Endpoint Protection Host IPS blocks a URL but Symantec does not block the same URL

Article ID: 172210

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) IPS blocks the URL http://www.unitedpowerbd.com/.

False Positive submission [89731]: Upon further analysis and investigation we have determined that the URL(s) in question meet the necessary criteria to be detected by our products and as such, the detection cannot be revoked.

If the URL is malicious, the customer is asking why Symantec is not also blocking it as malicious or suspicious.

Cause

The website is blocked by Symantec.

The website was blocked for [SID: 28821] Web Attack: Mass Injection Website 19. When Security Response investigated, it verified that the site was indeed attempting a mass injection attack: the site is injected with a script that redirects the viewer to malicious domains.

Symantec is not blocking the same URL.

Resolution

ProxySG and WSS use the Symantec GIN services to categorize and classify URLs. It is possible that SEP and GIN do not use the same criteria for URL classification.