McAfee Security for Microsoft Exchange 8.6.0

Configure mail URL reputation settings

Configure the Mail URL reputation settings to detect malicious URLs in the email body.

When enabled, MSME scans each URL in the email body, gets the reputation score, compares the score with the defined threshold, and takes appropriate action.

The software processes the message before it enters the organization by removing the URLs from the email body. If an email contains multiple URLs, and one URL among them exceeds the defined threshold, action is taken on the email according to the configuration.

Enabling this feature protects your system from threats such as denial-of-service (DoS) attacks, phishing links, URLs that contain malware, or unwanted URLs.

The Mail URL reputation feature is available for these policies:
On-Access
On-Demand (Default)
On-Demand (Full Scan)
Depending on the configuration option that you selected during the software installation, the mail URL reputation is enabled or disabled by default for these policies:
For the Default configuration — Disabled for all policies.
For the Enhanced configuration — Enabled only for on-access scanning policies.

When you enable the Mail URL Reputation for the first time, the software downloads the local cache of URLs from the McAfee GTI server.

For each URL, the software checks the local database for the reputation score and takes appropriate action according to the configuration. If the reputation score is not available in the local database, the software gets the score from the McAfee GTI server. The software checks with the McAfee GTI server and updates the local database at regular intervals. If the local database has not been updated for 30 days, the software downloads the entire database during the next update. Otherwise, the update is incremental. By default, the local database is updated once every day. You can't modify the storage location of the database.

You can't update the local database using ePolicy Orchestrator because the server needs a direct Internet connection. However, if you use a proxy server to download anti-spam rules, the same configuration can be used to download the URL database.
Task
1 From Policy Manager, select a submenu item that has the Mail URL Reputation scanner.
The Mail URL Reputation protection is available only for On-Access, On-Demand (Default), and On-Demand (Full Scan) policies.
2 Click Master policy or any Sub-policy that you want to configure, click List All Scanners tab, then click Mail URL Reputation.
3 From Activation, select Enable.
If you are configuring settings for a subpolicy, select Use configuration from parent policy to inherit settings from the parent policy.
If you add a scanner to the policy, you can specify when to enable the scanner, using the What time would you like this to apply drop-down list.
4 From the Options drop-down list, you can select:
Default Mail URL Settings — To apply the default threshold values.
Create new set of options — To define the threshold values as required.
If you edit the existing settings, make sure that you provide a unique Instance name for the scanner settings.
5 To define the scanner settings, select Create new set of options.
6 On the Mail URL Reputation page, define these values, then click Save.
Instance name
Lower URL reputation threshold
Higher URL reputation threshold
Maximum number of URLs per email
The Higher URL reputation threshold value must always be greater than the Lower URL reputation threshold value.

If a URL appears multiple times, it is counted once, not once per occurrence. For example, if the email contains 50 URLs and one URL appears 20 times, the URL count is 31 and not 50.

7 From the Actions to take section, click Edit to define the actions.
You can also apply the default settings.
8 On the Mail URL Reputation Actions page, define these settings for When Mail URL reputation score is above the higher threshold, When Mail URL reputation score is above the lower threshold, and When Mail URL lookup count exceeds the limit.
a From the Take the following action drop-down list, select:
Replace item with an alert.
Delete message.
Allow through.
When you select Replace item with an alert, select the alert format:
Default Mail URL Reputation Alert — To use the default alert message.
Create — To define the alert message as required. Type a unique name for the Alert name, define the alert message, define the text format from the Show drop-down list, then click Save.
McAfee recommends that you save the alerts in plain text format, so that the text content can be viewed by all email clients.
b From the And also section, define these options:
Log
Quarantine
Forward Quarantined email
Notify administrator
Notify internal sender
Notify external sender
Notify internal recipient
Notify external recipient
For definitions of each of these options, see Actions you can take on detections.
9 Click Save to apply the settings and return to the policy settings page.
10 Click Apply to implement these settings to a policy.
You can view the detected URLs from the Detected Items | Mail URL Reputation page. Under the View Results section, you can view the list of detected URLs. Click the Blocked URLs under the Banned Phrases column for a detailed view.

Higher and Lower URL reputation threshold examples

Set the Higher URL reputation threshold value to 80 and the Lower URL reputation threshold value to 50. If the reputation score of the URL is:
GTI reputation score   Action
Greater than 80        Action is taken according to the Mail URL reputation settings.
Less than 50           MSME allows the email with the URL.
Between 50 and 80      MSME suspects that the URL could be malicious and takes action according to the settings.
The Highly Suspect threshold value detects the most dangerous malicious URLs. As you decrease the threshold value, the chance of false positives increases. False positive – A URL might be legitimate, but the database considers it a potentially malicious URL.
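The two-threshold decision and the distinct-URL counting rule described on this page, worked through as an added example. This is illustrative Python written for this page, not code from MSME or McAfee: the URL regular expression, the in-memory cache, the stub GTI lookup, the sample URLs and reputation scores, and the treatment of a score that exactly equals a threshold are all assumptions.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List

# Assumption: a simple http/https matcher stands in for the product's own URL extraction.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


class Verdict(Enum):
    """Ordered so that a higher value is a worse outcome for the message."""
    ALLOW = 1          # score not above the lower threshold
    SUSPECT = 2        # above the lower threshold but not above the higher one
    MALICIOUS = 3      # above the higher threshold
    TOO_MANY_URLS = 4  # distinct URL count exceeds "Maximum number of URLs per email"


@dataclass(frozen=True)
class Thresholds:
    lower: int      # Lower URL reputation threshold
    higher: int     # Higher URL reputation threshold
    max_urls: int   # Maximum number of URLs per email

    def __post_init__(self) -> None:
        # The settings page requires Higher > Lower; fail fast on a misconfiguration.
        if self.higher <= self.lower:
            raise ValueError("Higher threshold must be greater than the lower threshold")


def unique_urls(body: str) -> List[str]:
    """Extract URLs from the body, counting each distinct URL once, however often it repeats."""
    seen: Dict[str, None] = {}  # a dict keeps first-seen order while deduplicating
    for url in URL_RE.findall(body):
        seen.setdefault(url.rstrip(".,;)"), None)
    return list(seen)


def classify_score(score: int, t: Thresholds) -> Verdict:
    """Two-threshold scheme from the page. Assumption: a score exactly equal to a
    threshold is not 'above' it, so with 50/80 a score of 50 allows and 80 is suspect."""
    if score > t.higher:
        return Verdict.MALICIOUS
    if score > t.lower:
        return Verdict.SUSPECT
    return Verdict.ALLOW


def evaluate_message(body: str, t: Thresholds, local_cache: Dict[str, int],
                     remote_lookup: Callable[[str], int]) -> Verdict:
    """Message-level outcome: the URL-count limit is checked first, then the worst verdict
    across all distinct URLs wins (one bad URL is enough to act on the whole mail).
    Scores come from the local cache; on a miss the remote lookup is called and cached."""
    urls = unique_urls(body)
    if len(urls) > t.max_urls:
        return Verdict.TOO_MANY_URLS
    worst = Verdict.ALLOW
    for url in urls:
        score = local_cache.get(url)
        if score is None:
            score = remote_lookup(url)  # stand-in for the GTI server query on a cache miss
            local_cache[url] = score
        verdict = classify_score(score, t)
        if verdict.value > worst.value:
            worst = verdict
    return worst


# Constructed sample data: made-up scores for made-up URLs, not real GTI values.
LOCAL_CACHE: Dict[str, int] = {
    "http://example.com/newsletter": 10,
    "http://example.net/login-update": 65,
    "http://example.org/download": 90,
}


def stub_gti_lookup(url: str) -> int:
    """Stand-in for the McAfee GTI query; returns a fixed low score for any unknown URL."""
    return 40


def build_sample_body() -> str:
    """Reproduce the page's counting example: 50 URL occurrences, one URL repeated 20 times."""
    lines = [f"http://example.com/item{i}" for i in range(30)]  # 30 distinct URLs, once each
    lines += ["http://example.com/repeated"] * 20                 # one URL, 20 occurrences
    return "\n".join(lines)


if __name__ == "__main__":
    t = Thresholds(lower=50, higher=80, max_urls=100)
    body = build_sample_body()
    print(len(URL_RE.findall(body)), "occurrences,", len(unique_urls(body)), "distinct")
    for score in (90, 65, 30):
        print(score, classify_score(score, t).name)
    print(evaluate_message("Hi, see http://example.org/download", t, dict(LOCAL_CACHE), stub_gti_lookup).name)
```

The count check runs before any reputation lookup, mirroring the separate "When Mail URL lookup count exceeds the limit" action on the settings page, and the cache-then-remote order reflects the local database with GTI fallback described earlier.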