New categories and category changes will automatically be updated in your product on April 3, 2010 for CyBlock Versions 6.0.0 and later or Cyfin Versions 8.0.0 and later.  If you do not have these versions of the product, you will need to upgrade to the most current version in order to get the new categories and category changes.

For CyBlock, these categories will be allowed by default. Therefore, you will need to go to your Advanced Settings - Filter Settings - Block Web Categories screen and alter your policies.  For reporting and monitoring purposes, you may also want to change the new category’s classification statuses at the Advanced Settings - Category Setup - Classification screen to match your organization’s Acceptable Use Policy.

See the Category Update Data Sheet for a full list of categories and their descriptions.

Facebook has set up their site so that if a user types “www.www.facebook.com”, they will be able to access it through any Web filtering proxy blocking www.facebook.com.  Users can even type in variations, such as “www.www.www.facebook.com” or “hello.www.www.facebook.com” to get access to Facebook.

If users are accessing Facebook by using one of these many variations, it will not show up in reports under the category of Social Networking.  Instead, the URL is categorized as “Other” and is displayed this way in reports.

For now, to prevent users from accessing the site using these variations and to categorize these variations as Social Networking, you need to add the URL as a wildcard to the Social Networking category. To do this, follow the below instructions.

1. Go to Advanced Settings – Category Setup and click on the Edit URLs link.
2. Use the Select Category pulldown and select Social Networking.
3. In the text entry area for Custom URLs, type in the wild card URL *.facebook.com.  If you want to block any time the term facebook shows up in a URL, type in the wild card *.facebook.*

The Wavecrest Development Team is currently looking into alternatives to better handle these types of site variations within the Wavecrest Control List while maintaining speed and scalability in our products.

From time to time we are asked, “What is the purpose of the ‘IP Address’ category used by Wavecrest products?” The short answer is — it’s used to capture and segregate the IP addresses of Web sites that the product was unable to associate with ‘regular’ categories. Customers can then analyze them to identify network security threats, traffic to intranet sites, or other patterns of interest.

Here’s a bit more detail.

First note that our products identify many IP addresses and place them in content categories. The Wavecrest URL (control) list contains many such addresses.

Unfortunately though, initially unidentifiable IP addresses still appear from time to time. Generally speaking, we see three types, i.e., addresses associated with:

1. Internal (and partner) Web pages
2. Innocent links on Web sites
3. Possible malware or virus servers

When the product encounters any of these three types, it places them in a special ‘IP Address’ category. Customers can then run reports on that category the same way they do on any other category. In addition, if the customer runs a Top Non-Categorized report, the uncategorized IP addresses will be listed along with uncategorized domain names.

Because the traffic associated with unidentified IP addresses can be important or even dangerous, it’s obviously desirable to pursue the matter further. So what can be done? Well, with a bit of work—and in some cases with some help from Wavecrest—it is possible to:

• determine the source and purpose of most of the addresses
• categorize the legitimate ones
• isolate/neutralize the malicious ones

Let’s see how this is done. We’ll take it one ‘type’ at a time.

1. Internal and Partner Web Pages. Some unidentified IP addresses may have resulted from users going to internal (intranet) or partner sites. (These normally would not be in the Wavecrest URL list.) To address this issue, start by running a Top Non-Categorized Sites Report or IP Address Category Report. Using your local knowledge, try to determine the IP addresses of those sites and then enter the information in one or more custom categories. (Instructions on how to create custom categories can be found in our manual.)
2. Innocent links on Web Sites. These addresses could be associated with image or ad servers. If you want to address this issue, send a copy of a Top Non-Categorized Sites (“OtherWise”) Report to Wavecrest (sites@wavecrest.net). Our categorization team will then research and categorize the unidentified IPs for you the same way they categorize domains. If you would like to identify the IPs yourself, you can use IP address lookup tools such as the one available from http://www.networksolutions.com. This tool will provide you with information about the owner of the IP address(es) of interest. For example, the owner of the IP address could be a marketing company that serves ads, or it could be an image server. Once identified, if you desire, you can add the addresses to one or more custom categories.
3. Possible Malware or Virus Servers. Some of the unidentified IP addresses could be associated with malware, spyware or virus servers. The clue here is very high around-the-clock traffic. This is an indication that the user’s computer has been infected or attacked. The solution in these cases is to isolate the internal computer(s) and remove the malware/spyware or virus. Here’s an approach you can use to help solve this problem.

• Using the Dashboard, run a Trend report on the IP Address category and look for any unusual spikes. If you see anything suspicious then …
• Run a category audit on the IP Address category and look for large amounts of activity coming from a particular PC(s). Make a note of the IP address(es) and then scan for infected files.

Summary. The IP address category was created to be a ‘red flag.’ Its purpose is to alert you that further action may be needed to resolve problems or to simply give you a more complete and comprehensive picture of all Web activity.