Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

ES 10.0.6 URL Testing Fails To Identify Threats

Since upgrading to ES 10.0.6 we have noticed URL Analysis (while appearing to do it) no longer turns up any results(we were seeing positives almost everyday).

Monitor -> Total URL's Analysed vs Malicious URL's caught.

While only Thumbprint testing for bad URL's this would still indicate a failure of the product to do its job.


Has anyone else experienced that?

Category: Email Security Appliances
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Halon5,

    I had ToC disabled (which does not seem to be involved in the DUP), but enabled to check. Indeed the graphs were empty on my appliance as well, I switched to table view, set the time to 30 days, switched back to line chart and now the graphs show up correctly.

    --Michael@BWC

  • Halon5Halon5 Newbie

    Hey @BWC ,

    We also have TOC disabled. Its been pretty buggy.

    And yep. Going to 1/ 7 /30 days does seem to reveal the graphs(why it doesn't default to 1 day ??) but I have no data for "Malicious URL's Caught" since the 10.0.6 upgrade.

    I am of the opinion that it is broken for some people at least.

    The actual capture of URL positives doesn't appear to be reliable. I have a case open and will update this thread... I do see that I had brought this up some time ago with the product team on another case.


    Are you on 10.0.6 yet ?


    Best, Steph

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Halon5,

    I'am running 10.0.6 on a few deployments, but always on my appliance first to be sure to advice for or against an update to my customers.

    ToC does not seem to be rock-solid, on one deployment I'am struggling with exclusions, they don't work, or only work in part, it's annoying but IMHO already addressed in an upcoming release.

    I checked with a bigger deployment of mine and I saw some entries in the Malicious URLs clicked graph, not many. But it seems to work in general. BTW, I can't see WHO clicked the UR, which URL or to which mail it was related, can I?

    --Michael@BWC

  • Halon5Halon5 Newbie

    Hiya @BWC ,

    Yep It sure is a shame you cant just drill down from the monitor tables/graphs into the message log to present a filtered list of items.

    Hopefully development continue to improve the message logs and include the ability to filter by Malicious URL. Since they represent a large portion of threats it warrants the efforts.

    It'd also be nice if you could add to the allow / blocklists by using a button.

    Also looking forward to 10.1

    Thanks for the feedback :)

    Cheers, Steph.

  • Halon5Halon5 Newbie
    edited April 2

    oh great. now I've been told that it never worked without TOC turned on (not true).

    below seems to contradict this..

    well lets face it , t wasn't that great but it was SOMETHING.. It was a START. It was doing some thumbprint test ON ENTRY at least.


    IMHO CAPTURE SHOULD actively attempt to DETONATE EVERY URL.


    it doesn't.


  • AnkurAnkur Moderator

    Hi @Halon5 , we tested on a couple of systems. The Malicious URLs Caught graph would get populated both in case you have enabled or disabled URL rewriting. URL rewriting is whether you want your URL to be rewritten for ToC URL Protection. However, the Malicious URL graph is populated based on detection of bad URL in the email. This is working in ES 10.0.6. I have asked the Support team to run a few tests with you on your Support case.

  • Halon5Halon5 Newbie

    Hi @Ankur ,

    Thanks for your speedy reply.

    As above the screenshot seems illustrates the before and after upgrade. It was clearly working(somewhat) on the earlier release we had in place. It just stopped dead.

    I can't comment on your suggestion around URL rewriting is enabled/disabled. It's interesting that it brings about that behavior.

    We do not use TOC (limited value IMHO), and all while we do understand that the issue by which TOC that was breaking the DKIM and affecting ES filters is now fixed.


    All the same we are looking forward to 10.1 now which we understand fixes many other problems.

    The fixes for address books in 10.0.6 are certainly welcome and thanks to you team.


    On the other hand it would appear that occasional, loaded and armed emails are still being caught by our "simple" dictionary based filters, they should have been scanned and caught by Capture ATP.


    I have a sample if you would like to follow up.


    Best to your day.


    Kindly, Steph.

Sign In or Register to comment.