Malicious URL Categories
Focus
Focus

Malicious URL Categories

Table of Contents
End-of-Life (EoL)

Malicious URL Categories

We strongly recommend that you block the URL categories that identify malicious or exploitive content. To get started, you can clone the default URL Filtering profile which blocks malware, phishing, and command-and-control URL categories by default. The default URL Filtering profile also blocks the abused-drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block these URL categories depends on your business requirements. For example, a university probably won’t want to restrict student access to most of these sites because availability is important, but a business that values security first may block some or all of them.
  • command-and-control
    —Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data.
  • malware
    —Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
  • phishing
    —Known to host credential phishing pages or phishing for personal identification. This includes web content that covertly attempts to fool the user in order to harvest information, including login credentials, credit card information – voluntarily or involuntarily, account numbers, PINs, and any information considered to be personally identifiable information (PII) from victims via social engineering techniques. Technical support scams and scareware are also included as phishing.
  • grayware
    —Websites and services that do not meet the definition of a virus or pose a direct security threat but displays obtrusive behavior and influences users to grant remote access or perform other unauthorized actions. Grayware includes scams, illegal activities, criminal activities, get rich quick sites, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or hijackers that change the elements of the browser. Typosquatting domains that do not exhibit maliciousness and is not owned by the targeted domain will be categorized as grayware. Prior to Content release version 8206, the firewall placed grayware in either the malware or questionable URL category. If you are unsure about whether to block grayware, start by alerting on grayware, investigate the alerts, and then decide whether to block grayware or continue to alert on grayware.
  • dynamic-dns
    —Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
  • unknown
    —Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
    PAN-DB Real-Time Updates learns unknown sites after the first attempt to access an unknown site, so unknown URLs are identified quickly and become known URLs that the firewall can then handle based on the actual URL category.
  • newly-registered-domain
    —Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
  • copyright-infringement
    —Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
  • extremism
    —Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
  • proxy-avoidance-and-anonymizers
    —URLs and services often used to bypass content filtering products.
  • questionable
    — Websites containing tasteless humor, offensive content targeting specific demographics of individuals, or groups of people.
  • parked
    —Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identify information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
For categories that you decide to alert on, instead of block, you can very strictly control how users interact with site content. For example, give users access to the resources they need (like developer blogs for research purposes or cloud storage services), but take the following precautions to reduce exposure to web-based threats:
  • Follow the Anti-Spyware, Vulnerability Protection, and File Blocking best practices. A protective measure would be to block downloads of dangerous file types and blocking obfuscated JavaScript for sites that you are alerting on.
  • Target decryption based on URL category. A good start would be to decrypt high-risk and medium-risk sites.
  • Display a response page to users when they visit high-risk and medium-risk sites. Alert them that the site they are attempting to access is potentially malicious, and advise them on how to take precautions if they decide to continue to the site.
  • Stop credential theft by blocking users from submitting their corporate credentials to sites including those that are high-risk and medium-risk.

Recommended For You