URL safe for LiveGrid but blocked by the Web protection


cyb

I am using ESET PROTECT and ESET Endpoint.

One URL is blocked by the Web protection module (PUA blacklist) but is declared "Safe" by LiveGrid: is there a way to make the Web protection use LiveGrid's reputation?

I am getting a few false positives like this one across the organization, and if I could avoid such errors by trusting LiveGrid it would be great.

The detection details follow (emphasis mine):

-----

Web protection
An attempt to connect to URL
Occurred: November 3, 2022 17:12:35
Occurrences:
* Total 4
* Resolved 4
* Handled by product 4
Cause: Blocked
Hash: C0E20A0172694DF8441C75B848A86BEA97C2CE17
Uniform Resource Identifier (URI): ***redacted***
Process name: C:\Program Files\Google\Chrome\Application\chrome.exe
Event: An attempt to connect to URL
Rule: Blocked by PUA blacklist
Scanner: HTTP filter
Target address: ***redacted***
User: ***redacted***

ESET LiveGrid®
Observed worldwide (ESET LiveGrid®)
Reputation: Safe (8)
Popularity: 10000000 - 99999999 computers (approximation)
First seen: 2 weeks ago
Detection observed in organization
Count: 17
First time: November 3, 2022 11:33:29
Last time: November 8, 2022 15:20:18

-----

Link to comment
Share on other sites

  • Administrators

It appears that Chrome (clean app) attempted to open a PUA website.  What is the url that was blocked? LiveGrid has reputation of files, not urls.

Link to comment
Share on other sites

I can't really publicly share the URL (can do privately though).

What actually happened is that Chrome attempted a GET on a URL which contains (in the query string) a URL which ESET thinks is bad.

Quote

LiveGrid has reputation of files, not urls.

OK, so the display of LiveGrid reputation on the detection details window is misleading.

Link to comment
Share on other sites

  • Administrators

Please drop me a private message with the url and a screenshot of the above detection details enclosed.

Link to comment
Share on other sites

(Private message sent)

As I said, I know these URLs are seen as potentially bad (but I don't know why), but I think they are false positives, and I thought I could use LiveGrid to avoid blocking some of these.

Link to comment
Share on other sites

  • Administrators

Thanks. Since malware has been removed from the website, we have unblocked it. Also, I've asked the product manager to consider labeling the LiveGrid part "Process details" to make it clear that the LiveGrid info pertains to the process that accessed the URL.

Link to comment
Share on other sites
