Antivirus block page presents inconsistent behavior

Created On 09/27/18 06:29 AM - Last Modified 06/01/23 07:58 AM


Testing a virus download (the EICAR test file) from different websites with SSL Decryption enabled yields different results.

On some sites you receive a Virus/Spyware Download Blocked response page; on other sites no response page is shown at all. In a packet capture of the case where the response page is triggered, you can also see that a TCP reset is sent only to the server, even though the profile action is reset-both: instead of resetting both sides, the firewall presents the response page to the client and sends a reset to the server.


The configured action for the Antivirus profile is reset-both.

[Screenshot: Antivirus profile with the action set to reset-both]


Two copies of the EICAR test file, hosted on different websites, are used:


First website

At the time of testing, resolves to IP address

The resulting Threat log entry shows a reset-both action:


[Screenshot: Threat log entry for the first website, action reset-both]

The web browser does not present a response page:

[Screenshot: browser window for the first website, no response page]


Second website

At the time of testing, resolves to IP address


[Screenshot: Threat log entry for the second website]

The web browser presents the Virus/Spyware Download Blocked response page:

[Screenshot: browser window for the second website showing the response page]




The behavior is 'as designed'.


The reason for the behavior seen with the first website is that the threat is not detected in the first packet of the response. By the time the signature matches, the HTTP headers have already been forwarded to the client, so the firewall can no longer inject a response page into the session. The only action left is to send a TCP reset to both client and server, as configured in the profile, which is why the Threat log shows reset-both and the browser shows nothing.

With the second website, the threat is detected early, in the first packet of the response, before anything has been forwarded to the client. The firewall can therefore replace the server's response with a response page for the client, and it resets the server side of the session.
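The following is an added example that models the decision described above; it is not PAN-OS code and does not reproduce the firewall's actual scanning engine. It assumes a fixed 1460-byte segment size and models only the reset-both action. The HTTP responses are constructed samples. The model forwards each server-to-client segment as it arrives; if the signature matches in the first segment, nothing has reached the client yet and a block page can be substituted, otherwise the headers are already on the client side and the session can only be reset.

```python
SEGMENT_SIZE = 1460  # bytes per server-to-client TCP segment (assumed MSS)

# EICAR test string, assembled at runtime so the source file itself is not
# flagged by endpoint antivirus. All responses below are constructed samples.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Hypothetical block page; the real page content is not shown in the article.
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Content-Type: text/html\r\n"
              b"Connection: close\r\n\r\n"
              b"<html><body>Virus/Spyware Download Blocked</body></html>")


def http_response(body: bytes) -> bytes:
    """Build a minimal HTTP/1.1 200 response byte stream (constructed)."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


def segmentize(stream: bytes, size: int = SEGMENT_SIZE) -> list:
    """Split a byte stream into fixed-size TCP segments."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def scan_inline(segments, signature: bytes) -> dict:
    """Model the reset-both decision of an inline scanner.

    Segments are forwarded to the client as they arrive. The verdict depends
    on whether any data had already been forwarded when the match occurred.
    """
    forwarded = b""
    for seg in segments:
        # A match may straddle a segment boundary, so scan the tail of the
        # already-forwarded data together with the new segment.
        tail = forwarded[max(0, len(forwarded) - len(signature) + 1):]
        if signature in tail + seg:
            if not forwarded:
                # First packet: nothing reached the client, so the firewall
                # can answer with a block page and reset only the server.
                return {"verdict": "response-page", "client_rx": BLOCK_PAGE,
                        "server_rst": True, "forwarded_before_match": 0}
            # Headers (and maybe part of the body) are already at the
            # client; the firewall can only tear the session down.
            return {"verdict": "reset-both", "client_rx": forwarded,
                    "server_rst": True,
                    "forwarded_before_match": len(forwarded)}
        forwarded += seg
    return {"verdict": "allow", "client_rx": forwarded,
            "server_rst": False, "forwarded_before_match": None}


def case_first_packet() -> dict:
    """Small file: headers and EICAR body fit in one segment."""
    return scan_inline(segmentize(http_response(EICAR)), EICAR)


def case_headers_sent_first() -> dict:
    """Server flushes the headers in their own segment before the body."""
    resp = http_response(EICAR)
    head, sep, body = resp.partition(b"\r\n\r\n")
    return scan_inline([head + sep, body], EICAR)


def case_padded_body() -> dict:
    """Large preamble pushes the signature into a later segment."""
    return scan_inline(segmentize(http_response(b"#" * 4000 + EICAR)), EICAR)


def case_clean() -> dict:
    """No signature in the stream: everything is forwarded."""
    return scan_inline(segmentize(http_response(b"hello")), EICAR)


if __name__ == "__main__":
    for name, fn in [("first packet", case_first_packet),
                     ("headers first", case_headers_sent_first),
                     ("padded body", case_padded_body),
                     ("clean", case_clean)]:
        r = fn()
        print(f"{name:14} verdict={r['verdict']:14} "
              f"forwarded_before_match={r['forwarded_before_match']}")
```

The same file, served by two different servers, lands in different cases depending only on how the response is packetized: a server that flushes its headers before the body, or that prefixes the content with enough data to fill the first segment, produces the reset-both-without-page outcome, while a server that sends headers and payload together in the first segment produces the block page. When comparing two sites in the lab, a packet capture of the server-to-client direction shows which of these applies.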
