9 Replies Latest reply on Sep 10, 2012 9:31 PM by eelsasser

    Dear MWG Product Manager: reporting gateway antimalware falses is a pain in my [redacted]


      Miscategorization and AV false positives are a pain. This product is more of a pain than that of your competitors. So if you'll excuse a constructive and well meaning rant aimed to improve your product and customers' lives....


      1) URL Categorization

      For one, I have to authenticate to gripe about a URL categorization, and the user interface flow of that page https://www.trustedsource.org/en/feedback/url?action=checksingle&p=mcafee is pretty lame. If I pop quickly onto the page to see the categorization of the URL, I can do so without auth (hooray), but if I want to dispute or refine that classification to trigger a review with the priority appropriate to being a paying customer, now I have to auth, and I lose the data I already entered for that URL. It's a few seconds, but I have to do this sort of thing way more than I want to. I'd love a URL I can bookmark that preselects that I'm MWG resident, and lets me slap in a URL, and dispute a classification just by entering a minimum amount of info. Bluecoat doesn't make customers auth for this. They also seem to get back to ya a little quicker as well. http://sitereview.bluecoat.com/index.jsp



      2) Next, heuristic gateway anti-malware detections... a bit of a bane of my existence. Oh my god are these false positive prone. I need ways to quickly report these, and I haven't yet figured out how most surgically to whitelist certain flavors of detection or turn them off without ditching Heuristics entirely (I'm welcome to others' advice here).

      Returning to the reporting of potential false positives though... your URL categorization people won't deal with these requests. They say, report to Avert. Now here's what's great--if you want to report a false positive heuristic gateway anti-malware detect to Avert, you know what they require? A sample. A file sample. Zipped and encrypted with the password "infected". Guess what I can't do if I'm behind a McAfee Web Gateway that's got a false positive heuristic detection on a URL I am pretty darned sure is clean? That's right... I can't exactly get the file sample downloaded because the freaking gateway has blocked it as a heuristic malware detection. *face palm*

      So... how 'bout someone asking the Avert gateway antimalware folks to accept a URL as valid input to their submission process? Please? Pretty please? Save me the fun of using curl and a competitor's proxy that doesn't have a false positive to gather a sample in a cygwin window, then jumping to a DOS window to run infozip with a -e, and then going to an email client and attaching the file to email and hoping my DLP-enabled email gateway might let me send that out to you even though DLP won't be able to inspect the encrypted zip?

      And while we're at it, maybe have a way right in the email submission to automagically generate a support ticket or prioritize the issue if I provide my grant number, so I get higher priority than randoms submitting samples? And spare me this tremendously inefficient process of submit sample to Avert, wait for some sort of confirmation mail back that doesn't always come, then open a support ticket and ask support to escalate the Avert case?


      Because, honestly, I have more than enough administration to do on your products as well as other vendors' than to pat my head, rub my tummy, and zip encrypt things when me emailing you a URL and a description of where it came from really oughta be sufficient information for Avert to review a false on a heuristic detection.





      Message was edited by: Regis on 8/22/12 11:32:09 PM CDT