Allowed web page gets blocked by Malware/Spyware or similar
search cancel

Allowed web page gets blocked by Malware/Spyware or similar


Article ID: 171502


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Content Filtering policy setup to allow (or at least, no policy to deny) access to a certain website, but users are still receiving a Blocked result when trying to access it, usually stating that the webpage in question contains Spyware or other malicious software.

Verifying the URL in question with WebPulse Site Review Request does not show any abnormal result or malicious category.


This is because either the URL, or the IPs associated with it, are categorized under a malicious category ("Malicious Outbound Data / Botnets" or "Malicious Sources / Malnets", or "Placeholder" or not categorized at all, in case you are blocking unknown content and Placeholders)

To verify:

  1. Nslookup the website in question (Open a command prompt, and write: nslookup
  2. To verify where the problem is, use to test HTTP and HTTPS versions of all URLs and IPs available to the website. (For instance:,,, It's usual to find at least one of these four possibilities to hold a malicious category, this can be caused by: 
    • A false-positive analysis of our antivirus systems.
    • The page holds a legacy category since it used to be infected or serve as a malnet at some point.
      • This can be verified with virtual antivirus analysis tools, such as, which will detail the scan results of more than 60 antivirus engines, and it will usually mention if the webpage in question is known to have had an infection in the past. Note that it's common for one or two antivirus engines to return a positive result for infection, but as long as +50 antivirus engines come up clean, we can probably conclude that positive results are just false-positives.



Add traffic to Trusted Destinations:

1. Navigate to the WSS portal
2. Select Policy from the left-hand menu
3. Select Threat Protection
4. Select Trusted Destinations (G2 rule)
5. Select traffic from the available list and select add OR Select "New" to define a new IP, domain, etc.
6. Click Save
7. Be sure to click "Activate Policy" to ensure that the changes are applied.

NOTE: Be advised that this is only a workaround, and should only be applied if access to the resource is necessary and you are sure that the site is clean since this workaround will turn off the AV and categorization scan for those URLs / IPs.

If desired, create a new policy in the Content Filtering Rules to restrict broad access to the site(s). The policy can be used to restrict the access to only certain users, groups or access method for specific sites listed under Trusted Destinations.

To resolve

  • After verifying the problematic IP or URL with WebPulse Site Review Request, you can make a suggestion to change the current category of that IP or URL. A Threat Analyst from our team can verify the site and change the category if it's considered correct or safe. You can choose to be notified of the results through email.
  • If you continue to experience problems after receiving a reply, it's most likely that you have only asked for one IP or URL to be reviewed, and there is another one (or a different protocol) that needs to be changed as well. (For instance: You asked that should be reviewed and re-categorized as "web hosting", by default, we'll check, and if you go to, you may discover that httpS:// is showing with the category that you consider incorrect. You must also let us know that we have to correct, and the same applies to URLs, another case may be that IP is also associated with the website according to the nslookup performed before, thus, http:// and also need to be reviewed).