mardes
Level 7

Wrong categorization Malicious Site

Hello!

We see the following problem: some URLs are categorized as "Malicious Sites", though according to McAfee TrustedSource they are uncategorized URLs.

Some examples:

http://www.trfv.de/                OK
http://www.trfv.de/index.php       Category: Malicious Sites

http://www.helpgreekanimals.org                                                                    OK
http://www.helpgreekanimals.org/index.php                                                          OK
http://www.helpgreekanimals.org/index.php?option=com_content                                       Malicious Sites
http://www.helpgreekanimals.org/index.php?option=com_content&view=article&id=103&Itemid=350        Malicious Sites

Moreover, the setting "Do a forward DNS lookup to rate URL" in the settings URL.categories<Default> has an influence.

When we disable this, categorization for all of the above URLs is OK (though the FQDN part of the URL is the same).

rule:

rule-URL-category.bmp

settings-URl-filtering.bmp

Why does the DNS lookup have an effect when just changing the path part of the URL?

Why are these URLs categorized as "Malicious Sites" though not listed at McAfee TrustedSource?

Best regards,

Michael

0 Kudos
5 Replies
andyclements
Level 12

Re: Wrong categorization Malicious Site

When "Do a forward DNS lookup to rate URLs" is enabled, the DNS lookup will be made for URLs for which no relevant information was found. When this is the case, the IP address that is found will be used for another lookup. So even if the domain name is OK, the IP address can be untrusted or malicious, and then you will get the block.

0 Kudos
mardes
Level 7

Re: Wrong categorization Malicious Site

Thank you for the quick answer.

Hm, but for example http://www.trfv.de/ and http://www.trfv.de/index.php both have the same IP address, of course; the first URL is OK, the second one is in the category Malicious Sites ...

Both are uncategorized in McAfee TrustedSource.

We have MWG 7.2.0.8.

0 Kudos
mlustfield
Level 7

Re: Wrong categorization Malicious Site

It seems like this happens if an IP address used to be used for a malicious website but has been repurposed. I can't figure out why the URI has anything to do with the request, though. I'm equally stumped and until I figure it out, I'm keeping that option disabled.

0 Kudos
McAfee Employee

Re: Wrong categorization Malicious Site

In these situations, the first priority should be to get the base domain categorized (www.trfv.de).

This issue IS occurring because of the forward lookup.

hxxp://89.110.129.55 (uncategorized) - http://www.trustedsource.org/en/feedback/url?action=checksingle&product=14-ts&url=89.110.129.55

hxxp://89.110.129.55/index.php (Malicious) - http://www.trustedsource.org/en/feedback/url?action=checksingle&product=14-ts&url=89.110.129.55%2Fin...

MWG will use the path of the URL along with the looked up IP address.

Best,

Jon

0 Kudos
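
A simplified model of the lookup order described in the replies above, as an added example that is not McAfee's code and not part of the original thread. The reputation table, the stub resolver, the function names and the host-wide entry check are constructed assumptions; only the host, the IP address and the verdicts come from the thread.

```python
from urllib.parse import urlsplit

# Constructed reputation table mirroring the verdicts quoted in the thread.
# Keys are "host-or-ip + path[?query]"; anything absent is unrated.
REPUTATION = {"89.110.129.55/index.php": "Malicious Sites"}

# Stub resolver so the example runs offline (IP as quoted in the thread).
DNS = {"www.trfv.de": "89.110.129.55"}


def _key(host, parts):
    """Build the lookup key: host (or IP) plus path and optional query."""
    path = parts.path or "/"
    return host + path + ("?" + parts.query if parts.query else "")


def rate(url, forward_dns=True, reputation=REPUTATION, dns=DNS):
    """Return (category, matched_key, via) for a URL.

    via is "name" when an entry for the hostname matched, "forward-dns"
    when the verdict came from the resolved IP plus the original path,
    and None when the URL stays unrated.
    """
    parts = urlsplit(url)
    host = parts.hostname
    # Step 1: rate the URL as requested; a host-wide entry also counts
    # (assumption: this is what "get the base domain categorized" achieves).
    for key in (_key(host, parts), host):
        if key in reputation:
            return reputation[key], key, "name"
    # Step 2, only for still-unrated URLs: swap the host for its IP address
    # and keep the path, so a verdict for another site on that IP can match.
    if forward_dns and host in dns:
        ip_key = _key(dns[host], parts)
        if ip_key in reputation:
            return reputation[ip_key], ip_key, "forward-dns"
    return None, None, None


if __name__ == "__main__":
    for u in ("http://www.trfv.de/", "http://www.trfv.de/index.php"):
        print(u, rate(u), rate(u, forward_dns=False))
```

The `via` field is the part worth logging when triaging a block: a "forward-dns" hit says the verdict belongs to the IP and path, not to the requested hostname.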
mardes
Level 7

Re: Wrong categorization Malicious Site

OK, since nowadays hundreds of webservers share one IP address this leads to false positives, I think we will disable this option, too.

Best regards,

Michael

0 Kudos