Level 10

Malware Detected best practice?

When I attempt to access the Logon page of a particular website, I get a Block page stating:

Malware Detected

The transferred file contained a virus and was therefore blocked.


Media Type: text/html

Virus Name: BehavesLike.HTML.Obfuscated.nq

User Name [Client IP]: <redacted>

Rule Name: Gateway Anti-Malware - Block If Virus was Found

The site's home page is accessible (, but the Block page appears when clicking on the page's Login link.

I've contacted the website administrators (who also happen to use McAfee Web Gateway in their environment, fwtw) and was told they'd check out their site for any problems.

I've not heard back from them and in the meantime we have some service lines that must access this website.

Odds are this is a false positive, and while I can easily put an exclusion for in the Anti-Malware URL Whitelist, I'm not sure this is the best way to go about handling the situation.  For instance, would it be better to somehow exclude this particular "virus name" for this website as opposed to simply whitelisting the website?

Does anyone have any suggestions or best practices to share for such situations?

0 Kudos
1 Reply
Level 10

Re: Malware Detected best practice?

That BehavesLike guy sure is the most prolific of false positive authors

A white list is possible, but it might well be the white list that you want to have the strictest policy about, full URL paths, no pattern matching (too bad for URL parameters), full security reviews, keep it short, periodic review, age out the entries, etc.

0 Kudos
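
The allow-list policy described in the reply (full URL paths, no pattern matching, entries that age out and get reviewed), combined with the question's idea of excusing one detection name rather than the whole site, sketched as an added example. It is not part of the thread and is not McAfee Web Gateway rule syntax; the host, dates, ticket value and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AllowEntry:
    url: str         # one full URL, no wildcards or patterns
    detection: str   # the only detection name this entry excuses
    expires: date    # entry ages out after this date
    ticket: str      # reference to the security review that approved it

# Constructed sample data; the detection name is the one quoted in the question.
ENTRIES = [AllowEntry("https://portal.example.test/account/login",
                      "BehavesLike.HTML.Obfuscated.nq",
                      date(2025, 3, 31), "REVIEW-PLACEHOLDER")]

def normalize(url):
    """Split a URL into an exact-match key, or None if it cannot be trusted."""
    try:
        p = urlsplit(url)
        default = {"http": 80, "https": 443}[p.scheme]
        port = p.port if p.port is not None else default
    except (ValueError, KeyError):
        return None  # malformed URL or unexpected scheme: fail closed
    if not p.hostname or p.username or p.password:
        return None  # userinfo tricks such as trusted-host@other-host
    return (p.scheme, p.hostname.rstrip("."), port, p.path or "/", p.query)

def may_bypass(url, detection, today, entries=ENTRIES):
    """True only for an unexpired entry matching both the full URL and the detection."""
    key = normalize(url)
    if key is None:
        return False
    return any(today <= e.expires and e.detection == detection
               and normalize(e.url) == key for e in entries)

def due_for_review(today, entries=ENTRIES, within_days=14):
    """Entries that have expired or expire soon, for the periodic review."""
    return [e for e in entries if (e.expires - today).days <= within_days]
```

Because the query string is part of the match key, a request carrying URL parameters does not match an entry recorded without them, which is the trade-off the reply points out.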