This article describes how Umbrella detects and blocks destinations considered as potentially harmful.
Background information:
'Potentially Harmful' is a security category which contains domains that are likely to be malicious. It is different from our "malware" categories because we have ranked them with a lower level of confidence about whether they actually are malicious. Another way of phrasing it is that these domains are considered suspicious by our research analysts and by the algorithms we use to determine overall categorization, but they are not necessarily known to be malicious.
Umbrella Secure Web Gateway (SWG) proxy uses Talos Web reputation to determine the security category of a Web site (URL or domain).
Umbrella DNS protection also uses data from Talos to determine the security status of a destination. However, the logic of the two processes (SWG versus DNS policy), and how each uses the data from Talos, is very different.
How does Umbrella DNS determine if a destination is Potentially harmful?
1. A user enters a suspicious URL into their browser.
2. The DNS agent intercepts this request and sends the DNS request to Umbrella (assuming the exemption list allows this).
3. The Umbrella DNS process checks the Security category of the destination with Talos.
Talos marks the destination as "Potentially Harmful" in the Security category.
Note: Talos seldom marks destinations as Potentially Harmful, in order to avoid false positives.
How does Umbrella SWG determine if a site is Potentially harmful?
1. A user enters a suspicious URL into their browser.
2. The SWG agent intercepts this connection and sends the request to Umbrella (assuming the exemption list allows this).
3. The Umbrella SWG process checks the Web reputation of the destination with Talos.
Talos uses a reputation scoring system that determines the Web reputation status of destinations.
Destinations with a reputation score of -3.1 to -5.9 (Questionable) are mapped to "Potentially Harmful".
Note: Reputation scores are dynamic and subject to revision (for example from Questionable to Malware, or back to Neutral/Favourable) by Talos Threat Intelligence when new data is received from the global security community and from reputable third-party vendors integrated with Talos.
4. If the destination has a Web reputation of "Questionable", Umbrella translates this to "Potentially Harmful".
What is required to block Potentially harmful destinations?
1. At the DNS level:
a. Ensure that the "Potentially harmful Domains" box is checked in the DNS security settings, as shown in the image:
b. Apply this Security setting to the configured DNS policy:
c. For this block to work, the Security category of the domain must have been set to Potentially Harmful by Talos. If it has not been set, the domain will not be blocked by the DNS policy.
2. At the SWG/Proxy level:
a. SWG uses Remote Browser Isolation (RBI) to safely render potentially harmful websites and block them, depending on the action set in the Web policy rule set. The RBI feature is therefore required on the license applied to the org.
b. Ensure that the "Potentially harmful Domains" box is checked in the Web security settings, as shown in the image:
c. Apply the Security settings to a Web policy with Isolate set as the rule action:
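The gating logic described above, written out as an added example (this is not Umbrella or Talos code, and the data classes, function names and the "Isolate" action string are assumptions made for illustration): a Talos web-reputation score is mapped to the SWG category only inside the Questionable band, and a destination is actually blocked or isolated only when the Talos verdict and every configuration requirement listed above line up.

```python
from dataclasses import dataclass
from typing import Optional

# Talos web-reputation band that the article maps to "Potentially Harmful".
QUESTIONABLE_MIN, QUESTIONABLE_MAX = -5.9, -3.1


def swg_security_category(web_reputation_score: float) -> Optional[str]:
    """Map a Talos web-reputation score to the Umbrella SWG security category.

    Only the Questionable band (-3.1 to -5.9) is documented above, so any other
    score returns None here ("no Potentially Harmful mapping"); Talos may later
    revise a score into or out of this band, so callers should re-evaluate.
    """
    if QUESTIONABLE_MIN <= web_reputation_score <= QUESTIONABLE_MAX:
        return "Potentially Harmful"
    return None


@dataclass
class DnsConfig:               # assumed representation of the org's DNS settings
    potentially_harmful_checked: bool  # box checked in DNS security settings
    security_setting_applied: bool     # that setting applied to the DNS policy


@dataclass
class SwgConfig:               # assumed representation of the org's Web settings
    rbi_licensed: bool                 # RBI feature present on the org's license
    potentially_harmful_checked: bool  # box checked in Web security settings
    rule_action: str                   # action on the Web policy rule, e.g. "Isolate"


def dns_blocks(talos_dns_category: Optional[str], cfg: DnsConfig) -> bool:
    """DNS policy blocks only if Talos itself set the Security category AND the
    org both checked the box and applied the setting to the DNS policy."""
    return (talos_dns_category == "Potentially Harmful"
            and cfg.potentially_harmful_checked
            and cfg.security_setting_applied)


def swg_isolates(web_reputation_score: float, cfg: SwgConfig) -> bool:
    """SWG isolates only if the score maps to Potentially Harmful, RBI is
    licensed, the box is checked and the Web policy rule action is Isolate."""
    return (swg_security_category(web_reputation_score) == "Potentially Harmful"
            and cfg.rbi_licensed
            and cfg.potentially_harmful_checked
            and cfg.rule_action == "Isolate")
```

Running the checks against a constructed score of -4.5 with every requirement satisfied returns True for both paths; clearing any one requirement, or a score outside the band, returns False.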
How do you check that Potentially Harmful sites are being blocked by SWG?
Check in Activity Search, using the destination as a filter: