Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
2227 Views 9 Replies Latest reply: Jun 7, 2013 8:23 AM by ehiemsee RSS
kmerc00 Newcomer 1 posts since
Feb 16, 2012
Currently Being Moderated

Dec 12, 2012 3:42 PM

Need a Web Gateway rule to warn users of unverified reputation of url

I need to write a Web Gateway rule to warn a user that a website's reputation is unverified. I would like the rule to then allow the user to accept the risk and proceed to the website by clicking a link if they really need to get there.  Any help on writing the rule would be appreciated.

  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    Theoretically, you could use a Coaching page.

     

    There are four basic components to a Coaching rule set.

     

    1) Criteria the determines if you go into Coaching -- in your case it would be that reputation is Unverified

    2) Coaching Redirect, criteria = Quota.Coaching.IsActivationRequest.Strict, Redirect to original URL

    3) Coaching Notification, critiera = Quota.Coaching.SessionExceeded, Block with coaching notification page

    4) Coaching Check, criteria = Quota.Coaching.SessionExceeded equals false, Stop Rule Set

     

    The problem that I have yet to resolve is how to handle the fact that if you were to do coaching for one Unverified site, you've then set the CoachingExceeded flag to false which means that if someone was to go to another Unverified site within the coaching timeframe, it would be permitted. I'm trying to figure out how to make this work for things like Self-Signed certificates so that the client is prompted for a specific site, can choose to go there, MWG knows that that's okay, but if they go to a different site that also has a self-signed certificate, they get a new coaching notification for that specific site.

  • imtrying Apprentice 76 posts since
    Sep 6, 2011

    I would think that you could create a rule that says if unverified---> block and then on the block page have wording about the risk and then a button to continue but I cannot find information about the button of the action behind it.

  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    Sorry for the brevity, again I'm time crunched, but here is what I would expect it to look like (didnt test it):

     

    coaching_unverified_2012-12-14_162240.png

     

    You can based this on the default coaching ruleset.

     

    Best,

    Jon

  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    Jon,

     

    If a client goes to a site that's Unverified and accepts the coaching option, doesn't that mean that for the timeframe in which the CoachingSessionExceeded equals false, all Unverified sites will be permitted?

  • Folcan Newcomer 36 posts since
    May 10, 2010

    Exactly the same request, and same problem.

     

    Are you found a solution ?

     

    Regards,



    Regards,

    --------------------------------------------
    RLE @ Folcan
    McAfee PS - NetStaff
    Paris, FR
    --------------------------------------------
  • Jon Scholten McAfee SME 857 posts since
    Nov 3, 2009

    Under the rule above yes (because that was the only ruleset), but if you had rules occurring after, then they would still take place and block items.

     

    Best,

    Jon

  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    This is highly theoretical right now because I don't know how well it's going to scale, but here's what I did:

     

    URL.ReputationString<Default> equals "Unverified" AND URL.Categories<Default> none in list AllCategories

    action = continue

    events: set user-defined.category-unverified-warning ="Unverified/Uncategorized Site."

     

    Quota.Coaching.IsActivationRequestSTrict<Uncategorized Site> equals true

    action = redirect

    events: PDStorage.AddUserData.String(URL.Host, "WarningAccepted")<Sites>

     

    Quota.Coaching.SessionExceeded<Uncategorized Site> equals true

    action = Block <Uncategorized Site>

     

    PDStorage.GetUserData.String(URL.Host)<Sites> equals "WarningAccepted"

    action = Stop Rule Set

     

     

    The idea is to use PD Storage to create an entry associated with the username or IP address of the client with the URL.Host value and a flag indicating that the coaching was acceped. Then, for the timeout of the PD Storage instance, further accesses to that site will not cause the Block page to pop up. Theoretically, you could eliminate coaching, but I'm not clear on what would need to be done to get the second rule to trigger once you blocked in the third rule.

  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    Some minor modifications...

     

    Top level criteria should be URL.ReputationString<Default> equals "Unverified" AND URL.Categories<Default> none in list AllCategories

     

    First rule changes to criteria = always

     

    Third rule changes to

     

    Quota.Coaching.SessionExceeded<Uncategorized Site> equals true OR

    PDStorage.GetUserData.String(URL.Host)<Sites> does not equal "WarningAccepted"

    action = Block <Uncategorized Site>

  • ehiemsee Newcomer 1 posts since
    Jun 7, 2013

    Hello,

     

    Did you fix the problem, I have same problem

More Like This

  • Retrieving data ...

Bookmarked By (1)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points