
Adding blacklists to the Symantec Messaging Gateway

Created: 02 Oct 2012 • Updated: 02 Oct 2012 | 5 comments
This issue has been solved. See solution.

  We are using Symantec Web Gateway, version 5.0.3.18. The questions I have regard adding blacklists to be blocked.

First, I have noticed a suspect botnet detected on our domain controller. It shows that it is being monitored and that three different command and control IP addresses have been detected. When I click on two of the three IPs it shows a web address also and the location of the IP, but on one it shows unknown. I want to add these IPs to the SWG black list, but want to make sure I do it correctly. I have added blacklists before, but it seems that one of the IPs that is showing as a botnet suspect I have already added to the blacklist in SWG, but since it is being detected as a botnet suspect again I assume it is not blocking. I have been adding the IP address to block, but do I need to also add the URL?

I have attached a Word doc showing the suspected botnet detected and how I added it in the black list. Maybe I am not doing it right, because it seems that even with me adding the IP address to block, some sites are accessed by typing the URL.

 Also, I have only added blacklist entries and have not done anything in the configuration section of policies.


5 Comments

Ashish-Sharma:

How to add a whitelist or blacklist entry to Symantec Web Gateway (SWG) 4.5.x and 5.0.x

http://www.symantec.com/business/support/index?page=content&id=TECH97566

Thanks In Advance

Ashish Sharma


TSE-JDavis:

You should review our documentation on Botnet detections:

www.symantec.com/business/support/index?page=conte...

This sounds like a false positive to me. You should be adding any servers whose traffic passes through the Web Gateway to the Servers tab. When making these detections, the Web Gateway assumes the computer is a client PC, not a Domain Controller, so the traffic it sees is most likely legitimate traffic for a DC.

SOLUTION
valley_girl1919:

 Thanks for the info.

I was thinking it is possible that this could be a false positive, but I researched the IPs and the web sites are odd sites which don't seem like sites that our domain controller would be communicating with. I will research more.

So by adding servers to the Servers tab it will be monitored differently and not as strict as with client PCs?

TSE-JDavis:

Correct. For example, if the Web Gateway sees a bunch of email coming from an IP address, it is going to think it is a compromised PC sending out spam when in reality it is just your Messaging Gateway doing its job.
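The role-based behaviour described in this answer, as an added example that is not Symantec Web Gateway's own code: a toy "compromised PC" heuristic run over constructed flow records, where registering a host with its server role (a stand-in for the Servers tab) suppresses the alert that the same traffic raises for an unregistered client PC. The log format, thresholds and the `SERVERS` registry are assumptions made for the example.

```python
"""Role-aware "compromised PC" heuristic illustrating why a mail relay or a
domain controller gets flagged until it is registered as a server.
Not appliance code; formats, thresholds and SERVERS are constructed here."""
from collections import defaultdict

# Constructed flow records: (source_ip, dest_ip, dest_port)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 25),    # messaging gateway relaying mail
    ("10.0.0.5", "203.0.113.11", 25),
    ("10.0.0.5", "203.0.113.12", 25),
    ("10.0.0.5", "203.0.113.13", 25),
    ("10.0.0.23", "198.51.100.7", 25),   # workstation sending SMTP to many hosts
    ("10.0.0.23", "198.51.100.8", 25),
    ("10.0.0.23", "198.51.100.9", 25),
    ("10.0.0.23", "198.51.100.10", 25),
    ("10.0.0.42", "203.0.113.50", 443),  # ordinary browsing, below threshold
]

# Stand-in for the Servers tab: hosts whose role explains their traffic.
SERVERS = {"10.0.0.5": "mail"}

# Ports whose fan-out from a client PC looks like abuse, keyed to the server
# role that would make the same traffic expected.
ROLE_FOR_PORT = {25: "mail", 53: "dns"}
DISTINCT_DEST_THRESHOLD = 3


def suspected_compromised_pcs(flows, servers):
    """Return {source_ip: port} for hosts that contact more than
    DISTINCT_DEST_THRESHOLD distinct destinations on a sensitive port,
    unless the host is registered with the role that explains that port."""
    dests = defaultdict(set)  # (src, port) -> distinct destination IPs
    for src, dst, port in flows:
        if port in ROLE_FOR_PORT:
            dests[(src, port)].add(dst)
    flagged = {}
    for (src, port), targets in dests.items():
        if len(targets) <= DISTINCT_DEST_THRESHOLD:
            continue
        if servers.get(src) == ROLE_FOR_PORT[port]:
            continue  # registered server: expected behaviour, no alert
        flagged[src] = port
    return flagged


if __name__ == "__main__":
    print("unregistered:", suspected_compromised_pcs(FLOWS, {}))
    print("with Servers tab:", suspected_compromised_pcs(FLOWS, SERVERS))
```

With no servers registered both the mail relay and the workstation are flagged; once the relay is registered with the mail role only the workstation remains.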