Virtual Secure Web Gateway

  • 1.  Adding blacklists to the Symantec Messaging Gateway

    Posted Oct 02, 2012 11:28 AM

      We are using Symantec Web Gateway, version 5.0.3.18. The questions I have concern adding blacklists to be blocked.

      First, I have noticed a suspected botnet detected on our domain controller. It shows that it is being monitored and that three different command and control IP addresses have been detected. When I click on two of the three IPs it shows a web address also and the location of the IP, but on one it shows unknown. I want to add these IPs to the SWG blacklist, but want to make sure I do it correctly. I have added blacklists before, but it seems that one of the IPs that is showing as a botnet suspect I have already added to the blacklist in SWG, but since it is being detected as a botnet suspect again I assume it is not blocking. I have been adding the IP address to block, but do I need to also add the URL?

      I have attached a Word doc showing the suspected botnet detected and how I added it in the blacklist. Maybe I am not doing it right, because it seems that even with me adding the IP address to block, some sites are accessed by typing the URL.

     Also, I have only added blacklist entries and have not done anything in the configuration section of policies.

     

    Attachment(s)

    SWG.docx   31 KB


  • 2.  RE: Adding blacklists to the Symantec Messaging Gateway

    Posted Oct 02, 2012 11:30 AM

    How to add a whitelist or blacklist entry to Symantec Web Gateway (SWG) 4.5.x and 5.0.x

    http://www.symantec.com/business/support/index?page=content&id=TECH97566



  • 3.  RE: Adding blacklists to the Symantec Messaging Gateway
    Best Answer

    Broadcom Employee
    Posted Oct 02, 2012 12:38 PM

    You should review our documentation on Botnet detections:

    www.symantec.com/business/support/index?page=content&id=TECH138303

    This sounds like a false positive to me. You should be adding any servers whose traffic passes through the Web Gateway to the Servers tab. When making these detections, the Web Gateway assumes the computer is a client PC, not a Domain Controller, so the traffic it sees is most likely legitimate traffic for a DC.



  • 4.  RE: Adding blacklists to the Symantec Messaging Gateway

    Posted Oct 02, 2012 04:20 PM

     Thanks for the info.

     I was thinking it is possible that this could be a false positive, but I researched the IPs and the web sites are odd sites which don't seem like sites that our domain controller would be communicating with. I will research more.

    So by adding servers to the Servers tab it will be monitored differently and not as strict as with client PCs?



  • 5.  RE: Adding blacklists to the Symantec Messaging Gateway

    Broadcom Employee
    Posted Oct 02, 2012 04:41 PM

    Correct. For example, if the Web Gateway sees a bunch of email coming from an IP address, it is going to think it is a compromised PC sending out spam when in reality it is just your Messaging Gateway doing its job.

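The two points made in replies 3 and 5 (a host the gateway does not know as a server is judged as a client PC, so routine server traffic such as a mail gateway's outbound SMTP looks like a spam bot) and the question in post 1 (an IP entry already exists, yet the same destination keeps being detected) can both be shown with a small role-aware triage script. This is an added illustration written for this page, not Symantec Web Gateway code and not a description of how its botnet engine works; the role table, the alert records and the blacklist entries are all constructed here for the example.

```python
"""Role-aware triage of 'suspected botnet' alerts, with an IP/hostname blocklist
cross-check. Added illustration; not Symantec Web Gateway code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Alert:
    source_ip: str            # internal host the gateway flagged
    dest_ip: str              # suspected command-and-control address
    dest_host: Optional[str]  # hostname if the gateway resolved one, else None
    protocol: str             # lower-case protocol label


@dataclass
class Blocklist:
    ips: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    @staticmethod
    def _norm_host(host: str) -> str:
        return host.strip().lower().rstrip(".")

    def add(self, entry: str) -> None:
        """Route an entry to the IP set or the hostname set by parsing it."""
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            self.hosts.add(self._norm_host(entry))
        else:
            self.ips.add(entry)

    def covers(self, alert: Alert) -> Optional[str]:
        """Which kind of entry matches this alert's destination, if any."""
        if alert.dest_ip in self.ips:
            return "ip"
        if alert.dest_host and self._norm_host(alert.dest_host) in self.hosts:
            return "host"
        return None


# Hypothetical role table (assumption): protocols that are routine for each
# declared server role and so should not by themselves count as C2 evidence.
EXPECTED_BY_ROLE = {
    "domain_controller": {"dns", "ldap", "kerberos", "ntp"},
    "mail_gateway": {"smtp"},
}


def triage(alert: Alert, roles: dict, blocklist: Blocklist) -> str:
    """Classify one alert. Hosts absent from `roles` are treated as clients,
    mirroring the default assumption the thread describes."""
    role = roles.get(alert.source_ip, "client")
    if alert.protocol in EXPECTED_BY_ROLE.get(role, set()):
        return "likely_false_positive"
    match = blocklist.covers(alert)
    if match is None:
        return "investigate_unlisted"
    # The destination is already listed yet traffic was still observed: the
    # existing entry did not cover this request, so check the other entry type.
    return f"investigate_listed_by_{match}"


# Constructed sample data (not taken from the thread's attachment).
ROLES = {"10.0.0.5": "domain_controller", "10.0.0.25": "mail_gateway"}
BLOCKLIST = Blocklist()
for _entry in ["203.0.113.10", "bad-host.example"]:
    BLOCKLIST.add(_entry)

ALERTS = [
    Alert("10.0.0.5", "198.51.100.53", None, "dns"),                  # DC doing DNS
    Alert("10.0.0.25", "203.0.113.25", "mx.example", "smtp"),          # mail gateway sending
    Alert("10.0.0.25", "203.0.113.77", None, "http"),                  # mail gateway browsing
    Alert("10.0.0.101", "203.0.113.10", "c2.example", "http"),         # client, IP listed
    Alert("10.0.0.102", "203.0.113.99", "bad-host.example.", "http"),  # client, host listed
]


def triage_all(alerts=ALERTS, roles=ROLES, blocklist=BLOCKLIST):
    return [triage(a, roles, blocklist) for a in alerts]


if __name__ == "__main__":
    for a, verdict in zip(ALERTS, triage_all()):
        print(f"{a.source_ip:12} -> {a.dest_ip:15} {a.protocol:5} {verdict}")
```

The third verdict is the useful one for a declared server: a mail gateway sending SMTP is expected, but the same host making HTTP requests to an unlisted destination still gets an "investigate" verdict, so declaring a role suppresses only the traffic that role explains. The fourth verdict reproduces the situation in post 1: the IP is on the list, the traffic is still being seen, and the hostname that was requested is not listed, which is exactly the case to check against the TECH97566 article before assuming the block is working.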

