
Endpoint sees Amazon S3 as Mal/HTMLGen-A

We run a portal that uses Amazon S3 as the placeholder for PDFs and other files. Since this morning around 10 AM, my users can no longer access anything with Amazon S3.

Sophos reports: Action = Block, Reason = Threat(Mal/HTMLGen-a)

Anyone else experiencing this problem?

CSV Export (partial):

"6/20/2012 11:43:59 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:43:17 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:41:33 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:40:42 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:38:32 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:25:00 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:24:43 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:20:36 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:20:22 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:20:04 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:42:45 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:41:25 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:38:56 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:38:53 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:26:09 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:24:56 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:24:52 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:23:34 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:04:09 AM",USER AND SYSTEM,"72.21.215.75","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:04:06 AM",USER AND SYSTEM,"72.21.215.75","Block","Threat (Mal/HTMLGen-A)",""

Thanks for any help.

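The export above has no header row, so it helps to have a small script that parses it, groups the blocks by destination address, and checks each address against the prefixes you expect the portal to be talking to before deciding whether a block looks like a false positive worth raising with Support. The following is an added example, not code from the thread or from Sophos: the column order is inferred from the export, the sample lines are copied from the post, and the 72.21.192.0/19 prefix is a constructed stand-in for whatever Amazon currently publishes in its ip-ranges.json, not something the page states.

```python
"""Triage a header-less Sophos endpoint CSV export of web blocks.

Added example (not from the thread). Parses the export, groups blocks by
destination IP with count and first/last seen, and marks each IP as
"expected" when it falls inside an operator-supplied prefix list, which
is the case to raise with Support as a possible false positive.
"""
import csv
import ipaddress
import re
from datetime import datetime
from io import StringIO

# Sample rows copied from the CSV export in the post (the export has no header).
SAMPLE_EXPORT = '''"6/20/2012 11:43:59 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 11:43:17 AM",USER AND SYSTEM,"72.21.194.22","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:42:45 AM",USER AND SYSTEM,"72.21.214.199","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:04:09 AM",USER AND SYSTEM,"72.21.215.75","Block","Threat (Mal/HTMLGen-A)",""
"6/20/2012 10:04:06 AM",USER AND SYSTEM,"72.21.215.75","Block","Threat (Mal/HTMLGen-A)",""
'''

# Assumed column order, inferred from the export; the page does not document it.
FIELDS = ("time", "user", "ip", "action", "reason", "extra")

# Assumption: prefixes the operator expects the portal to reach (Amazon S3).
# 72.21.192.0/19 is a constructed sample; take the real list from Amazon's
# published ip-ranges.json rather than trusting this value.
EXPECTED_PREFIXES = [ipaddress.ip_network("72.21.192.0/19")]

THREAT_RE = re.compile(r"Threat \((.+)\)")


def parse_export(text):
    """Yield one dict per export row with a parsed timestamp and threat name."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) < 5:
            continue  # skip blank or truncated lines
        row = dict(zip(FIELDS, rec))
        row["time"] = datetime.strptime(row["time"], "%m/%d/%Y %I:%M:%S %p")
        m = THREAT_RE.search(row["reason"])
        row["threat"] = m.group(1) if m else row["reason"]
        rows.append(row)
    return rows


def summarize(rows):
    """Group blocks by destination IP: count, first/last seen, threat names."""
    by_ip = {}
    for r in rows:
        s = by_ip.setdefault(
            r["ip"], {"count": 0, "first": r["time"], "last": r["time"], "threats": set()}
        )
        s["count"] += 1
        s["first"] = min(s["first"], r["time"])
        s["last"] = max(s["last"], r["time"])
        s["threats"].add(r["threat"])
    return by_ip


def in_expected_prefixes(ip, prefixes=EXPECTED_PREFIXES):
    """True when the address lies inside one of the operator's expected prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)


def triage(text, prefixes=EXPECTED_PREFIXES):
    """Return per-IP summaries with a verdict: "expected" (candidate false
    positive, inside a known prefix) or "unexpected" (treat as a real block
    until shown otherwise)."""
    out = {}
    for ip, s in summarize(parse_export(text)).items():
        verdict = "expected" if in_expected_prefixes(ip, prefixes) else "unexpected"
        out[ip] = dict(s, verdict=verdict)
    return out


if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_EXPORT).items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip:15} {s['count']:3d} blocks {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} "
              f"{','.join(sorted(s['threats']))} -> {s['verdict']}")
```

Run it against the full export and the first-seen column confirms when the blocking started (here 10:04:06 on 72.21.215.75); any IP that comes back "unexpected" is one to look at on its own rather than lumping it in with the S3 addresses when you open the Support case.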


Hello rventura,

Sophos blocks these addresses, and when I turn off "Block access to malicious websites", Web Control kicks in and blocks them with category Hacking. For me they just return a redirect (307) to aws.amazon.com/s3 (which displays without problem), but this might depend on the origin and specific contents of the request (in my case just "/").

If you look at the detailed analysis of Mal/HTMLGen-A, it says: "Web pages blocked by Sophos products as Mal/HTMLGen-A are likely to be used in an infection chain used to infect users with malware." Guess you'd have to contact Support; it might be a false positive like here or it might not.

You can exempt these sites/addresses in the AV and HIPS policy under Authorization, but to be on the safe side you should contact Support.

Christian
