What’s new in the latest major WebMonitor update?

A new release for GFI WebMonitor is available today so we caught up with Calin Ghibu, product manager, to learn more about the release and what makes this update truly special.

1. What is exciting for businesses in this release?

I am very excited about this release because we have taken the intelligent web activity-monitoring feature in GFI WebMonitor to the next level. While the product does great in accurately reporting on how the Internet is being used company-wide, we believe that in order to further simplify IT admins’ lives, we need to help them understand the context around the data delivered by the product. This is why we introduced WebInsights; a new analytics engine that performs behavioral analysis for the entire web activity and then puts a historical context around three main areas of interest: bandwidth consumption, security concerns and potential productivity loss areas.

2. This means it would be unfair to classify WebInsights as a reporting tool. Can you explain why?

WebInsights is definitely not a reporting tool. It performs two main functions. The data analytics engine uses a series of averages calculated using historical data to define what is “normal” for a specific environment in terms of bandwidth, security and productivity loss. WebInsights also has a new selection of interactive dashboards that present the results of the analytics engine in conjunction with the current web activity monitoring parameters. The great thing about these dashboards, and a key differentiator, is that they are interactive. IT admins may choose the analytics parameters in order to see where they stand on an hourly, daily, weekly or monthly basis when compared to the “normal trend”. WebInsights allows the admin to create a baseline against which future comparisons are made. At the same time, the dashboards give you the ability to drill-down, allowing IT admins to interact with the graphs and learn more about particular points of interest without generating reports or manually filtering the data.

3. What are the benefits of having access to such data in near real time?

The main benefit of WebInights, and what makes it a key differentiator from competitors’ products, is the ability to understand what the numbers mean and in turn, help the sysadmin decide what action to take. In the past IT admins could see certain values for bandwidth consumption or security concerns but these figures were not analyzed in a historical context. If they had to do so manually, they would not know if numbers are normal or abnormal, and more importantly, if the numbers are a sign that they need to take action. Here is a simple example:

Without WebInsights (how competitors’ software reports on data):

Today you have consumed 35 GB of bandwidth and there were 12 security concerns identified by the product (as blocked access to malicious websites or infected downloads).

An IT admin would not know if this activity is normal for his environment and would have to look through significant volumes of data in order to notice if something is wrong and some action is required.

With WebInsights:

Today you have consumed 35 GB of data and there were 12 security concerns identified. You are 20% below (or above) your daily (or hourly/weekly/monthly) average, here are the peak hours (or days/weeks) and the top contributing users.

Equipped with such information, an IT admin knows immediately where he stands from the point of view of web activity. If the current data reads above (or close to) normal, he immediately sees the peak periods and top users contributing to current status. The IT admin can also take this further and drill down by period or user in order to identify specifics that led to the situation at hand. All this with just a few clicks. Based on this information, the IT admin can then take immediate action and further restrict access to certain websites or adjust quotas for certain users. This way, the situation is addressed and web activity returns to normal. Same goes for the security concerns. Having the ability to identify periods and users generating peak security concerns is critical in order to identify potentially compromised computers. If you normally have 50 malicious websites blocked per day, and 20 attempts to download infected files, you would need to be alerted if half way through the day, 500 malicious URLs were blocked and 200 infected files were detected. Peaks in security-related activity are usually generated by malware penetrating defenses and running at endpoint level, or by malicious users operating the endpoints. The ability to identify immediately those users and/or computers generating peaks is very important when the admin needs to mitigate and address security risks.

4. Are there other new features?

Yes, this new release comes with significant improvements particularly when it comes to the accuracy and performance of our HTTPS inspection technology. With more than 65% of websites already using HTTPS, the ability to maintain functionality and scalability when dealing with HTTPS websites is very important. Products which do not perform HTTPS inspection accurately cannot cover for 65% of web activity. At the same time, we improved the way policy exceptions are being handled in the product. In previous versions, if a user believed he was erroneously prevented from accessing a website, or if he or she needed exceptional access to a certain web resource, the only way to request it was by calling or emailing the IT admin. With this release, we have included functionality to request access to websites via a button in the blocking page being served to a user when he or she is prevented from accessing a web resource. Users can now request access with a single click and this action will fire an alert in the notification center of the main console. The IT admin can then see the request in real time, as well as the website requested. Like that, (and with a single click) access is granted or denied for a configurable period without having to edit policies manually.

5. What can we expect in future versions of GFI WebMonitor?

We have already started working on delivering a web filtering and security functionality as a transparent proxy, with major benefits in terms of ease of use. We will also be enhancing the product’s intelligence to enable GEO IP-based filtering use cases: i.e. block requests to websites hosted in certain countries and deliver insights into which are the counties “visited” by the users. Next, we will be expanding on our application control abilities and handle applications connecting to the internet on any port or protocol, not just HTTP/HTTPS, with major benefits for DLP, security and productivity use cases.

For more information about GFI WebMonitor or to try the latest version free for 30 days click here.

