
Adding blacklists to the Symantec Messaging Gateway

Created: 02 Oct 2012 • Updated: 02 Oct 2012 | 5 comments
This issue has been solved. See the solution.

We are using Symantec Web Gateway, version 5.0.3.18. The questions I have regard adding blacklists to be blocked.

First, I have noticed a suspect botnet detected on our domain controller. It shows that it is being monitored and that three different command and control IP addresses have been detected. When I click on two of the three IPs it shows a web address also and the location of the IP, but on one it shows unknown. I want to add these IPs to the SWG blacklist, but want to make sure I do it correctly. I have added blacklists before, but it seems that one of the IPs that is showing as a botnet suspect I have already added to the blacklist in SWG, but since it is being detected as a botnet suspect again I assume it is not blocking. I have been adding the IP address to block, but do I need to also add the URL?

I have attached a Word doc showing the suspected botnet detected and how I added it in the blacklist. Maybe I am not doing it right, because it seems that even with me adding the IP address to block, some sites are accessed by typing the URL.

Also, I have only added blacklist entries and have not done anything in the configuration section of policies.
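The question of whether an IP entry alone blocks a site reached by URL comes down to how a blocklist is matched. The following added example (not code from the original post and not Symantec Web Gateway's implementation) models a generic blocklist matcher: it classifies entries as IP literals or hostnames, extracts the host from the requested URL, and only applies an IP entry if the host resolves to that address at request time. The hostnames, addresses and the DNS snapshot are constructed for the example; the address ranges are documentation-only ranges.

```python
"""Illustrative blocklist matcher (added example; not Symantec Web Gateway code).

Demonstrates why an IP-only blocklist entry can miss a request made by hostname:
the gateway sees the URL's host, and unless that host resolves to the blocked
address at the moment of the request, an IP rule never applies. Adding the
hostname as its own entry closes that gap.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS snapshot: hostname -> addresses it currently resolves to.
# Real resolvers return different addresses over time (round-robin, CDNs,
# attackers rotating infrastructure), which is exactly the failure mode shown.
DNS = {
    "suspicious.example": ["198.51.100.8"],   # used to resolve to 198.51.100.7
    "other.example": ["203.0.113.9"],
}


def resolve(host):
    """Return the addresses a host maps to in the constructed table.

    An IP literal resolves to itself; unknown hosts resolve to nothing.
    """
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return DNS.get(host.lower(), [])


def decision(url, blocklist):
    """Return ('block', reason) or ('allow', None) for url under blocklist.

    blocklist: iterable of strings, each either an IP literal or a hostname.
    Hostname entries match the URL's host directly; IP entries match only the
    addresses that host resolves to right now.
    """
    host = urlsplit(url).hostname or ""
    blocked_hosts = set()
    blocked_ips = set()
    for entry in blocklist:
        entry = entry.strip()
        try:
            blocked_ips.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            blocked_hosts.add(entry.lower())

    if host.lower() in blocked_hosts:
        return ("block", f"hostname entry {host}")
    for addr in resolve(host):
        if addr in blocked_ips:
            return ("block", f"IP entry {addr}")
    return ("allow", None)


def uncovered_entries(suspects, blocklist):
    """Return reported C2 addresses that are not yet present in the blocklist.

    Useful as a quick check before assuming an alert means the block failed:
    the alert may be for an address that was never added.
    """
    present = {e.strip() for e in blocklist}
    return [s for s in suspects if s not in present]


if __name__ == "__main__":
    # Constructed scenario: the botnet report listed 198.51.100.7, which was
    # added; the hostname now resolves elsewhere, so a request by URL slips by.
    blocklist = ["198.51.100.7"]
    print(decision("http://198.51.100.7/beacon", blocklist))          # block
    print(decision("http://suspicious.example/beacon", blocklist))    # allow
    blocklist.append("suspicious.example")
    print(decision("http://suspicious.example/beacon", blocklist))    # block
    print(uncovered_entries(["198.51.100.7", "198.51.100.8"], blocklist))
```

The design point is that the two entry types answer different questions: an IP entry says "never talk to this address", a hostname entry says "never talk to this name, whatever it resolves to". When an alert names both a web address and an IP, adding both covers the case where the name moves to a new address as well as the case where a client connects by raw IP.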


Ashish-Sharma

How to add a whitelist or blacklist entry to Symantec Web Gateway (SWG) 4.5.x and 5.0.x

http://www.symantec.com/business/support/index?page=content&id=TECH97566

Thanks In Advance

Ashish Sharma

TSE-JDavis

You should review our documentation on Botnet detections:

www.symantec.com/business/support/index?page=conte...

This sounds like a false positive to me. You should be adding any servers whose traffic passes through the Web Gateway to the Servers tab. When making these detections, the Web Gateway assumes the computer is a client PC, not a Domain Controller, so the traffic it sees is most likely legitimate traffic for a DC.

Solution
valley_girl1919

Thanks for the info.

I was thinking it is possible that this could be a false positive, but I researched the IPs and the web sites are odd sites which don't seem like sites that our domain controller would be communicating with. I will research more.

So by adding servers to the Servers tab it will be monitored differently and not as strictly as with client PCs?

TSE-JDavis

Correct. For example, if the Web Gateway sees a bunch of email coming from an IP address, it is going to think it is a compromised PC sending out spam when in reality it is just your Messaging Gateway doing its job.