Sophos Web Appliance: Sophos URL Classifications

The WS1000 web appliance uses security risk classifications assigned by SophosLabs to assess the website requests made by your users. The classifications are defined in a list of URLs which is maintained by SophosLabs and is updated several times a day. The WS1000 stores a copy of the current classifications and checks for updates periodically.

The WS1000 takes different actions depending on the security risk classification of the requested URL:

High Risk: These sites have been analyzed by SophosLabs and host malicious content that can compromise network security. These sites are always blocked.

Medium Risk: These sites have been analyzed by SophosLabs and have a history of poor privacy or security practices that may compromise network security. By default, the WS1000 scans these sites before allowing access.  You can override this default action by setting the WS1000 to block access to these sites.

Low Risk: These sites have no recent history of malicious content or behavior. These sites are periodically reviewed by SophosLabs to verify site contents. When a low risk site is requested, the WS1000 scans it before allowing access.

Trusted: These sites are entered by the administrator and are not analyzed or reviewed by SophosLabs. Enter only sites that meet strict security criteria as they will not be scanned before access is granted.

Unclassified: These sites have not yet been analyzed or reviewed by SophosLabs and may compromise network security. By default, the WS1000 treats these sites as low risk sites.  The other choices are to treat them as medium risk or high risk sites.

Using the information in the Sophos URL Risk Classifications

Understanding this classification process can help you, as a WS1000 administrator, to decide:

• What action the WS1000 should take when it receives requests for medium risk and unclassified sites
• Which sites to enter into Add Local Classifications - this is the list that you can create to extend the coverage to sites not listed in the Sophos Classifications, or to override the threat severities and the categorizations of that list.

For more information about how to configure these settings, in the appliance software, click Help > Configuration > Global Policy, and read the 'Security Filter' and 'Add Local Classifications' sections.

Reviewing URL risk classification

A mechanism is available in the WS1000 that allows the administrators to submit URLs to Sophos that the end users have marked as being misclassified using the "allow user feedback" feature. These URLs are placed in a queue for manual review by SophosLabs and are reclassified, if appropriate.

To submit misclassified URLs to Sophos, go to the Configuration > Global Policy > General Options page and select the option to "Ensure sharing of non-user identifiable data with SophosLabs to improve protection". 

For more information about the allow user feedback feature, click Help > Configuration > Group Policy > Default Policy, and read the 'Allow User Feedback' section.