619 Views, 1 Reply. Latest reply: Jan 16, 2013 11:05 AM by Regis

satbir (Apprentice, 85 posts since Oct 9, 2011)

Jan 16, 2013 1:22 AM

Botnet report

Hello,

My management is looking for a report that provides information only on botnets identified by MWG. Does it follow any fixed format, so that I can use a wildcard expression in the Malware Name field to extract such reports?

Regards,

Satbir

  • Regis (Champion, 457 posts since Oct 6, 2010)
    1. Jan 16, 2013 2:13 PM (in response to satbir)
    Re: Botnet report

    In my experience, the GTI and site categories that McAfee products use aren't good enough for isolating that. GTI will tell us a risk level associated with an IP or URL, but it won't tell us WHY, which is irritating in certain cases like this. Also, unlike Bluecoat, which has a separate category for "Malicious Sources" vs. Malicious Outbound Data/Botnets, MWG categories seem to be grouped into "Malicious Downloads" and "Malicious Sites." That's where most of the blocking takes place. The AV engine in my experience catches mostly heuristics, and the Blackhole signatures come up, oh, maybe a few a week at most. Web site categorization and/or GTI risk is doing most of the blocking.

    I've just gone through an exercise with the sites@mcafee.com team trying to figure out specifics of why a given site was listed as high risk, and the answers that came back were vague to the point of making me want to beat my head on the desk. Finally a support engineer from the web gateway side explained that they simply don't have access to that level of detail on the history, and the best I was able to get is that "The previous high risk web reputation of [site] was based on potential risk associated with one of the nameservers and not with [site] specifically." Further pressing never got me even to a given name server.

    Are you an Arcsight customer? I'm investigating their capabilities in this realm, and among their value adds is that their threat intel feeds have more info as to the "whys" associated with a given IP or URL block. I haven't yet seen with my own eyes whether that's true, though. But I can confirm that GTI makes this pretty opaque and that, to my knowledge, I don't think you'll be able to do what you've been asked based on anything McAfee provides.

    Message was edited by: Regis on 1/16/13 2:13:23 PM CST