Konstantin Lemzikov April 2, 2015 at 4:26 pm
Thanks for describing the new features of the new WebMonitor release. I’m not sure if WebInsights will be really helpful in our company environment, but deep SSL inspection and application control are highly demanded features. I’m going to install and test this release immediately.
I’ve been GFI customer since 2003, starting from GFI DownloadSecurity. It had a very useful feature — checking archive (i.e. zip, rar etc) contents against file type polcy. For example, if the administrator denies download of music and video, DownloadSecurity was able to open .zip files downloaded by user and stop them if they contained .mp3. There are lots of pirate sites where anyone could get counterfeight music files packed in zip or rar archives. This GFI DownloadSecurity feature greatly helped not only to save bandwidth, but also ensure law compliance. Moreover, it could prevent from new malware spreading by blocking archived executebles. It really saved our systems many times.
Alas, starting from WebMonitor 4 release this feature is unavailable. Every year since 2007 I ask GFI representatives to implement this feature back but it haven’t done so far. I wonder why? Every time they replies “yes, it’s useful, we’ll implement it in service pack or the next release” but…
There are many products on the market with comparable features as GFI WebMonitor but this simple addon could add a lot of value for WebMonitor. And push the sales, too.
1. Melanie Hart April 6, 2015 at 2:05 pm
  Hi Konstantin,
  Thank you for your feedback!
  The ability to look into archives implies (actually enforces) you to have the entire file available, meaning you cannot unzip chunks of a zip file yet. Maybe compression will evolve into that at some point similar to how AV software evolved into being able to find malicious code in chunks of files without having the entire file available. This means our product would have to download all files, including infected ones, thus consuming bandwidth and going against its own nature since the product is there to save bandwidth and keep your network secure.
  In order to deliver what you are requesting, GFI WebMonitor would need to download each and every file (when file type is an archive) for each and every one of your users, then unzip it, look into whatever there is inside, and figure out if to block it or not. Some files can be GB large and would take tens of minutes to download. This in turn would affect the end user where they would have to wait for the 5GB zip to download before the software figures out whether it is legitimate or not.
  The entire point of the product is to save bandwidth (decide if a file is to be blocked BEFORE it is download entirely) and keep malicious files away from the premises (and not download them on your internet gateway). Consequently, the product does real file type checking and real time AV scanning on the fly, as chunks of files are being downloaded. This allows us to know a file type or know if a file is infected (or suspicious) out of several few Kb chunks – well before the file is completely downloaded.
  These are the reasons why this feature did not yet get implemented in the form you request it. However, the above does not mean that ability to look into archive is not important. It is and we know it is, especially since some well-known file formats like docx are in fact archives of xml files.
  So, as the product evolves, it will include more caching features which will allow us to implement this functionality, while we also deliver additional value (caching reduces bandwidth when the same content is downloaded by multiple users). At that point, the option to look into archives will be available. However, we do not have a public timeline of when this is going to happen.
  Sergey Poptsov April 16, 2015 at 11:33 am
  Hello, thx for reply.
  I understand that for AV checking you should download archived file etc, but I think AV checking and file type checking are different functions, no? Why you cant check only file types in archive, without AV checking and If its allowed , you can download file and check with AV too.
  Melanie Hart April 22, 2015 at 12:29 pm
  Hello Sergey,
  Many thanks for your comment. I’ll be sending you an email to explain this in more detail.
Konstantin Lemzikov April 7, 2015 at 3:39 pm
Hi Melanie,
Thank you for such comprehensive answer. Alas, I hear absolutely the same arguments every year, and I still disagree.
First of all, as I was told by GFI engineers, all file checking is performed on the step-by-step basis. Is the site legit for this user? – Yes, proceed further. Is the file name and extension allowed? – Ok, let’s start to download. – Is the real file type the same as extension? – Well, test it with AV engines. – No problems? – Save to the cache and give the file to user. Of course, this description is simplified and the order could slightly differ from implementation. And put somewhere in between bandwidth control, protocol analysis, time restrictions, DLP and other features. I do hope the real algorithm is not as simple and linear to provide both security and performance. And I believe GFI programmers are able to put more steps into this to improve the product, right?
Second, as IT security specialist I do know how modern malicious code looks like. You could catch the malicious script written on JS or PHP on the fly, but to find an encrypted trojan or virus in the executable you SHOULD have the complete file, or your protection is just profanation. So, there is a step when the system can process the file and decide is it worth to continue the processing or it’s time to stop it.
Third, as you said, WebMonitor includes caching feature to save the bandwidth. So, it’s possible to check archive contents before caching the file and, if it doesn’t comply to the download policy, don’t give the rest of the file to user.
Finally, there are a lot of ways how to implement this feature. I think the main objection is not technical but political decision. A time ago somebody said “we don’t need it” and this point is kept, giving the same arguments with every WebMonitor release. The feature I asking for WORKED in the GFI DownloadSecurity! See WebMonitor review at http://www.shortinfosec.net, in 2010 they mentioned that download control could be easily evaded by putting the forbidden files in archive or embedding into .doc file. Anybody cares? Nope.
When the product was changed to WebMonitor I was told “we rewrite it from the scratch and not all features are returned yet”. It seems GFI management decided not to focus on security features and bug fixing but rather implement all-new-and-shiny drag-and-drop interface (which is quite slow and glitchy btw). Even a cursory glance at feedback.gfi.com shows that there are a lot of things to improve and fix. Unfortunately it won’t lead to the new version and sales growth. All I want is make WebMonitor better or at least not less functional than 7 years ago.
1. Melanie Hart April 22, 2015 at 12:32 pm
  Hello Konstantin,
  Once again, thank you for your feedback. I will be sending you an email with some more information on this matter.

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.

What’s new in the latest major WebMonitor update?

1. What is exciting for businesses in this release?

2. This means it would be unfair to classify WebInsights as a reporting tool. Can you explain why?

3. What are the benefits of having access to such data in near real time?

4. Are there other new features?

5. What can we expect in future versions of GFI WebMonitor?

About the Author: Melanie Hart

6 Comments

What’s new in the latest major WebMonitor update?

1. What is exciting for businesses in this release?

2. This means it would be unfair to classify WebInsights as a reporting tool. Can you explain why?

3. What are the benefits of having access to such data in near real time?

4. Are there other new features?

5. What can we expect in future versions of GFI WebMonitor?

Get your free 30-day trial

Get your free 30-day trial

About the Author: Melanie Hart

6 Comments