2 Replies. Latest reply: May 17, 2013 11:55 AM by consoul

    Request: Put Malvertisers in their own category


      I frequently look at my access_denied logs (either via the CLI during investigations or via Web Reporter) for Malicious sites (i.e. cat access_denied.log | grep -i malicious | more). On a number of occasions I've found signs that a machine is infected and attempting to reach out to sites categorized as Malicious by McAfee. So yes, the connection is blocked, but only while the machine is on the corporate network.


      The problem is that 'Malvertisers' (Malicious Advertisers) are also lumped into the same category, thus 'polluting' the logs and hiding the otherwise obvious signs of infection.  These include sites like doubleclick.net, zedo, serving-sys.com, lijit.com, to name but a few.  These log entries are not the 'phone homes' of an infected machine, they're typically just included as potential ads on relatively benign and/or unsuspecting web sites.


      It would be great if malvertisers were put in a different category to help differentiate them from truly malicious sites and/or phone-homes.
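As an added example (not from the original post or from McAfee's tooling), a small Python filter that does what the post does by hand: pull the Malicious hits out of access_denied.log, set aside the ad-network domains named above, and count what remains per client so repeated blocked phone-home attempts stand out. The log layout, the sample lines and the ad-network list are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed layout (not McAfee's real format):
# "<date> <time> <client_ip> <category> <url>"
SAMPLE_LOG = """\
2013-05-16 09:12:01 10.1.2.33 Malicious http://ad.doubleclick.net/adj/site
2013-05-16 09:12:03 10.1.2.33 Malicious http://d1.zedo.com/img/bt.gif
2013-05-16 09:15:44 10.1.2.77 Malicious http://bs.serving-sys.com/Serving/
2013-05-16 09:15:45 10.1.2.77 Malicious http://evil-c2-example.invalid/gate.php
2013-05-16 09:45:45 10.1.2.77 Malicious http://evil-c2-example.invalid/gate.php
2013-05-16 10:15:46 10.1.2.77 Malicious http://evil-c2-example.invalid/gate.php
2013-05-16 10:20:00 10.1.2.90 Pornography http://example.invalid/
2013-05-16 10:21:10 10.1.2.90 Malicious http://www.lijit.com/delivery/fp
"""

# Hypothetical local list of ad-network domains the analyst treats as
# malvertising noise rather than infection indicators (names from the post).
AD_NETWORKS = {"doubleclick.net", "zedo.com", "serving-sys.com", "lijit.com"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

def host_of(url):
    # strip the scheme and keep only the host part of the URL
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].lower()

def is_ad_network(host):
    # match the registered domain itself or any subdomain of it
    return any(host == d or host.endswith("." + d) for d in AD_NETWORKS)

def triage(log_text):
    """Return (noise, suspects): ad-network hits vs. other Malicious hits per client IP."""
    noise = Counter()
    suspects = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Malicious":
            continue  # only the Malicious category is of interest here
        host = host_of(m.group(4))
        if is_ad_network(host):
            noise[host] += 1
        else:
            suspects[m.group(2)][host] += 1
    return noise, suspects

if __name__ == "__main__":
    noise, suspects = triage(SAMPLE_LOG)
    print("Ad-network noise:", dict(noise))
    for ip, hosts in suspects.items():
        for host, n in hosts.items():
            print(f"{ip} -> {host}: {n} blocked hits")
```

A client that repeatedly hits the same non-ad host while the category is Malicious is the pattern the post describes as a sign of infection; the ad-network hits are reported separately so they no longer bury it.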