Go to the table of contents Go to the previous page Go to the next page View or print as PDF
URL analysis
Administrator Help | Forcepoint Email Security | Version 8.5.x
URL analysis examines email content for embedded URLs and classifies them according to a Forcepoint database of known spam URLs. When the filter detects a URL in a message from a selected category, it applies any configured filter response, such as removing the URL or modifying the URL to neutralize it. Configure the URL analysis filter on the page Main > Policy Management > Filters > Add (or Edit) Filter.
This filter uses one of the following services to perform URL analysis:
*
*
*
The Filtering Service URL analysis performance can be more efficient than the Linking Service because the Filtering Service can perform bulk URL queries, whereas the Linking Service cannot. See URL analysis for more information about selecting a URL analysis service and integrating with Forcepoint Web Security solutions.
Dashboard charts summarize the instances of embedded URLs detected by the filter. A URL Analysis message type appears in the message type or message analysis result fields in presentation reports and dashboard charts. See Available dashboard charts.
When the URL analysis filter triggers, the default action is to drop the message and save it to the spam queue, where it may be released and delivered by a Personal Email Manager user. As a result, a message that contains a malicious link may be delivered to an inbox in your network.
Multiple URL analysis policy rules can be configured to detect and contain malicious URLs so that they cannot be released by a Personal Email Manager end user. When you configure a URL Analysis filter for this case, ensure that all Security URL categories are selected in the URL Categories list. See Managing filter actions to create a URL analysis filter action for handling email that may contain a malicious URL.
Note 
Configure URL analysis filter
1.
Expand top-level categories; click the plus sign.
Select all sub-categories in a top-level category; when the category is expanded, click select all.
Deselect all sub-categories in a top-level category; click unselect all.
Select all categories; at the top of the URL Categories list, click All Categories.
 
Note 
See Managing filter actions for information about creating a URL analysis filter action for handling email that may contain a malicious URL.
1.
From Filter response, mark the check box for one or both of the following filter responses; Modify matching URLs and Bypass URL analysis if message size exceeds.
*
Selection displays options for modifying and neutralizing URLs. Select the desired response and notification options when a malicious URL is detected:
*
Neutralize URLs by rewriting the scheme and bracketing the last dot of the URL domain.
Selection changes a malicious URL as follows:
Before neutralization: http://www.malicious.com.ca/index.html
After neutralization :hXXp://www.malicious.com[.]ca/index.html
*
Enter the rewritten URL in the text field Rewritten URL or leave the field blank to remove URLs.
Enter the rewritten link text label in the text field Rewritten link text label or leave the field blank to remove link text labels.
*
(Optional) From the section Options, mark the check box Notify recipient when an email contains a modified URL.
In the text box, enter the desired notification text.
Maximum length of 8192 characters total, up to 990 characters per line; a line break is two characters. The %CATEGORY% variable can be used in the notification message to inform the recipient about the specific categories triggered by the filter.
Select where the notification should appear; Insert notification at top of message or Insert notification at bottom of message.
The default location is at the top of the message.
*
In the text field, enter a message size in KB (default is 3072).
Selection indicates to use message size to determine whether URL analysis is bypassed.
2.
The URL analysis filter is saved.
Custom URLs and link text labels
The following variables can be used to rewrite URLs and link text labels with custom settings:
*
*
*
*
*
*
*
The following table details examples of HTML links, HTML text, and plain text rewritten using the available variables.
 
Remove URL and neutralize URL
The following table details examples of removed and neutralized HTML links, HTML text, and plain text using the available variables.
 
Customize URL and customize link text
The following tables detail examples of customized HTML links, HTML text, and plain text using the variables %URI% or %LINKTEXT%. URLs and link text labels are removed when the text fields Rewritten URL or Rewritten link text label are left blank.
Keep original URL and keep link text
 
Neutralize URL and keep link text
 
Customize URL and customize link text
 
Remove URL and keep link text
 
Customize URL and keep link text
 
Remove URL and customize link text
 
Analysis of URLs in file attachments
URLs in supported attachments can be scanned and classified by the on-premises Email Security system according to the configured filter options. Classifiable URLs in attachments triggered by the filter settings are handled like any other email content by the URL analysis filter action. A file attachment that triggers the URL filter is classified as a URL analysis message. Only the first 50KB of content in the email attachment is scanned. Functionality is not available for the Email Security Hybrid module. URLs can be extracted and analyzed from within the following file types:
*
*
*
*
*
*
*
*
*
*
*

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2022 Forcepoint. All rights reserved.