User Guide
HOW WEB REPUTATION FILTERING WORKS
CHAPTER 14: WEB REPUTATION FILTERS 313
HOW WEB REPUTATION FILTERING WORKS
Web Reputation Scores are associated with an action to take on a URL request. The available
actions depend on the policy group type that is assigned to the URL request:
• Access Policies. You can choose to block, scan, or allow.
• Decryption Policies. You can choose to drop, decrypt, or pass through.
You can configure each policy group to correlate an action to a particular Web Reputation
Score.
Web Reputation in Access Policies
Table 14-1 describes the default Web Reputation Scores for Access Policies.
For example, by default, URLs in an HTTP request that are assigned a Web Reputation Score
of +7 are allowed and require no further scanning. However, a weaker score for an HTTP
request, such as +3, is automatically forwarded to the IronPort DVS engine where it is
scanned for malware. Any URL in an HTTP request that has a very poor reputation is blocked.
Table 14-1 Default Web Reputation Scores for Access Policies
Score Action Description Example
-10 to -6.0 Block Bad site. The request is blocked,
and no further malware scanning
occurs.
• URL downloads information without
user permission.
• Sudden spike in URL volume.
• URL is a typo of a popular domain.
-5.9 to 5.9 Scan Undetermined site. Request is
passed to the DVS engine for
further malware scanning. The
DVS engine scans the request
and server response content.
• Recently created URL that has a dynamic
IP address and contains downloadable
content.
• Network owner IP address that has a
positive Web Reputation Score.
6.0 to 10.0 Allow Good site. Request is allowed.
No malware scanning required.
• URL contains no downloadable content.
• Reputable, high-volume domain with
long history.
• Domain present on several allow lists.
• No links to URLs with poor reputations.