This article explains the factors within Targeted Threat Protection (TTP) that may influence loading times during the URL scanning process, providing insights into how the system operates to maximize user safety. It is intended for Administrators.
Introduction
Mimecast's Targeted Threat Protection offers advanced security measures, including URL Protect, to safeguard users from malicious content.
Targeted Threat Protection URL Protect employs a variety of scanning techniques to ensure user safety while navigating the web. Factors such as network topology, the complexity of scanning layers, and the content of web pages can all influence loading times. Understanding these factors can help users set expectations regarding performance while benefiting from robust security measures.
Factors Influencing Loading Times
Scanning Techniques
URL Identification Process
Mimecast employs various scanning techniques to determine the destination and link/site map. This ensures that any potential redirection chains are followed completely.
Deep Scans
The most complex scenario involves deep scans, where the system fetches and loads all remote content linked to the URL. This includes:
- Content from the original website.
- Content from any redirects associated with the URL.
- Related content from other sites linked from the original destination as part of comprehensive content inspection.
Sandboxing
In addition, sandboxing is utilized for URLs linked to potentially malicious file downloads. This adds another layer of security but may also influence loading times.
Network Considerations
Network Topology
The topology of networks plays a crucial role in URL scanning and redirection. Various factors can introduce latency as traffic travels from the client to the server, including:
- Geographical distance between the client and server.
- Network congestion and performance issues.
- Firewalls and security measures that may intercept and analyze traffic.
Scanning Layers
The primary function of URL Protection is to rewrite links found in emails and scan them in real-time. This action involves several distinct types of scans that must occur in parallel before the content is presented to the user.
The different scanning layers include but are not limited to:
- Reputation Block Lists (RBLs): To check if URLs are known threats.
- Categorization Scans: To classify URLs and assess their safety.
Comprehensive Scanning
To maximize security, Targeted Threat Protection not only scans the initial URL, but also follows and inspects all links present on the webpage.
This means that pages with numerous links will take longer to scan due to the increased amount of content and potential threats that need evaluation.
A common strategy used by malicious actors is to alter the contents hosted through their links. Initially, the contents will be benign and any entrance scans will come back as safe. However, they will then swap out that "clean" content with their intended malicious data (malware, credential harvesting, etc.). To combat this, Targeted Threat Protection not only scans during arrival at the gateway but also upon every click, in real-time. This means that Mimecast does not cache any URL scan verdict and always performs a new scan.
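The difference between replaying a delivery-time verdict and rescanning on every click, as a small Python model added here (not Mimecast's code). The in-memory route table, the toy `credential-form` marker, the hop limit and all names are constructed for illustration.

```python
# Constructed model, not Mimecast's implementation. URLs, marker string and names are hypothetical.
MAX_HOPS = 10  # assumed hop limit so redirect loops terminate


def resolve(web, url):
    """Follow the redirect chain to its end. Returns (chain, body); body is None on failure."""
    chain, seen = [url], {url}
    while len(chain) <= MAX_HOPS:
        kind, value = web.get(chain[-1], ("page", None))
        if kind == "page":
            return chain, value
        if value in seen:                 # redirect loop
            return chain + [value], None
        chain.append(value)
        seen.add(value)
    return chain, None                    # chain too long


def scan(web, url):
    """Toy verdict: block unresolvable chains and pages carrying the constructed marker."""
    _, body = resolve(web, url)
    if body is None or "credential-form" in body:
        return "block"
    return "allow"


class CachedGateway:
    """Scans once at delivery and replays that verdict on every click."""
    def __init__(self, web):
        self.web, self.cache = web, {}
    def on_delivery(self, url):
        self.cache[url] = scan(self.web, url)
        return self.cache[url]
    def on_click(self, url):
        return self.cache[url]


class PerClickGateway(CachedGateway):
    """Same delivery scan, but rescans on every click instead of reusing the stored verdict."""
    def on_click(self, url):
        return scan(self.web, url)


def demo():
    link, landing = "https://link.example/a", "https://cdn.example/landing"
    web = {link: ("redirect", landing), landing: ("page", "<h1>Invoice</h1>")}
    cached, live = CachedGateway(web), PerClickGateway(web)
    at_delivery = (cached.on_delivery(link), live.on_delivery(link))
    web[landing] = ("page", "<form id='credential-form'>")  # content swapped after delivery
    return at_delivery, cached.on_click(link), live.on_click(link)
```

Both gateways allow the link at delivery; after the landing page changes, only the per-click gateway returns `block`, at the cost of a full chain resolution on every click.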