Overview of the "Potentially Harmful" Security Category
Umbrella customers have different levels of risk tolerance when it comes to security. Depending on the industry and type of work you’re in, it can be beneficial to proactively monitor and block potentially harmful activity. The new "Potentially Harmful" security setting can be found under Prevent next to other Security Settings and is set to 'Allow' by default:
Potentially Harmful is a security category which contains domains that are likely to be malicious. It is different from our "malware" categories because we have ranked them with a lower level of confidence about whether they actually are malicious. Another way of phrasing it is that these domains are considered suspicious according to our research analysts and the algorithms we use to determine overall but not necessarily known to be malicious.
Use of this category depends on your tolerance for risk of blocking potentially good domains. If you have a highly secure environment, this is a good category to block and if your environment is looser, you can simply allow and monitor.
If you’re not sure which of these you might fall under, you can monitor activity that is confirmed as "Potentially Harmful" in your reports. Having this category available will provide additional granularity in classifying traffic, increasing visibility and delivering greater protection and improving incident response. For instance, if you believe a machine is infected with malware, having a look at the potentially harmful domains that it has been visiting can help you do a better job of assessing the level of compromise.
We determine what is "Potentially Harmful" by weighing several factors that indicate that although the domain is not clearly malicious, it could pose a threat. For example, there are various types of DNS tunneling services. Some of these services fall into the categories of benign, malicious, and DNS tunneling VPN, but some are more unclear and do not fall into any of these categories. If the use case for the tunneling is unknown and suspicious, the destination will fall into the Potentially Harmful category.
Another example comes from our Spike rank model. Our Spike rank model leverages massive amounts of DNS request data and detects domains that have spikes in their DNS request patterns using sound wave graphing. The traffic that hits high on the Spike rank domain will automatically be classified as malicious, and traffic that is lower on the threshold will fall into the Potentially Harmful category. To read more about Spike, check out our blog: https://blog.opendns.com/2015/11/19/opendns-cracks-predictive-security/
To report unwanted detections in either of these categories:
Please submit all requests for data categorization to Cisco Talos through: https://talosintelligence.com/reputation_center/support#reputation_center_support_ticket
For general steps on submitting requests to Cisco Talos, please see: https://support.umbrella.com/hc/en-us/articles/360059002632-How-To-Submit-A-Talos-Categorization-Request
For the Potentially Harmful category, we may not re-categorize it as safe without taking assurances that the domain is absolutely legitimate.
Both categories can be filtered against in your reports like any other security category.