Fortigate is blocking the website https://shop.meyco.eu/main/ :
High Security Alert
You are not permitted to download the file "" because it is infected with the virus "HTML/RedirBA.INF!tr".
URL https://shop.meyco.eu/main/
Quarantined File Name [disabled]
Reference URL https://fortiguard.com/encyclopedia/virus/8065247
Virustotal shows an clean state incl. Fortinet.
https://www.virustotal.com/gui/url/c798a22c5ab03d8c93c17795c08ca850cbdde956313717a9efcb4a417d89d05a
I have already tried to clear the web cache and reboot the Fortigate like it is describte in this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scenario-on-FortiGate-Antivirus-false-posi...
But it doesn't help. What can we do else?
Thanks in advance
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
When you access "https://shop.meyco.eu/main/" there is no download. So the site will show clean in all the virus testers. The AV check is done only when there is a file being downloaded - and I don't know what file you are trying to download from that website.
It seems that the FortiGate is doing its job, but most importantly is to have the most recent FortiOS and AV signatures up to date - these are periodically changed and must be updated.
We only open the Website. But the error message appears directly. We test it with 5 different Clients. But the behavior is identical
FortiOs is up to date (v7.4.4 build2662)
AV Definitions are Version 92.04824
Certainly something is wrong in your policy setup/settings. I can access this site without such log/warnings. The only warning I see is that of the certificate. Quick lab test with both versions (7.2.8/7.4.4):
I change the AV profile to default in the proxy policy . Then i can open the website. But i don't unterstand what's wrong with our AV profile:
flow-based mode -> check details about this mode. It only checks the packets as they pass, no reassembly. False detections, misidentifications are normal in this mode.
I changed our AV profile from flow-based to proxy-based. But the error messages appears again. It must be another setting in our AV profile.
or something else entirely. Start with a new policy and remove all your customizations - add profiles one at a time (default profiles). Not lastly, try Firefox - Chrome may cache some certificates/sites,etc
It only works when i completly deactivate the AV scan for HTTP in the profile. But this can't be the solution. In general i want AV scanning for HTTP.
Is there no white list or exempt list like in the ssl inspection profile?
In this case it’s not complaining about the mining software itself. Read carefully where it says “safely aborted connection”. It’s blocking the connection to that url. If you are certain that the url is correct for your mining pool then go ahead and add an exception.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.