Edge SWG (formerly ProxySG) Threat Risk Levels Explained


Article ID: 169805


Updated On:

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

Edge SWG (formerly ProxySG) Threat Risk Levels is a new Intelligence Service introduced as of SGOS 6.6.x (6.6.2.1 to be more precise). The Threat Risk Levels service assigns threat risk levels to URLs according to specific criteria.

Below is an overview of the risk levels and how they are represented within the Threat Risk Details report from the proxy Management Console (Statistics > Threat Risk Details).

  • Low (Levels 1-2) - Report color is Green
    • The URL has an established history of normal behavior and has no future predictors of threats; however, this level should still be evaluated by other layers of defense (such as Content Analysis and Malware Analysis).
  • Medium-Low (Levels 3-4) - Report color is Green
    • The URL has an established history of normal behavior, but is less established than URLs in the Low group. This level should be evaluated by other layers of defense (such as Content Analysis and Malware Analysis).
  • Medium (Levels 5-6) - Report color is Yellow
    • The URL is unproven; there is no established history of normal behavior. This level should be evaluated by other layers of defense (such as Content Analysis and Malware Analysis) and considered for more restrictive policy.
  • Medium-High (Levels 7-9) - Report color is Orange
    • The URL is suspicious; there is an elevated risk. Symantec recommends blocking at this level.
  • High (Level 10) - Report color is Red
    • The URL is confirmed to be malicious. Symantec recommends blocking at this level.


Resolution

With a valid subscription, you can: 

  1. Look up threat risks for a URL. In the Management Console, select Configuration > Threat Protection > Threat Risk Levels.
  2. Make policy decisions based on a URL's threat risk. Use the Threat Risk Visual Policy Manager (VPM) object or the url.threat_risk.level= condition in Content Policy Language (CPL), where the value of url depends on the policy layer. Refer to the Content Policy Language Reference for syntax details.
  3. Override a URL's threat risk level. Use the Set Effective Threat Risk Level VPM object.
  4. View threat risk statistics over time. Select Statistics > Threat Risk Details.

Additionally, you can determine why individual requests were blocked, on a per-request basis, via proxy policy traces (aside from the proxy Management Console "Statistics > Threat Risk Details" view).
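As an added example (not part of the original article and not Symantec's own sample policy), the following CPL fragment ties step 2 and the policy-trace note above together: it denies requests whose URL is rated Medium-High or High (levels 7-10), the bands the article says Symantec recommends blocking, and marks those requests for tracing so the verdict shows up in a policy trace. The `<Proxy>` layer name, the `7..10` integer-range form of the `url.threat_risk.level=` condition, and the `trace.request(yes)` property are assumptions based on general CPL conventions; confirm each against the Content Policy Language Reference for your SGOS release before installing the policy.

```cpl
; Added example policy, not from the article. Assumes CPL range syntax
; "7..10" for url.threat_risk.level and the trace.request(yes) property.
<Proxy>
    ; Medium-High (7-9) and High (10): block, and trace the request so the
    ; block can be confirmed per request with a policy trace
    url.threat_risk.level=7..10 DENY trace.request(yes)

    ; Medium (5-6): unproven URLs; allowed here, but the article suggests
    ; considering more restrictive policy and relying on Content Analysis /
    ; Malware Analysis downstream
    url.threat_risk.level=5..6 ALLOW

    ; Low and Medium-Low (1-4): established history of normal behavior;
    ; still passed to other layers of defense
    url.threat_risk.level=1..4 ALLOW
```

Install the fragment in a test policy layer first and use Statistics > Threat Risk Details, together with a policy trace of a known test request, to verify that only levels 7-10 are denied; if your CPL reference shows a different range or property syntax, adjust the two assumed constructs rather than the level boundaries.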