
URL Categorization

Hi there,

Why does trustedsource.org categorize ezthemes(dot)com as "Malicious Sites" and "PUP" and not our ASG? The client's AV blocked access...

Log file shows lines like this: 
url="www.ezthemes.com/.../jpeg"


We don't block access depending on a site's reputation. So I can imagine there are more false friends...

Can someone explain that behaviour of the ASG?
-- 
Kind regards

Steffen


  • Steffen, please show the complete line from the log.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    here are all ezthemes(dot)com related lines:
    2010:11:04-12:59:18 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1143 ms" request="0xa5e3d230" url="www.ezthemes.com/.../jpeg"
    
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1246 ms" request="0xa54ee970" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1273 ms" request="0xa56aab60" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1306 ms" request="0xa2e40090" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1352 ms" request="0xa2e215f8" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="797 ms" request="0xa5469ce8" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="784 ms" request="0xa56dac48" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="788 ms" request="0xa542feb8" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="***" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2728" time="0 ms" request="0xa2e74f78" url="www.ezthemes.com/.../birthofthefederation.jpg" exceptions="" error="" reason="category" category="137" reputation="malicious" categoryname="Provocative Attire"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="10853" time="788 ms" request="0xa5c8c3d8" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:19 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="8983" time="778 ms" request="0xa5cafab8" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="929 ms" request="0xa56a3a80" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="871 ms" request="0xa5e17870" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="852 ms" request="0xa54d1620" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="860 ms" request="0xa563df98" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="10937" time="805 ms" request="0xa5670f88" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1027 ms" request="0xa560e270" url="www.ezthemes.com/.../jpeg"
    2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="***" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="11680" time="1002 ms" request="0xa5691260" url="www.ezthemes.com/.../jpeg" 


    I can't see any hint. I defined a DNS group for blocking HTTPS to their IPs and set the URL as block by blacklist.

    Em, yes, mh, I'm at v7.507.
    -- 
    So long,

    Steffen
  • Those all look correct to me.  Nothing was blocked because of reputation="malicious". One jpg was blocked for categoryname="Provocative Attire".
    I don't know why the AV on the client thought entermilkywayncc1701d.jpg has a virus.  Maybe their AV has some settings that make it extra careful with jpegs?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
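    A small parser for the httpproxy lines above, added here as an example and not part of this thread or of the Sophos product: it reads the key="value" fields, tallies pass/block actions per host, and shows that reputation="malicious" was only logged while the actual block reason was the category. The sample lines are constructed with a placeholder host and source IP.

```python
import re
from collections import defaultdict

# Constructed sample in the Astaro/Sophos UTM httpproxy key="value" format.
# Not the poster's log: host, paths and srcip are placeholders.
SAMPLE_LOG = """\
2010:11:04-12:59:18 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.5" user="" statuscode="200" size="11680" url="www.example.invalid/themes/a.jpeg"
2010:11:04-12:59:19 astaro httpproxy[653]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.0.0.5" user="" statuscode="403" size="2728" url="www.example.invalid/themes/b.jpg" reason="category" category="137" reputation="malicious" categoryname="Provocative Attire"
2010:11:04-12:59:20 astaro httpproxy[653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.5" user="" statuscode="200" size="10853" url="www.example.invalid/themes/c.jpeg"
"""

# key="value" pairs; values contain no double quote in this format
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one httpproxy line plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = ts
    return fields


def summarize(log_text):
    """Group requests by host: count pass/block actions, record the reason and
    category of every blocked URL, and collect each reputation value the proxy
    logged for the host (it appears on the blocked line but is not the reason)."""
    hosts = defaultdict(lambda: {"pass": 0, "block": 0, "blocked_urls": {},
                                 "reputations": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        host, _, _ = f.get("url", "").partition("/")
        h = hosts[host]
        action = f.get("action", "")
        if action in ("pass", "block"):
            h[action] += 1
        if action == "block":
            h["blocked_urls"][f["url"]] = (f.get("reason"), f.get("categoryname"))
        if f.get("reputation"):
            h["reputations"].add(f["reputation"])
    return dict(hosts)


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info["pass"], "passed,", info["block"], "blocked")
        for url, (reason, cat) in info["blocked_urls"].items():
            print("  blocked:", url, "reason=%s category=%s" % (reason, cat))
        print("  reputations seen:", sorted(info["reputations"]))
```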
  • Hi Bob,

    you're right, but the problem is that trustedsource.org/McAfee categorizes the URL as Malicious Site and PUP.

    So why is it shown as Entertainment in my log if Astaro uses McAfee's database? See the attached picture. The AV software on the client blocked all traffic from/to the URL.
    -- 
    Kind regards,

    Steffen
  • Ah! Understood.  I think you're gonna do a facepalm and chuckle at yourself... [;)]

    The categorization goes beyond the domain, and can even go down to complete, explicit URLs.  "www.ezthemes.com/.../" is PUPs.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    thanks for the explanation. I thought the main part of a URL is checked, not the whole URL. So I have to go to ts again and request a recategorization.
    -- 
    So long,

    Steffen