01-27-2015 09:14 AM
Today I switched on the "strict" Spyware anti-spyware policy on my outbound Domain Controller DNS policy - I'm seeing a lot (I mean a lot) of requests blocked for things like advertising networks.
Here are 3 DNS queries that were blocked, and they're indicative as I've picked them at random:
d.audienceiq.com
d.p-td.com
p.adsymptotic.com
Those flag as spyware domains.
So how come when I do a URL filtering query (using PAN-DB) on those domains, they show as Business & Economy, Financial, and Computer and Internet Info?
They don't show as adverts or malware or anything like that.
Surely if someone has put them into the vulnerability database they should be in the URL database under a "bad" category shouldn't they?
Does anyone have any suggestions please?
01-27-2015 09:18 AM
Hello Networkadmin,
In the event that a URL has been mis-categorized, a change request can be submitted in one of two ways. Please follow the KB doc mentioned below.
How to Submit a Mis-Categorized URL for PAN-DB
Hope this helps.
Thanks
01-27-2015 09:25 AM
Hulk, thanks and I get that I can do that, but I think the point for Palo Alto here is that I don't know if it's a good URL or a bad URL and Palo Alto are contradicting themselves with their behaviour IMO.
How am I supposed to know what those are?
Palo Alto must know it's bad else why is it in the vulnerability database as suspicious/spyware - someone at Palo Alto must have updated the database?
So if it's known bad why would it not be listed in a suitable category for URL filtering automatically?
You see what I'm saying hopefully?
01-27-2015 09:38 AM
Hello Networkadmin,
I do understand your query.
The PAN-DB classification engine is based on machine learning, so we can and are constantly tweaking the individual category models to improve. In regards to URLs that are categorized as spyware, this is usually due to the fact that WildFire has detected malicious activity to/from this domain. Hence, we keep updating our database based on the WildFire result too.
A related discussion for your reference: Suspicious DNS Query ad nauseam
Thanks