Possible web reputation filtering false positive

gregburgess
Level 1

We have had several web sites which are being blocked by our IronPort content filters with a web reputation score of -5.9 to -5.8 (see below):

Based on your organization's access policies, this web site (  ) has been blocked because it has been determined by Web Reputation Filters to be a security threat to your computer or the organization's network. This web site has been associated with malware/spyware.

Date: Thu, 26 May 2016 01:39:54 GMT Username: COJ\gregb@COJ Source IP: 172.20.2.203 URL: GET  xxxxxxxxx Category: Uncategorized URLs Reason: UNKNOWN Threat Type: othermalware Threat Reason: Domain reported and verified as serving malware. Notification: WBRS

Looking at the web tracking report I can see that the sites have web reputation scores of around -5.9, but when I check the URL reputation on https://securityhub.cisco.com/web/submit_reputation_urls the result comes back as neutral. The notification indicates that the domain has been "reported and verified as serving malware", which indicates to me that it should be blocked. The website owner insists they are clean and wants me to whitelist (as expected).

What is the recommendation here?  Can the domain owner request the site be re-assessed?

Thanks,

Greg.

4 Replies

Raed Boshmaf
Cisco Employee

Hi, I would suggest opening a TAC (support) ticket so that the WBRS team can review the URL in question and see whether an enhancement of the score is possible or not.

Also, in case opening a ticket isn't an option, another option would be to whitelist the URL in question. Check the following: How do I manually whitelist a webpage on the Cisco Web Security Appliance (running 5.2.0 and above) so that WBRS, WebRoot or McAfee scanning is bypassed?

Thanks for the response.

We were reluctant to whitelist based on the site being "reported and verified as serving malware". The web site owner claims not to have changed anything, but the rating has changed and the site is now accessible. We haven't changed our WBRS thresholds or whitelist.

Is it possible that the hosting service provider was compromised and this caused the poor rating? I noticed that other URLs with IP addresses in the same range had poor ratings also.

Regards,

Greg.


Possible. As far as I know, the status is based on the history and up-to-date behavior of the site. This is why I suggested opening a TAC/support case if possible, so that the WBRS team can review the site and see whether an enhancement of its score is possible or not.

From SenderBase, just go to Web > "My website's reputation is poor".

Regards,

Raed

Handy Putra
Cisco Employee

The default values for reputation score in Cisco WSA are:

-10 to -6 action block

-5.9 to 5.9 action monitor/scan

6 to 10 action allow.

A score of -5.9 still falls in the "neutral" zone, which means that by default the appliance will perform further scanning with its scanning engines, such as Webroot and McAfee/Sophos.

If you are getting a block page for a score of -5.9, it means that the default reputation thresholds have been changed in your environment and that range has been set to block. Please note that changing these thresholds might result in an increased number of false positive cases.

However, you can always open a case with TAC for them to escalate to the URL team and get the site manually reviewed.
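The threshold mapping described in the reply above, worked as an added example (this is not code from the original thread or from Cisco): it parses the WBRS block-page notification line quoted in the question into its fields, maps a Web Reputation score to the default WSA action (-10 to -6 block, -5.9 to 5.9 monitor/scan, 6 to 10 allow), and compares that with the action a customized block threshold would produce, so an administrator can tell from the tracking-report score whether a block at -5.9 is explained by non-default thresholds. The sample notification is the one posted in the question with the URL left redacted; the customized threshold of -5.5 is an assumed value for illustration, not a setting from the page.

```python
import re

# Default WSA Web Reputation thresholds, as stated in the reply above.
# Scores range from -10 to +10.
DEFAULT_BLOCK_MAX = -6.0   # -10 .. -6  -> block
DEFAULT_ALLOW_MIN = 6.0    #   6 .. 10  -> allow; anything between -> monitor/scan

# Block-page notification as posted in the question (URL redacted there, kept redacted here).
SAMPLE_NOTIFICATION = (
    r"Date: Thu, 26 May 2016 01:39:54 GMT Username: COJ\gregb@COJ "
    r"Source IP: 172.20.2.203 URL: GET  xxxxxxxxx Category: Uncategorized URLs "
    r"Reason: UNKNOWN Threat Type: othermalware "
    r"Threat Reason: Domain reported and verified as serving malware. Notification: WBRS"
)

# Field names of the WSA block-page notification, in the order they appear.
# "Threat Reason" is listed before "Reason" so the alternation prefers the longer key.
FIELDS = ("Date", "Username", "Source IP", "URL", "Category",
          "Threat Type", "Threat Reason", "Reason", "Notification")
_SPLIT = re.compile(r"\s*(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s")


def parse_block_notification(line):
    """Split a single-line WSA block-page notification into a {field: value} dict."""
    parts = _SPLIT.split(line.strip())
    # re.split with one capture group returns [prefix, key1, value1, key2, value2, ...]
    if parts[0]:
        raise ValueError("notification does not start with a known field: %r" % parts[0])
    keys = parts[1::2]
    values = [v.strip() for v in parts[2::2]]
    return dict(zip(keys, values))


def wbrs_action(score, block_max=DEFAULT_BLOCK_MAX, allow_min=DEFAULT_ALLOW_MIN):
    """Map a WBRS score to the appliance action for the given thresholds.

    block_max: highest score that is still blocked (default -6.0)
    allow_min: lowest score that is allowed without further scanning (default 6.0)
    """
    if not -10.0 <= score <= 10.0:
        raise ValueError("WBRS score out of range: %r" % score)
    if block_max >= allow_min:
        raise ValueError("block threshold must be below allow threshold")
    if score <= block_max:
        return "block"
    if score >= allow_min:
        return "allow"
    return "monitor/scan"


def explain_block(line, tracking_score, block_max=DEFAULT_BLOCK_MAX):
    """Combine the notification fields with the score seen in the tracking report.

    Returns the action the default thresholds would take, the action the
    environment's (possibly customized) block threshold takes, and whether the
    two differ, i.e. whether a customized threshold explains the block.
    """
    fields = parse_block_notification(line)
    default_action = wbrs_action(tracking_score)
    configured_action = wbrs_action(tracking_score, block_max=block_max)
    return {
        "threat_type": fields.get("Threat Type"),
        "threat_reason": fields.get("Threat Reason"),
        "default_action": default_action,
        "configured_action": configured_action,
        "threshold_customized": default_action != configured_action,
    }


if __name__ == "__main__":
    # Score of -5.9 from the tracking report; -5.5 is an assumed customized block threshold.
    for threshold in (DEFAULT_BLOCK_MAX, -5.5):
        result = explain_block(SAMPLE_NOTIFICATION, -5.9, block_max=threshold)
        print("block threshold %5.1f -> %s" % (threshold, result))
```

With the default threshold, a -5.9 score maps to monitor/scan, so the block must come from a scanning-engine verdict or from a threshold that was raised; the function reports `threshold_customized` as true only when the environment's threshold alone turns the same score into a block.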
