Hi,
in Webwasher 6 I was able to exactly tell which Antivirus component has blocked something (Proactive Scanning, Heuristic, normal AV engine). And I was able to whitelist URLs. For example, if Proactive Scanning heuristics blocked something, I was able to whitelist that URL only for Proactive Scanning while keeping the other AV engine active.
How would I accomplish this with MWG 7? I am using the default Antimalware Ruleset, which doesn't contain a whitelist at all. I could add a simple whitelist rule on top of the ruleset (match URL.host -> stop ruleset), but how can I make more granular decisions here?
Thanks
Sascha
You just apply different antimalware scanning based on that URL and make sure to not apply the default scanning.
So you could have different settings for "light scanning", "medium scanning", "heavy scanning" etc...
See this thread:
https://community.mcafee.com/message/280395#280395
Disregard my comments on there. Erik had a good example:
Rule Criteria:
URL.IsMinimalRisk<Default> equals true AND
Antimalware.Infected<Anti-Malware: Standard Setting> equals true
Rule Criteria:
URL.IsMinimalRisk<Default> equals false AND
Antimalware.Infected<Anti-Malware: High Setting> equals true
The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.
Best,
Jon
I have to correct myself: The default Antimalware ruleset does contain a whitelist. But the rest of my post still applies.
Thanks Jon. So there is no way to really differentiate between the different engines like before (MWG6), right?
Let's say a URL is blocked because of heuristics (is "Proactive scanning" still in use at all?) and I am sure it's a false positive. There is no way I could disable heuristics for the URL while still pushing the content through the AV engine?
Thanks
Sascha
The questioning was confusing but I'll try to clarify.
Yes, you can disable heuristics for the URL, while still pushing content through the AV engine.
You would use the method above.
Rule Criteria:
URL.Host is in list [Disable Hueristics] AND
Antimalware.Infected<Anti-Malware: Heuristics disabled> equals true
Rule Criteria:
URL.Host is not in list [Disable Hueristics] AND
Antimalware.Infected<Anti-Malware: Default> equals true
Best,
Jon
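A small Python model of the two rules in the reply above, added here as an illustration and not taken from the thread or from MWG itself. It assumes a settings profile is simply the set of engines it enables and that the scan in each rule only runs when the host test before it matched; the host names, list contents and engine names are constructed.

```python
# Toy model (not MWG code) of the two complementary rules from the post above.
# Assumptions: a settings profile is the set of engines it enables, and
# Antimalware.Infected<profile> is true when any enabled engine flags the body.

# Constructed list and profiles; names follow the post, contents are invented.
DISABLE_HEURISTICS = {"intranet.example.com"}
PROFILES = {
    "Heuristics disabled": {"signature"},
    "Default": {"signature", "heuristic"},
}

def infected(profile, detections, scan_log):
    """Model of Antimalware.Infected<profile>: run only the enabled engines."""
    scan_log.append(profile)
    return bool(PROFILES[profile] & detections)

def evaluate(host, detections):
    """Return (action, profiles_used). `detections` is the set of engines
    that would flag this response if they were run (constructed input)."""
    scan_log = []
    listed = host in DISABLE_HEURISTICS
    # Rule 1: URL.Host is in list AND Infected<Heuristics disabled>
    # `and` short-circuits, so the scan only runs when the host test matched.
    if listed and infected("Heuristics disabled", detections, scan_log):
        return "block", scan_log
    # Rule 2: URL.Host is not in list AND Infected<Default>
    if not listed and infected("Default", detections, scan_log):
        return "block", scan_log
    return "allow", scan_log

def demo():
    cases = [
        ("intranet.example.com", {"heuristic"}),   # false positive: now allowed
        ("intranet.example.com", {"signature"}),   # still blocked by AV engine
        ("other.example.net", {"heuristic"}),      # unlisted host: full scanning
        ("other.example.net", set()),              # clean content
    ]
    return [(h, sorted(d), *evaluate(h, d)) for h, d in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the two host tests are complements, every request is scanned with exactly one profile, so a listed host never skips the signature engine.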
Thanks Jon. I should have read the other thread you linked to before asking more questions. That other thread was exactly what I was looking for. I will play with this tomorrow.
Thanks!