Showing results for 
Show  only  | Search instead for 
Did you mean: 
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 3

How do we deal with obfuscation?

Just that. Emails sent in with a link are not flagged as malicous. We should not have to click the link to find if the location it takes you to is malcious. What is the way to deal with this?

2 Replies
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: How do we deal with obfuscation?

Hello @User27605043 

I have such requests very often. Sadly McAfee/SkyHigh URL database doesn't a separate URL category for url shorteners that can be blocked or put behind a coaching page.

When a user click on a link, the browser sends the request to proxy, the proxy will request the page and check the answer:


GET /bddsavr4 HTTP/1.1
Accept: */*

HTTP/1.1 301 Moved Permanently
Location: hxxp:/x/
Cache-Control: max-age=0, public, s-max-age=900, stale-if-error: 86400
Referrer-Policy: unsafe-url


As you can see, the proxy gets 301 redirect with an indication which url is behind the shortened link using a Location header.

The proxy doesn't check the Location header by default and send the answer to the client. The client's browser follows the 301 redirect and request the url from the location header. The proxy receives this request and now blocks it based on the url reputation.

The proxy protects the client in realtime when a user clicks the link to see the real url behind the tinyurl. 

You can configure proxy to block malicous redirects before it reaches the browser by placing this rule after the HTTPS Scanner:

Name: Block malicious redirects

Rule Criteria:
URL.ReputationForURL (Header.Response.Get ("Location")) greater than or equals 30

Action: Block



Was my response useful to you? If so, please consider marking it as an Accepted Solution and giving it a Kudo (click on the thumb up symbol) to help other community members. MWG+Splunk=❤
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 3

Re: How do we deal with obfuscation?

Thanks for the response. It is too bad that GTI does not automatically check obfustated URLs like tinyurl, that would make that tool and the ENS Web Control much more useful.

I always find it weird and concerning that no Trellix Engineer reviewed a post these days. I wonder if they are still monitoriing the forums? I always used to see an emplyee response.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community