07-17-2025 10:37 AM
Hello community,
Recently we have been experiencing random blocking of some websites on Cisco WSA with the reason
Reason: BLOCK-MALWARE
Notification: MALWARE_SPECIFIC
The website is only blocked on about 1 of 10 access attempts, and after a refresh it loads correctly.
Seems like a false positive to me.
We are running
S100V
Version: 14.5.1-016
I have already opened a TAC for it but no progress yet.
Anybody else experiencing the same?
07-26-2025 08:44 AM
Hello kamensky@kronovision.sk
I hope you are doing fine
it would be best to:
[1] collect the HAR file to see if any specific file is getting blocked
[2] set the scanner's logs to DEBUG; for example, if you are using Sophos and Webroot, please change their log level to DEBUG
[3] add these to your access logs:
[ Request Details: ID = %I] [Client Port = %F, Server IP = %k, Server Port = %p][ AVC response = %:A> , AVC total = %:A< , DCA response = %:C> , DCA total = %:C< , McAfee response = %:m> , McAfee total = %:m< , Sophos response = %:p>, Sophos total = %:p<, Webroot response = %:w>, Webroot total = %:w<, Anti-Spyware response = %:<s, Anti-Spyware total = %:>s, AMP response = %:e>, AMP total = %:e<] [ x-amp-verdict = %X#1# , x-amp-malware-name = %X#2# , x-amp-score = %X#3# , x-amp-upload = %X#4# , x-amp-filename = %X#5# , x-amp-sha = %X#6# , x-p2p-amp-svc-time = %:e< , x-p2p-amp-wait-time = %:e> ] [x-resp-dvs-verdictname =%XZ , x-app-type = %Xu , x-icap-verdict = %Xp , x-ids-verdict = %Xl ] [x-sophos-scanerror = %Xx , x-sophos-file-name = %Xy , x-sophos-scanverdict = %XY , x-sophos-virus-name = %Xz , x-webroot-spyid = %Xs , x-webcat-req-code-full = %XR , x-webroot-scanverdict = %Xv , x-avc-reqbody-scanverdict = %XN , x-webroot-threat-name = %Xn , x-avc-resphead- scanverdict = %XM , x-mcafee-virus-name = %Xj , x-mcafee-av-virustype = %Xh , x-mcafee-av-detecttype = %Xg , x-mcafee-scanverdict = %Xj, x-avc-reqbody- scanverdict = %XH] [x-wbrs-score = %XW ]
Then please share the date and time of the test + HAR log with the TAC; they will collect the access logs via remote access and will investigate further.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
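For step [1], a HAR capture can be searched for responses that carry the block page, which gives the exact timestamps and URLs to hand to TAC. The script below is an added example, not part of the reply above; it assumes a HAR 1.2 file saved with response bodies, and the sample capture, its status codes and its URLs are constructed.

```python
import base64
import json

# Block-page markers quoted in the original post.
MARKERS = ("BLOCK-MALWARE", "MALWARE_SPECIFIC")

def load_har(path):
    """Load a HAR file exported from the browser's developer tools."""
    with open(path, encoding="utf-8-sig") as f:
        return json.load(f)

def body_text(content):
    """Return the response body from a HAR 1.2 'content' object as text."""
    text = content.get("text") or ""
    if content.get("encoding") == "base64":
        try:
            text = base64.b64decode(text).decode("utf-8", "replace")
        except ValueError:  # malformed base64: treat the body as empty
            text = ""
    return text

def blocked_entries(har):
    """List (startedDateTime, status, url, markers) for block-page responses."""
    hits = []
    for entry in har.get("log", {}).get("entries", []):
        resp = entry.get("response", {})
        found = [m for m in MARKERS if m in body_text(resp.get("content", {}))]
        if found:
            hits.append((entry.get("startedDateTime"), resp.get("status"),
                         entry.get("request", {}).get("url"), found))
    return sorted(hits, key=lambda h: h[0] or "")

# Constructed sample HAR (not captured from a real WSA); URLs are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-07-17T08:30:02.100Z",
     "request": {"url": "https://intranet.example/app.js"},
     "response": {"status": 200, "content": {"text": "console.log('ok');"}}},
    {"startedDateTime": "2025-07-17T08:30:01.500Z",
     "request": {"url": "https://intranet.example/lib.js"},
     "response": {"status": 403, "content": {
         "encoding": "base64",
         "text": base64.b64encode(
             b"Reason: BLOCK-MALWARE Notification: MALWARE_SPECIFIC").decode()}}},
]}}

if __name__ == "__main__":
    # For a real capture use blocked_entries(load_har("capture.har")).
    for when, status, url, found in blocked_entries(SAMPLE_HAR):
        print(when, status, url, ",".join(found))
```

Entries whose bodies were not stored in the HAR will not match, so export the capture with content included.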
08-07-2025 03:53 PM
Hello,
Thank you for the feedback.
Cisco confirmed this as a bug https://bst.cisco.com/quickview/bug/CSCwp93076
We are waiting for further steps now. The issue is still ongoing; however, most web pages are now loaded, but it is very slow, impacting daily operations...