
Web Access Blocked


JaapHoetmer

Hello

 

My Endpoint AV blocks access to jpg files from a particular website, but it doesn't say why. These events are also not visible in the journal. Are they logged anywhere so I can understand why the access is blocked?

 

The website in question is hXXp://sorayabakhtiar.com/

 

 

Thanks, kind regards

Edited by Aryeh Goretsky
edited URL to make it non-clickable

  • Administrators

The website has recently been infected and serving malware (file 2014_06informationen_zum_transaktions_pdf.zip for instance). Since it's been removed, we'll unblock the website as of the next update.

Next time, please report URL blocks to ESET Malware research lab as per the instructions here.


Thanks, Marcos, for the information.

 

I am wondering why this information is not shown anywhere, as the popup alert only says that access to the site content is blocked, but states no further reason or where to go for more information. Additionally, the application's journal doesn't state anything related to these events having taken place, despite the fact I enabled ThreatSense journaling. Why is the log/journal not showing this?

 

Regards, Jaap


Well, if a site is blocked it's obviously because there is something bad on the site, that's the reason. But there's no way ESET can keep up and write threat reports for each site that is blocked and tell you why and what type of threat is on the site. That's literally impossible in today's threat landscape when sites serving malware go up and down very quickly.

 

How the logging works depends on how you have the log verbosity set up. 


Hi SweX, thanks for the reply, yes I do understand and appreciate that it is very hard to keep up with the ever changing landscape of sites infected with malware, but no information is not good either. As Marcos was saying before you, the reason for the block was known, so this information _was_ readily available. It just never showed.

 

Most if not all sites that have been marked or recorded by ESET as carrying malicious content do show a message in the browser that at least provides a minimal indication, and a log entry helps to track this. However, this site didn't, only the popup showed indicating objects had been blocked but without indicating why. The product additionally doesn't show anything in the log about this particular event, which to me is not correct. I have checked all the settings available, and couldn't get it to log the event by whatever means.


Hello,

 

Sorry, my fault :(. I now see you use Endpoint, so the settings etc. may be a bit different in there.

 

Right, I guess you saw a "blocked URL or blocked IP" popup notification. Yes, they don't look exactly the same as the threat notification popups, e.g. "Win32/Kryptik...quarantined, connection terminated.".

This topic is now closed to further replies.