Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Anna_Habert
Participant
Jump to solution

URL Filtering vs. URL Reputation

Hi there,

just a quick question about URL Reputation vs. URL Filtering.

We have an URL which Category is "Business/Economy" but it's URL Reputation is "malicious". AV-Blade blocks with "Access to site known to contain malware" (Sev: medium, Conf: medium).

Since this is the first time I see this kind of multiple Decision I am wondering if those are two different Databases? and why so? Shouldn't a bad reputation lead to the same bad categorization (eg: High Risk or Malicious Site)?

What is the correct way to handle the situation?

  • re-categorize with comment on urlcat-Site?
  • make a service request/TAC?
  • or just whitelist the site?
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin

Opening a TAC request is indeed the best way to find your answer here. 

View solution in original post

0 Kudos
4 Replies
_Val_
Admin
Admin

Opening a TAC request is indeed the best way to find your answer here. 

0 Kudos
PhoneBoy
Admin
Admin

URL Reputation and URL Filtering use different databases delivered through ThreatCloud.
URL Reputation is Anti-Bot/Anti-Virus specifically, which means the exception would need to be added to the Threat Prevention policy.
If you feel the categorization is wrong, please report via the TAC.

0 Kudos
the_rock
Legend
Legend

Personally, but this is just me, I agree with @_Val_ , open TAC case to get an official statement. You do bring up, however, very valid points. I would not do any re-categorization for now, but you could always whitelist the website for the time being.

What is the site if you can provide it? I have very good https inspection lab, so happy to test it out.

Best regards,

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend

Sorry to come in late on this one, but you have highlighted an area of overlap between Access Control and Threat Prevention that can lead to confusion when searching through Threat Prevention logs looking for a drop that was actually caused by URLF.  Access Control (including URLF) is always enforced first (with some exceptions for IP reputation drops that can happen very early for efficiency reasons) followed by Threat Prevention.  My impression is that the URL Filtering categories Spyware/Malicious Sites & Botnets are primarily for sites that were once a legit category (like Business/Economy) but have been hacked/infected and suddenly moved into this category; sites that are perennially in these categories tend to eventually get shut down by ISPs/providers unless they are in a hostile country.  These URLF categories can still provide some protection even if Threat Prevention is not enabled at all.

The reputation data for Threat Prevention is sourced from a number of open and closed sources, and it doesn't surprise me that occasionally it won't be in agreement with URL filtering.  Threat Prevention's database is much more dynamic and ever-changing than the URL filtering database.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events