False positive AV in URL/Website
Fortigate is blocking the website https://shop.meyco.eu/main/ :
High Security Alert
You are not permitted to download the file "" because it is infected with the virus "HTML/RedirBA.INF!tr".
URL https://shop.meyco.eu/main/
Quarantined File Name [disabled]
Reference URL https://fortiguard.com/encyclopedia/virus/8065247
VirusTotal shows a clean state, incl. Fortinet.
https://www.virustotal.com/gui/url/c798a22c5ab03d8c93c17795c08ca850cbdde956313717a9efcb4a417d89d05a
I have already tried to clear the web cache and reboot the Fortigate like it is described in this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scenario-on-FortiGate-Antivirus-false-posi...
But it doesn't help. What else can we do?
Thanks in advance
Labels: FortiGate
When you access "https://shop.meyco.eu/main/" there is no download. So the site will show clean in all the virus testers. The AV check is done only when there is a file being downloaded - and I don't know what file you are trying to download from that website.
It seems that the FortiGate is doing its job, but most importantly is to have the most recent FortiOS and AV signatures up to date - these are periodically changed and must be updated.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
We only open the website, but the error message appears directly. We tested it with 5 different clients, but the behavior is identical.
FortiOS is up to date (v7.4.4 build2662)
AV Definitions are Version 92.04824
Certainly something is wrong in your policy setup/settings. I can access this site without such log/warnings. The only warning I see is that of the certificate. Quick lab test with both versions (7.2.8/7.4.4):
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
I changed the AV profile to default in the proxy policy. Then I can open the website. But I don't understand what's wrong with our AV profile:
flow-based mode -> check details about this mode. It only checks the packets as they pass, no reassembly. False detections, misidentifications are normal in this mode.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
I changed our AV profile from flow-based to proxy-based. But the error message appears again. It must be another setting in our AV profile.
or something else entirely. Start with a new policy and remove all your customizations - add profiles one at a time (default profiles). Last but not least, try Firefox - Chrome may cache some certificates/sites, etc.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
It only works when I completely deactivate the AV scan for HTTP in the profile. But this can't be the solution. In general I want AV scanning for HTTP.
Is there no whitelist or exempt list like in the SSL inspection profile?
In this case it’s not complaining about the mining software itself. Read carefully where it says “safely aborted connection”. It’s blocking the connection to that url. If you are certain that the url is correct for your mining pool then go ahead and add an exception.