Endpoint Security 10.6.0 - Web
Control Product Guide
(McAfee ePolicy Orchestrator)
COPYRIGHT
Copyright © 2018 McAfee, LLC
1 Product overview
Overview of Endpoint Security
How Endpoint Security works
Overview of Web Control
Key features of Web Control
How Web Control works
Feature overview
Supported and unsupported browsers
Identifying threats while browsing
Identifying threats while searching
Site reports provide details
How Web Control blocks or warns about a site or download
How Web Control and McAfee Client Proxy work together
How web gateway enforcement works
How safety ratings are compiled
How file downloads are scanned
How McAfee GTI works
How Web Control works with Web Reporter
Information that the software sends to McAfee ePO
Web Control additions to McAfee ePO
Permission sets and Web Control
Client tasks and Web Control
Frequently asked questions
Contents
Overview of Endpoint Security
How Endpoint Security works
Overview of Web Control
Key features of Web Control
How Web Control works
Feature overview
Web Control additions to McAfee ePO
Frequently asked questions
Endpoint Security enables multiple defense technologies to communicate in real time to analyze and protect
against threats.
• Threat Prevention — Prevents threats from accessing systems, scans files automatically when they are
accessed, and runs targeted scans for malware on client systems.
• Firewall — Monitors communication between the computer and resources on the network and the
Internet. Intercepts suspicious communications.
• Web Control — Monitors web searching and browsing activity on client systems and blocks websites and
downloads based on safety rating and content.
• Adaptive Threat Protection — Analyzes content from your enterprise and decides how to respond based
on file reputation, rules, and reputation thresholds. Adaptive Threat Protection is an optional Endpoint
Security module.
The Common module provides settings for common features, such as interface security and logging. This
module is installed automatically if any other module is installed.
All modules integrate into a single Endpoint Security interface on the client system. Each module works
together and independently to provide several layers of security.
See also
How Endpoint Security works
Overview of Web Control
McAfee ePO
You use McAfee ePolicy Orchestrator (McAfee ePO) to deploy and manage Endpoint Security modules on
client systems. Each module includes an extension and a software package that are installed on the McAfee
ePO server. McAfee ePO then deploys the software to client systems.
Using McAfee Agent, the client software communicates with McAfee ePO for policy configuration and
enforcement, product updates, and reporting.
Client modules
The client software protects systems with regular updates, continuous monitoring, and detailed reporting.
It sends data about detections on your computers to the McAfee ePO server. This data is used to generate
reports about detections and security issues on your computers.
McAfee GTI
Threat Prevention, Firewall, Web Control, and Adaptive Threat Protection query McAfee GTI for reputation
information to determine how to handle files on the client system.
McAfee Labs
The client software communicates with McAfee Labs for content file and engine updates. McAfee Labs regularly
releases updated content packages.
To perform updates, the client software connects to a local or remote McAfee ePO server or directly to a site on
the Internet. Endpoint Security checks for:
• Updates to the content files that detect threats. Content files contain definitions for threats such as viruses
and spyware, and these definitions are updated as new threats are discovered.
See also
Overview of Web Control
A McAfee team analyzes each website and assigns a color-coded safety rating based on test results. The color
indicates the level of safety for the site.
Web Control uses the test results to identify web-based threats. Software installed on the client system adds
features that appear in the browser window and search results to notify users.
You use McAfee ePO to deploy and manage Web Control on client systems. Settings control access to sites
based on their safety rating, the type of content they contain, and their URL or domain name.
See also
Overview of Endpoint Security
Protect
Protect your systems from malicious websites and downloads using these Web Control features:
• Block and Allow List — Prevent users from visiting specific URLs or domains or always allow access to sites
that are important to your business.
• Rating Actions and Web Category Blocking — Use safety ratings and web categories defined by McAfee to
control user access to sites, pages, and downloads.
• Secure Search — Automatically block risky sites from appearing in search results based on their safety
rating.
• Self protection — Prevent users from disabling the Web Control plug-in or uninstalling or changing Web
Control files, registry keys, registry values, services, and processes.
Detect
Detect malicious websites using these Web Control features:
• Web Control button in the browser window — The Web Control plug-in displays a button indicating the
safety rating for the site. Click the button for more information about the site.
• Web Control icon on search results pages — An icon appears next to each listed site. The color of the icon
indicates the safety rating for the site. Hover over the icon for more information about the site.
• Site reports — Details show how the safety rating was calculated based on types of threats detected, test
results, and other data.
• Dashboards and monitors — Display statistics about Web Control activity, including visits and downloads
from sites by rating, content type, and blocked or allowed list.
• Queries and reports — Retrieve detailed information about Web Control browser events, and save it in
reports.
Correct
Monitor and tune Web Control behavior using these features:
• Interlock with other McAfee products — Disable Web Control automatically if it detects a web gateway
appliance or if McAfee Client Proxy is installed and in redirection mode.
• File scanning for file downloads — Web Control sends files to Threat Prevention for scanning. If it detects
a threat, Threat Prevention responds with the configured action such as clean, and alerts the user.
• Dashboards and monitors — Monitor activity to understand browsing activity, then use that information to
tune Web Control settings.
• If the URL reputation is unrated but matches a category in McAfee GTI, Web Control allows or blocks
navigation to the URL, based on Content Actions settings.
4 If the request is a file download and the file reputation is not malicious, Web Control allows the download,
even if the URL reputation is malicious. If the file reputation is unknown, Web Control sends the file to
Threat Prevention for scanning by the on-demand scanner.
Threat Prevention checks the file against the AMCore content file. If it matches a signature or hash in
content, the file download is blocked. Otherwise, the file is downloaded.
5 Web Control logs the details, then generates and sends an event to McAfee ePO.
• Endpoint Security Client Status page shows Web Control status as Disabled.
• Endpoint Security Client Settings page indicates that Web Control is disabled because Client Proxy is
detected.
See also
Identifying threats while browsing
Identifying threats while searching
Site reports provide details
How Web Control blocks or warns about a site or download
How file downloads are scanned
How McAfee GTI works
Feature overview
Contents
Supported and unsupported browsers
Identifying threats while browsing
Identifying threats while searching
Site reports provide details
How Web Control blocks or warns about a site or download
How Web Control and McAfee Client Proxy work together
How web gateway enforcement works
How safety ratings are compiled
How file downloads are scanned
How McAfee GTI works
How Web Control works with Web Reporter
Information that the software sends to McAfee ePO
• Internet Explorer 11
• Chrome — Current version. Chrome doesn't support the Show Balloon option.
• Firefox ESR (Extended Support Release) — Current version and previous version
Because Google and Mozilla release new versions frequently, Web Control might not work with a new update. A
Web Control patch is released as soon as possible to support the changes from Google or Mozilla.
For the latest information about browsers that Web Control supports, see KB82761.
See also
Prohibit use of specific browsers
The safety rating applies to HTTP and HTTPS protocol URLs only.
See also
Get information about a site that you're viewing
Frequently asked questions
Tests revealed some issues that users might need to know about. For example, the site tried to change
the testers’ browser defaults, displayed pop-ups, or sent testers a significant amount of non-spam email.
Tests revealed some serious issues that users must consider carefully before accessing this site. For
example, the site sent testers spam email or bundled adware with a download.
A Web Control setting blocked this site.
See also
Get information about a site from search results
Online Affiliations: How aggressively the site tries to get you to go to other sites that McAfee flagged with a red rating.
Suspicious sites often associate with other suspicious sites. The primary purpose of feeder sites
is to get you to visit the suspicious site. A site can receive a red rating if, for example, it links
too aggressively to other red sites. In this case, Web Control considers the site red by
association.
Web Spam Tests: The overall rating for a website's email practices, based on the test results.
McAfee rates sites based on how much email we receive after entering an address on the site,
and how much the email looks like spam. If either measure is higher than what is considered
acceptable, McAfee rates the site yellow. If both measures are high or one looks egregious,
McAfee rates the site red.
Download Tests: The overall rating about the impact a site's downloadable software had on our test computer,
based on the test results.
McAfee gives red flags to sites with virus-infected downloads or to sites that add unrelated
software considered by many people to be adware or spyware. The rating also considers the
network servers that a downloaded program contacts during operation, and any changes to
browser settings or computer registry files.
See also
Get information about a site from search results
Get information about a site that you're viewing
• Warn — Web Control displays a warning to notify users of potential dangers associated with the site.
• Block — Web Control displays a message that the site is blocked and prevents users from accessing the site.
• Warn — Web Control displays a warning to notify users of potential dangers associated with the download
file and allows user to block or continue with the download.
• Block — Web Control displays a message that the site is blocked and prevents the download.
If the file reputation is not malicious, Web Control allows file downloads from a blocked site using the complete
URL.
See also
Warn about or block unknown URLs and file downloads
Block all internal sites
Manage blocked and allowed sites
Customize user notifications for blocked content
For Web Control to be disabled, the client system must meet the Client Proxy criteria set in the MCP Policy settings.
Web Control remains enabled unless both of the following are true:
• When the client system is outside the internal network, Web Control is disabled and Client Proxy redirects
network traffic.
• When the client system moves from outside to inside the internal network, Client Proxy stops redirecting
and Web Control is reenabled.
When Web Control is disabled because Client Proxy is present and redirecting:
• Endpoint Security Client Status page shows Web Control status as Disabled.
• Endpoint Security Client Settings page indicates that Web Control is disabled because Client Proxy is
detected.
Use one of these methods to configure Web Control to detect a web gateway.
If Web Control resolves the specified DNS name or IP addresses, it doesn't perform rating or enforcement
actions.
• If you enter the DNS name, Web Control performs a DNS query (doesn't check the local cache) on the
host name. If at least one IP address is detected, Web Control doesn't perform rating or enforcement
actions.
• If you enter IP addresses, Web Control resolves the name for each address. If at least one valid host
name is detected, Web Control stops processing and doesn't perform rating or enforcement actions.
• If you enter both a DNS name and IP addresses, Web Control performs a DNS query on the DNS host
name and checks the result against the specified IP addresses. If it detects a match, Web Control doesn't
perform rating or enforcement actions.
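The three detection rules above, modelled as an added Python example (not McAfee code) so the outcome of a given gateway configuration can be checked before it is deployed. The resolver callables, the GatewayConfig and Decision types, and all host names and addresses are assumptions constructed for illustration; lookups are served from in-memory tables so the example runs offline.

```python
"""Model of the web gateway detection rules (added example, not McAfee code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class GatewayConfig:
    dns_name: Optional[str] = None
    ip_addresses: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    gateway_detected: bool
    reason: str

    @property
    def web_control_enforces(self) -> bool:
        # Per the page: a detected gateway means no rating or enforcement actions.
        return not self.gateway_detected


def table_resolvers(forward: Dict[str, List[str]], reverse: Dict[str, str]):
    """Build offline (forward, reverse) lookup callables (hypothetical helper)."""
    return (lambda name: forward.get(name, [])), (lambda addr: reverse.get(addr))


def detect_gateway(cfg: GatewayConfig, forward_lookup, reverse_lookup) -> Decision:
    if not cfg.dns_name and not cfg.ip_addresses:
        return Decision(False, "no gateway configured")
    wanted = {ip_address(a) for a in cfg.ip_addresses}

    # DNS name and IP addresses: the answer must match a configured address.
    if cfg.dns_name and wanted:
        resolved = {ip_address(a) for a in forward_lookup(cfg.dns_name)}
        hits = sorted(str(a) for a in resolved & wanted)
        if hits:
            return Decision(True, f"{cfg.dns_name} resolved to configured address {hits[0]}")
        return Decision(False, f"{cfg.dns_name} did not resolve to a configured address")

    # DNS name only: any returned address counts as a detected gateway.
    if cfg.dns_name:
        resolved = list(forward_lookup(cfg.dns_name))
        if resolved:
            return Decision(True, f"{cfg.dns_name} resolved to {resolved[0]}")
        return Decision(False, f"{cfg.dns_name} did not resolve")

    # IP addresses only: the first address with a valid host name stops processing.
    for addr in cfg.ip_addresses:
        name = reverse_lookup(addr)
        if name:
            return Decision(True, f"{addr} resolved to host name {name}")
    return Decision(False, "no configured address resolved to a host name")


# Constructed sample data: three configurations and three network situations.
CONFIGS = {
    "name only": GatewayConfig(dns_name="gateway.corp.example"),
    "ips only": GatewayConfig(ip_addresses=("10.20.0.5",)),
    "name and ips": GatewayConfig("gateway.corp.example", ("10.20.0.5",)),
}
NETWORKS = {
    "internal": table_resolvers({"gateway.corp.example": ["10.20.0.5"]},
                                {"10.20.0.5": "gateway.corp.example"}),
    "external": table_resolvers({}, {}),
    # The name answers here, but with an address that is not the configured one.
    "other": table_resolvers({"gateway.corp.example": ["203.0.113.7"]}, {}),
}


def compare():
    """Evaluate every constructed configuration on every constructed network."""
    return {(c, n): detect_gateway(cfg, *resolvers).gateway_detected
            for c, cfg in CONFIGS.items() for n, resolvers in NETWORKS.items()}


if __name__ == "__main__":
    for (config, network), detected in compare().items():
        state = "disabled (gateway detected)" if detected else "enforcing"
        print(f"{config:13} on {network:8} network: Web Control {state}")
```

On the "other" network the name-only configuration reports a gateway while the combined configuration keeps Web Control enforcing, which is the practical difference between the first and third rule.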
• Downloading files to check for viruses and potentially unwanted programs bundled with the download.
• Entering contact information into sign-up forms and checking for resulting spam or a high volume of
non-spam email sent by the site or its affiliates.
The team compiles test results into a safety report that can also include:
• Feedback submitted by site owners, which might include descriptions of safety precautions used by the site
or responses to user feedback about the site.
• Feedback submitted by site users, which might include reports of phishing scams or bad shopping
experiences.
See also
Specify rating actions and block site access based on web category
See also
Scan files before downloading
You can configure Endpoint Security to use a proxy server to retrieve McAfee GTI reputation information in the
Common settings.
See also
Frequently asked questions
Information that the software sends to McAfee ePO
How file downloads are scanned
Scan files before downloading
The Web Reporter server collects and processes log files and imports the data from the log file to the database.
After the data is transferred to the database, reports are generated. Log files are generated by running a Web
Control client task from the McAfee ePO server on all managed systems.
• Reporting administrator installs, configures, and maintains the Web Reporter server.
The reporting administrator uses the web-based interface to manage how Web Reporter is used in the
organization:
• Web Reporter is the server-based software with a web-based interface and configuration settings that
create detailed reports.
• Log sources are devices on the network that generate or store log files. Log files contain web filtering data,
including information such as user names, IP addresses, URLs, time stamps, and protocol types. Web
Reporter collects and processes the log files, then imports the data into its database. A log source can be a
directory on the Web Reporter server, an FTP server, or NetCache.
• Database stores data from each log source, and reports are generated using the data. Supported database
platforms include Microsoft SQL 2000 and 2005, MySQL 5.0, and Oracle 9 and 10.
See also
Send Web Control logs from McAfee ePO to Web Reporter
• Time
• Domain
• URL
• Whether the event’s site or site resource is on the Block and Allow List
The software sends the complete URL of the website to the McAfee GTI server.
When a managed system visits a website, Web Control tracks the URL. The URL is the smallest amount of
information required for the software to uniquely identify the URL being rated for security. The focus of Web
Control is protecting your managed systems; no attempt is made to track personal Internet use.
Web Control doesn't send information about your company’s intranet sites to the McAfee GTI server.
See also
Track browser events to use for reports
How McAfee GTI works
Events and responses:
• Events for which you can configure automatic responses.
• Event groups and event types that you can use to customize automatic responses.
Managed system properties: Properties that you can review in the System Tree or use to customize queries.
Permission sets: Web Control permission category, available in all existing permission sets.
Policies: Block and Allow List, Content Actions, Enforcement Messaging, and Options policy
categories in the Endpoint Security Web Control product group.
Queries and reports:
• Default queries that you can use to run reports.
• Custom property groups based on managed system properties that you can use to
build your own queries and reports.
See also
Permission sets and Web Control
Client tasks and Web Control
Policies and Web Control
Dashboards, monitors, and Web Control
Queries, reports, and Web Control
Server tasks and Web Control
Events, responses, and Web Control
Permission groups define the access rights to the features. McAfee ePO grants all permissions for all products
and features to global administrators. Administrators then assign user roles to existing permission sets or
create new permission sets.
For information about managing permission sets, see the McAfee ePO documentation.
See also
Client tasks and Web Control
Policies and Web Control
Dashboards, monitors, and Web Control
Queries, reports, and Web Control
Server tasks and Web Control
Events, responses, and Web Control
Your managed product adds these client tasks to the Client Task Catalog. You can use client tasks as is, edit
them, or create new ones.
Because large amounts of data can be transferred when the logs are sent, we
recommend setting the client task to run on a randomized schedule.
See the settings for Event Logging in the Options policy to configure the Web Reporter server
settings.
Web Control leverages the following default McAfee Agent client tasks.
For information about client tasks and the Client Task Catalog, see the McAfee ePO documentation.
See also
Permission sets and Web Control
Send Web Control logs from McAfee ePO to Web Reporter
Policy enforcement
How can users circumvent policy settings for Web Control and hide their browsing behavior?
• Disabling the plug-in from the Choose Add-ons pop-up window that Internet Explorer displays after
Web Control is installed.
• Disabling Web Control in Chrome or Firefox by managing add-ons or extensions in the browser.
• Enable Self Protection for Web Control in the Common Options policy to keep users from disabling
Web Control in Internet Explorer.
• Assign a policy to a group to automatically enable the Web Control plug-in in Internet Explorer and
Chrome.
For information, see KB87568.
• Use queries that track browsing behavior and usage. Queries alert you when managed systems show
no browsing data or less browsing data than expected.
• Check the compliance status of the client software using the Endpoint Security Web Control:
Compliance Status query. This query indicates when the software is disabled.
By setting up monitors that use the applicable queries, or frequently checking reports generated by
queries, you know when users circumvent policy settings. You can then take immediate steps to ensure
compliance.
Color coding
Why is the Web Control button gray?
Several causes are possible:
• The site is not rated.
General
Is it safe to use Web Control as my only source of security against web-based threats?
No. Web Control tests many threats, and constantly adds new threats to its testing criteria, but it can't
test for all threats. Users must continue to use traditional security defenses, such as virus and spyware
protection, intrusion prevention, and network access control.
See also
Guidelines for creating a strategy
Identifying threats while browsing
Supported and unsupported browsers
Configuring browsers to force-enable the Web Control plug-in
Dashboards, monitors, and Web Control
Queries, reports, and Web Control
Contents
Guidelines for creating a strategy
Selecting the right policy options and features
3 Create policies.
Configure settings based on the browsing behavior revealed in the query results. Block or warn any sites or
downloads that present threats, and allow sites that are important to your users.
• Verify that Web Control is enabled on all computers and is functioning properly by running the
Functional Compliance query.
• Check whether any required sites or site resources, such as download files, are blocked.
See also
Evaluating policy settings with Observe mode
Policies and Web Control
Queries, reports, and Web Control
Dashboards, monitors, and Web Control
Specify enforcement behavior for specific actions
• Assess the security concerns and vulnerabilities that apply to your business.
• Carefully consider any domains and sites that must be accessible to your managed systems and any sites to
block.
Use this list to identify which product features can help meet your security or productivity goals.
See also
Using URLs or domains to control access
Using safety ratings to control access
Using web categories to control access
Policies and Web Control
• Allow indicates that users can always access the site, regardless of safety rating or content type. Use allowed
sites to make sure that managed systems can access sites that are important to your business. The button
in the upper-right corner of the browser appears white for allowed sites.
Exercise caution when adding allowed sites to Block and Allow List policies.
You can also specify actions for resources, such as file downloads, in allowed sites. For example, if your
users aren't vulnerable to potential threats on a yellow site, add the site as allowed to a Block and Allow List.
If the site contains a red download file, allow access to the site, but block access to those resources. This
strategy makes sure that sites important to your business are accessible, while protecting your users from
potential threats on those sites.
• Block indicates that users can never access the site. Use blocked sites to deny access to sites that aren't
needed for your business or don't conform to company security standards. The button in the upper-right
corner of the browser appears black for blocked sites.
By default, if the same site appears as both blocked and allowed, the block action takes precedence. You can
configure a policy option for allowed sites to take priority.
The settings for the Block and Allow List policy override those in the Content Actions policy.
See also
How policies work
How site patterns work
Warn about or block unknown URLs and file downloads
Manage blocked and allowed sites
A site pattern consists of a URL or partial URL, which Web Control interprets as two distinct components:
• Path (/us/enterprise): The path includes everything that follows the slash (/) after the domain.
Web Control matches path information from the beginning. A matching URL path must
begin with the site pattern’s path.
Site patterns must be at least three characters in length and must not include wildcard characters. Web Control
doesn't check for matches in the middle or end of URLs.
Use the "." character at the beginning of a site pattern to match a specific domain. For convenience, the "."
character causes Web Control to ignore the protocol and introductory characters.
To block file downloads on allowed sites, change the settings on the Advanced Settings tab of the Block and
Allow List settings.
Best practice: To make sure that users can access specific sites that are important to your business, no matter
how they are rated, add them to an allowed list. Users can access sites that appear on an allowed list even if you
configured other actions with their ratings.
See also
How policies work
Specify rating actions and block site access based on web category
When a client user accesses a site, the software checks the web category for the site. If the site belongs to a
defined category, access is blocked or allowed, based on the settings in the Content Actions settings. For sites
and file downloads in the unblocked categories, the software applies the specified Rating Actions.
See also
How policies work
Specify rating actions and block site access based on web category
Contents
Policies and Web Control
Enable and disable Web Control
Track browser events to use for reports
Specify enforcement behavior for specific actions
Warn about or block unknown URLs and file downloads
Scan files before downloading
Block all internal sites
Configure Secure Search
Send Web Control logs from McAfee ePO to Web Reporter
Manage blocked and allowed sites
Prohibit use of specific browsers
Specify rating actions and block site access based on web category
Customize user notifications for blocked content
Policies are collections of settings that you create, configure, and apply, then enforce. Most policy settings
correspond to settings that you configure in the Endpoint Security Client. Other policy settings are the primary
interface for configuring the software.
Your managed product adds these categories to the Policy Catalog. The available settings vary in each category.
Browser Control: Configures settings to prohibit specific supported and unsupported browsers.
Enforcement Messaging: Specifies messages and explanations, which can include your own image, to display
when users attempt to access:
• Sites blocked and warned by Rating Actions
• File downloads blocked and warned by Rating Actions
• Phishing pages
• Blocked sites on the Block and Allow List
• Sites blocked when McAfee GTI is unreachable
• Sites blocked and warned that McAfee GTI has not yet verified
Customizing policies
Each policy category includes default policies.
You can use default policies as is, edit the My Default default policies, or create new policies.
Multiple-instance policies
The Content Actions and Block and Allow List policies are multiple instance policies. You can assign more than
one policy instance to a client. For the policies that have multiple instances, an Effective Policy link provides a
view of the details of the combined policy instances.
User-based policies
User-based policies (UBP) enable policies to be defined and enforced using McAfee ePO policy assignment rules
with an LDAP server. These assignment rules are enforced on the client system for the user at log-on,
regardless of the McAfee ePO group.
User-based policies are enforced when a user with a matching assignment rule logs on to the client system on
the console. System-based policies (SBP) are enforced when two or more users are logged on to a system. Policy
assignment rules take precedence over policies defined in the System Tree.
The user policy supersedes the system policy. All system policies apply and any user-based policy overrides the
system policy.
Policy assignment rules are enforced only if the user logs on as the interactive user. The system policy, rather
than the user policy, is enforced if the user logs on:
• With a runas command
• To a remote desktop or terminal service where the user's logon is not set to interactive
For more information about user-based policies and policy assignment rules, see the McAfee ePO Help.
Comparing policies
You can compare all policy settings for the module using the Policy Comparison feature in McAfee ePO. For
information, see the McAfee ePO Help.
For information about policies and the Policy Catalog, see the McAfee ePO documentation.
See also
Assign multiple instances of a policy
How policies work
Evaluating policy settings with Observe mode
Multiple-instance policies
Multiple-instance policies, such as Block and Allow List and Content Actions, support combining multiple
policies under a single effective policy.
Multiple-instance policies obey the McAfee ePO laws of inheritance within a System Tree. See the McAfee ePO
Help.
You can use multiple-instance policies to apply a default list of sites, and add entries for a particular group or all
groups. Instead of updating the entire list with the new entries, create a second policy instance for the new
entries. Then, apply it and the default list together. The effective policy is then the combination of the two
policies.
For example, you configure one Block and Allow List policy for Group A, another for Group B, and another for
Group C. If Group A contains Group B, and Group B contains Group C, the Block and Allow List policy
incorporates elements from the three policies. The allowed list for Group C might contain all sites listed for
Group A and Group B, and extra sites specific to Group C. By using an effective policy, you don't have to re-enter
all sites from Group A and Group B into the allowed list for Group C.
For more information about using policies, see the McAfee ePO Help.
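An added Python example (not McAfee code) that combines Block and Allow List instances for nested groups as in the Group A, B, C case above, then audits the result against two rules stated earlier in this guide: block takes precedence over allow by default, and site patterns must be at least three characters with no wildcards. Pattern comparison is simplified to exact string equality, and the group entries, the wildcard character set and every function name are assumptions made for illustration.

```python
"""Audit a combined Block and Allow List (added example, not McAfee code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_PATTERN_LEN = 3      # from the page: at least three characters
WILDCARDS = set("*?")    # assumption: the page does not list the wildcard characters


@dataclass(frozen=True)
class PolicyInstance:
    name: str
    blocked: Tuple[str, ...] = ()
    allowed: Tuple[str, ...] = ()


def invalid_patterns(instances: List[PolicyInstance]) -> Dict[str, str]:
    """Return {pattern: reason} for entries that break the site pattern rules."""
    problems = {}
    for inst in instances:
        for pattern in inst.blocked + inst.allowed:
            if len(pattern) < MIN_PATTERN_LEN:
                problems[pattern] = f"{inst.name}: shorter than {MIN_PATTERN_LEN} characters"
            elif WILDCARDS & set(pattern):
                problems[pattern] = f"{inst.name}: contains a wildcard character"
    return problems


def effective_policy(instances: List[PolicyInstance]) -> Dict[str, Dict[str, List[str]]]:
    """Combine all instances, remembering which instance contributed each entry."""
    combined: Dict[str, Dict[str, List[str]]] = {}
    for inst in instances:
        for action, patterns in (("block", inst.blocked), ("allow", inst.allowed)):
            for pattern in patterns:
                entry = combined.setdefault(pattern, {"block": [], "allow": []})
                entry[action].append(inst.name)
    return combined


def conflicts(combined) -> List[str]:
    """Patterns that the combined policy lists as both blocked and allowed."""
    return sorted(p for p, e in combined.items() if e["block"] and e["allow"])


def resolve(pattern: str, combined, allow_takes_priority: bool = False) -> str:
    """Return 'block', 'allow', or 'defer' (not listed: other policies decide)."""
    entry = combined.get(pattern)
    if entry is None:
        return "defer"
    if entry["block"] and entry["allow"]:
        # Default from the page: block wins unless the policy option is changed.
        return "allow" if allow_takes_priority else "block"
    return "block" if entry["block"] else "allow"


# Constructed sample data: Group A contains Group B, which contains Group C.
GROUP_A = PolicyInstance("Group A default list",
                         blocked=("games.example",), allowed=("crm.example",))
GROUP_B = PolicyInstance("Group B additions",
                         allowed=("partner.example", "games.example"))
GROUP_C = PolicyInstance("Group C additions",
                         blocked=("*.ads.example", "ab"),
                         allowed=("build.example/artifacts",))
GROUP_C_INSTANCES = [GROUP_A, GROUP_B, GROUP_C]


def audit_group_c():
    """Summarize what a system in Group C ends up with."""
    combined = effective_policy(GROUP_C_INSTANCES)
    return {
        "conflicts": conflicts(combined),
        "invalid": invalid_patterns(GROUP_C_INSTANCES),
        "games_default": resolve("games.example", combined),
        "games_allow_priority": resolve("games.example", combined, True),
        "unlisted": resolve("news.example", combined),
    }


if __name__ == "__main__":
    for key, value in audit_group_c().items():
        print(f"{key}: {value}")
```

The conflict on games.example comes from two different instances, which is the case that is easy to miss when lists are maintained per group and only the effective policy shows both entries together.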
See also
Assign multiple instances of a policy
Selecting the right policy options and features
Task
1 Select Menu | Systems | System Tree and select a group in the System Tree.
For one system, select a group in the System Tree that contains the system. Then, on the Systems tab, select
the system and select Actions | Agent | Modify Policies on a Single System.
2 Under Assigned Policies, select Endpoint Security Web Control in the Product list.
3 Click Edit Assignments for one of the multiple-instance policies (Block and Allow List or Content Actions).
4 On the Policy Assignment page, click New Policy Instance, then select a policy from the Assigned Policy drop-down
list for the additional policy instance.
To view the combined effect of multiple policies, click View Effective Policy.
You can view the effective policy at any time from the Assigned Policies tab of the System Tree.
5 Click OK.
See also
How policies work on page 31
Information compiled in Observe mode is available by running queries, then viewing the results in reports or
monitors.
If current settings adversely affect network browsing patterns, adjust settings before disabling Observe mode.
When you disable Observe mode, Web Control enforces policy settings.
See also
Specify enforcement behavior for specific actions on page 34
How policies work on page 31
Best practice: Only disable Web Control to perform tests or troubleshoot network connection problems. Make
sure to re-enable Web Control when you are done.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
5 Click Save.
6 Run an agent wake-up call to apply the setting immediately, or wait for the next automatic agent-server
communication.
See also
Policies and Web Control on page 29
How web gateway enforcement works on page 14
How Web Control and McAfee Client Proxy work together on page 13
• The CLSID for the Web Control Browser Helper Object (BHO) is
{B164E929-A1B6-4A06-B104-2CD0E90A88FF}.
• Chrome
For information, see Set Chrome policies for devices.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
6 Click Save.
See also
Dashboards, monitors, and Web Control on page 41
Queries, reports, and Web Control on page 43
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
5 Click Save.
See also
Policies and Web Control on page 29
How McAfee GTI works on page 17
Scan files before downloading on page 35
Evaluating policy settings with Observe mode on page 32
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
4 In Action Enforcement, select the action (Allow, Warn, or Block) for sites not yet verified by McAfee GTI.
5 Click Save.
See also
Policies and Web Control on page 29
How McAfee GTI works on page 17
Customize user notifications for blocked content on page 40
If users specify the complete URL to a file whose reputation is not malicious, Web Control allows the file
download, even if the site is blocked.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
4 Select Enable file scanning for file downloads, then select the sensitivity level.
See also
How file downloads are scanned on page 16
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
5 Click Save.
See also
Policies and Web Control on page 29
Manage blocked and allowed sites on page 37
Web Control uses Yahoo as the default search engine and supports Secure Search on Internet Explorer only.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
4 Select Enable Secure Search, select the search engine, then specify whether to block links to risky sites.
If you change the default search engine, restart the browser after enforcing the policy on the client system.
The next time the user opens Internet Explorer, Web Control displays a pop-up prompting the user to
change to McAfee Secure Search with the specified search engine. For Internet Explorer versions where the
search engine is locked, the Secure Search pop-up doesn't appear.
5 Click Save.
See also
Policies and Web Control on page 29
Task
1 Configure Web Reporter settings.
a Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
e In Event Logging, select Send browser page views and downloads to Web Reporter and configure the Web Reporter
server settings.
b From Endpoint Security Web Control, select Send Web Reporter Logs, and create and assign the new task.
c On the Schedule page, set the schedule for the task. Select Enable Randomization and set the randomization
period.
Best practice: Because large amounts of data can be transferred when the logs are sent, set the client
task to run on a randomized schedule.
For information about client tasks and the Client Task Catalog, see the McAfee ePO documentation.
See also
How Web Control works with Web Reporter on page 17
Client tasks and Web Control on page 20
How policies work on page 31
Use the policy options for Enforcement Messaging to customize the message that is displayed to users for
blocked and warned downloads.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
Action: Add allowed or blocked sites to the Block and Allow List.
Steps: On the Block and Allow List tab:
1 Click Add.
Action: Delete sites from the Block and Allow List.
Steps: On the Block and Allow List tab, select the checkbox next to a site, then click Delete.
Action: Change information (URL, site pattern, or comment) for a site.
Steps: On the Block and Allow List tab:
1 Select the checkbox next to a site, then click Edit.
Action: Search the Block and Allow List. This feature is useful for finding sites in large lists.
Steps: On the Block and Allow List tab:
1 Enter a URL, site pattern, or text in the Search field.
2 Click Search.
Web Control searches all site patterns and comments in the list and shows matches.
To remove the search criteria and redisplay the list, click Clear.
Action: Test whether specific sites or site patterns are included in the Block and Allow List. For example, when a Block and Allow List is implemented as a multiple-instance policy, use these steps to test the resulting effective policy.
Steps: On the Block and Allow List tab:
1 Enter a URL or partial URL in the Search field.
2 Click Test Pattern.
Web Control displays any site patterns that match your entry. If no site patterns are displayed, the list allows access to the specified URL.
To remove the test criteria and results, click Clear.
5 Click Save.
See also
How site patterns work on page 25
Policies and Web Control on page 29
Customize user notifications for blocked content on page 40
The Browser Control settings require that Self Protection is enabled in the Common settings.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
4 Select the browsers to block from being started on the client systems.
5 Click Save.
See also
Policies and Web Control on page 29
Supported and unsupported browsers on page 10
Specify rating actions and block site access based on web category
Specify actions, based on safety ratings, to apply to sites and file downloads in the Content Actions settings. You
can also block or allow sites in each web category.
Web Control applies the rating actions to sites in the unblocked categories specified in the Web Category
Blocking section under Advanced.
Use the settings in Enforcement Messaging to customize the message to display for blocked and warned sites
and file downloads, and blocked phishing pages.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
4 In the Web Category Blocking section, for each Web Category, enable or disable the Block option.
For sites in the unblocked categories, Web Control also applies the rating actions.
5 In the Rating Actions section, specify the actions to apply to any sites and file downloads, based on safety
ratings defined by McAfee.
These actions also apply to sites that web category blocking doesn't block.
6 Click Save.
See also
Policies and Web Control on page 29
Using safety ratings to control access on page 26
Using web categories to control access on page 27
The notification appears on client systems in the language configured for the client software, if you create the
notification in that language.
Task
1 Select Menu | Policy | Policy Catalog, then select Endpoint Security Web Control from the Product list.
5 Add an image, such as your company logo, to warn or block pages by specifying the URL link to the image.
6 Click Save.
See also
Policies and Web Control on page 29
How Web Control blocks or warns about a site or download on page 13
Contents
Dashboards, monitors, and Web Control
Queries, reports, and Web Control
Server tasks and Web Control
Events, responses, and Web Control
Dashboards are collections of monitors that track activity in your McAfee ePO environment.
In addition to the default Web Control dashboards, Web Control contributes monitors to several Common
dashboards.
Custom dashboards
Depending on your permissions, you can create custom dashboards and add monitors using default Endpoint
Security queries.
See also
Frequently asked questions on page 21
Permission sets and Web Control on page 19
Track browser events to use for reports on page 34
Queries are questions that you ask McAfee ePO, which returns answers as charts and tables. Reports enable you
to package one or more queries into a single PDF document, for access outside of McAfee ePO.
Similar information is available by accessing activity logs from the Endpoint Security Client on individual
systems.
You can view query data only for resources where you have permissions. For example, if your permissions grant
access to a specific System Tree location, your queries return data only for that location.
Default queries
The module adds default queries to McAfee Groups. Depending on your permissions, you can use them as is,
modify them, or create custom queries from events and properties in the McAfee ePO database.
• Endpoint Security Web Control: Top 100 Red Sites on Allow List
• Endpoint Security Web Control: Web Content Categories that Caused the Most Infections in the Last 7 Days
Custom queries
The module adds default properties to the Endpoint Security feature group. You can use these properties to
create custom queries.
For information about queries and reports, see the McAfee ePO documentation.
See also
Frequently asked questions on page 21
Permission sets and Web Control on page 19
Track browser events to use for reports on page 34
Server tasks are scheduled management or maintenance tasks that you run on your McAfee ePO server. Server
tasks enable you to schedule and automate repetitive tasks. Use server tasks to monitor your server and
software.
Depending on your permissions, you can use default server tasks as is, edit them, or create new server tasks
using McAfee ePO.
• Export Policies: Downloads an XML file that contains the associated policy.
• Export Queries: Creates a query output file that can be saved or emailed.
• Roll Up Data: Rolls up system or event data from multiple servers at the same time. Select Endpoint Security Web Control Rolled-Up Events, Endpoint Security Web Control Rolled-Up Systems, or Endpoint Security Rolled-Up Threat Events for the Data type.
For information about server tasks, see the McAfee ePO documentation.
See also
Permission sets and Web Control on page 19
Roll up system or event data for Endpoint Security on page 45
Events, responses, and Web Control on page 46
Task
1 Select Menu | Automation | Server Tasks, then click New Task.
2 On the Description page, type a name and description for the task, and select whether to enable it, then
click Next.
• Selected registered servers — Select the servers you want, then click OK.
b Select the Additional Types: Configure link, and select the Endpoint Security types you want to include.
b Click Additional Types: Configure, and select the Endpoint Security types you want to include.
In McAfee ePO, you can define which events are forwarded to the McAfee ePO server. To display the complete
list of events in McAfee ePO, select Menu | Configuration | Server Settings, select Event Filtering, then click Edit.
Set up a Purge Threat Event Log server task to purge the Threat Event Log periodically.
For information about Automatic Responses and working with the Threat Event Log, see the McAfee ePO Help.
See also
Server tasks and Web Control on page 45
Contents
Enable the Web Control plug-in from the browser on a client system
Get information about a site that you're viewing
Get information about a site from search results
Enable the Web Control plug-in from the browser on a client system
Depending on settings, you must manually enable the Web Control plug-in to be notified about web-based
threats when browsing and searching.
Plug-ins are also called add-ons in Internet Explorer and extensions in Firefox and Chrome.
When you first start Internet Explorer or Chrome, you might be prompted to enable plug-ins. For the latest
information, see Knowledge Base article KB87568.
Task
• Depending on the browser, enable the plug-in.
3 Restart Firefox.
In Internet Explorer, if you disable the Web Control toolbar, you are prompted to also disable the Web Control
plug-in. If policy settings prevent uninstalling or disabling the plug-in, the Web Control plug-in remains
enabled even though the toolbar isn't visible.
See also
Enable Web Control and configure its options on a client system on page 51
• The Hide the toolbar on the client browser option in the Options settings must be disabled.
Task
1 Display the menu:
Internet Explorer
Click the button in the toolbar.
Firefox
When Internet Explorer is in full-screen mode, the Web Control toolbar doesn't appear.
Chrome
Click the button in the address bar.
Safari
2 (Internet Explorer and Firefox only) Display a summary of the safety rating for the site: Hover the cursor over
the button in the browser.
3 Display details about the site, including analysis results, rating, and category:
a Click the button on the browser and select View Site Report.
The View Popular Domains page opens in another browser window.
See also
Identifying threats while browsing on page 11
Site reports provide details on page 12
Task
1 Hover the cursor over the safety icon.
A balloon displays a high-level summary of the safety report for the site.
2 Display details about the site, including analysis results, rating, and category:
a Click Read site report in the balloon.
The View Popular Domains page opens in another browser window.
See also
Identifying threats while searching on page 12
Site reports provide details on page 12
Contents
Enable Web Control and configure its options on a client system
Specify rating actions and block site access based on web category on a client system
Task
1 Open the Endpoint Security Client.
Or, from the Action menu, select Settings, then click Web Control on the Settings page.
4 Click Options.
5 Select Enable Web Control to make Web Control active and change its options.
7 Click Apply.
See also
How file downloads are scanned on page 16
How McAfee GTI works on page 17
Enable the Web Control plug-in from the browser on a client system on page 47
Specify rating actions and block site access based on web category on a
client system
Specify actions, based on safety ratings, to apply to sites and file downloads in the Content Actions settings. You
can also block or allow sites in each web category.
Task
1 Open the Endpoint Security Client.
Or, from the Action menu, select Settings, then click Web Control on the Settings page.
5 In the Web Category Blocking section, for each Web Category, enable or disable the Block option.
For sites in the unblocked categories, Web Control also applies the rating actions.
6 In the Rating Actions section, specify the actions to apply to any sites and file downloads, based on safety
ratings defined by McAfee.
These actions also apply to sites that web category blocking doesn't block.
7 Click Apply.
See also
Using web categories to control access on page 27
Using safety ratings to control access on page 26
How safety ratings are compiled on page 15
Contents
Check the Event Log for recent activity
Web Control log file names and locations
Task
1 Open the Endpoint Security Client.
The page shows any events that Endpoint Security has logged on the system in the last 30 days.
If the Endpoint Security Client can't reach the Event Manager, it displays a communication error message. In
this case, reboot the system to view the Event Log.
3 Select an event from the top pane to display the details in the bottom pane.
To change the relative sizes of the panes, click and drag the sash widget between the panes.
By default, the Event Log displays 20 events per page. To display more events per page, select an option
from the Events per page drop-down list.
See also
Web Control log file names and locations on page 55
All activity and debug log files are stored in the following default location:
%ProgramData%\McAfee\Endpoint Security\Logs
Each module, feature, or technology places activity or debug logging in a separate file. All modules place error
logging in one file, EndpointSecurityPlatform_Errors.log.
Enabling debug logging for any module also enables debug logging for the Common module features, such as
Self Protection.
See also
Check the Event Log for recent activity on page 55