Created on 07-05-2022 09:24 AM Edited on 05-30-2024 01:17 AM By Jean-Philippe_P
Description
This article describes how to handle a web URL that FortiGate Antivirus blocks as a false positive.
Scope
FortiOS 5.4 - 6.2.
Solution
The web browser displays a FortiGate block page stating that the page cannot be opened because it is infected with a virus.
Another way to get more information on the block is to check the AV logs under Log & Report.
For example, the log entry below shows FortiGate Antivirus blocking the URL <http://www.koshersync.com/submit-an-event.html>.
date=2022-06-24 time=15:30:39 eventtime=1656099039399965078 tz="-0400" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=2 poluuid="0017c7ea-f3ef-51ec-3c82-03c70b9d5e13" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=1096562 srcip=10.10.10.2 dstip=199.34.228.100 srcport=50090 dstport=80 srccountry="Reserved" dstcountry="United States" srcintf="port3" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" srcuuid="e158a4da-f0b2-51ec-4cbe-d5f15428a24f" dstuuid="e158a4da-f0b2-51ec-4cbe-d5f15428a24f" proto=6 direction="incoming" filename="submit-an-event.html" quarskip="File-was-not-quarantined" virus="HTML/Agent.CKH!tr" viruscat="Virus" ref="http://www.fortinet.com/ve?vn=HTML%2FAgent.CKH%21tr" virusid=10088653 url="http://www.koshersync.com/submit-an-event.html" profile="default" agent="Chrome/102.0.0.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
This website was identified as a false positive.
To identify whether a URL is infected, check the URL in an external website checker, for example www.virustotal.com.
There, the website may now be shown as 'clean'.
One reason could be FortiGate’s web cache, because the cache may have saved the data of the previous infected version of the web page.
To clear the web cache, enter:
diagnose test application urlfilter 2
Or reboot the FortiGate (exec reboot).
Another reason is that the website checker is only displaying the homepage, and not attempting to access any links or download any files needed throughout navigation. In that case, the file may indeed be infected. The FortiGate logs will say exactly which file triggered the alert.
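As an added example that is not part of this article, the following Python parser reads the key=value layout of a FortiGate antivirus log entry like the one above and pulls out the fields needed to triage the block (URL, file name, signature, action, quarantine state). The sample line is constructed from the entry above and is not a live log.

```python
import re
from typing import Dict

# FortiOS log lines are space-separated key=value pairs; values containing
# spaces are double-quoted (e.g. msg="File is infected."). This pattern
# matches one pair, quoted (group 3) or bare (group 4).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample shaped like the article's log entry (subset of fields).
SAMPLE_LOG = (
    'date=2022-06-24 time=15:30:39 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" vd="root" policyid=2 msg="File is infected." '
    'action="blocked" service="HTTP" srcip=10.10.10.2 dstip=199.34.228.100 '
    'direction="incoming" filename="submit-an-event.html" '
    'quarskip="File-was-not-quarantined" virus="HTML/Agent.CKH!tr" viruscat="Virus" '
    'url="http://www.koshersync.com/submit-an-event.html" profile="default" '
    'crscore=50 craction=2 crlevel="critical"'
)


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, quotes stripped."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def av_block_summary(line: str) -> Dict[str, object]:
    """Extract what an admin needs to triage an AV block: which file on which
    URL matched which signature, and whether it was blocked/quarantined."""
    f = parse_fortios_log(line)
    if f.get("type") != "utm" or f.get("subtype") != "virus":
        raise ValueError("not a FortiGate antivirus (utm/virus) log entry")
    return {
        "url": f.get("url", ""),
        "filename": f.get("filename", ""),
        "virus": f.get("virus", ""),
        "action": f.get("action", ""),
        "quarantined": f.get("quarskip", "") != "File-was-not-quarantined",
    }


if __name__ == "__main__":
    print(av_block_summary(SAMPLE_LOG))
```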
It is also possible to report a false alarm or categorization with FortiGuard: