Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
739
Views
0
Helpful
1
Replies

ISA500 series False positives

Brian Bergin
Level 4
Level 4

‎06-07-2013 05:45 AM

We've seen multiple false postives in the ISA500 series security applianes/routers over the post few months, most have not been a big deal, bu we have yet to find a good way to report larger issues to Cisco.  Yesterday I opened a case and spent 20 minutes trying to convince the support tech that they had another false positive, this time download.piriform.com (the makers of CCleaner).  The guy really just didn't understand, even going as far as saying he's using an ISA in the office and it wasn't blocking it, until I pointed out to him that he didn't have his security services enabled (uh, shoudln't they be running the ISA with all the security services enabled as that's how Cisco markets these units over say an RV082 which has all the same abilities except the security services?).

Anyway, how are the rest of you reporting false positives?  After the day and a half wth Google blocked and weeks with UltraVNC's download site blocked there's got to be a better system to report sites that Cisco is unacceptably blocking.

Oh, by the way, the support tech suggesed I enter the flase positive in the always allow list.  I informed him I knew that but that doing it on every ISA500 we had in the field was an unacceptble solution.  Cisco just needs a false positive reporting system AND a 1-2 hour turn around just like Symantec would with false positive virus definitions if Cisco is going to be in the malicious website detection/blocking business.

Labels:
Preview file
28 KB
0 Helpful
1 Reply 1

jeffrrod
Level 4
Level 4

‎06-11-2013 09:42 AM

Dear Brian,

Thank you for reaching The Small Business Support Community and I am sorry to hear about this situation.

Spam Filter, Web URL Filtering, Web Reputation Filtering, and Network Reputation obtain the security data from the SecApps servers and determine which traffic is allowed or blocked. The “Server Status” column under “Security Services > Dashboard “ displays the status of SecApps servers. Make sure that the SecApps servers are online.

Because I am not allowed to edit the SecApps server data I can only suggest you to specify the block sensitivity as Low or  Medium from "Security Services > Web Reputation Filtering" on each one of the devices (unfortunately), another option would be a manually allow the websites from the same Web Reputuation configuration area as the engineer you spoke to suggested.

Please let me know if there is anything I may assist you with in the meantime.

Kind regards,

Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer

*Please rate the Post so other will know when an answer has been found.

Jeffrey Rodriguez S. .:|:.:|:. Cisco Customer Support Engineer *Please rate the Post so other will know when an answer has been found.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents