An end user enters one or more entries into the /etc/hosts file of their local machine. This appears to permit them to connect directly to a site which would otherwise be blocked by SWG appliance.
When hostname entries are typed in the /etc/hosts file, the local machine translates the hostname to the IP address of the domain name. The client browser then sends an HTTP request to the IP address of the domain. The HTTP request contains the path and filename requested, and the HTTP request contains the hostname in the HTTP Host: header. SWG appliance in turn performs malware IP lookup against the IP address and a Content Filtering lookup against the domain in the Host header and the rest of the URL specified in the HTTP GET or HTTP POST request. If the IP address is not a noted malware site, it does not appear on the IP reputation list. If the domain name in the HTTP Host: header and the URI requested in the HTTP GET or HTTP POST request do not correspond to a listing in the Rulespace ruleset, the SWG appliance will permit access to the site without logging an event entry.
This behavior is by design.
An enhancement request has been filed to ask that reverse DNS lookup occur for HTTP and/or HTTPS traffic IP addresses when those IP addresses would normally fall within fields that would specify a hostname. An enhancement request is exactly that, a request, and does not imply any commitment on the part of Symantec Corporation or its Engineering or Marketing teams.
The original design of SWG appliance was for span/tap mode, followed by INLINE mode. Historically, these modes both had support for latency that was measured in milliseconds. DNS lookups would add to the delay of processing and relaying traffic to an extent that would vary from environment to environment.
Additional options for detecting and avoiding hosts file based bypasses: