We are currently evaluating IronPort for our internet gateway. We are finding the product to be generally superb, but we're having a problem with getting false negative results when we have Adaptive Scanning turned on. An example would be a recent phishing site of "click.emkt-uolhost.com". Using Adaptive Scanning, this known bad site (with a WBRS of -3.9) was permitted (i.e. a false negative result, as it is clearly a malicious host); however, with Adaptive Scanning turned off, and WBRS turned on and set to block everything with a reputation below -3, it is now blocked. The downside of this is that with WBRS set to -3 there are numerous common websites which are suddenly blocked as false positives (good sites which are failing the WBRS test); Bing images is currently such a site.
How do most of you handle it? Leave Adaptive Scanning turned on and accept false negatives, or manually add the false positives to a "grey list" of sites which are actually OK but which are failing the WBRS test?
Cheers
Dave Stanley
IT Security Manager