URL categorization reasoning?



L3 Networker

Someone shared a link with me to a new startup company and I found it had been blocked and listed as malware by a PAN FW -- I am curious if there is a way to determine exactly what occurred that made that site categorized as malware -- and how I can look up other URLs' reasons for categorization -- if available.

Thanks,

A

9 Replies

L0 Member

Hi Aron,

Are you using BrightCloud or PAN-DB for URL categorization?

You can manually verify the category of any URL by entering it on the following web page:

http://www.brightcloud.com/tools/url-ip-lookup.php

https://urlfiltering.paloaltonetworks.com/testasite.aspx

If you do not agree with the categorization of an individual URL/website you can submit a recategorization request on this page:


http://brightcloud.com/support/changerequest.php

You can also clear the URL cache using the command below:

>clear url-cache url www.xyz.com

Also please check the below document for your reference.

https://live.paloaltonetworks.com/docs/DOC-2227

-regards

Rajiv

Rajiv,

Thanks, I am specifically looking for the reason why a URL was chosen to be categorized as malware -- for example xyz.com is malware because software hosted on the site was found to be distributing malware for command and control or Cryptolocker...

Hi Aron,

I don't think we can provide data on the classification history or how classification happens on the back-end.

If a website was mis-categorized, the best way to find out is to look at what other vendors say about it.

You can go to www.virustotal.com and find out what vendors like Kaspersky, Fortinet, BitDefender etc. say about the website.

If a majority of vendors classify the website as benign but PAN-DB does not, that means we mis-categorized it. At that point you could submit a request.

How to Submit a Mis-Categorized URL for PAN-DB

-regards

Rajiv

To add some color to rsriramoju's statement, we don't supply specific details most of the time because that is part of our detection algorithm.

Generally speaking, a domain is categorized as malware when there are malicious files hosted at the domain, a piece of malware makes calls to that domain, or similar actions.

More times than not I've seen a malicious file hosted on a compromised server on the domain. It could be a legitimate domain, but due to some unpatched (or zero-day) vulnerability, a malicious actor has planted malware on a directory reachable publicly. Incidentally, it's also why reputation-based systems can fail to protect you.

If you own the domain and have a Palo Alto Networks support contract, you can open a support ticket to uncover more specifics.

Best regards,

Greg Wesson

L4 Transporter

If you go to www.virustotal.com you can look up a url and it will have a date saying when it was last scanned and its rating against AV clients. This does not give you the reasons for its categorization nor is it inline with PA's categorization but sometimes can be beneficial when trying to understand a timeline.

L3 Networker

Thanks, everything in virus total said it was clean --> www.neucoin.org.

However, PAN marks it as Malware -- I personally have no evidence supporting it being malware or clean, which is why I wanted to see the reasoning from PAN.

Is there a way to follow up with PAN to determine the reasoning? I do not want to submit a recategorization because I do not know that it is clean.

L4 Transporter

I am seeing it categorized as Stock Advice and Tools. Maybe they revisited this one for you.

L3 Networker

Yes, it must have just changed within the past day or two, as my logs in PA show it as Malware on 05-04-2015 at 11:37 EST.

However, I'm still curious as to why it was listed as malware for a brief period of time 🙂

ajr13,

The web site could have been hosting malware (thus being categorized as malware). The site administrator may have been informed and then removed the malware and patched their server to prevent further malware being placed on the server. The site then gets a re-categorization request, and since the malware is not there anymore it gets classified as it normally should be. This is how I expect it works. Hope this helps.

Phil
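The thread suggests two practical checks: replay the firewall's own URL-filtering log to see when a domain's category changed (the 05-04-2015 Malware entry followed by Stock Advice and Tools a day or two later), and compare the firewall verdict against other vendors before submitting a recategorization request (rsriramoju's "majority of vendors" heuristic). The script below is an added example of both checks, not code from Palo Alto Networks or the thread; the log format is a constructed, simplified four-field CSV, and the vendor verdicts and domain names are constructed placeholders, not real data about any site mentioned above.

```python
"""Added example: replay URL-filtering log entries to find category changes,
then apply the thread's vendor-consensus heuristic before deciding whether a
recategorization request is warranted. All inputs are constructed samples."""
from collections import Counter
from datetime import datetime

# Constructed, simplified log lines: "receive_time,url,category,action".
# Real PAN-OS URL-filtering log exports carry many more fields; the parser
# below assumes only these four, in this order (an assumption of this example).
SAMPLE_LOG = """\
2015/05/04 11:37:02,www.example-startup.test/,malware,block-url
2015/05/04 11:38:15,www.example-startup.test/about,malware,block-url
2015/05/05 09:02:44,www.example-startup.test/,stock-advice-and-tools,alert
2015/05/05 09:03:10,www.other.test/,business-and-economy,alert
"""


def parse_url_log(text):
    """Yield (timestamp, domain, category, action) from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, category, action = line.split(",", 3)
        domain = url.split("/", 1)[0].lower()  # strip the path, keep the host
        yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), domain, category, action


def category_timeline(text):
    """Return {domain: [(first_seen, category), ...]} with consecutive
    duplicates collapsed, so every entry after the first is a category change."""
    timeline = {}
    for ts, domain, category, _action in sorted(parse_url_log(text)):
        history = timeline.setdefault(domain, [])
        if not history or history[-1][1] != category:
            history.append((ts, category))
    return timeline


def current_category(timeline, domain):
    """Latest category seen for a domain, or None if it was never logged."""
    history = timeline.get(domain)
    return history[-1][1] if history else None


# Constructed per-vendor verdicts, the shape of a third-party lookup result;
# vendor names are placeholders.
SAMPLE_VENDOR_VERDICTS = {
    "vendor-a": "clean",
    "vendor-b": "clean",
    "vendor-c": "clean",
    "vendor-d": "malware",
}


def recategorization_advice(fw_category, vendor_verdicts):
    """Thread heuristic: if most other vendors call the site clean but the
    firewall says malware, the verdict is a candidate for a recategorization
    request; if most vendors agree it is bad, keep it blocked."""
    counts = Counter(vendor_verdicts.values())
    clean = counts.get("clean", 0)
    flagged = sum(n for verdict, n in counts.items() if verdict != "clean")
    if fw_category == "malware" and clean > flagged:
        return "request-recategorization"
    if fw_category == "malware":
        return "keep-blocked"
    return "no-action"


if __name__ == "__main__":
    tl = category_timeline(SAMPLE_LOG)
    for domain, history in tl.items():
        for ts, cat in history:
            print(f"{domain}: {cat} from {ts:%Y-%m-%d %H:%M}")
    fw_cat = current_category(tl, "www.example-startup.test")
    print(f"firewall verdict now: {fw_cat}")
    print(recategorization_advice("malware", SAMPLE_VENDOR_VERDICTS))
```

Run it against an exported URL-filtering log after adapting `parse_url_log` to the real field layout; the collapsed timeline shows when a category flipped, which is the information the firewall itself does not explain, and the consensus check keeps you from filing a recategorization request for a site that other vendors also flag.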
