Allowed web page gets blocked by Malware/Spyware or similar


Article ID: 171502


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

You have a Content Filtering policy to allow (or at least, no policy to deny) access to a certain website, but you are still receiving a Blocked result when trying to access it, usually stating that the webpage in question contains Spyware or other malicious software.

Many times, when trying to verify the URL in question with WebPulse Site Review Request, you won't see any abnormal result or malicious category.

Cause

This happens because either the URL itself, or one of the IP addresses associated with it, is categorized under a malicious category ("Malicious Outbound Data / Botnets" or "Malicious Sources / Malnets"). The same block occurs if the destination is categorized as "Placeholder" or is not categorized at all and your policy blocks unknown content and Placeholders.

To verify:

  1. Look up the website's IP addresses (open a command prompt and run: nslookup example.com).
  2. Use http://sitereview.bluecoat.com to test the HTTP and HTTPS versions of every URL and IP associated with the website (for instance: https://1.2.3.4, http://1.2.3.4, http://www.example.com, https://www.example.com). It is common to find at least one of these four variants holding a malicious category, which can be caused by:
  • A) A false-positive analysis by our antivirus systems.
  • B) The page holds a legacy category because it was infected or served as a malnet at some point.

  This can be checked with online multi-engine antivirus analysis tools such as virustotal.com, which detail the scan results of more than 60 antivirus engines and usually mention if the webpage in question is known to have had an infection in the past. Note that it is common for one or two antivirus engines to return a positive result, but as long as 50 or more engines come up clean, the positive results are most likely false-positives.
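The verification steps above are easy to get wrong by omission: a host with two A records has six URL forms (http and https for the hostname and for each IP), and each form carries its own category in WebPulse. The following script is an added example, not part of this article or of the WSS product; it resolves the hostname the way nslookup would, enumerates every URL form to paste into Site Review, and, once you have noted the category each one shows, lists the ones that still need a re-categorization request. The category strings follow this article; the "Uncategorized" label for "not categorized at all" is an assumption and should be adjusted to whatever Site Review displays for you.

```python
import socket
import sys
from typing import Dict, Iterable, List

# Categories that, per the article, cause the block. "Uncategorized" is an
# assumed label for "not categorized at all"; match it to what Site Review
# actually displays before relying on it.
BLOCKING_CATEGORIES = {
    "Malicious Outbound Data / Botnets",
    "Malicious Sources / Malnets",
    "Placeholder",
    "Uncategorized",
}


def resolve_ips(hostname: str) -> List[str]:
    """Same information as `nslookup hostname`: the unique A/AAAA addresses,
    in the order the resolver returns them (needs network access)."""
    ips: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(hostname, None):
        ip = sockaddr[0]
        if ip not in ips:
            ips.append(ip)
    return ips


def candidate_urls(hostname: str, ips: Iterable[str]) -> List[str]:
    """Every URL form that carries its own category: http and https for the
    hostname, then http and https for each resolved IP. IPv6 literals are
    bracketed so each entry is a valid URL to paste into Site Review."""
    hosts = [hostname] + [f"[{ip}]" if ":" in ip else ip for ip in ips]
    return [f"{scheme}://{h}" for h in hosts for scheme in ("http", "https")]


def needs_review(findings: Dict[str, str]) -> List[str]:
    """Given {url: category} as read off Site Review, return every URL form
    that must be submitted for re-categorization. Submitting only one of them
    leaves the others blocking, which is the follow-up failure described in
    the Resolution section."""
    return [url for url, cat in findings.items() if cat in BLOCKING_CATEGORIES]


if __name__ == "__main__":
    # Usage: python sitereview_checklist.py www.example.com
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    for url in candidate_urls(host, resolve_ips(host)):
        print(url)
```

Run it with the hostname from the block page, check each printed URL in Site Review, then record the categories in a dict and pass it to needs_review to get the complete list for the review request.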

Resolution

Workaround

  • Add the site's URL and all known IPs to the Trusted Destinations list (log in to the portal > Solutions > Threat Protection > Trusted Destinations, scroll down, and enter URLs under Trusted Domains and IPs under Trusted IPs/Subnets). A URL and/or IP/subnet list may be created for this purpose from either the Object Library or the Trusted Destinations wizard.
    • NOTE: This is only a workaround and should be applied only if access to the resource is necessary and you are sure the site is clean, because it turns off the AV and categorization scans for those URLs / IPs.

To resolve

  • After verifying the problematic IP or URL with WebPulse Site Review Request, you can submit a suggestion to change its current category. A Threat Analyst from our team verifies the site and changes the category if the suggestion is considered correct or the site is safe. You can choose to be notified of the result by email.
  • If you continue to experience problems after receiving a reply, most likely you asked for only one IP or URL to be reviewed, and another one (or the other protocol) needs to be changed as well. For instance: you asked for 1.2.3.4 to be reviewed and re-categorized as "web hosting"; by default we check http://1.2.3.4, and on sitereview.bluecoat.com you may find that https://1.2.3.4 still shows the category you consider incorrect. You must also let us know that https://1.2.3.4 needs correcting, and the same applies to URLs. Another case is that IP 1.2.3.5 is also associated with the website according to the nslookup performed earlier, so http://1.2.3.5 and https://1.2.3.5 need to be reviewed as well.