1017 Views 9 Replies Latest reply: Jul 9, 2013 9:45 PM by rukmalf
rukmalf Apprentice 64 posts since Jun 11, 2013

Jun 11, 2013 10:52 PM

Displaying a block page regardless of the web application

Hi,

I'm configuring an MWG and a DLP with ICAP; the DLP is the ICAP server. I have noticed that the block page doesn't work with most of the web applications and they just show 'error when connecting' (e.g. when uploading to MediaFire) when the content is blocked by the DLP. This is a major issue since we need to make the end user aware that their content was blocked by the DLP.

Does anyone have a suggestion on how to get the block pages working in any situation (regardless of the dynamic content)?

Or, if that cannot be achieved, I was planning on enabling email alerts to the users who get their content blocked. The email should include which category was violated by the content. Any comments on that?

Thanks in advance



Regards
Rukmal
  • Regis Champion 457 posts since
    Oct 6, 2010

    Hi Rukmalf,

     

    This question would get better attention in the McAfee Web Gateway forum, as the block page of which you speak is actually configured in the MWG interface, not in anything involving the network DLP goodies.

     

    That said, I'm experienced in both, and while block pages are relatively easy to figure out how to customize, it's a pretty involved procedure to modify email notifications...to the point I'd not advise anyone doing it alone the first time.

     

    You'd be well served opening a service request with the (in my experience) very helpful McAfee Web Gateway Team if you haven't already.  

  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009

    Hello,

     

    the nature of the beast

    Most modern Web Applications use Ajax to upload data in the backend 'outside' of the visible content of the browser. What then happens is that the ICAP Server will issue a 403 which the ICAP client then sends back to the browser. As the file transfer happens outside of the visible portion of the web page, the page is not able to display the block message and can only state that 'something' happened while transferring the data.

    To expand further, this behaviour is already implied by the term Ajax = Asynchronous JavaScript and XML. The back and forth between client (browser) and server happens asynchronously, and so outside of the visible portion.

     

    Michael


    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**
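As an added illustration of the point made in the post above (example code, not from the original thread and not from McAfee): when an upload goes through XMLHttpRequest or fetch, the gateway's 403 and its HTML body are handed to the page's script rather than rendered by the browser, and a typical uploader only checks the status and prints a generic failure. The JavaScript below shows what an application under your own control would have to do to surface the block reason instead. The block-page marker strings, the `SAMPLE_BLOCK_PAGE` body and the function names are assumptions made for this example.

```javascript
// Added example: why an ICAP 403 on an Ajax upload shows up as "error when
// connecting" rather than as the gateway's block page, and how an upload
// handler can surface the block reason instead.
//
// With a classic <form> POST the browser navigates to whatever the gateway
// returns, so the HTML block page is rendered.  With XMLHttpRequest/fetch
// the 403 body is handed to the page's script, which usually only checks
// status and shows a generic failure.  The body is still there to read.

// Heuristic check for a gateway/DLP block page.  The marker strings are an
// assumption: tune them to the block template actually configured on MWG.
const BLOCK_MARKERS = [/blocked/i, /data loss prevention/i, /content is not allowed/i];

function isBlockPage(status, contentType, body) {
  if (status !== 403) return false;
  if (!/text\/html/i.test(contentType || "")) return false;
  return BLOCK_MARKERS.some((re) => re.test(body));
}

// Pull a human-readable reason out of the HTML: <title> first, then the
// first <h1>, then the first 120 characters of the tag-stripped text.
function extractBlockReason(html) {
  const title = /<title>\s*([^<]+?)\s*<\/title>/i.exec(html);
  if (title) return title[1];
  const h1 = /<h1[^>]*>\s*([^<]+?)\s*<\/h1>/i.exec(html);
  if (h1) return h1[1];
  const text = html.replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
  return text.slice(0, 120) || "Upload blocked by web gateway";
}

// Classify an already-read upload response so this runs without a network.
// In a browser the caller passes res.status, res.headers.get("content-type")
// and await res.text().
function classifyUploadResponse(status, contentType, body) {
  if (status >= 200 && status < 300) {
    return { outcome: "ok" };
  }
  if (isBlockPage(status, contentType, body)) {
    return { outcome: "blocked", reason: extractBlockReason(body) };
  }
  // Generic failure: this is all most uploaders display today.
  return { outcome: "error", reason: `HTTP ${status}` };
}

// What the application code looks like in the browser.  fetch is injected
// so the function can be exercised with a stub.
async function uploadWithBlockHandling(fetchImpl, url, fileBlob) {
  const res = await fetchImpl(url, { method: "POST", body: fileBlob });
  const body = await res.text();
  return classifyUploadResponse(res.status, res.headers.get("content-type"), body);
}

// Constructed sample: the sort of 403 body a gateway block template returns.
const SAMPLE_BLOCK_PAGE = `<html><head><title>Upload blocked: Data Loss Prevention</title></head>
<body><h1>Your request was blocked</h1><p>The file matched the DLP rule "Credit card numbers".</p></body></html>`;
```

This only helps for web applications you control; a third-party site such as MediaFire will keep showing its own generic error, which is why the rest of the thread moves on to out-of-band notification.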
  • asabban McAfee SME 1,351 posts since
    Nov 3, 2009

    I think the email notification is the easiest approach. Most people have their mail client running all day long and will immediately see the notifications. Much better would be a client-side tool MWG could talk to to display an error message, but we don't have this at the moment.

     

    Best,

    Andre

  • Regis Champion 457 posts since
    Oct 6, 2010

    Andre Sabban wrote:

     

    I think the email notification is the easiest approach. Most people have their mail client running all day long and will immediately see the notifications. Much better would be a client-side tool MWG could talk to to display an error message, but we don't have this at the moment.

     

    Best,

    Andre

     

    +1 to email notification... so long as some sort of throttling can be baked in, as you wouldn't want to email-DoS someone if some sort of uploader kept trying a bunch of times, or if several POST requests that get blocked are triggered.

     

    As for client software, I can see the lure from a technical end user communication and notification standpoint, but speaking on behalf of other multi-product administrators ... honestly I and our Windows admins want another piece of McAfee software on my endpoints like I need a hole in my skull.  ;-)    But you're right that out of band notification is definitely a plus in situations like these.

  • asabban McAfee SME 1,351 posts since
    Nov 3, 2009

    MWG has "duplicate mail prevention", which should do the job pretty well. You can tell it to send 1 mail within 10 minutes or similar :-)

     

    In a perfect world MWG would tell a locally installed VirusScan Enterprise, ePO Agent or whatever already runs on a client to show a dialog or write something into a dashboard that is available to the end user... or Windows would provide an API that authenticated services could talk to (like the "net send" popups that were fun a few years ago :-)).

     

    I assume with all the Web2.0 stuff there will be something in the future.

     

    best,

    Andre

  • eelsasser McAfee SME 837 posts since
    Mar 24, 2010

    I incorporated a similar technique in one of my demonstration videos.

    https://mcafee.box.com/mwg-demo

    MWG7-FeatureDemo-Part 1.mp4

     

    At about the 8:00 mark, you will see me try to download an attachment, but it is blocked and doesn't save because of malware. You'll notice that the Outlook notification pops up at that point and gives details of the blockage.

    I had recorded a similar segment for DLP, but it's on the cutting room floor and never made it into the final, but the mail notification was the same.

     

    The challenge to doing this is deriving the email address from the authenticated user. If the logon name is the same as the email address like:

    logonname@domain.tld

    Then it's pretty easy to derive the destination mail address with a string manipulation.

    However, if it's not the same as the logon, like:

    first_last@domain.tld

     

    you will probably have to do an LDAP lookup to get the email address attribute.
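Putting three points from the thread together as one added example (not MWG's own mechanism and not code from any of the posts): eelsasser's two cases for deriving the recipient (string manipulation when the logon is already `logonname@domain.tld`, a directory lookup otherwise), Regis's request for throttling, and Andre's description of duplicate mail prevention as "1 mail within 10 minutes". The JavaScript (Node) below derives the address, applies a per-user, per-category suppression window, and hands the message to an injected mailer. The `ldapLookup` stub, the `sendMail` hook, the `example.com` domain, the user names and the sample events are all constructed for this example; a real deployment would replace the stub with an actual LDAP query of the mail attribute.

```javascript
// Added example: server-side logic for the e-mail notification approach.
// Two pieces: derive the recipient from the authenticated user name, and
// suppress duplicate mails per (recipient, category) within a window.
// The directory lookup is injected; ldapLookup below is a stand-in.

// Derive a mail address from the user name the gateway authenticated.
// Accepts "user@domain.tld" (UPN), "DOMAIN\\user" and bare "user".
// lookup(samAccountName) must return the directory's mail attribute or
// null; defaultDomain is used only when the lookup has nothing.
function deriveRecipient(userName, lookup, defaultDomain) {
  const name = String(userName || "").trim();
  if (!name) return null;
  // Already a UPN-style logon: the easy "logonname@domain.tld" case.
  if (/^[^@\\\s]+@[^@\\\s]+\.[^@\\\s]+$/.test(name)) return name.toLowerCase();
  // DOMAIN\user form: strip the NetBIOS domain before the lookup.
  const sam = name.includes("\\") ? name.split("\\").pop() : name;
  const fromDirectory = lookup(sam);
  if (fromDirectory) return fromDirectory.toLowerCase();
  return defaultDomain ? `${sam}@${defaultDomain}`.toLowerCase() : null;
}

// Duplicate-mail suppression: at most one mail per (recipient, category)
// in windowMs.  `now` (epoch ms) is passed in so behaviour is testable
// without waiting for the window to expire.
class NotificationThrottle {
  constructor(windowMs) {
    this.windowMs = windowMs;
    this.lastSent = new Map();
  }
  shouldSend(recipient, category, now) {
    const key = `${recipient}|${category}`;
    const last = this.lastSent.get(key);
    if (last !== undefined && now - last < this.windowMs) return false;
    this.lastSent.set(key, now);
    return true;
  }
}

// Tie the two together.  sendMail is injected (a real deployment hands the
// message to the MTA).  Returns what was done, for logging.
function notifyBlockedUpload(event, deps) {
  const { lookup, throttle, sendMail, now, defaultDomain } = deps;
  const to = deriveRecipient(event.user, lookup, defaultDomain);
  if (!to) return { action: "no-recipient", user: event.user };
  if (!throttle.shouldSend(to, event.category, now)) {
    return { action: "suppressed", to, category: event.category };
  }
  sendMail({
    to,
    subject: `Upload blocked by DLP policy (${event.category})`,
    body: `Your upload to ${event.host} at ${new Date(now).toISOString()} ` +
          `was blocked because it matched the DLP category "${event.category}".`,
  });
  return { action: "sent", to, category: event.category };
}

// Constructed directory stub standing in for the LDAP mail-attribute lookup.
const DIRECTORY = { jsmith: "john.smith@example.com" };
function ldapLookup(sam) { return DIRECTORY[sam.toLowerCase()] || null; }

// Constructed sample events: one user whose uploader retries three times
// in under a minute, then a second user with a UPN logon.
function runSample() {
  const sent = [];
  const throttle = new NotificationThrottle(10 * 60 * 1000);   // 10 minutes
  const deps = { lookup: ldapLookup, throttle, sendMail: (m) => sent.push(m), defaultDomain: "example.com" };
  const t0 = Date.UTC(2013, 5, 12, 8, 0, 0);
  const results = [
    { user: "EXAMPLE\\jsmith", host: "www.mediafire.com", category: "Credit Card Numbers" },
    { user: "EXAMPLE\\jsmith", host: "www.mediafire.com", category: "Credit Card Numbers" },
    { user: "EXAMPLE\\jsmith", host: "www.mediafire.com", category: "Credit Card Numbers" },
    { user: "adoe@example.com", host: "www.mediafire.com", category: "Source Code" },
  ].map((e, i) => notifyBlockedUpload(e, { ...deps, now: t0 + i * 15000 }));
  return { results, sent };
}
```

Keying the window on recipient and category rather than on recipient alone keeps the first notification for a different violation from being swallowed, while still stopping the retry storm Regis describes.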
