1378 Views 9 Replies Latest reply: Oct 4, 2013 3:47 AM by cryptochrome RSS
satbir Apprentice 85 posts since
Oct 9, 2011

Feb 15, 2013 12:32 AM

Dynamic content classification (DCC) Clarification

Hello,

 

I have recently upgraded to MWG 7.3.1 and was going through its release notes for new features. I am interested to know how MWG evaluates the category of a website using DCC. As per the default URL settings this option is disabled, but it mentions a few categories in it. I don't understand why categories are mentioned when the URL rating is still pending. Is it guesswork, like DNS lookups for URL rating, or does it pick up information from some other source?

 

Please help me understand this feature and its benefits, as I am looking forward to using it.

 

Regards,

Satbir


SS
  • eelsasser McAfee SME 842 posts since
    Mar 24, 2010
    1. Feb 15, 2013 12:52 AM (in response to satbir)
    Re: Dynamic content classification (DCC) Clarification

    I've been playing with this a little bit yesterday. It's kind of interesting.

     

    If a site is not categorized in the local database, it looks it up in the cloud. If it is still uncategorized there, then the content of the page is analyzed for keywords and categorized accordingly, locally on-box.

    This occurs in the Response Cycle as the content is being retrieved, so you may have to adjust the cycle checkmark on the URL filtering rule set.

    When a site is categorized via DCC, the site's FQDN gets classified and cached for a period (I think it's either 5 or 15 minutes, I forget).

     

    They will expand the category list eventually, but they have only completed the dictionaries for the 6 specified categories. When they do, the updates will come as part of the normal engine updates that occur when DAT or URL DB updates occur.

     

    You may have also noticed a new feedback capability that you can opt-in to. When sites are dynamically classified, they can send the results into the GTI cloud to have them processed more permanently for everyone else.

     

    That's it in a nutshell.

  • fschulte Apprentice 57 posts since
    Nov 16, 2011
    3. Feb 15, 2013 3:50 AM (in response to satbir)
    Re: Dynamic content classification (DCC) Clarification

    Hi Satbir!

    satbir wrote:

    > Wow! I like this feature...

    I am glad to hear that.

    satbir wrote:

    > Does it check only for text content or takes into account images etc present in the web page.

    It only works on the text and HTML metadata.

     

    Ciao

    Felix

  • fschulte Apprentice 57 posts since
    Nov 16, 2011

    Thanks for your post, Erik. Here are some further comments.

    eelsasser wrote:

    > This occurs in the Response Cycle as the content is being retrieved, so you may have to adjust the cycle checkmark on the URL filtering rule set.

    The default rules and the rules library contain the rule set "Dynamic Content Classification", which shows how to use the DCC.

    > When a site is categorized via DCC, the site's FQDN gets classified and cached for a period (I think it's either 5 or 15 minutes, I forget).

    Yes, the result is cached for 5 minutes using the FQDN.

    > They will expand the category list eventually, but they have only completed the dictionaries for the 6 specified categories. When they do, the updates will come as part of the normal engine updates that occur when DAT or URL DB updates occur.

    In 7.3.2 we will add support for "Updatable System Lists" so that new categories will become available to the user with normal engine updates. Until then we will publish new categories as part of the maintenance releases.

    > You may have also noticed a new feedback capability that you can opt-in to. When sites are dynamically classified, they can send the results into the GTI cloud to have them processed more permanently for everyone else.

    It's an opt-out, to be precise. The feedback will also serve to fine-tune the internal DCC rules.

     

    Ciao

    Felix
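
A conceptual model of the lookup order and the five-minute per-FQDN cache described in the two posts above, added here as an illustration and not McAfee's code. The category names, keywords, hit threshold, and the assumption that a cached DCC result answers later lookups for the same FQDN are constructed for the example.

```python
import re
from html.parser import HTMLParser

CACHE_TTL = 5 * 60  # seconds; the thread states DCC results are cached 5 minutes per FQDN
# Constructed data: placeholder categories and keywords, not McAfee's dictionaries.
LOCAL_DB = {"news.example": "General News"}
CLOUD_DB = {"shop.example": "Online Shopping"}
DICTIONARIES = {"Gambling": {"casino", "poker", "jackpot"},
                "Weapons": {"rifle", "ammunition", "holster"}}
MIN_HITS = 2  # assumed threshold for a keyword match to count

class TextAndMeta(HTMLParser):
    """Collects visible text and <meta content=...>; images are never inspected."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "meta":
            self.parts.append(dict(attrs).get("content") or "")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def dcc_classify(html):
    """Keyword analysis of page text and meta data; returns a category or None."""
    parser = TextAndMeta()
    parser.feed(html)
    words = set(re.findall(r"[a-z]+", " ".join(parser.parts).lower()))
    hits = {cat: len(words & kw) for cat, kw in DICTIONARIES.items()}
    best = max(hits, key=hits.get)
    return best if hits[best] >= MIN_HITS else None

class Categorizer:
    def __init__(self):
        self.cache = {}  # fqdn -> (category, expiry time)
    def categorize(self, fqdn, now, body=None):
        """body is None in the request cycle; the response cycle passes the page HTML."""
        cat = LOCAL_DB.get(fqdn) or CLOUD_DB.get(fqdn)
        if cat:
            return cat, "database"
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:
            return cached[0], "dcc-cache"
        cat = dcc_classify(body) if body is not None else None
        if cat:
            self.cache[fqdn] = (cat, now + CACHE_TTL)
            return cat, "dcc"
        return None, "uncategorized"
```

Because the cache key is the FQDN, one classified page labels every URL on that host until the entry expires, which matters on hosts that serve mixed content.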

  • cryptochrome Apprentice 97 posts since
    May 19, 2010
    5. Oct 2, 2013 1:52 PM (in response to satbir)
    Re: Dynamic content classification (DCC) Clarification

    Hi,

     

    I am kind of clueless about the placement of the default DCC rule. Let's say I have had a nested ruleset for URL-Filtering. That ruleset has always been triggered in the request cycle only, because it doesn't make sense to do URL-filtering in the response cycle. That's how it was always recommended in various posts and documents here in the community.

     

    (I basically have it like recommended in this document: https://community.mcafee.com/docs/DOC-3649)

     

    In order for the DCC to kick in, I need to enable it in the response cycle. How does that fit in with the existing (request-only cycle) URL filtering rule sets?

     

    I guess I have two options:

     

    1. Enable the response cycle in my existing URL-Filter rulesets. I am guessing this will be a huge hit on performance.

    2. I re-create the existing URL-Filter rulesets, put them in response cycle mode (disable request cycle) and only put DCC rules in there.

     

    But that's probably not right, is it?

     

    So what are we supposed to do?

  • pbrickey McAfee Employee 79 posts since
    Oct 13, 2011

    Hi Sascha,

     

    You can pretty much do whatever you want, so long as it applies to the request cycle. In the default rule set, it is placed at the very bottom after the antimalware rule set - there's a screenshot here: https://community.mcafee.com/docs/DOC-3348#Changes_from_730_to_731. It makes sense to keep it towards the bottom of the policy after all other filtering is performed.

     

    -Patrick

  • cryptochrome Apprentice 97 posts since
    May 19, 2010

    Thanks Patrick,

     

    Let me try and rephrase (not a native English speaker here): I know the default DCC rule, I already have it in place. However, this is a rule that hits every user. What if we have a complex URL filtering ruleset that has its own filtering ruleset for each user group? All these group-based rules only work on the request cycle, as recommended by McAfee and the community.

     

    How does DCC fit in there, since it needs to work in the response cycle? If I want a user/group based approach with DCC...

  • pbrickey McAfee Employee 79 posts since
    Oct 13, 2011

    Hi Sascha,

     

    You can use the Cycle.Name criteria in the rules and then apply the rule set to both the request and response cycles.

     

    For example, add 'Cycle.Name equals REQUEST' as a criterion to your existing rules and then put 'Cycle.Name equals RESPONSE' as a criterion for your new DCC rule in that rule set.

     

    -Patrick

  • cryptochrome Apprentice 97 posts since
    May 19, 2010

    Thanks Patrick. I guess that would work. But it's cumbersome and admins will probably forget about it (adding that property to every new URL filter rule).

     

    I think for now we will just use one global DCC rule that blocks access to categories that we want globally blocked.

     

    The feature could use some work..
