The detection method varies by product.
BrowserShield holds a keyword and website library locally on each device. It monitors search engine queries and web page visits in real time. When a search or URL matches a harmful term, an intervention is triggered. The library is updated automatically every 24 hours.
NetworkShield in DNS mode monitors DNS requests and intercepts attempts to reach known harmful websites. In cloud proxy mode with decryption enabled, it can also read search engine queries as they are typed, enabling detection of harmful search intent.
MobileShield uses the same cloud proxy and DNS technology as NetworkShield, delivered as an app on corporate mobile devices via a per-app VPN proxy.
