Sites that are not categorized fit into one of these categories: (1) a legitimate enterprise that is too small to get noticed by the categorization service, (2) a malicious enterprise that changes its domain name regularly to evade categorization, (3) a typing error by the user which leads to an unintended site, (4) a typing error by the user which produces a host name that does not exist, or (5) a bug in the classification logic's ability to evaluate a long URL.
Because of #2, Category none should never be configured for ALLOW, but the default configuration of XG is ALLOW. This should be fixed.
Because of #1, I recommend setting the category to WARN, but some sites might prefer BLOCK.
Because of #2, #3 and #4, I don't care about warnings where the user chose not to proceed. I do want to know about the sites where the user chose to proceed despite the warning, both to understand my risk and to simplify life for the user. I need to get these sites categorized. Ideally, this should be done automatically, with the device sending a periodic (perhaps daily) upload to Sophos.
After a site is categorized, the best response would be to check for any results that are flagged as malicious. Since I already know that the user proceeded to the site, I may need to find those users and PCs to assess the risk or reality of a compromise.
With XG, I don't see a way to download log results for analysis, and the interface does not seem amenable to identifying all unique URLs with Category None, so the problem does not seem solvable. Plus, the Sophos Reassessment site (as of my last check) only takes one URL at a time, then provides no feedback, so it is not viable if you have many uncategorized URLs within your evaluation period.
In UTM, the problem is hard but not impossible. I download the logs (about 2GB per day for my site), then parse them into a SQL database. I use SQL queries to find unique occurrences of URLs with three related log entries: a warn record, a choose-to-proceed record, and a site-accessed record. Then I submit those URLs to the TrustedSource.org website, in batches of up to 100. (Different parts of a site may have different categorizations, so it is important to submit every uncategorized URL for reclassification, not simply the host name.) McAfee/TrustedSource processes the results in one business day and sends a confirming email when they are done. UTM gets the results eventually (not more than 5 days, according to support.)
However, since many UTM installations will not be creating custom reporting tools to solve this problem, and may not even realize that uncategorized sites are a risk to be managed, Sophos should provide tools to make it easy for them to be safe, and hard for them to be foolish, with uncategorized sites.
(My understanding is that XG uses a different database, so the McAfee TrustedSource approach is not an option for getting sites categorized efficiently, even if someone figures out how to extract the relevant information.)
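A worked illustration of the log-query step described in the post above, added here as an example (not the poster's code and not a Sophos or UTM tool): it assumes a hypothetical key="value" web-filter log format with constructed sample lines, and does the grouping in memory instead of in a SQL database. It keeps only category-none URLs (full URL, not just host) that show all three records (warn, proceed, access), records which user and source IP proceeded so the risk can be followed up, and splits the surviving URLs into submission batches of up to 100.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key="value" log format (not the
# real UTM format). The full URL is kept because different parts of a site
# may be categorized differently.
SAMPLE_LOG = """\
2024-01-01T09:00:01 user="alice" srcip="10.0.0.5" action="warn" category="none" url="http://example-a.test/dl/setup.exe"
2024-01-01T09:00:05 user="alice" srcip="10.0.0.5" action="proceed" category="none" url="http://example-a.test/dl/setup.exe"
2024-01-01T09:00:06 user="alice" srcip="10.0.0.5" action="pass" category="none" url="http://example-a.test/dl/setup.exe"
2024-01-01T09:10:00 user="bob" srcip="10.0.0.9" action="warn" category="none" url="http://example-b.test/login"
2024-01-01T09:20:00 user="carol" srcip="10.0.0.7" action="pass" category="business" url="http://example-c.test/"
2024-01-01T09:30:00 user="dave" srcip="10.0.0.8" action="warn" category="none" url="http://example-a.test/dl/setup.exe"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# The three record types the post looks for: warn, choose-to-proceed, site accessed.
REQUIRED_ACTIONS = {"warn", "proceed", "pass"}


def parse_line(line):
    """Turn one key="value" log line into a dict (hypothetical format)."""
    return dict(FIELD_RE.findall(line))


def proceeded_uncategorized(log_text):
    """Map each category-none URL that has warn+proceed+access records to the
    set of (user, srcip) pairs that chose to proceed despite the warning."""
    actions_by_url = defaultdict(set)
    proceeders_by_url = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("category") != "none":
            continue  # only uncategorized sites are of interest here
        url = rec["url"]
        actions_by_url[url].add(rec["action"])
        if rec["action"] == "proceed":
            proceeders_by_url[url].add((rec["user"], rec["srcip"]))
    return {url: proceeders_by_url[url]
            for url, acts in actions_by_url.items() if REQUIRED_ACTIONS <= acts}


def submission_batches(urls, size=100):
    """Split unique URLs into ordered batches of at most `size` for reclassification."""
    ordered = sorted(set(urls))
    return [ordered[i:i + size] for i in range(0, len(ordered), size)]


if __name__ == "__main__":
    hits = proceeded_uncategorized(SAMPLE_LOG)
    for url, who in hits.items():
        print(url, sorted(who))
    print(submission_batches(hits))
```

Bob's warn-only visit is dropped because the user did not proceed, matching the post's rule of ignoring warnings that were not overridden.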