Knowledge Center

FAQs for SiteAdvisor Enterprise 3.x
Technical Articles ID:   KB73457
Last Modified:  4/6/2017


McAfee SiteAdvisor Enterprise (SAE) 3.x

For details of SAE supported environments, see KB51244.


This article is a consolidated list of common questions and answers and is mainly intended for users who are new to SAE, but can be of use to all users.
General For product information including rating disputes, safe websites, and miscellaneous topics.
Compatibility Interaction between other products and software.
Installation/Upgrade For information about installing, upgrading, and removing.
Configuration Includes best practices, optimizing, configuring, and customizing.
Functionality Product features and functions, including reporting.


What Is SiteAdvisor Enterprise?
SAE is a free browser plugin that gives advice about websites before you access them. SAE adds small site rating icons, a browser button, and an optional search box to your search results. Together, these alert you to potentially risky sites and help you find safer alternatives. The site ratings are based on tests conducted by McAfee Labs using multiple computers that look for all kinds of threats.

What is an SAE Site Rating?
For a detailed explanation of SAE Site Ratings, see KB53369.

Why does SAE 3.5 not have the 'Plus' designation that was previously included with the SAE Plus 3.0?
SAE Plus 3.0 had a separate Enforce version. Instead, SAE 3.5 has in-built enforcement functionality to block known malicious sites. Use the Observe Mode in SAE 3.5 to receive advice only.

There is a separate web filtering extension you can purchase to block sites based on content categories rather than ratings for that URL.

NOTE: SAE 3.0 has reached EOL and is no longer supported. For more information on the SAE 3.0 EOL, see KB84554.

What is the SAE 3.5 SAELICeX_[SAE version number]_[build number].zip extension package used for?
This is the license extension for SAE 3.5. When you first install SAE 3.5, it licensed as evaluation software. With the license extension checked in to ePolicy Orchestrator (ePO), SAE will report back as being fully licensed after a policy enforcement. For additional information about the different SAE packages, see KB73520.

What is the IP address of the SiteAdvisor rating server?
The SiteAdvisor rating servers do not use a dedicated IP address. For SAE 3.0, use DNS to reach dss1.siteadvisor.com or dss2.siteadvisor.com.

NOTE: SAE 3.0 has reached EOL and is no longer supported. For more information on the SAE 3.0 EOL, see KB84554.

If you have an appliance that accepts only IP addresses, perform an nslookup on dss1.siteadvisor.com or dss2.siteadvisor.com to obtain an IP address. These IP addresses are subject to change without notice.

For SAE 3.5, perform an nslookup on saelist.gti.mcafee.com. This provides the IP addresses of all current GTI ratings servers. The FQDN of the GTI rating server used by SAE 3.5  is sae.gti.mcafee.com.

What are the differences between home use (consumer) versions of SiteAdvisor and SAE?
SAE has been modified for management by an administrator under ePO. In addition, the automatic update feature has been removed to ensure that administrators control the version of the software on managed systems.

How can a site owner dispute a site rating?
McAfee Labs welcomes feedback about its site ratings and encourages site owners to contact Technical Support if they believe one or more of our facts regarding their site are in error. We pledge to work cooperatively with those site owners and to respond reasonably to dispute inquiries as quickly as possible.

How do I submit a site rating dispute?
Submit your rating dispute via email to support@siteadvisor.com or online at http://www.siteadvisor.com/userfeedback.html.

During the evaluation of any dispute, McAfee Labs communicates with site owners via email.

How are disputes validated?
McAfee Labs acknowledges your dispute via email and begins to evaluate the concerns you raise. You can speed up the evaluation if you include details about your dispute. For example, inform McAfee Labs of the parts of the test results you are disputing and why you are disputing them. Review your site's test results profile by searching for it at http://www.siteadvisor.com/sites/.

Disagreements with site owners typically fall into two categories. The first can be described as "Our site never did what you say it does" and the second can be described as "Our site no longer does what it used to do."

There are many different cases, but here are two typical examples:

  • A site owner reports that the file offered for download is not a virus.
  • A site owner reports that the site no longer offers the download found in a previous test, or that the download behavior itself has been modified.

How long does the evaluation process take?
McAfee Labs acknowledges your dispute within one business day of receipt and initiates an evaluation within five business days. After evaluation has started, it is typically completed within the following time frames:

  • Claims that a site has changed: Five business days from the start of the evaluation.
    Exception: Email practices. Evaluating changed email practices takes 60 calendar days after the evaluation begins because McAfee Lbs must give the new test email address significant time to see what kind of email it receives, if any.
  • Claims that McAfee Labs has made a mistake: 10 business days from the start of the evaluation.

What happens after the evaluation is done - when will my site's rating change?
McAfee Labs emails the site owner to share the results of its evaluation. If the evaluation confirms that the test data was in error, the site's rating is changed within one business day after evaluation. In some cases, the overall rating for a site might remain red or yellow even if one of the test results used for that rating was wrong.

Example: A site with multiple, red rated downloads will remain red even if one of those download ratings is found to be mistaken. Sites that were accurately rated red or yellow as a result of our previous tests but have now improved will undergo a re-assessment period before the site rating is changed.

How long does this re-assessment period last?
The re-assessment period can be anything from 10 to 365 calendar days depending on the site's historical test information and the severity of the issues found during previous tests.

Example: Sites that were rated red or yellow and have no history of risky behavior will be rated as green faster than sites that have been rated red or yellow multiple times. Sites that re-engage in behavior that is risky will be rated green slower the next time. Sites that engage in particularly risky behavior like hosting exploit code will also be rated green more slowly.

There are many different cases, but here is a typical example:

  • A site that is rated red for the first time for posting links to a few red rated downloads disputes their site rating and removes the links. The site rating could become green in as few as 10 days after tests show that the links are gone and no other issues are discovered.
  • If a subsequent test of that site finds new links to red rated downloads or finds other risky behavior, the site rating will remain red for at least 30 days after tests show that the links and other risky behavior have been removed.

What if my site is rated risky due to TrustedSource?
SiteAdvisor ratings now incorporate web reputation analysis from the TrustedSource system. To contact McAfee Labs about this analysis, follow the same procedure described in How do I submit a site rating dispute.

How can I contact Technical Support over a SiteAdvisor dispute issue?
Site owners can email support@siteadvisor.com. Email inquiries generate a Support ticket and your query is assigned to a Technical Support Engineer. The engineer directs site owners to begin the dispute resolution process by submitting their objections at http://www.siteadvisor.com/userfeedback.html. The fastest and best way to check on the status of a dispute, submit additional information, or express additional concerns is by emailing your Technical Support Engineer.

What can I do as a site owner to help keep my websites safe?
As a site owner and webmaster you face many challenges to keep your site(s) and visitors safe from malicious hackers. The following are some best practices for webmasters to maintain the good reputation of their site(s). This list is not comprehensive and following it does not guarantee a green site rating.

  • Hosting files for download
    You are encouraged to perform simple checks on downloadable files, such as scanning a file with a reputable anti-virus scanner before you make it available. One option is to upload the file to VirusTotal, a free service that scans the file and provides detection information from multiple anti-virus software vendors including McAfee. Note that the file is only checked for those detections that exist at the time you submit the file. When you remove a risky program from your site, remove all links to the program and remove the program itself from your public server. Removing only the link is often not enough because users may still be able to access the program.
  • Email practices
    You are encouraged to safeguard information submitted to your site. For example, posting email addresses in a manner that allows them to be harvested by third parties, or sharing data with partners who might be spammers or who might pass the information on to spammers are considered poor data handling. Poor data-handling practices can cause users to receive unexpected and unwanted email.

    The email test used by SiteAdvisor technology is an action-result test. The action is providing a unique email address to forms found on the site; the result is the email received. The email test does not attempt to identify either the reasons for, or the source of, the emails received. McAfee Labs counts the email received by that address and scores it for spam-like characteristics.
  • Browser exploits
    You are encouraged to routinely monitor your website(s) for browser exploits--content that attempts to control a visitor's computer in an unauthorized manner. One important best practice is to implement change-control and content-management procedures so that webmasters know when files change on their sites. You should be suspicious of any files that change outside of the accepted processes. Other best practices include conducting routine security assessments. Use these assessments to check and patch vulnerabilities in the server operating system and web, database, and application servers. A good place to start for security best practices is on the Open Web Application Security Project.
  • Online affiliations
    Links to external domains are powerful tools, but you should be aware that linking to other sites on the Internet might be seen as an endorsement or collaboration between the sites. Malicious site owners use these relationships to their advantage by creating their own 'safe' sites or leveraging the links posted on third-party sites to drive traffic to a specific location. This technique can drive traffic to risky sites from a site that is otherwise benign. You are encouraged to use SiteAdvisor site ratings or other sources to review periodically the sites to which your sites link.
  • Pop-up messages
    These are often considered a nuisance by users. You are encouraged to limit the number of pop-up messages or windows that open when users interact with the site. Pop-up messages may also be used to deliver malicious code to site visitors or to drive traffic to malicious sites. When using certain advertising companies and tools, you may not be in full control of how many ads of this nature are shown or of the exact contents of the ads. You are encouraged to present to your users only content that is under your control or content from trusted third parties that have strict controls in place.
  • E-commerce promotions
    If your sites host promotions or links to promotions from other sites, you are encouraged to pay attention to the product offering. For example, promotions can be considered misleading in situations where the offer's description, the fine print, and the terms and conditions are contradictory or unclear, or where there is credible information that the claims are suspect or require very careful consideration. Some promotions could even be malicious; these include free offers that collect personal information and sell or use this data in ways other than what the user understood.

What operating systems does SAE 3.5 support?
To view the supported environments for SAE, see KB51244.

What processes does SAE use?
The following is a list of processes installed by SAE with brief descriptions of what they do:

  • mcchhost.exe: Used by mcsacore.exe to communicate with the Google Chrome SAE extension
  • mcsacore.exe: The SAE core service
  • sahookmain.exe: Used for email annotations
  • saui.exe: Used to create the Graphical User Interface (GUI) during installs and upgrade

Can I manage SAE using ePO?
Yes. There are currently three functions available for managing SAE through ePO:

  • Deployment of SAE through ePO to computers
  • Reports that show which computers do or do not have SAE
  • Uninstallation of SAE through ePO from computers

Can I manage SAE using ePO Cloud?
No. SAE cannot be managed by ePO Cloud.

What search engines does SiteAdvisor Safe Search integrate with?
You can obtain the most current list of Safe Search supported browsers here: http://www.siteadvisor.com/howitworks/index.html.

What causes no annotations to show in search results when I perform the search with a supported search engine?
SAE uses scripts to annotate web pages. If a search engine makes changes to the web page it uses to present the search results, SAE might not be able to annotate the page ( see KB68222).

For example, www.yahoo.tw does not currently display search results with SAE for this reason.

Can I use SAE hardening to block users from disabling SAE in Google Chrome?
No. The SAE hardening policy does not block users from disabling SAE in Chrome. See KB77685 for information on how to add a Google administrative template to active directory and force enable the SAE extension.

Can I use SAE hardening to block Google Chrome incognito mode?
No. SAE does not block Chrome incognito mode.

Can I use SAE hardening to stop file downloads in Google Chrome?
No. The SAE File Download Enforcement policy does not work with Google Chrome.

Can I use SAE hardening to block users from disabling SAE in Firefox?
No. The SAE hardening policy does not block users from disabling SAE in Firefox. 

The SAE extension did not previous display under Firefox extension management. Because of changes in Firefox, this extension now displays and can be disabled by the user on the endpoint.

Back to Contents


Does SAE integrate into a web browser that is installed after SAE is installed?
If you install an additional web browser such as Firefox after initially installing SAE to Internet Explorer, or if you upgrade your existing browser after SAE is installed, SAE will be present and functioning in either the new or upgraded browser.

