Anyone else visit McAfee platinum partner http://accuvant.com/ through an MWG today?
Anyone in a position to fix that?
I'd also enjoy if Heuristic.BehavesLike.Win32.ModifiedUPX.C wouldn't fire on GotoAssistStarter.exe down under broker.gotoassist.com. Time to go manually grab, encrypt, scp, and try to find where to submit false positives in the way McAfee mandates.
on 1/31/13 3:00:10 PM CST
Well, it's pretty understandable why it would trigger on malware when the redirect page is using highly obfuscated code.
It seems a little excessive for a simple 302 redirect.
And keep in mind, these are the same techniques that real exploit pages use, so I'd rather have it blocked.
That's above our pay grade. The point is it's highly likely to be a false positive, or McAfee's preferred quickstart consulting partner for web gateway is... owned?
I almost forgot to add to my false positive rant of the quarter:
The venerable fiddler2 interactive debugging web proxy is also getting caught up in a heuristic detection (or at least it was yesterday) despite nothing on VirusTotal saying a word about it. Irony of course is that this tool is indispensable in figuring out what/when/why MWG is blocking a given bit of client web traffic.
But I suppose the onus is on us customers to report all those back.
on 1/31/13 3:55:06 PM CST
This AJAX code redirects to an Incapsula CDN network, which is outside of accuvant.com's responsibility. The URL is calculated at runtime on the user side in the browser and cannot be statically set on Accuvant's web server side with a 30x redirect :-(
So, was the heuristic actually blocking something malicious from the CDN?
Some time today, Accuvant apparently changed their web page code so this issue no longer exists.