When enabled, MSME scans each URL in the email body, gets the reputation score, compares the score with the defined threshold, and takes appropriate action.
The software processes the message before it enters the organization by removing the URLs from the email body. If an email contains multiple URLs, and one URL among them exceeds the defined threshold, action is taken on the email according to the configuration.
Enabling this feature protects your system from threats such as denial-of-service (DoS) attack, phishing links, URLs that contain malware, or unwanted URLs.
The Mail URL reputation feature is available for these policies:
• |
On-Access
|
• | On-Demand default, and |
• |
On-Demand (Full Scan)
|
Depending on the configuration option that you selected during the software installation, the mail URL reputation is enabled or disabled by default for policies:
• | For the Default configuration — Disabled for all policies. |
• | For the Enhanced configuration — Enabled only for on-access scanning policies. |
When you enable the Mail URL Reputation for first time, the software downloads the local cache of URLs from the McAfee GTI server.
For each URL, the software checks with the local database for reputation score and takes appropriate action according to the configuration. If the reputation score is not available in the local database, the software gets the score from the McAfee GTI server. The software checks with the McAfee GTI server and updates the local database at regular intervals. If the local database is not updated for 30 days, the software downloads the entire database during the next update. Otherwise, the update is incremental. By default, the local database is updated once everyday. You can't modify the storage location of the database.
| You can't update the local database using ePolicy Orchestrator because the server needs direct Internet connections. However, if you use the proxy server to download anti-spam rules, the same configuration can be used to download the URL database. |