Can the SAE extension be disabled in Firefox?
Yes. The SAE extension for Firefox can be disabled by the end user. The SAE service will mark the extension to re-enable the next time the browser is launched.

Can I install an earlier version of SAE over a later version?
No. You must first uninstall the latest version because the installation process does not support overwriting a more recent version of SAE. After you uninstall the newer version, you can install the older version of SAE by using the normal installation process.

Can I install SAE over Endpoint Security (ENS)?
No. SAE is not supported with ENS.

If you attempt to install SAE on systems running ENS, it will generate errors in the McAfee Agent logs. You may need to use the SAE removal tool in KB79933 to clean up an attempted installation of SAE on systems with ENS.

What port does SAE 3.5 use to get ratings from the GTI server?
SAE uses Secure Sockets Layer port 443 when communicating to the GTI rating server.

Why does the SAE 3.5 install task result in a prompt for a reboot?
SAE cannot upgrade if a browser window is open. If the install detects a browser open, the installer prompts for a reboot. If a browser is opened immediately after a reboot and before the SAE install completes, another reboot prompt will appear. See KB79591.

The appearance of the reboot dialog box is configured through MA policy. There is a checkbox to force reboot or suppress reboot prompt.

What port does SAE 3.5 install fail?
Do not have SAE 3.5 patch 1, SAE 3.5 patch 2, and any SAE hotfixes in the repository. Only have SAE 3.5 patch 2 in the repository along with SAE hotfixes.

Back to Contents


Why can I add the Content Action Policy only once to an ePO policy assignment rule, but I can add other SAE policies multiple times? 
You can add multi-slot policies multiple times to the policy assignment rule, but you can add single instance policies only once. SAE 3.5 allows for multiple content action policies.

Can I hide the SiteAdvisor Toolbar?
Yes. This feature is available in SAE 3.5 Patch 2 and later.

Back to Contents

Can SAE rate on embedded frames?
SAE 3.5 Patch 1 adds a feature to allow SAE to enforce in all frames on the page.

NOTE: This is disabled by default.

What is rated, and how is it rated?
For a detailed explanation of ratings, see KB53369.

How can I test SAE category ratings?
McAfee Labs has sites for testing category rating actions and also has a third-party testing site configured for Green, Yellow, and Red ratings. For details, see KB72563.

How often does the SiteAdvisor service contact the sadownload.mcafee.com website?
The SiteAdvisor service contacts sadownload.mcafee.com once a day to retrieve new updates. Additional details:

  • The updates from sadownload.mcafee.com keep Safe Search ratings current with any changes on the search engines. If a search engine changes the layout of its web page, McAfee Labs updates SiteAdvisor so the ratings display correctly.
  • The update obtains the latest websites known to have browser exploits. SiteAdvisor does not allow content from a site known to have browser exploits to display web content.
  • The update is done over HTTP on port 80.

Does SiteAdvisor block websites in browser windows without toolbars?
Yes. Some hyperlinks launch a new browser window without a toolbar. Even though the SiteAdvisor plugin is not viewable on the screen because the browser is not displaying toolbars, SiteAdvisor still blocks content.

What are the differences between the red site icons in a SAE Safe Search?
SAE Safe Search shows site ratings after a search using a search engine. Search ratings for red rated sites can have two icons:
When SAE is set to:
Icon description
Block for red sites
Gray circle with a red slash
Allow or Warn for red sites
Red circle with a white X

What time is displayed in the logs for SAE events?
SAE logs are displayed in Greenwich Mean Time (GMT) with an offset for the local system time.
NOTE: SAE logs are always sent to an ePO server for reporting purposes. If the Web Filtering for Endpoints Module is also installed, the SAE logs are also sent to Web Reporter.

What do the values in the SAE functional report mean?
In the ePO console, the SAE functional report can have the following values:
SAE has been disabled by a user on the system.
SAE could not determine the functional state of SAE in the browser.
SAE is enabled for all users.

Does SAE provide ratings on IP addresses?
In addition to providing ratings for domain names, SAE does provide ratings on some website IP addresses. Not all addresses are stored on the SiteAdvisor rating server because they change so frequently.

How does SAE determine if a site is private IP?
SAE does not take action on private IP/internal IPs. Private/internal sites on a prohibit list are not blocked.

Default IPV4 Private IP range: – – –
localhost or
Default IPV6 Private IP Range :
Site-local and Link-local addresses start with FEC, FED, FEE, FEF or FE8, FE9, FEA, FEB

Can SAE send logs to Web Reporter using HTTPS?
Although Web Reporter can accept log files through HTTP or HTTPS ports, SAE currently can send logs to Web Reporter only through HTTP. A Product Enhancement Request (PER) has been submitted to allow SAE send logs to Web Reporter via HTTPS. To submit a PER, see the Related Information section.

Does SAE collect information when users navigate to intranet sites?
No. If your intranet uses private or non-routable IP addresses, no information is sent to or requested from the SiteAdvisor servers.

Does SAE track Internet usage on client computers?
No. SAE compiles a list of websites visited for all SAE software installations. No data is collected for specific computers or companies.

What SAE events are uploaded to the ePO server and how are they uploaded?
SAE does not generate events immediately while browsing. It takes approximately 30 minutes for SAE events to be created. SAE stores the events in the saevisits.dat file until the SAE service creates a single xml file with all of the browsing history in the McAfee Agent  Events folder.

Where does SAE obtain its ratings, is it from the ePO Server?
Ratings do not come from the ePO server. SAE 3.5 ratings come from sae.gti.mcafee.com on port 443.

What data is sent by SAE to the GTI rating servers?
SAE sends the following data to content rating servers to get the web reputation score for a URL:
  • Product serial number: A number assigned by GTI for SAE. In this case TSFA-KVNH-EMGI-OBQG.
  • Device ID: Device ID is passed as follows:

    Security Center managed: szMachineID (SOFTWARE\\McAfee\\ManagedServices\\Agent) is used for the Device ID.
    ePO managed: AgentGUID (SOFTWARE\\Network Associates\\ePolicy Orchestrator\\Agent) is used for the Device ID.

    If neither are present on a machine, the string DeviceID will be used for the Device ID.
  • Product name: In this case, SAE.
  • Product version: In this case 3.5 for RTW. All other SAE patch versions are 3.5.1.
  • GTI URL: In this case, sae.gti.mcafee.com.
  • Certificates and keys: Client certificate, client private key, and CA certificate.
  • Configuration Settings: Number of connections, timeout, and the number of attempts.
  • The Local IP address is not passed explicitly, but is known through the source IP address field of the outgoing packet.
  • Source IP, Destination IP, and file checksum are passed to get the file reputation.

    To get the file rating from its checksum, SAE passes source IP = and destination IP = (along with file checksum).

Where is the browsing list cached?
SAE caches the rating in memory for a period of time. The time is based on a value from the rating server. The default is 30 minutes.

How does it handle timeouts?
SAE performs an asynchronous rating lookup when a new web site is browsed. If the browser times out while connecting to the web page, it does not affect SAE because SAE still attempts to retrieve the rating from the rating server.

What version of MSXML is required to parse SAE events?

SAE 3.5 patch 2 and prior clients require the ePO server to have MSXML 4 installed. SAE 3.5 patch 3 and later clients no longer require ePO to have MSXML 4 installed. For more information, see ePO article KB83232.

Can SAE work with only Transport Layer Security (TLS) 1.2 in the browser?
No. TLS 1.0, 1.1, and 1.2 are required.

Can SAE events be filtered in the ePO console?
No. SAE events 18600 (browser navigation) and 18601 (browser file download) cannot be filtered. The next version of SAE, Endpoint Security Web Control, allows filtering of the 18600 and 18601 events.

Back to Contents

Rate this document

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.