Recently upgraded to 22.214.171.124
I have a user who is doing searches and being redirected and blocked. When doing a search for "web filtering software" on Google the first result after the ads is http://www1.k9webprotection.com. Upon clicking on the link he gets blocked like so:
First, I don't know why he's being redirected to Google ads when it's not an ad link. Second, when is Google ads Malicious? Third, Malicious and Minimal Risk? Something's not right here.
Using the internal check URL (thanks e²!) I get the same result:
For the grand finale Trusted Source shows no category:
Where's the disconnect?
Running the virus scans did the trick. The user hasn't had any problems since their removal. As I stated earlier a local scan removes most of the infections, but a remote scan with users logged out of the machine seems to clean everything up and resolved the issue.
Thanks everybody for your assistance!
Take a look and ensure that you are not being redirected to an SSL version of Google - it appears that when my users are not 'properly' authenticated and they try to hit Google (and it's the httpS) it chokes on me as well.
No, it's not HTTPS as far as I can tell. The original block screen shows HTTP. That's a good thought though, I'll keep it in mind and double check on the user's side.
Can't currently replicate
Also, don't have the access.logs anymore. Would a detailed web report help? Or can they be recovered from the Web Reporter?
I see this fairly often with a lot of different sites, though Google is a fairly common culprit.
The site itself is known to be minimal risk, however that server, or URI may have had something on it that McAfee have classed as Malicious. From what I can tell, this is an automated process by Trusted Source. The incidents of this are normally transient, though when I do see it, I always report the link to Trusted Source and it is quickly resolved.
BTW, the block pages have some potentially sensitive internal details of your network, such as the user's User ID, and the departments they work for. You might want to remove it.
Thanks for the insight. I can confirm that from time to time I have seen reports about something being blocked, while a few moments later the issue did not show up again. I am very interested in catching examples of "known good websites" being rated as malicious, but it is very rare that I get an example I can replicate (that's why I asked if you can replicate it).
Basically we do not only categorize the URL, but also Paths or Parameters can influence the result. Additionally, Category and Reputation are independent from each other, so it could happen that a specific piece of the URL leads to a malicious rating, while the overall reputation of the domain is still good.
We have around 20 URL filter updates a day and usually such issues are resolved very quickly. I personally would ask the user to check if the issue persists. If it does we should replicate the problem and find out what causes the block. If the issue is gone most likely a URL filter database update has resolved the issue magically. It would require the URL and the exact URL filter database version to replicate the problem.
@tris - I thought about reporting it to Trusted Source, but since I couldn't replicate it on a different PC today I figured I should wait. Thanks for the sensitive info heads up, too! I usually do my best to edit, but I must've been in a rush; I don't see a way to edit my post though.
@andre - I've asked the user to be on the lookout and try it on his free time. The strangest thing was yesterday afternoon (of course this happened at 4:50pm!) that as I watched this happen, I asked the user to try out Bing. So, we searched Bing for web filtering software and found the K9 listing in the results. When he clicked on the link we got the same googleads/malicious sites block page! I still can't figure that one out.
Sounds like a browser hijack.
The URL that it's referring to is googleads.l.doubleeclick.net rather than doubleclick.net. doubleeclick.net is a malicious domain.
There's some discussion here:
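Added example, not part of the thread: one way an administrator could flag requests like the one in the last reply, where the host sits under doubleeclick.net rather than doubleclick.net, when reviewing proxy logs. The "user URL" log format, the allow-list and all function names are assumptions made for this example, and the sample lines are constructed.

```python
from urllib.parse import urlsplit

# Assumed allow-list of domains users are expected to reach (example values).
KNOWN_GOOD = {"doubleclick.net", "google.com", "k9webprotection.com"}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(url, max_distance=2):
    """Return the known-good domain that the URL's domain imitates, or None."""
    domain = registrable(urlsplit(url).hostname or "")
    if domain in KNOWN_GOOD:
        return None  # exact match is the real domain, not a lookalike
    for good in sorted(KNOWN_GOOD):
        if 0 < edit_distance(domain, good) <= max_distance:
            return good
    return None

def flag_requests(log_lines):
    """Return (user, url, imitated_domain) for every request to a lookalike domain."""
    hits = []
    for line in log_lines:
        user, url = line.split()[:2]
        good = lookalike_of(url)
        if good:
            hits.append((user, url, good))
    return hits

# Constructed sample lines in the assumed "user URL" format.
SAMPLE_LOG = [
    "user1 http://googleads.l.doubleeclick.net/",
    "user1 http://googleads.g.doubleclick.net/",
    "user2 http://www1.k9webprotection.com/",
    "user2 http://www.google.com/search?q=web+filtering+software",
]

if __name__ == "__main__":
    for user, url, good in flag_requests(SAMPLE_LOG):
        print(f"{user}: {url} looks like {good}")
```

A hit on a single workstation, as in this thread, points at the client rather than at the filter's rating of the legitimate site.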