In my experience, the GTI and site categories that mcafee products use ... aren't good enough for isolating that. GTI will tell us a risk level associated with an ip or URL, but it won't tell us WHY. Which is irritating in certain cases like this. Also, unlike Bluecoat, which has a separate category for "Malicious Sources" vs Malicious Outbound Data/Botnets , MWG categories seem to be grouped into "Malicious Downloads" and "Malicious Sites." That's where most of the blocking takes place. The AV engine in my experience catches mostly heuristics, and the Blackhole signatures to come up oh, maybe a few a week at most. Web site categorization and/or GTI risk is doing most of the blocking.
I've just gone through an exercise with the firstname.lastname@example.org team trying to figure out specifics why a given site was listed as high risk, and the answers that came back were vague to the point of making me want to beat my head on the desk. Finally a support engineer from the web gateway side explained that they simply don't have access to that level of detail on the history and the best I was able to get is that "The previous high risk web reputation of [site] was based on potential risk associated with one of the nameservers and not with [site] specifically." Further pressing never got me even to a given name server.
Are you an Arcsight customer? I'm investigating their capabilities in this realm, and among their value add is that their threat intel feeds to have more info as to the "why's" associated with given IP or URL blocking. I haven't seen yet with my own eyes whether that's true yet though. But I can confirm that GTI makes this pretty opaque and that to my knowledge, I don't think you'll be able to do what you've been asked based on anything McAfee provides.