RS_Daniel
Advisor

When are URLs/domains categorized by Anti-Virus?

Hi CheckMates,

I have a doubt about AntiVirus blade, hope someone can clarify this.

I need to know when a URL/domain is categorized by AntiVirus blade. According to "ATRG: Anti-Bot and Anti-Virus":

Accessed URLs are checked by the gateway's caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not.

I understand that all accessed URLs are checked against the ThreatCloud repository (checking the local cache first). But if that is true, and I have the categorization mode set to hold, every page should be blocked the first time it is accessed while categorization is done, and a log with action "detect" should be generated. That would be a problem with legitimate web sites like checkpoint.com or apple.com.

However, I tested that scenario, and legitimate pages are never blocked, and no AntiVirus logs are generated. I only get blocked when visiting a suspicious or malicious site/domain. So it seems that only sites/domains suspected to be malicious are categorized by AntiVirus? How is it determined whether categorization is done or not by the AntiVirus blade?


Checked the same behavior on R81 Jumbo 69 and R81.10 Jumbo 79


Regards

4 Replies
Chris_Atkinson
Employee

For context, how is DNS resource classification set in your environment currently?

Also, topology-wise, where is the queried DNS server positioned relative to the end user and gateway?

sk92224: Optimizing the categorization of DNS traffic by changing the Resource Classification Mode, for Anti-Virus and Anti-Bot

sk89340: Traffic latency might be caused by Anti-Bot / Anti-Virus resource categorization mode set to 'Hold'

CCSM R77/R80/ELITE
RS_Daniel
Advisor

Hello Chris and PhoneBoy,


DNS resource classification was by default:


[resource_classification_mode]
dns=bg
http=policy
smb=policy
smtp=policy
ftp=policy


PhoneBoy, does that mean that every new URL/domain will be categorized, including well-known sites? In this case, should a log be generated, whether it is on hold or bg?


Regards

PhoneBoy
Admin

Yes, assuming the DNS query goes through the Security Gateway.
I don’t believe a log is generated in background mode unless the site is malicious, though.

PhoneBoy
Admin

If the gateway sees the client's DNS lookup first, then that is used for classification.
Otherwise, it will categorize on the first page load.
This lookup usually happens fairly quickly and you may not even notice it.
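To make the hold versus bg distinction from the replies concrete, here is an added Python model; it is not Check Point code and not how the gateway is actually implemented. It parses the resource_classification_mode fragment quoted above and simulates first and repeat access under each mode; the THREATCLOUD table, the Gateway class and the assumption that "policy" defers to the Threat Prevention profile's mode are all assumptions of this example.

```python
import configparser
from dataclasses import dataclass, field

# Constructed copy of the resource_classification_mode fragment quoted in the thread.
CONFIG_TEXT = """
[resource_classification_mode]
dns=bg
http=policy
smb=policy
smtp=policy
ftp=policy
"""

# Hypothetical stand-in for ThreatCloud: a fixed reputation table, for illustration only.
THREATCLOUD = {"checkpoint.com": "benign", "apple.com": "benign", "bad.example": "malicious"}


def parse_modes(text: str) -> dict:
    """Parse the INI-style fragment into {protocol: mode}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["resource_classification_mode"])


@dataclass
class Gateway:
    modes: dict                 # per-protocol mode: "hold", "bg" or "policy"
    profile_mode: str = "hold"  # assumed meaning of "policy": take the mode from the TP profile
    cache: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    def resolve_mode(self, proto: str) -> str:
        mode = self.modes.get(proto, "policy")
        return self.profile_mode if mode == "policy" else mode

    def access(self, proto: str, resource: str) -> tuple:
        """Model one access; returns (action, held, cache_hit).

        held is True only when the effective mode is "hold" and the verdict had
        to be fetched, i.e. the connection waited for the repository answer."""
        cache_hit = resource in self.cache
        held = False
        if cache_hit:
            verdict = self.cache[resource]
        else:
            verdict = THREATCLOUD.get(resource, "benign")   # simulated ThreatCloud query
            self.cache[resource] = verdict                   # populate the local cache
            held = self.resolve_mode(proto) == "hold"
        if verdict == "malicious":
            self.logs.append((proto, resource, "prevent"))  # a log only for a bad verdict
            return "prevent", held, cache_hit
        return "allow", held, cache_hit                      # benign: allowed, nothing logged
```

Running a DNS lookup first (dns=bg) populates the cache, so the later HTTP access to the same site is a cache hit and is never held, which is the ordering PhoneBoy describes.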
