FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dhruvin_patel
Article Id 216802

Description

This article describes what to do when a web URL is blocked by FortiGate Antivirus as a false positive.

 

Scope

FortiOS 5.4 - 6.2.

 

Solution

The web browser shows a FortiGate block page stating that the page cannot be opened because it is infected with a virus.


Another way to get more information on the block is to check the ‘AV logs’ under ‘Logs & Report’.

For example, the log entry below shows FortiGate Antivirus blocking the URL http://www.koshersync.com/submit-an-event.html:

date=2022-06-24 time=15:30:39 eventtime=1656099039399965078 tz="-0400" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=2 poluuid="0017c7ea-f3ef-51ec-3c82-03c70b9d5e13" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=1096562 srcip=10.10.10.2 dstip=199.34.228.100 srcport=50090 dstport=80 srccountry="Reserved" dstcountry="United States" srcintf="port3" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" srcuuid="e158a4da-f0b2-51ec-4cbe-d5f15428a24f" dstuuid="e158a4da-f0b2-51ec-4cbe-d5f15428a24f" proto=6 direction="incoming" filename="submit-an-event.html" quarskip="File-was-not-quarantined" virus="HTML/Agent.CKH!tr" viruscat="Virus" ref="http://www.fortinet.com/ve?vn=HTML%2FAgent.CKH%21tr" virusid=10088653 url="http://www.koshersync.com/submit-an-event.html" profile="default" agent="Chrome/102.0.0.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"

This website was identified as a false positive.

To check whether a URL is actually infected, look it up in an external website checker, for example www.virustotal.com.
There, this website is now shown as 'clean'.

One reason for the false positive could be FortiGate’s web cache: it may still hold the data of the previously infected version of the web page.

To clear the web cache, enter:

diagnose test application urlfilter 2

Or reboot the FortiGate (exec reboot).

Another reason is that the website checker may only inspect the homepage, without following any links or downloading any files that are loaded during navigation. In that case, the file may indeed be infected. The FortiGate logs state exactly which file triggered the alert.
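To pull exactly that information out of an AV log entry, the following added example (not part of the article or of FortiOS) parses the FortiOS key=value log format and extracts the fields an analyst needs for false-positive triage: the URL, the file, the signature name, and whether the file was actually blocked or quarantined. The sample log line is constructed from the entry quoted above, with some fields omitted.

```python
import re
from typing import Dict

# Constructed sample FortiOS UTM/virus log line, modelled on the entry quoted in
# the article; several fields are omitted for brevity.
SAMPLE_LOG = (
    'date=2022-06-24 time=15:30:39 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="root" policyid=2 msg="File is infected." '
    'action="blocked" service="HTTP" srcip=10.10.10.2 dstip=199.34.228.100 '
    'filename="submit-an-event.html" quarskip="File-was-not-quarantined" '
    'virus="HTML/Agent.CKH!tr" viruscat="Virus" '
    'url="http://www.koshersync.com/submit-an-event.html" profile="default" crlevel="critical"'
)

# FortiOS log lines are space-separated key=value pairs; values that contain
# spaces are double-quoted (e.g. msg="File is infected."), so a plain split on
# whitespace would break them. The regex tries the quoted form first.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields worth looking at when deciding whether an AV block is a false positive.
TRIAGE_FIELDS = ("url", "filename", "virus", "action", "quarskip",
                 "crlevel", "srcip", "policyid")


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def av_triage(line: str) -> Dict[str, str]:
    """Return the triage fields for an antivirus (type=utm, subtype=virus) entry.

    Raises ValueError for any other log type so that traffic or web-filter
    entries are not mistaken for AV blocks.
    """
    fields = parse_fortios_log(line)
    if fields.get("type") != "utm" or fields.get("subtype") != "virus":
        raise ValueError("not a FortiOS antivirus (utm/virus) log entry")
    return {k: fields.get(k, "") for k in TRIAGE_FIELDS}


if __name__ == "__main__":
    for key, value in av_triage(SAMPLE_LOG).items():
        print(f"{key:10} {value}")
```

The url and filename values are what to submit to an external checker, and quarskip tells whether a copy of the file was kept on the FortiGate for further analysis.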

It is also possible to report a false alarm or categorization with FortiGuard:

FortiGuard - Contact us