Mal/HTMLGen-A reported on ESXi 6.7 host

Anyone know why Sophos endpoint software kicks up this message when trying to access an ESXi host by its IP address?

Sophos Endpoint Advanced 10.8.3 with Core Agent 2.2.2 is what is installed on my Windows box.

I can rebuild any ESXi 6.7 U1 or U2 from the official VMware ESXi ISOs, tried both modified and standard versions, and I get this Sophos message every time when trying to connect to the ESXi host by its IP address.

If I use the FQDN of the host, I do not get the message. This happens on all browsers where Sophos endpoint is installed.

Any info would be greatly appreciated.

  • I have 6.7 and Sophos but do not see this warning. I would check what you are blocking with Sophos Central in terms of web policies. Also, you can whitelist it if you want.

    Also, false positives are not uncommon:


    https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/4952/re-false-positive-mal-htmlgen-a

  • In reply to Badrobot:

    Hello,

    If the blocked message is a false positive, please have the URL re-assessed by Sophos Labs, following the instructions here.

    Thanks,

  • In reply to Badrobot:

    It's odd. I did spend a day online trying to see if anyone else had this issue, but couldn't find a single thread linking the two, so I thought I'd try here and see what comes of it.

  • In reply to DianneY:

    I have done some more testing :)

    The message saying the site is blocked because of Mal/HTMLGen-A is triggered by the Threat Protection policy, specifically the "Block access to malicious websites" setting.
    When this is turned off, I no longer get the Mal/HTMLGen-A warning when loading the page. Hooray!

    At this stage I now get the standard "Website Blocked" message as below

    Now you would think that this is because of one of the categories from the "Acceptable web usage" options within the Web Control policy... but that would be too easy.
    Even with "allow me to specify" on and "Allow" set for all categories, the error message still shows up and the page doesn't load; the IP doesn't resolve.
    The only way to suppress this message is to turn off the entire Web Control policy, to where it states -> Ignore the settings in this section of the policy.

    So... with the Web Control policy completely disabled and "Block access to malicious websites" turned off in the Threat Protection policy, I can finally reach the page, where I get a certificate warning, which is what you'd expect.
    Accept the certificate warning and the IP resolves as expected (https://ip.address/ui/#/login) and I can log into the ESXi hypervisor.

    No point in having the URL checked by Sophos or whitelisted, as it's an ESXi host IP address on a private network; it's not reaching the interwebs at all.

    I am typing into the address bar of "any browser" the IP address of an ESXi host, for example 192.168.10.1.
    That is when this issue kicks off.

    If I type the host name, for example esxi67.my-domain, there is no issue, no warnings; the page just loads without having to disable any Sophos policies.

    Something in the Sophos Endpoint is not liking the request to ESXi 6.7 and higher by IP address.

  • In reply to Dam Sam:

    Hello,

    The initial "Mal/HTMLGen-A" message you were getting is caused by Web Protection/Intelligence, which is the AV portion of Web Control, while the "Website blocked" message is due to Web Control categories or tags. Even if this is an internal site, the URL may have been assessed wrongly at some point, hence the false-positive blocks you are getting.

    Here is a little background on Web Control vs. Web Protection.

    If you need the issue reviewed further, on top of a URL re-assessment request, please start a ticket with Support; maybe there is something else in the verbose Web Control logs that will pinpoint exactly what is causing this behavior.

  • In reply to DianneY:

    Hi DianneY,

    Thanks for that, it's an interesting read and, if I'm understanding it all correctly, what Sophos Endpoint is doing is checking the URL being entered against its DB of known offenders and saying, "Nope! You're not getting to that URL because we know it's poo poo."

    Even though it's an internal IP address of a host on a private network, Sophos gets to it first and assumes it's poop based on its history, again even though the IP addresses fall into the reserved ranges and would never be publicly available/reachable?

    As far as my claim to ESXi 6.7 being involved here, that seems to not be the case, because I have configured a new network IP range to test and cannot replicate the issue. So there does seem to be no link between ESXi 6.7 and the Sophos Mal/HTMLGen-A warning. Just an unlucky set of IP addresses I happened to be using at the time. Apologies to VMware, keep up the great work.

    So, my next & final question is... Is it possible to view the list of URLs Sophos deems as Ultra Mega Poop, so that better planning can be made where Sophos is the endpoint by choice?
    Or do we, as badrobot suggested, simply whitelist on our own end?

    Keep in mind that these are IP addresses within a private range; there are no URLs associated here that are owned or leased that can be legally asked of Sophos to un-blacklist or reassess.

  • In reply to Dam Sam:

    Hello,

    Yes, it is likely that (bad history), or some part of the URL assessment has gone wrong even though it's in the reserved range. That much I don't know, since that part is with Sophos Labs.

    There is no customer-facing tool that can analyze URLs at the moment; for now you would have to check with Support or Sophos Labs (via URL re-assessment) for categories. You can chime in on this product enhancement suggestion so it gets more visibility with Product Management.

    As suggested, you may whitelist the IP range in your Threat Control policy under Scanning Exclusions, with exclusion type "Website", to get past the Mal/HTMLGen-A warning, and also maybe assign a website tag to the IP range if it's being blocked in Web Control (to get past the other blocked message).

    Hope that all helps.
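The two points the thread circles around are (a) whether a blocked host is an IP literal in a reserved range rather than a public name, and (b) turning the affected addresses into an IP range for a "Website" scanning exclusion. The following script is an added triage example, not code from Sophos or from anyone in this thread: it takes a list of blocked URLs (the sample list is constructed, not a real log), classifies each host as FQDN, internal IP literal, or public IP literal, and collapses the internal ones into CIDR blocks to propose as exclusions. The /24 and /64 review granularity is an assumption, not a Sophos requirement, and note that Python's `ipaddress.is_private` also flags the IANA documentation ranges as non-global.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample entries, standing in for URLs that an endpoint's web
# protection reported as blocked. They are not taken from any real Sophos log.
SAMPLE_BLOCKED_URLS = [
    "https://192.168.10.1/ui/#/login",   # ESXi host reached by IP (as in the thread)
    "https://esxi67.my-domain/ui/",      # same host reached by name
    "http://10.20.30.40:8080/",          # another RFC 1918 address, with a port
    "https://[fd00::1]/ui/",             # IPv6 unique local address
    "https://203.0.113.5/",              # IANA documentation range (TEST-NET-3)
    "https://8.8.8.8/",                  # a globally routable address
    "https://example.com/path",          # a public name
]


def classify(url):
    """Return (kind, host) for a URL.

    kind is 'fqdn' when the host is a name, 'internal-ip' when it is an IP
    literal that Python's ipaddress module flags as non-global (RFC 1918,
    unique-local IPv6, loopback, link-local, and also the IANA documentation
    ranges), and 'public-ip' for any other IP literal.
    """
    host = urlsplit(url).hostname or ""   # brackets around IPv6 literals are stripped
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "fqdn", host
    if ip.is_private:
        return "internal-ip", host
    return "public-ip", host


def triage(urls):
    """Group blocked URLs by kind so internal IP literals can be reviewed first."""
    groups = {"fqdn": [], "internal-ip": [], "public-ip": []}
    for url in urls:
        kind, host = classify(url)
        groups[kind].append(host)
    return groups


def exclusion_candidates(urls, v4_prefix=24, v6_prefix=64):
    """Collapse internal IP literals into CIDR blocks to propose as exclusions.

    The prefix lengths are an assumed review granularity, not a Sophos
    requirement; adjust them to the actual subnets in use.
    """
    nets = []
    for url in urls:
        kind, host = classify(url)
        if kind != "internal-ip":
            continue
        ip = ipaddress.ip_address(host)
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        nets.append(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    # collapse_addresses() refuses mixed versions, so handle each family separately
    v4 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = sorted(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return [str(n) for n in v4 + v6]


if __name__ == "__main__":
    for kind, hosts in triage(SAMPLE_BLOCKED_URLS).items():
        print(f"{kind:12s} {', '.join(hosts) or '-'}")
    print("exclusion candidates:", exclusion_candidates(SAMPLE_BLOCKED_URLS))
```

The output of `exclusion_candidates` is the list to review before entering anything as a "Website" exclusion; it says nothing about why the address was flagged, so it replaces the per-URL guesswork in the thread with a reviewable range, not the re-assessment request itself.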

  • In reply to DianneY:

    I highly doubt it is an accident in the list of sites, since Sophos would never use the private range to block anything. What is also concerning is the fact that the URL works yet the IP does not, since Sophos should have a matching list of FQDNs to IPs, otherwise a block list would be really ineffective. Example: a student cannot get to gamestop.com but can get to the website via the IP address. It almost seems like something else here is in play. Do you have your own DNS set up? Have you tried reinstalling Sophos on the endpoint?