

Jump to solution

I have to correct myself: The default Antimalware ruleset does contain a whitelist. But the rest of my post still applies.

0 Kudos
Reply
jscholte
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 6
‎12-02-2013 08:34 AM

Re: Whitelisting for AntiMalware

Jump to solution

You just apply different antimalware scanning based that URL and make sure to not apply the default scanning.

So you could have different settings for "light scanning", "medium scanning", "heavy scanning" etc...

See this thread:

https://community.mcafee.com/message/280395#280395

Disregard my comments on there. Erik had a good example:

Rule Criteria:

URL.IsMinimalRisk<Default> equals true AND

Antimalware.Infected<Anti-Malware: Standard Setting> equals true

Rule Criteria:

URL.IsMinimalRisk<Default> equals false AND

Antimalware.Infected<Anti-Malware: High Setting> equals true

The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.

Best,

Jon

View solution in original post

0 Kudos
Reply
cryptochrome
Level 7
Report Inappropriate Content
Message 4 of 6
‎12-02-2013 09:00 AM

Re: Whitelisting for AntiMalware

Jump to solution

Thanks Jon. So there is no way to really differentiate between the different engines like before (MWG6), right?

Let's say a URL is blocked because of heuristics (is "Proactive scanning" still in use at all?) and I am sure it's false positive. There is no way I could disable heuristics for the URL while still pushing the content throuhg the AV engine?

Thanks

Sascha

0 Kudos
Reply
jscholte
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 6
‎12-02-2013 09:10 AM

Re: Whitelisting for AntiMalware

Jump to solution

The questioning was confusing but I'll try to clarify.

Yes, you can disable heuristics for the URL, while still pushing content through the AV engine.

You would use the method above.

URL.Host is in list [Disable Hueristics] AND

Antimalware.Infected<Anti-Malware: Heuristics disabled> equals true

Rule Criteria:

URL.Host is not in list [Disable Hueristics] AND

Antimalware.Infected<Anti-Malware: Default> equals true

Best,

Jon

0 Kudos
Reply
cryptochrome
Level 7
Report Inappropriate Content
Message 6 of 6
‎12-02-2013 12:01 PM

Re: Whitelisting for AntiMalware

Jump to solution

Thanks Jon. I should have read the other thread you linked to before asking more questions. That other thread was exactly what I was looking for. I will play with this tomorrow.

Thanks!

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC