mmehl
New Member
May 30, 2024
Question

False positive AV in URL/Website

  • 6 replies
  • 4947 views

Fortigate is blocking the website https://shop.meyco.eu/main/ :

High Security Alert

You are not permitted to download the file "" because it is infected with the virus "HTML/RedirBA.INF!tr".
URL https://shop.meyco.eu/main/
Quarantined File Name [disabled]
Reference URL https://fortiguard.com/encyclopedia/virus/8065247


VirusTotal shows a clean state, incl. Fortinet.
https://www.virustotal.com/gui/url/c798a22c5ab03d8c93c17795c08ca850cbdde956313717a9efcb4a417d89d05a


I have already tried to clear the web cache and reboot the FortiGate as described in this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scenario-on-FortiGate-Antivirus-false-positive/ta-p/216802

But it doesn't help. What else can we do?
Thanks in advance
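The alert quoted above has two telling details: the file name is empty and the detection name begins with "HTML/", i.e. the page body itself tripped the signature, not a downloaded file. Below is an added triage script (not from the thread, not a Fortinet tool) that parses FortiGate-style `key=value` antivirus log events and labels each one, so that page-content detections can be pulled out for a FortiGuard or VirusTotal re-check before the block is trusted or exempted. The log lines are constructed for this example; the field names (`subtype`, `virus`, `url`, `filename`, `profile`, `action`) follow the FortiGate UTM log schema, but the values, timestamps and the `example.invalid` URLs are made up.

```python
import re
from collections import Counter

# Constructed sample events in FortiGate key=value style. Only the URL and the
# detection name "HTML/RedirBA.INF!tr" come from the thread; everything else
# (dates, profile names, example.invalid hosts) is invented for this example.
SAMPLE_LOGS = [
    'date=2024-06-03 time=11:35:56 type="utm" subtype="virus" eventtype="infected" '
    'level="warning" action="blocked" service="HTTPS" profile="custom-av" '
    'virus="HTML/RedirBA.INF!tr" url="https://shop.meyco.eu/main/" filename="" '
    'direction="incoming"',
    'date=2024-06-03 time=11:40:02 type="utm" subtype="virus" eventtype="infected" '
    'level="warning" action="blocked" service="HTTP" profile="default" '
    'virus="EICAR_TEST_FILE" url="http://example.invalid/eicar.com" '
    'filename="eicar.com" direction="incoming"',
    'date=2024-06-03 time=11:41:10 type="utm" subtype="virus" eventtype="infected" '
    'level="warning" action="monitored" service="HTTP" profile="custom-av" '
    'virus="HTML/RedirBA.INF!tr" url="http://example.invalid/index.html" '
    'filename="index.html" direction="incoming"',
    'date=2024-06-03 time=11:42:00 type="utm" subtype="webfilter" action="passthrough" '
    'url="http://example.invalid/" profile="default"',
]

# key=value pairs; the value is either a double-quoted string (may be empty,
# may contain spaces or escaped quotes) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Turn one key=value log line into a dict; quotes are stripped from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def classify(event: dict) -> str:
    """Triage label for one event (see lead-in for the reasoning behind each)."""
    if event.get("subtype") != "virus":
        return "not-av-event"
    virus = event.get("virus", "")
    filename = event.get("filename", "")
    if virus == "EICAR_TEST_FILE":
        # Deliberate test download: expected to be blocked, nothing to review.
        return "test-file"
    if virus.startswith("HTML/") and filename == "":
        # The HTML document itself was flagged while loading a page, with no
        # download involved: the pattern from the thread. Review before trusting.
        return "page-content-detection"
    # A named file was scanned and matched: treat as a regular download block.
    return "file-download-detection"


def summarize(lines: list) -> dict:
    """Count events per triage label and list the URLs needing review."""
    counts = Counter()
    review_urls = []
    for line in lines:
        event = parse_fortigate_log(line)
        label = classify(event)
        counts[label] += 1
        if label == "page-content-detection":
            review_urls.append((event.get("url", ""), event.get("profile", "")))
    return {"counts": dict(counts), "review": review_urls}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    for label, n in sorted(report["counts"].items()):
        print(f"{label:26s} {n}")
    for url, profile in report["review"]:
        print(f"review: {url} (AV profile {profile})")
```

The `review` list is the useful output: each entry names the URL and the AV profile that produced a page-content detection, which is exactly what a VirusTotal or FortiGuard lookup (as the original post did) and a profile comparison against `default` should be run on.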

6 replies

AlexC-FTNT
Staff
May 30, 2024

When you access "https://shop.meyco.eu/main/" there is no download, so the site will show clean in all the virus testers. The AV check is done only when there is a file being downloaded, and I don't know what file you are trying to download from that website.

It seems that the FortiGate is doing its job, but most importantly, have the most recent FortiOS and AV signatures up to date; these are periodically changed and must be updated.

mmehl (Author)
New Member
June 3, 2024

We only open the website, but the error message appears immediately. We tested it with 5 different clients, but the behavior is identical.
FortiOS is up to date (v7.4.4 build2662).
AV definitions are version 92.04824.


AlexC-FTNT
Staff
June 3, 2024

Certainly something is wrong in your policy setup/settings. I can access this site without such log/warnings. The only warning I see is that of the certificate. Quick lab test with both versions (7.2.8/7.4.4):

[Screenshot: Untitled.png]

mmehl (Author)
New Member
June 3, 2024

I changed the AV profile to default in the proxy policy. Then I can open the website, but I don't understand what's wrong with our AV profile:

[Screenshot: 2024-06-03 11_35_56-FortiGate - Fortigate01 – Mozilla Firefox.png]

AlexC-FTNT
Staff
June 3, 2024

Flow-based mode -> check the details about this mode. It only checks the packets as they pass, with no reassembly. False detections and misidentifications are normal in this mode.

mmehl (Author)
New Member
June 5, 2024

I changed our AV profile from flow-based to proxy-based, but the error message appears again. It must be another setting in our AV profile.

AlexC-FTNT
Staff
June 5, 2024

Or something else entirely. Start with a new policy and remove all your customizations; add profiles one at a time (default profiles). Not least, try Firefox: Chrome may cache some certificates/sites, etc.

mmehl (Author)
New Member
June 12, 2024

It only works when I completely deactivate the AV scan for HTTP in the profile. But this can't be the solution. In general I want AV scanning for HTTP.

Is there no whitelist or exempt list like in the SSL inspection profile?

chengtu3
New Member
June 12, 2024

In this case it’s not complaining about the mining software itself. Read carefully where it says “safely aborted connection”. It’s blocking the connection to that url. If you are certain that the url is correct for your mining pool then go ahead and add an exception.

mmehl (Author)
New Member
June 12, 2024

But where can I add an exception?