playboy.com not getting blocked on multiple pc's (with transparent redirection). however when explicitly pointed to proxy the same pc's were blocked for the website.
if these pc's were moved to a different subnet it would block the traffic transparently but when put back again to same subnet it would again allow the website.
With the access logs it was noticed that pc's where the website was not getting blocked were wrapping the playboy url and it was being then categorized as business category. The destination ip was also different as compared to when the logs were taken with the pc where the site was being blocked.
logs from infected PC (where playboy would not get blocked):
1477670667.365 60 10.1.90.39 TCP_MISS/200 371 GET http://dt.adsafeprotected.com/dt?anId=8544&asId=6db0ba4f-fa34-ce9e-3f82-89e1768d54c3&tv={c:sqsnJ9,pingTime:-8,time:226419,type:l,fc:0,rt:1,cb:0,np:1,th:0,es:0,sa:1,gm:1,fif:0,slTimes:{i:0,o:226419,n:0,pp:0,pm:0,gpp:0,gpm:0,gi:0,go:0,gn:226419,fi:0,fo...[{sl:o,fsl:fn,gsl:gn,t:26,wc:-7.-7.1536.701,ac:268.34.970.250,am:i,cc:-7.-7.970.250,piv:100,obst:0,th:1,reas:f,cmps:1,bkn:{piv:[226411~0,4~100],as:[226415~970.250]}}],slEventCount:1,em:true,fr:true,uf:0,e:,tt:jload,dtt:209,fm:q0WuAhk+11|12|13|14|15|16|17|18.8544|181|182|19|1a*.8544|1a1|1a2|1b|1c.8544|1c1|1d|1e.8544|1e1|1f|1g|1h|1i,idMap:1a*}&br=g - DIRECT/dt.adsafeprotected.com image/gif DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_adv,-2.3,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_adv,-,"-","-","Unknown","Unknown","-","-",49.47,0,-,"-","-",-,"-",-,-,"-","-"> -
00:45
1477670671.623 11 10.1.90.39 TCP_MISS/200 385 GET http://playboy-d.openx.net/w/1.0/bo?bd=622&br=p&bp=651&bt=2500&ts=1fHJpZD0yZGQ0ZWI2MS0yNWFlLTRmMjItODUyZi04OGUwOTI2Y2EwN2V8cnQ9MTQ3NzY3MDY3MXxhdWlkPTUzODAxNzc5OXxhdW09RE1JRC5XRUJ8YXVwZj1kaXNwbGF5fHNpZD01MzcyMDEzMzd8cHViPTUzNzExNDA0OXxwYz1VU0R8cmFpZD1... - DIRECT/playboy-d.openx.net image/gif DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup <IW_busi,-0.3,1,"-",-,-,-,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_busi,-,"-","-","Unknown","Unknown","-","-",280.00,0,-,"-","-",-,"-",-,-,"-","-"> -
Logs from PC where playboy was correctly being blocked (in transparent mode)
1477671120.904 0 10.1.90.37 TCP_DENIED/403 0 GET http://playboy.com/ - NONE/- - BLOCK_CUSTOMCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE <C_Deny,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -
The actual ip for play boy showing in the packet captures was 204.74.99.100. However with the infected pc it was showing 151.101.44.65.
This could only be possible when either a program is installed on PC which is somehow hiding itself and is able to figure out change in ip and would hide itself (in action as well) in case ip is changed, hence the site would get blocked when the subnet was changed.It seems the program was designed to hide itself.
We could not find any suspicious program installed on the pc (under control panel>> programs) so then as a next step checked the plugins. The plugin was also not showing anything suspicious. Unistalling firefox and reinstalling firefox did not help.
Google did provide us more insight when basis the logs we searched and found that there were websites explaning details about "dt.adsafeprotected" virus basis the url showing up on the logs.
We advised to either install a program from the internet (which is verified as a genuine product) or reimage the pc.
