Threat Protect leverages data from reputable third-party sources to provide protection against malicious domains and sites that employ malware, botnets, exploits, and spam. Conventional security tools and software, by contrast, focus on securing the end device or the communication layer.
Threat Protect domain lists are categorized into the following feed categories:
- High—a list of suspected domains that have been associated with malicious activity within the last 60 days.
- Medium—a list of suspected domains that have been associated with malicious activity between 60 and 120 days ago.
- Low—a list of suspected domains that have been associated with malicious activity more than 120 days ago.
- Unverified—a list of possible suspected domains that have not yet been reviewed and classified.
- DoH—a list of public servers known to perform DNS resolution over HTTPS (DoH).
MDDS appliances in Micetro can consume these feeds and use them to block DNS queries for the specified domain names.
BlueCat Threat Protect uses DNS response policies to allow administrators to define hosts and zones they want to block. You can manually define DNS response policies from the Threat Protect section of the Admin page's Configuration tab.
For instructions on how to define response policies, refer to Creating response policies. Once you define response policies, you can configure Micetro to log related events, and configure these logs to be forwarded to a syslog server for further examination.
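The following added example (not Micetro's or BlueCat's own code) illustrates the mechanics described above end to end: a constructed feed is sorted into the High, Medium, Low and Unverified categories using the 60-day and 120-day thresholds, the enabled categories are rendered as BIND-style response policy zone (RPZ) rules, and a handful of sample DNS queries are checked against the resulting blocklist, producing a syslog-style line for each blocked query. The feed format, the RPZ rendering and the log-line format are assumptions; the page does not describe the formats Micetro actually uses.

```python
"""Added illustration of threat-feed categorization and DNS response policies.
Example code only; feed layout, RPZ rendering and log format are assumed."""

# Constructed sample feed: (domain, days since last observed malicious
# activity, reviewed flag). days is None when no review has happened yet.
SAMPLE_FEED = [
    ("bad-example.test", 5, True),
    ("stale-example.test", 90, True),
    ("old-example.test", 200, True),
    ("unknown-example.test", None, False),
]


def categorize(days_since_activity, reviewed):
    """Map one feed entry to High/Medium/Low/Unverified using the page's
    age thresholds (60 and 120 days)."""
    if not reviewed or days_since_activity is None:
        return "Unverified"
    if days_since_activity <= 60:
        return "High"
    if days_since_activity <= 120:
        return "Medium"
    return "Low"


def build_feeds(feed):
    """Group feed entries into the four per-category domain lists."""
    feeds = {"High": [], "Medium": [], "Low": [], "Unverified": []}
    for domain, days, reviewed in feed:
        feeds[categorize(days, reviewed)].append(domain)
    return feeds


def build_blocklist(feeds, enabled_categories):
    """Union of the domains in the categories an administrator chose to block."""
    blocked = set()
    for category in enabled_categories:
        blocked.update(feeds[category])
    return blocked


def rpz_records(blocklist):
    """Render a blocklist as BIND-style RPZ rules (assumed format): the domain
    and every subdomain are answered NXDOMAIN via 'CNAME .'."""
    lines = []
    for domain in sorted(blocklist):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


def is_blocked(qname, blocklist):
    """True if the query name equals a blocked domain or is a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve_with_policy(queries, blocklist):
    """Apply the policy to (client_ip, qname) pairs. Returns a list of
    (verdict, log_line); log_line is None for queries that pass. The log
    line layout is an assumption, not Micetro's event format."""
    results = []
    for client, qname in queries:
        if is_blocked(qname, blocklist):
            line = f"threat-protect: client={client} qname={qname} action=block"
            results.append(("NXDOMAIN", line))
        else:
            results.append(("PASS", None))
    return results


if __name__ == "__main__":
    feeds = build_feeds(SAMPLE_FEED)
    # Block High and Medium; leave Low and Unverified alert-only in this demo.
    blocklist = build_blocklist(feeds, ["High", "Medium"])
    print("\n".join(rpz_records(blocklist)))
    sample_queries = [  # constructed query log
        ("192.0.2.10", "www.bad-example.test."),
        ("192.0.2.11", "old-example.test."),
        ("192.0.2.12", "mail.stale-example.test."),
    ]
    for verdict, line in resolve_with_policy(sample_queries, blocklist):
        print(verdict, line or "")
```

Subdomain matching is what makes the wildcard rule necessary: a query for `www.bad-example.test` must hit the policy for `bad-example.test`, which is why the example walks the label suffixes of each query name rather than comparing the full name only.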
Activating Threat Protect
To activate and use Threat Protect, you need to upload a license. To upload a Threat Protect license:
- On the Configuration tab of the Admin page, select Threat Protect in the left sidebar.
- Select Upload license.
- Use the Select file button to select the license file from your local drive.
- Select Upload.
If the selected file does not contain a valid license, an error message will be displayed.