cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
andrewfcone
Level 8
Report Inappropriate Content
Message 1 of 7
‎01-08-2020 04:13 PM

Block a URL string in Web Control ePO policy?

Jump to solution

We need to block any website URL's with a specific text string inside of them. For example, want to block access to any URL that contains "bob=123456" in it.

An example URL we would want to block would be afakeurl.com/dir/file.php?bob=123456

I've created a block policy where the site pattern is just bob=123456 but it doesn't seem to be working. Is this the correct method?

Labels (2)
0 Kudos
Reply
1 Solution

Accepted Solutions
patrakshar
Employee
Employee
Report Inappropriate Content
Message 7 of 7
‎01-08-2020 06:47 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Hi @andrewfcone 

Web Control doesn't check for matches in the middle or end of URLs as mentioned in the article https://docs.mcafee.com/bundle/endpoint-security-10.6.0-web-control-product-guide-windows/page/GUID-...

We can block only by fakesite.com/folder1/ or fakesite.com/folder2/. So if anything has fakesite.com/folder1/brb12344 will be blocked. 

Just tested it and it is working fine. So the way you need the pattern not supported at this point. This needs to be submitted as a product enhancement request.

View solution in original post

Reply
6 Replies
patrakshar
Employee
Employee
Report Inappropriate Content
Message 2 of 7
‎01-08-2020 04:49 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Hi @andrewfcone 

The site pattern you can used mentioned in below article.

https://docs.mcafee.com/bundle/endpoint-security-10.6.0-web-control-product-guide-windows/page/GUID-...

 

 

Reply
andrewfcone
Level 8
Report Inappropriate Content
Message 3 of 7
‎01-08-2020 04:57 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Hi Patrakshar! Thank you for the reply!

So the only way to block that string is to have it include a / ?

So, it sounds like for afakeurl.com/dir/file.php?bob=123456 I would need to add block policy of /file.php?bob=123456

Unfortunately the filename isn't always consistent, but that string is. At least this can give us partial blocking as we find out the filenames.

0 Kudos
Reply
patrakshar
Employee
Employee
Report Inappropriate Content
Message 4 of 7
‎01-08-2020 05:10 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Hi @andrewfcone 

It will anything after the domain.

For afakeurl.com/dir/file.php?bob=123456 you will need pattern "/dir/"

The php file level block is not  possible . It will be good for a product enhancement request following the article https://kc.mcafee.com/corporate/index?page=content&id=KB60021

Reply
andrewfcone
Level 8
Report Inappropriate Content
Message 5 of 7
‎01-08-2020 05:18 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Thank you again for the fast reply!

Hmm. The scenario is that there is a phishing kit that is targeting us, and the target URL that the phishers want users to click will have a domain name and sub-folder that are always different... the only thing that is consistent is the file.php?bob123456

So if I create a block for /file.php?bob=123456 will it block access to these two potential URL's?

  • fakesite.com/folder1/file.php?bob=123456
  • fakesite.org/folder2/file.php?bob=123456

Or would that rule only block access to file.php?bob=123456 from the root of that domain? So only fakesite.com/file.php?bob=123456  ?

0 Kudos
Reply
patrakshar
Employee
Employee
Report Inappropriate Content
Message 6 of 7
‎01-08-2020 05:46 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Hi @andrewfcone 

The best way to block this URL will be using WebGateway. As per the Webcontrol pattern in question, it should be just /folder1/ or /folder2/ which should block fakesite.com/folder1/ and fakesite.com/folder2/. Let me see if I can find any other solution for you that might help blocking the URL. I will update this post. 

0 Kudos
Reply
patrakshar
Employee
Employee
Report Inappropriate Content
Message 7 of 7
‎01-08-2020 06:47 PM

Re: Block a URL string in Web Control ePO policy?

Jump to solution

Hi @andrewfcone 

Web Control doesn't check for matches in the middle or end of URLs as mentioned in the article https://docs.mcafee.com/bundle/endpoint-security-10.6.0-web-control-product-guide-windows/page/GUID-...

We can block only by fakesite.com/folder1/ or fakesite.com/folder2/. So if anything has fakesite.com/folder1/brb12344 will be blocked. 

Just tested it and it is working fine. So the way you need the pattern not supported at this point. This needs to be submitted as a product enhancement request.

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC