Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 587 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AV false positive?

Stupots
Hi,

Anyone else getting a content blocked error (HTML/Crypted.Gen virus found) when they try to go to www.tandberg.com

I'm currently using single-scan with pattern version 10223.

Regards,
Stuart


This thread was automatically locked due to age.
Parents
  • 0
    I get it too... I guess it's possible their site got hacked.  I'll take a look at the log and see what content is triggering that.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • 0
    I get it too... I guess it's possible their site got hacked.  I'll take a look at the log and see what content is triggering that.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
  • 0 in reply to BrucekConvergent
    Hmm... The Astaro Content Filter log doesn't reveal the specific content that triggered the detection.  I did notice that Data Backup, Storage & Protection Solutions | Tandberg Data works fine... not sure if that's the same company though.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Bruce,

    I get it too... I guess it's possible their site got hacked.  I'll take a look at the log and see what content is triggering that.


    We don't use the Astaro IPS here, but if you do, can you turn AV off and see if it trips anything there, like double-decoding?  I'm wondering whether the AV has simply picked up content that may be normal content that has been obfuscated through encoding by one of the methods described here: HTML URL Encoding Reference

    Thanks,
    Stuart
  • 0 in reply to Stupots
    Bruce,

    I'm wondering whether the AV has simply picked up content that may be normal content that has been obfuscated through encoding


    Actually, I've managed to partly answer my own question.

    If you 
    wget www.tandberg.com
     the page and then view it, you can see some encoded content (hex separated by % symbols) but not being an expert in HTML, I'm not sure of the effect of this code or whether it's harmless.

    I'm actually out of the office for the next two weeks, so if you can raise this with Astaro (seeing as you have the same problem and are probably on the phone to them every day [;)] ) and that it might be a false positive, that'd be cool.

    For info, if you paste some of the content into http://www.yellowpipe.com/yis/tools/encrypter/index.php as "URL decode", it comes out with readable content that looks innocent.

    Regards,
    Stuart