1 Reply Latest reply on Jun 9, 2017 3:00 PM by johnaldridge

    Malware Detected best practice?

    Travler

      When I attempt to access the Logon page of a particular website, I get a Block page stating:


      Malware Detected

      The transferred file contained a virus and was therefore blocked.

      URL: http://scipn.org/

      Media Type: text/html

      Virus Name: BehavesLike.HTML.Obfuscated.nq

      User Name [Client IP]: <redacted>

      Rule Name: Gateway Anti-Malware - Block If Virus was Found


      The site's home page is accessible (scipn.org), but the Block page appears when clicking on the page's Login link.


      I've contacted the website administrators (who also happen to use McAfee Web Gateway in their environment, fwiw) and was told they'd check out their site for any problems.


      I've not heard back from them and in the meantime we have some service lines that must access this website.


      Odds are this is a false positive, and while I can easily put an exclusion for scipn.org in the Anti-Malware URL Whitelist, I'm not sure this is the best way to go about handling the situation. For instance, would it be better to somehow exclude this particular "virus name" for this website as opposed to simply whitelisting the website?


      Does anyone have any suggestions or best practices to share for such situations?

        • 1. Re: Malware Detected best practice?
          johnaldridge

          That BehavesLike guy sure is the most prolific of false positive authors.


          A white list is possible, but it might well be the white list that you want to have the strictest policy about, full URL paths, no pattern matching (too bad for URL parameters), full security reviews, keep it short, periodic review, age out the entries, etc.
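As an added illustration of the whitelist hygiene rules in the reply above (full URL paths, no pattern matching, periodic review, age out entries), not code from the thread or from McAfee: a small Python audit over a constructed exception list that flags entries which are bare domains, use wildcards, or are past their review date. The list format, field names, paths and dates are assumptions, not McAfee Web Gateway's own whitelist format.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse


# Constructed exception-list format (assumed, not MWG's own): one entry per
# URL, with the date by which it must be re-reviewed or removed.
@dataclass
class WhitelistEntry:
    url: str
    review_by: date


def audit_entry(entry: WhitelistEntry, today: date) -> list[str]:
    """Return the policy violations for one entry (empty list means compliant)."""
    problems = []
    u = urlparse(entry.url)
    if u.scheme not in ("http", "https") or not u.netloc:
        problems.append("not an absolute URL")
    # Rule: full URL paths only; a bare domain exempts the whole site from scanning.
    if u.path in ("", "/"):
        problems.append("bare domain, not a full path")
    # Rule: no pattern matching in entries.
    if any(ch in entry.url for ch in "*?"):
        problems.append("wildcard pattern")
    # Rule: age out entries; a review date in the past means the entry is stale.
    if entry.review_by < today:
        problems.append("past review date")
    return problems


def audit(entries: list[WhitelistEntry], today: date) -> list[tuple[str, list[str]]]:
    """Audit every entry, preserving order (duplicate URLs are kept separate)."""
    return [(e.url, audit_entry(e, today)) for e in entries]


# Constructed sample list; the /login path is hypothetical, not scipn.org's real one.
SAMPLE = [
    WhitelistEntry("http://scipn.org/", date(2017, 9, 1)),       # whole site exempted
    WhitelistEntry("http://scipn.org/*", date(2017, 9, 1)),      # wildcard
    WhitelistEntry("http://scipn.org/login", date(2017, 9, 1)),  # narrow, compliant
    WhitelistEntry("http://scipn.org/login", date(2017, 3, 1)),  # stale, needs review
]

if __name__ == "__main__":
    for url, issues in audit(SAMPLE, date(2017, 6, 9)):
        print(url, "->", issues or ["ok"])
```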