www.msftncsi.com/ncsi.txt incorrectly flagged with poor WBRS causing block

keithsauer507
Level 5

The Microsoft NCSI page is incorrectly being blocked, and this is causing all Windows 7 clients to see an exclamation point in the taskbar by the clock, and we are being asked about this.  When they go into this icon it says "No internet access".  Sometimes it also pops up a tooltip that additional login information is required.  When running network diagnosis it is determined that this is happening because of a page redirect. Microsoft tries to access http://www.msftncsi.com/ncsi.txt and looks for simple text that returns "Microsoft NCSI".  However, when trying to browse this we are redirected internally to our block page with the following information.  I will try white-listing to get around this, but you need to fix what I assume is WBRS because of what it states in this description for the block:

BLOCK_WBRS_12-Information_Technology-Authenticated_Users-DefaultGroup-NONE-NONE-NONE

I opened a TAC case, but I wanted to post this in case any other WSA users in a Windows 7 environment are getting calls about their system tray icons reporting no internet access when in fact internet is working fine.

URL Check
WBRS Score: -6.8
URL Category: Computers and Internet
Scanner "AVC" Verdict (Request): Unknown (Unknown)
Policy Match
Cisco Data Security policy: None
Decryption policy: None
Routing policy: None
Identification Profile: Authenticated_Users
Access policy: Information_Technology
Final Result
Request blocked
Details: Request blocked based on Web Reputation score
Trace session complete

6 Replies

keithsauer507
Level 5

I also reported this to SenderBase.  Please report this too if you are seeing the issue: https://www.senderbase.org/support/#problem=other  The more reports, possibly the faster they will act.  Though with it being Christmas Eve, I'm not sure if we will get any updates until after the holiday.  I tried putting the site in bypass and even in one of our allowed domains lists, but policy trace still continues to block it due to poor WBRS.  I am now looking towards group policy to see if we can suppress this notification (without any other complications) on Windows 7 machines.  I do not see this notification on my Windows 10 machine.

I didn't get any calls about this but upon examining my logs I was seeing blocks as well until around 7:40AM this morning.  Now they are passing.  BTW, TAC will tell you that policy trace isn't reliable.  The logs are the recommended way to troubleshoot.  Apparently the policy trace can produce incorrect results.  Don't understand why myself, but I've been told this on several occasions.

Dec 24 07:31:37 <removed> accesslogs_syslog: Info: 1450960297.682 1 <removed> TCP_DENIED/403 0 GET http://www.msftncsi.com/ncsi.txt - NONE/- - BLOCK_WBRS_12-UpdateAgents-Exempt_User_Agents-DefaultGroup-NONE-NONE-NONE <IW_comp,-6.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","othermalware","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -

Dec 24 07:43:27 <removed> accesslogs_syslogs: Info: 1450961008.522 14 <removed> TCP_MISS/200 237 GET http://www.msftncsi.com/ncsi.txt - DIRECT/www.msftncsi.com text/plain DEFAULT_CASE_12-UpdateAgents-Exempt_User_Agents-DefaultGroup-NONE-NONE-DefaultGroup <IW_comp,-4.6,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_comp,-,"Unknown","othermalware","Unknown","Unknown","-","-",135.43,0,-,"Unknown","-",-,"-",-,-,"-","-"> -
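
The two accesslog lines above carry everything needed to answer "was this host really denied on reputation, and what was its score at the time", which is the log-based check TAC recommends over policy trace. Below is an added example (not code from this thread or from Cisco): a small Python parser for WSA accesslog lines in the layout shown above, which pulls out the transaction result, the ACL decision tag and the WBRS score from the angle-bracketed verdict field. The two sample lines are constructed from the posted entries with the redacted hostname and client IP replaced by placeholder values; the field layout is inferred from those lines, and `would_block` assumes the slider semantics "block when the score is below the configured value".

```python
import csv
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample input: two syslog-forwarded WSA accesslog lines modelled on the
# ones posted in the thread ("<removed>" fields replaced with placeholder values).
SAMPLE_LOG = """\
Dec 24 07:31:37 wsa01 accesslogs_syslog: Info: 1450960297.682 1 10.0.0.5 TCP_DENIED/403 0 GET http://www.msftncsi.com/ncsi.txt - NONE/- - BLOCK_WBRS_12-UpdateAgents-Exempt_User_Agents-DefaultGroup-NONE-NONE-NONE <IW_comp,-6.8,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","othermalware","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> -
Dec 24 07:43:27 wsa01 accesslogs_syslog: Info: 1450961008.522 14 10.0.0.5 TCP_MISS/200 237 GET http://www.msftncsi.com/ncsi.txt - DIRECT/www.msftncsi.com text/plain DEFAULT_CASE_12-UpdateAgents-Exempt_User_Agents-DefaultGroup-NONE-NONE-DefaultGroup <IW_comp,-4.6,0,"-",0,0,0,1,"-",-,-,-,"-",0,0,"-","-",-,-,IW_comp,-,"Unknown","othermalware","Unknown","Unknown","-","-",135.43,0,-,"Unknown","-",-,"-",-,-,"-","-"> -
"""

# Field layout assumed from the posted lines: epoch timestamp, elapsed ms, client,
# result/HTTP status, size, method, URL, user, hierarchy, MIME type, ACL decision
# tag, then the "<...>" scan-verdict field (2nd element = WBRS score).  An optional
# syslog prefix before the timestamp is skipped by using search() rather than match().
ACCESSLOG_RE = re.compile(
    r"(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)\s+<(?P<verdict>.*?)>"
)


@dataclass
class AccessRecord:
    ts: float
    client: str
    result: str            # e.g. TCP_DENIED or TCP_MISS
    status: int            # HTTP status handed back to the client
    method: str
    url: str
    acl: str               # ACL decision tag, e.g. BLOCK_WBRS_12-<policy>-...
    category: str          # URL category code from the verdict field
    wbrs: Optional[float]  # web reputation score, None when logged as "-"

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def blocked_by_wbrs(self) -> bool:
        # The decision tag, not the HTTP status, says *why* the proxy denied it.
        return self.acl.startswith("BLOCK_WBRS")


def parse_line(line: str) -> Optional[AccessRecord]:
    """Parse one accesslog line; returns None for lines that are not accesslog entries."""
    m = ACCESSLOG_RE.search(line)
    if not m:
        return None
    # The verdict field is comma-separated with some elements in double quotes;
    # the csv module strips the quoting for us.
    fields = next(csv.reader([m.group("verdict")]))
    try:
        wbrs: Optional[float] = float(fields[1])
    except (IndexError, ValueError):
        wbrs = None
    return AccessRecord(
        ts=float(m.group("ts")),
        client=m.group("client"),
        result=m.group("result"),
        status=int(m.group("status")),
        method=m.group("method"),
        url=m.group("url"),
        acl=m.group("acl"),
        category=fields[0] if fields else "",
        wbrs=wbrs,
    )


def parse_log(text: str) -> List[AccessRecord]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def wbrs_blocks_by_host(records: List[AccessRecord]) -> Dict[str, List[AccessRecord]]:
    """Group reputation-based denials by destination host: a host listed here was
    actually blocked in production traffic, whatever policy trace claims."""
    out: Dict[str, List[AccessRecord]] = {}
    for r in records:
        if r.blocked_by_wbrs:
            out.setdefault(r.host, []).append(r)
    return out


def score_history(records: List[AccessRecord], host: str) -> List[Tuple[float, Optional[float], str]]:
    """(timestamp, WBRS score, decision) for one host in time order, to watch a
    reputation change such as the -6.8 to -4.6 move seen in the thread."""
    return sorted((r.ts, r.wbrs, r.acl.split("-", 1)[0]) for r in records if r.host == host)


def would_block(score: Optional[float], block_below: float) -> bool:
    """Apply an access policy's WBRS block threshold (assumed semantics: a score
    strictly below the configured slider value is blocked; unscored is not)."""
    return score is not None and score < block_below


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, hits in wbrs_blocks_by_host(recs).items():
        print(f"{host}: {len(hits)} WBRS block(s), scores {[h.wbrs for h in hits]}")
    for ts, score, decision in score_history(recs, "www.msftncsi.com"):
        print(f"{ts:.3f}  wbrs={score}  {decision}")
```

Feed it the raw accesslog (or the syslog-forwarded copy) instead of `SAMPLE_LOG`; `wbrs_blocks_by_host` is the quick answer to "is anything still being denied on reputation after the bypass", and `score_history` shows whether a score has actually moved after a SenderBase correction.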

Thanks for the post.  Yeah I only had two calls but the one is a manager.  They assumed it wasn't a big deal because internet was working.

It's still scoring low (-6.8 WBRS), but the proxy override took a few minutes to kick in.  Though policy trace (in the WSA web GUI) shows it blocked, the site is not being blocked anymore and the yellow exclamation point went away.

I didn't filter it out; it appears that they updated the webroot score.

OK, you're right, I see it was increased from -6.8 to -4.6 thus far.  I think we have our WBRS sliders at -5 and higher, so it would be corrected if it wasn't for me putting it in bypass.  Thanks again for checking from your side as well.

Official response from SenderBase

The URL is safe to access at this time. The reason for the poor WBRS score was that our sensors identified the host IP as hosting other malicious domains and URLs. We have taken steps to improve the reputation for the URL. Please allow up to 4 hours for this to be reflected on the customer end.

Regards,
Greg Johnston
SenderBase Support