SEP URL Reputation FAQ


Article ID: 218110


Products

Endpoint Protection

Issue/Introduction

You would like to learn more about the URL Reputation option in the IPS policy, which is available in the 14.3 RU1 or later Symantec Endpoint Protection Manager.

Resolution

Q: What is URL reputation?

A: URL reputation detections identify threats from domains and URLs that can host malicious content such as malware, fraud, phishing, and spam. URL reputation blocks access to web addresses that are identified as known sources of malicious content. Information from visited URLs is sent to Broadcom to retrieve a reputation rating.

Q: Does URL reputation use definitions?

A: URL reputation detections require SymPlatform definitions and IPS definitions downloaded from Symantec LiveUpdate.

Q: Which IPS signatures are used for URL reputation detections?

A: SID 60501 detections are browser-based detections, and SID 29565 detections are triggered from non-browser sources.

Q: Can you provide examples of log entries?

A: The following are examples of possible log entries for each of the detections:

[SID: 29565] Web Attack: Webpulse Bad Reputation Domain Request attack blocked. Traffic has been blocked for this application: <path>

[SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: <path>
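
For triage, entries in the layout shown above can be parsed and grouped by detection source and blocked application. This is an added example, not Broadcom code; the application paths and the SID 99999 line are constructed, and it assumes exported log lines keep the message layout of the two samples.

```python
import re
from collections import Counter

# SID meanings as stated in this FAQ.
SID_SOURCE = {60501: "browser", 29565: "non-browser"}

# Message layout taken from the two sample entries above.
ENTRY_RE = re.compile(
    r"\[SID:\s*(?P<sid>\d+)\]\s*(?P<signature>.+?) attack blocked\.\s*"
    r"Traffic has been blocked for this application:\s*(?P<app>.+?)\s*$"
)

# Constructed sample lines: the paths and the SID 99999 entry are made up.
SAMPLE_LOG = [
    r"[SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"[SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\Google\Chrome\Application\CHROME.EXE",
    r"[SID: 29565] Web Attack: Webpulse Bad Reputation Domain Request attack blocked. Traffic has been blocked for this application: C:\Tools\updater.exe",
    r"[SID: 99999] Constructed Other Signature attack blocked. Traffic has been blocked for this application: C:\Tools\updater.exe",
    "Definitions updated successfully.",
]

def parse_entry(line):
    """Return a dict for a URL reputation detection, or None for any other line."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    sid = int(m.group("sid"))
    if sid not in SID_SOURCE:
        return None  # a different IPS signature, not URL reputation
    return {
        "sid": sid,
        "source": SID_SOURCE[sid],
        "signature": m.group("signature"),
        "application": m.group("app"),
    }

def summarize(lines):
    """Count detections per (source, application); paths are lowercased
    because Windows paths are case-insensitive."""
    counts = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry:
            counts[(entry["source"], entry["application"].lower())] += 1
    return counts

if __name__ == "__main__":
    for (source, app), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {source:12s} {app}")
```
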

Q: Why is SID 29565 not visible in the IPS Exceptions list?

A: This is a known defect resolved in 14.3 RU3.

Q: Which browsers support URL reputation?

A: Google Chrome and Microsoft Edge (as of 14.3 RU8) support URL reputation. Support for Firefox is being considered for a future client release.

Q: How can I test URL reputation?

A: The following URLs can be used to create sample URL detections:

http://testrating.webfilter.bluecoat.com/Malicious%20Sources/Malnets?locale=en_US
http://testrating.webfilter.bluecoat.com/Malicious%20Outbound%20Data/Botnets?locale=en_US
http://testrating.webfilter.bluecoat.com/Phishing?locale=en_US

Note: URL Reputation detections are asynchronous (to preserve browser performance). You will need to access each sample page 2-3 times to produce the test detections.

Q: Do Trusted Web Domain Exceptions apply to URL Reputation detections?

A: Yes, websites listed as Trusted Web Domain Exceptions will be allowed by URL reputation.

Q: URL reputation is triggering on a known good URL. How can I resolve this?

A: This document outlines the process for submitting through the URL Reputation False Positive Process.