mmehl
New Contributor

False positive AV in URL/Website

Fortigate is blocking the website https://shop.meyco.eu/main/ :


High Security Alert

You are not permitted to download the file "" because it is infected with the virus "HTML/RedirBA.INF!tr".
URL https://shop.meyco.eu/main/
Quarantined File Name [disabled]
Reference URL https://fortiguard.com/encyclopedia/virus/8065247


VirusTotal shows a clean state, incl. Fortinet:
https://www.virustotal.com/gui/url/c798a22c5ab03d8c93c17795c08ca850cbdde956313717a9efcb4a417d89d05a


I have already tried to clear the web cache and reboot the FortiGate, as is described in this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scenario-on-FortiGate-Antivirus-false-posi...

But it doesn't help. What else can we do?
Thanks in advance

AlexC-FTNT
Staff

When you access "https://shop.meyco.eu/main/" there is no download. So the site will show clean in all the virus testers. The AV check is done only when there is a file being downloaded - and I don't know what file you are trying to download from that website.

It seems that the FortiGate is doing its job, but most important is to have the most recent FortiOS and AV signatures up to date - these are periodically changed and must be updated.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
mmehl
New Contributor

We only open the website, but the error message appears directly. We tested it with 5 different clients, and the behavior is identical.
FortiOS is up to date (v7.4.4 build2662)
AV definitions are version 92.04824


AlexC-FTNT
Staff

Certainly something is wrong in your policy setup/settings. I can access this site without such log/warnings. The only warning I see is that of the certificate. Quick lab test with both versions (7.2.8/7.4.4):

[screenshot: Untitled.png]


mmehl

I changed the AV profile to default in the proxy policy. Then I can open the website. But I don't understand what's wrong with our AV profile:

[screenshot: 2024-06-03 11_35_56-FortiGate - Fortigate01 – Mozilla Firefox.png]

AlexC-FTNT
Staff

flow-based mode -> check details about this mode. It only checks the packets as they pass, no reassembly. False detections, misidentifications are normal in this mode.


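The flow/proxy distinction raised in the reply above is set in two places in FortiOS 7.x, and the two must agree: the antivirus profile's feature-set and the firewall policy's inspection mode. The following is an added configuration example written for this thread; it is not from the thread, not from Fortinet's documentation, and the profile name "av-proxy-example" and policy ID 1 are assumed placeholders. The CLI keywords are given as they exist in FortiOS 7.x to the best of the editor's knowledge.

```fortios
# Assumed FortiOS 7.x CLI syntax (added example). Profile name and policy ID are placeholders.

# 1. Antivirus profile. feature-set decides the scan model:
#    flow  = packets are inspected as they pass, no stream reassembly
#    proxy = the HTTP response is reassembled and scanned as a whole
config antivirus profile
    edit "av-proxy-example"
        set comment "Proxy-based HTTP scanning (added example)"
        set feature-set proxy
        config http
            set av-scan block
        end
    next
end

# 2. The firewall policy must run in proxy inspection mode as well; a proxy
#    feature-set profile cannot be attached to a flow-mode policy. HTTPS pages
#    like the one in this thread are only scanned under deep inspection, so the
#    built-in "deep-inspection" SSL/SSH profile is referenced here.
config firewall policy
    edit 1
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set av-profile "av-proxy-example"
    next
end

# 3. Verify what is actually applied on both objects before testing again.
show antivirus profile av-proxy-example
show firewall policy 1
```

When comparing against a policy that behaves differently, the two `show` commands make it easy to diff the profile and policy against the built-in "default" profile, which is the comparison the thread ends up making.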
mmehl

I changed our AV profile from flow-based to proxy-based. But the error message appears again. It must be another setting in our AV profile.

AlexC-FTNT
Staff

or something else entirely. Start with a new policy and remove all your customizations - add profiles one at a time (default profiles). Last but not least, try Firefox - Chrome may cache some certificates/sites, etc.


mmehl

It only works when I completely deactivate the AV scan for HTTP in the profile. But this can't be the solution. In general I want AV scanning for HTTP.


Is there no white list or exempt list like in the SSL inspection profile?

chengtu3
New Contributor

In this case it's not complaining about the mining software itself. Read carefully where it says "safely aborted connection". It's blocking the connection to that URL. If you are certain that the URL is correct for your mining pool then go ahead and add an exception.
