DNS Spyware Vulnerabilities - Why aren't the FQDNs in Malware Category?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DNS Spyware Vulnerabilities - Why aren't the FQDNs in Malware Category?

L4 Transporter

Today I switched on the "strict" Spyware anti-spyware policy on my outbound Domain Controller DNS policy - I'm seeing a lot (I mean a lot) of requests blocked for things like advertising networks.

Here are 3 DNS queries that were blocked, and they're indicative as I've picked them at random:

d.audienceiq.com

d.p-td.com

p.adsymptotic.com


Those flag as spyware domains.


So how come when I do a URL filtering query (using PAN-DB) on those domains that they show as Business & Economy, Financial, and Computer and Internet Info?


They don't show as adverts or malware or anything like that.


Surely if someone has put them into the vulnerability database they should be in the URL database under a "bad" category shouldn't they?


Does anyone have any suggestions please? Smiley Happy

3 REPLIES 3

L7 Applicator

Hello Networkadmin,

In the event that a URL has been mis-categorized, a change request can be submitted in one of two ways: Please follow the KB doc mentioned below.

How to Submit a Mis-Categorized URL for PAN-DB

Hope this helps.

Thanks

Hulk, thanks and I get that I can do that, but I think the point for Palo Alto here is that I don't know if it's a good URL or a bad URL and Palo Alto are contradicting themselves with their behaviour IMO.

  • d.audienceiq.com
  • d.p-td.com
  • p.adsymptotic.com

How am I supposed to know what those are? :smileylaugh:

Palo Alto must know it's bad else why is it in the vulnerability database as suspicious/spyware - someone at Palo Alto must have updated the database?

So if it's known bad why would it not be listed in a suitable category for URL filtering automatically?

You see what I'm saying hopefully? Smiley Happy

Hello Networkadmin,

I do understand your query Smiley Happy

The PAN-DB classification engine is based on machine learning, so we can and are constantly tweaking the individual category models to improve.  In regards to URLs that are categorized as spyware, this is usually due to the fact that WildFire has detected malicious activity to/from this domain. Hence, we keep updating our database based on the wildfire result too.

A related discussion for your reference: Suspicious DNS Query ad nauseam

Thanks

  • 2062 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!