Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mmehl
New Contributor

Created on ‎05-29-2024 11:34 PM

False positive AV in URL/Website

Fortigate is blocking the website https://shop.meyco.eu/main/ :

 

High Security Alert

You are not permitted to download the file "" because it is infected with the virus "HTML/RedirBA.INF!tr".
URL https://shop.meyco.eu/main/
Quarantined File Name [disabled]
Reference URL https://fortiguard.com/encyclopedia/virus/8065247


Virustotal shows an clean state incl. Fortinet.
https://www.virustotal.com/gui/url/c798a22c5ab03d8c93c17795c08ca850cbdde956313717a9efcb4a417d89d05a


I have already tried to clear the web cache and reboot the Fortigate like it is describte in this technical tip:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Scenario-on-FortiGate-Antivirus-false-posi...

But it doesn't help. What can we do else?
Thanks in advance

Labels:
1658
0 Kudos
10 REPLIES 10
AlexC-FTNT
Staff
Staff

Created on ‎05-30-2024 12:51 AM

When you access "https://shop.meyco.eu/main/" there is no download. So the site will show clean in all the virus testers. The AV check is done only when there is a file being downloaded - and I don't know what file you are trying to download from that website. 

It seems that the FortiGate is doing its job, but most importantly is to have the most recent FortiOS and AV signatures up to date - these are periodically changed and must be updated.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1445
mmehl
New Contributor

Created on ‎06-03-2024 01:03 AM

We only open the Website. But the error message appears directly. We test it with 5 different Clients. But the behavior is identical
FortiOs is up to date (v7.4.4 build2662)
AV Definitions are Version 92.04824

 

1373
0 Kudos
AlexC-FTNT
Staff
Staff

Created on ‎06-03-2024 02:11 AM

Certainly something is wrong in your policy setup/settings. I can access this site without such log/warnings. The only warning I see is that of the certificate. Quick lab test with both versions (7.2.8/7.4.4):

 
 

Untitled.png

 


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1362
mmehl
New Contributor
In response to AlexC-FTNT

Created on ‎06-03-2024 02:43 AM

I change the AV profile to default in the proxy policy . Then i can open the website. But i don't unterstand what's wrong with our AV profile:

2024-06-03 11_35_56-FortiGate - Fortigate01 – Mozilla Firefox.png

 

 

1356
0 Kudos
AlexC-FTNT
Staff
Staff

Created on ‎06-03-2024 03:07 AM

flow-based mode -> check details about this mode. It only checks the packets as they pass, no reassembly. False detections, misidentifications are normal in this mode.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1352
mmehl
New Contributor
In response to AlexC-FTNT

Created on ‎06-05-2024 07:25 AM

I changed our AV profile from flow-based to proxy-based. But the error messages appears again. It must be another setting in our AV profile.

1277
0 Kudos
AlexC-FTNT
Staff
Staff

Created on ‎06-05-2024 08:40 AM

or something else entirely. Start with a new policy and remove all your customizations - add profiles one at a time (default profiles). Not lastly, try Firefox - Chrome may cache some certificates/sites,etc


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1272
mmehl
New Contributor
In response to AlexC-FTNT

Created on ‎06-12-2024 03:36 AM

It only works when i completly deactivate the AV scan for HTTP in the profile. But this can't be the solution. In general i want AV scanning for HTTP.


Is there no white list or exempt list like in the ssl inspection profile? 

1137
0 Kudos
chengtu3
New Contributor

Created on ‎06-12-2024 05:06 AM

In this case it’s not complaining about the mining software itself. Read carefully where it says “safely aborted connection”. It’s blocking the connection to that url. If you are certain that the url is correct for your mining pool then go ahead and add an exception.

router login 192.168.l.l
router login 192.168.l.l
1128
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.