5 Replies Latest reply on Dec 2, 2013 2:01 PM by cryptochrome

    Whitelisting for AntiMalware

    cryptochrome

      Hi,

       

      in Webwasher 6 I was able to exactly tell which Antivirus component has blocked something (Proactive Scanning, Heuristic, normal AV engine). And I was able to whitelist URLs. For example, if Proactive Scanning heuristics blocked something, I was able to whitelist that URL only for Proactive Scanning while keeping the other AV engine active.

       

      How would I accomplish this with MWG 7? I am using the default Antimalware Ruleset, which doesn't contain a whitelist at all. I could add a simple whitelist rule on top of the ruleset (match URL.host -> stop ruleset), but how can I make more granular decisions here?

       

      Thanks

      Sascha

        • 1. Re: Whitelisting for AntiMalware
          cryptochrome

          I have to correct myself: The default Antimalware ruleset does contain a whitelist. But the rest of my post still applies.

          • 2. Re: Whitelisting for AntiMalware
            Jon Scholten

            You just apply different antimalware scanning based on that URL and make sure to not apply the default scanning.

             

            So you could have different settings for "light scanning", "medium scanning", "heavy scanning" etc...

             

            See this thread:

            https://community.mcafee.com/message/280395#280395

             

            Disregard my comments on there. Erik had a good example:

             

            Rule Criteria:

            URL.IsMinimalRisk<Default> equals true AND

            Antimalware.Infected<Anti-Malware: Standard Setting> equals true

             

            Rule Criteria:

            URL.IsMinimalRisk<Default> equals false AND

            Antimalware.Infected<Anti-Malware: High Setting> equals true

             

            The URL.IsMinimalRisk will always be true or false, so you will always get one or the other.

             

            Best,

            Jon

            • 3. Re: Whitelisting for AntiMalware
              cryptochrome

              Thanks Jon. So there is no way to really differentiate between the different engines like before (MWG6), right?

               

              Let's say a URL is blocked because of heuristics (is "Proactive scanning" still in use at all?) and I am sure it's a false positive. There is no way I could disable heuristics for the URL while still pushing the content through the AV engine?

               

              Thanks

              Sascha

              • 4. Re: Whitelisting for AntiMalware
                Jon Scholten

                The questioning was confusing but I'll try to clarify.

                 

                Yes, you can disable heuristics for the URL, while still pushing content through the AV engine.

                 

                You would use the method above.

                 

                URL.Host is in list [Disable Hueristics] AND

                Antimalware.Infected<Anti-Malware: Heuristics disabled> equals true

                 

                Rule Criteria:

                URL.Host is not in list [Disable Hueristics] AND

                Antimalware.Infected<Anti-Malware: Default> equals true

                 

                Best,

                Jon

                • 5. Re: Whitelisting for AntiMalware
                  cryptochrome

                  Thanks Jon. I should have read the other thread you linked to before asking more questions. That other thread was exactly what I was looking for. I will play with this tomorrow.

                   

                  Thanks!