search cancel

Allowed web page gets blocked by Malware/Spyware or similar

book

Article ID: 171502

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Content Filtering policy setup to allow (or at least, no policy to deny) access to a certain website, but users are still receiving a Blocked result when trying to access it, usually stating that the webpage in question contains Spyware or other malicious software.

Verifying the URL in question with WebPulse Site Review Request does not show any abnormal result or malicious category.

Cause

This is because either the URL, or the IPs associated with it, are categorized under a malicious category ("Malicious Outbound Data / Botnets" or "Malicious Sources / Malnets", or "Placeholder" or not categorized at all, in case you are blocking unknown content and Placeholders)

To verify:

  1. Nslookup the website in question (Open a command prompt, and write: nslookup example.com).
  2. To verify where the problem is, use http://sitereview.bluecoat.com to test HTTP and HTTPS versions of all URLs and IPs available to the website. (For instance: https://1.2.3.4, http://1.2.3.4, http://www.example.com, https://www.example.com). It's usual to find at least one of these four possibilities to hold a malicious category, this can be caused by: 
    • A false-positive analysis of our antivirus systems.
    • The page holds a legacy category since it used to be infected or serve as a malnet at some point.
      • This can be verified with virtual antivirus analysis tools, such as virustotal.com, which will detail the scan results of more than 60 antivirus engines, and it will usually mention if the webpage in question is known to have had an infection in the past. Note that it's common for one or two antivirus engines to return a positive result for infection, but as long as +50 antivirus engines come up clean, we can probably conclude that positive results are just false-positives.

Resolution

Workaround

Add traffic to Trusted Destinations:

1. Navigate to the WSS portal
2. Select Policy from the left-hand menu
3. Select Threat Protection
4. Select Trusted Destinations (G2 rule)
5. Select traffic from the available list and select add OR Select "New" to define a new IP, domain, etc.
6. Click Save
7. Be sure to click "Activate Policy" to ensure that the changes are applied.

NOTE: Be advised that this is only a workaround, and should only be applied if access to the resource is necessary and you are sure that the site is clean since this workaround will turn off the AV and categorization scan for those URLs / IPs.

If desired, create a new policy in the Content Filtering Rules to restrict broad access to the site(s). The policy can be used to restrict the access to only certain users, groups or access method for specific sites listed under Trusted Destinations.

To resolve

  • After verifying the problematic IP or URL with WebPulse Site Review Request, you can make a suggestion to change the current category of that IP or URL. A Threat Analyst from our team can verify the site and change the category if it's considered correct or safe. You can choose to be notified of the results through email.
  • If you continue to experience problems after receiving a reply, it's most likely that you have only asked for one IP or URL to be reviewed, and there is another one (or a different protocol) that needs to be changed as well. (For instance: You asked that 1.2.3.4 should be reviewed and re-categorized as "web hosting", by default, we'll check http://1.2.3.4, and if you go to sitereview.bluecoat.com, you may discover that httpS://1.2.3.4 is showing with the category that you consider incorrect. You must also let us know that we have to correct https://1.2.3.4, and the same applies to URLs, another case may be that IP 1.2.3.5 is also associated with the website according to the nslookup performed before, thus, http:// and https://1.2.3.5 also need to be reviewed).