Dhruvin_patel
Article Id 216802
Description This article explains what to do when a web URL is blocked by FortiGate Antivirus as a false positive.
Scope FortiGate v5.4 and above.
Solution

The web browser shows a FortiGate block page stating that the page cannot be opened because it is infected with a virus.


Another way to get more information on the block is to check the ‘AV logs’ under ‘Log & Report’.


For example, the log entry below shows FortiGate AV blocking the URL <http://www.koshersync.com/submit-an-event.html>:


date=2022-06-24 time=15:30:39 eventtime=1656099039399965078 tz="-0400" logid="0211008192" type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=2 poluuid="0017c7ea-f3ef-51ec-3c82-03c70b9d5e13" policytype="policy" msg="File is infected." action="blocked" service="HTTP" sessionid=1096562 srcip=10.10.10.2 dstip=199.34.228.100 srcport=50090 dstport=80 srccountry="Reserved" dstcountry="United States" srcintf="port3" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" srcuuid="e158a4da-f0b2-51ec-4cbe-d5f15428a24f" dstuuid="e158a4da-f0b2-51ec-4cbe-d5f15428a24f" proto=6 direction="incoming" filename="submit-an-event.html" quarskip="File-was-not-quarantined" virus="HTML/Agent.CKH!tr" viruscat="Virus" ref="http://www.fortinet.com/ve?vn=HTML%2FAgent.CKH%21tr" virusid=10088653 url="http://www.koshersync.com/submit-an-event.html" profile="default" agent="Chrome/102.0.0.0" analyticssubmit="false" crscore=50 craction=2 crlevel="critical"
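As an added example (not part of the original article or Fortinet's own tooling), the Python script below parses a FortiGate AV log line like the one above into its key=value fields and pulls out the ones worth looking at when reviewing a suspected false positive: the blocked URL, the signature name, the policy that matched, and whether the file was actually quarantined. The sample line is the article's own entry embedded as a constant; the function names are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Sample FortiGate AV log line (the entry quoted in this article), embedded
# here so the script runs offline. FortiGate logs are space-separated
# key=value pairs; values with spaces or special characters are double-quoted.
SAMPLE_LOG = (
    'date=2022-06-24 time=15:30:39 eventtime=1656099039399965078 tz="-0400" '
    'logid="0211008192" type="utm" subtype="virus" eventtype="infected" '
    'level="warning" vd="root" policyid=2 '
    'poluuid="0017c7ea-f3ef-51ec-3c82-03c70b9d5e13" policytype="policy" '
    'msg="File is infected." action="blocked" service="HTTP" sessionid=1096562 '
    'srcip=10.10.10.2 dstip=199.34.228.100 srcport=50090 dstport=80 '
    'srccountry="Reserved" dstcountry="United States" srcintf="port3" '
    'srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" '
    'proto=6 direction="incoming" filename="submit-an-event.html" '
    'quarskip="File-was-not-quarantined" virus="HTML/Agent.CKH!tr" '
    'viruscat="Virus" ref="http://www.fortinet.com/ve?vn=HTML%2FAgent.CKH%21tr" '
    'virusid=10088653 url="http://www.koshersync.com/submit-an-event.html" '
    'profile="default" agent="Chrome/102.0.0.0" analyticssubmit="false" '
    'crscore=50 craction=2 crlevel="critical"'
)

# One key=value pair: the value is either a double-quoted string (which may
# itself contain '=' and spaces, as the ref= URL does) or a run of non-spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def av_block_summary(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return the fields that matter for false-positive review of an AV block.

    Returns None for log lines that are not UTM antivirus events, so the
    function can be applied to a mixed log export without special-casing.
    """
    if fields.get("type") != "utm" or fields.get("subtype") != "virus":
        return None
    return {
        "url": fields.get("url"),
        "filename": fields.get("filename"),
        "virus": fields.get("virus"),
        "action": fields.get("action"),
        # FortiGate reports the quarantine outcome in quarskip; the article's
        # entry says the file was not quarantined.
        "quarantined": fields.get("quarskip") != "File-was-not-quarantined",
        "policyid": int(fields["policyid"]) if "policyid" in fields else None,
        "av_profile": fields.get("profile"),
        "client": fields.get("srcip"),
        "server": fields.get("dstip"),
        # Client reputation score and level, useful for prioritising review.
        "crscore": int(fields["crscore"]) if "crscore" in fields else None,
        "crlevel": fields.get("crlevel"),
    }


if __name__ == "__main__":
    summary = av_block_summary(parse_fortigate_log(SAMPLE_LOG))
    for k, v in (summary or {}).items():
        print(f"{k:12} {v}")
```

The summary gives you the signature name and URL to look up on virustotal.com and the AV profile and policy ID to check on the FortiGate, which is exactly the information needed before deciding whether the block is a cache artifact as described below.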


This website was identified as a false positive.


To check whether a URL is actually infected, look it up on virustotal.com, for example https://www.virustotal.com/gui/url/db14bea5cf8571ff9eac5b5a35196fff5f2c295269c201c3175d46eb5e8d1006.
Here Fortinet states that this URL is clean, yet it was still blocked by FortiGate.


The likely reason is FortiGate’s web cache: the cache may still hold the verdict for a previous, infected version of the web page.


To clear the web cache, run the following command in the CLI, or reboot the FortiGate:
# diagnose test application urlfilter 2
