What are Web Reputation Filters?

Web Reputation Filters analyze web server behavior and assign a reputation score to a URL to determine the likelihood that it contains URL-based malware. They help protect against URL-based malware that threatens end-user privacy and sensitive corporate information. The Web Security appliance uses URL reputation scores to identify suspicious activity and stop malware attacks before they occur. You can use Web Reputation Filters with both Access and Decryption Policies.

Web Reputation Filters use statistical data to assess the reliability of Internet domains and score the reputation of URLs. Data such as how long a specific domain has been registered, where a web site is hosted, and whether a web server is using a dynamic IP address are used to judge the trustworthiness of a given URL.

The web reputation calculation associates a URL with network parameters to determine the probability that malware exists. The aggregate probability that malware exists is then mapped to a Web Reputation Score between -10 and +10, with +10 being the least likely to contain malware.

Example parameters include the following:

  • URL categorization data
  • Presence of downloadable code
  • Presence of long, obfuscated End-User License Agreements (EULAs)
  • Global volume and changes in volume
  • Network owner information
  • History of a URL
  • Age of a URL
  • Presence on any block lists
  • Presence on any allow lists
  • URL typos of popular domains
  • Domain registrar information
  • IP address information
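The calculation described above can be illustrated with a small model. This is an added example, not the appliance's algorithm or code from the user guide: the weights, the prior, the linear mapping, the action names and the block/allow thresholds are all assumptions chosen for illustration, and the sample transactions are constructed.

```python
import math
from collections import Counter

# Constructed evidence weights (log-likelihood ratios). Positive values make
# malware more likely. Illustrative assumptions, not the appliance's values.
WEIGHTS = {
    "on_block_list": 3.0,
    "typo_of_popular_domain": 2.0,
    "domain_age_under_30_days": 1.5,
    "dynamic_ip": 1.0,
    "downloadable_code": 0.5,
    "long_clean_history": -2.0,
    "on_allow_list": -3.0,
}
PRIOR_LOG_ODDS = -2.0     # assumed base rate before any evidence is seen
BLOCK_AT_OR_BELOW = -6.0  # assumed policy thresholds
ALLOW_AT_OR_ABOVE = 6.0


def malware_probability(observed):
    """Aggregate the observed parameters into one probability (logistic)."""
    log_odds = PRIOR_LOG_ODDS + sum(WEIGHTS[name] for name in observed)
    return 1.0 / (1.0 + math.exp(-log_odds))


def reputation_score(observed):
    """Map probability 0..1 linearly onto +10..-10 (+10 = least likely)."""
    return round(10.0 - 20.0 * malware_probability(observed), 1)


def action_for(score):
    """Apply the assumed thresholds; action names are hypothetical."""
    if score <= BLOCK_AT_OR_BELOW:
        return "block"
    if score >= ALLOW_AT_OR_ABOVE:
        return "allow"
    return "scan"  # middle band: hand off to further inspection


def breakdown(transactions):
    """Count transactions per (action, score), like a breakdown-by-score table."""
    return Counter((action_for(s), s) for s in map(reputation_score, transactions))


# Constructed sample transactions: each is the set of parameters observed.
SAMPLE = [
    {"on_block_list", "typo_of_popular_domain", "domain_age_under_30_days"},
    {"dynamic_ip", "downloadable_code"},
    {"on_allow_list", "long_clean_history"},
    {"dynamic_ip", "downloadable_code"},
]
```

The second and fourth transactions land in the middle band, which shows how a URL with some risk indicators can still score above a blocking threshold.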

For more information on Web Reputation Filtering, see ‘Web Reputation Filters’ in the IronPort AsyncOS for Web User Guide.

From the Web Reputation Filters page, you can view the following information:

Details on the Web Reporting Web Reputation Filters Page

Section

Description

Time Range (drop-down list)

A drop-down list that can range from a day to 90 days or a custom range. For more information on time ranges and customizing this for your needs, see Choosing a Time Range for Reports.

Web Reputation Actions (Trend)

This section, in graph format, displays the total number of web reputation actions (vertical) against the time specified (horizontal timeline). From this you can see potential trends over time for web reputation actions.

Web Reputation Actions (Volume)

This section displays the web reputation action volume in percentages by transactions.

Web Reputation Threat Types Blocked by WBRS

This section displays the types of threats found in transactions that were blocked by Web Reputation filtering.

Note: WBRS cannot always identify the threat type.

Threat Types Detected in Other Transactions

This section displays the type of threats found in transactions that were not blocked by Web Reputation filtering.

Reasons these threats might not have been blocked include:

  • Not all threats have a score that meets the threshold for blocking. However, other features of the appliance may catch these threats.
  • Policies might be configured to allow threats to pass through.

Note: WBRS cannot always identify the threat type.

Web Reputation Actions (Breakdown by Score)

If Adaptive Scanning is not enabled, this interactive table displays the Web Reputation scores broken down for each action.

Tip

To customize your view of this report, see Working with Web Security Reports.