When I attempt to access the Logon page of a particular website, I get a Block page stating:
The transferred file contained a virus and was therefore blocked.
Media Type: text/html
Virus Name: BehavesLike.HTML.Obfuscated.nq
User Name [Client IP]: <redacted>
Rule Name: Gateway Anti-Malware - Block If Virus was Found
The site's home page is accessible (scipn.org), but the Block page appears when clicking on the page's Login link.
I've contacted the website administrators (who also happen to use McAfee Web Gateway in their environment, fwiw) and was told they'd check out their site for any problems.
I've not heard back from them and in the meantime we have some service lines that must access this website.
Odds are this is a false positive, and while I can easily put an exclusion for scipn.org in the Anti-Malware URL Whitelist, I'm not sure this is the best way to go about handling the situation. For instance, would it be better to somehow exclude this particular "virus name" for this website as opposed to simply whitelisting the website?
Does anyone have any suggestions or best practices to share for such situations?
That BehavesLike guy sure is the most prolific of false positive authors
A white list is possible, but it might well be the white list that you want to have the strictest policy about, full URL paths, no pattern matching (too bad for URL parameters), full security reviews, keep it short, periodic review, age out the entries, etc.
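As an added example (not part of the original thread and not McAfee Web Gateway's own configuration or whitelist format), the following Python script enforces the kind of strict whitelist policy the reply describes: exact full URLs only, no pattern matching, a review reference on every entry, and entries that age out. The entry layout, the 90-day review window, and the sample entries are assumptions made for the example.

```python
"""Constructed example: audit an anti-malware URL whitelist against a strict
policy (exact full URLs, no wildcards, a review reference, periodic review).
It does not read or write McAfee Web Gateway configuration; the entry format
and the 90-day review window are assumptions for this example."""

from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit, urlunsplit

MAX_REVIEW_AGE_DAYS = 90   # assumed policy: every entry is re-reviewed within 90 days


@dataclass(frozen=True)
class WhitelistEntry:
    url: str        # full URL, matched exactly (scheme, host, path and parameters)
    reason: str     # ticket or review reference that justifies the exception
    reviewed: date  # date the entry was last reviewed


def normalize(url: str) -> str:
    """Lower-case scheme and host only; path and query stay byte-for-byte."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))


def validate_entry(entry: WhitelistEntry, today: date) -> List[str]:
    """Return the policy violations for one entry (empty list means acceptable)."""
    problems = []
    p = urlsplit(entry.url)
    if p.scheme not in ("http", "https") or not p.netloc:
        problems.append("not an absolute http(s) URL")
    if "*" in entry.url:
        problems.append("contains wildcard characters; only exact URLs allowed")
    if p.path in ("", "/"):
        problems.append("host-only entry would exempt the whole site")
    if not entry.reason.strip():
        problems.append("missing review reference")
    age = (today - entry.reviewed).days
    if age > MAX_REVIEW_AGE_DAYS:
        problems.append(f"stale: last reviewed {age} days ago")
    return problems


def audit(whitelist: Iterable[WhitelistEntry], today: date) -> List[Tuple[str, List[str]]]:
    """List (url, violations) for every entry that breaks the policy."""
    report = []
    for entry in whitelist:
        problems = validate_entry(entry, today)
        if problems:
            report.append((entry.url, problems))
    return report


def is_whitelisted(whitelist: Iterable[WhitelistEntry], requested_url: str, today: date) -> bool:
    """Exact-match lookup. An entry that violates the policy (for example one
    that has aged out) never matches, so stale exceptions stop working on
    their own instead of staying open forever."""
    target = normalize(requested_url)
    return any(normalize(e.url) == target and not validate_entry(e, today)
               for e in whitelist)


if __name__ == "__main__":
    # Constructed sample whitelist; dates and ticket numbers are made up.
    today = date(2024, 6, 1)
    sample = [
        WhitelistEntry("https://scipn.org/login", "CHG-1234", date(2024, 5, 20)),
        WhitelistEntry("https://scipn.org/", "CHG-1235", date(2024, 5, 20)),
        WhitelistEntry("https://scipn.org/*", "CHG-1236", date(2024, 5, 20)),
        WhitelistEntry("https://scipn.org/portal/login", "CHG-0001", date(2024, 1, 1)),
    ]
    for url, problems in audit(sample, today):
        print(url, "->", "; ".join(problems))
    print("login exempt:", is_whitelisted(sample, "https://scipn.org/login", today))
```

The checker treats the login URL as the only thing exempted: `https://scipn.org/login/` or a different capitalisation of the path is a different URL, and a host-only or wildcard entry is reported rather than silently accepted. Run the audit from a scheduled job to catch entries nobody has reviewed recently.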