Google Cache blocked as Malware

Unanswered Question
Jan 28th, 2009

This may well be answered somewhere already and I just haven't found it yet, but it seems that IronPort is blocking Google's cached copies of sites as "Malware/spyware". I hadn't accessed any cached sites until this was pointed out to me today so I don't know whether or not this has always been the case.

I'm quite happy that it is being blocked as it ensures that people aren't able to get on sites that would normally be blocked, but I'm not sure I understand why this is being classed as malware/spyware.

Any ideas?

dingall Wed, 01/28/2009 - 16:00

Quick update to my last message - I've noticed in our logs that the web reputation score for the cached sites is -7.3!!

Since I'm told that we could access the cached sites a couple of days ago, I'm assuming this score has changed within the last couple of days.

Does anyone know why this might be?

FYI - the links that are blocked all start with http://74.125.77.132/search?q=cache.....

jowolfer Thu, 01/29/2009 - 16:20

Dangerous,

Can you check on the score now?

I checked this URL: http://74.125.77.132/search?q=cache:Lnqc9Y2U6qQJ:www.cache.com/+cache&hl...

and it seems to be -5.7. Which would make sense. I don't believe we would intentionally block Google cache. Perhaps there was an outbreak of malware detected from a Google cache site and the score temporarily was dropped in order to mitigate the spreading.

All hypothesis, but WBRS scores do fluctuate based on current knowledge of web behaviors.

If the score is still low enough to block all Google cache, I recommend filing a support ticket, because this is not expected behavior.

dingall Fri, 01/30/2009 - 08:53

Thanks Josh. Just tried it again and it isn't blocked now. I imagine you were right and we've just seen the web reputation filters in action!!

dingall Fri, 02/20/2009 - 13:13

I'm guessing that the reputation score changes on a regular basis. Chances are if you try again in a day or two you will be able to access it.

It would be useful to know what keeps prompting the drop in score. If it's in reaction to a threat, then that means that IronPort are doing a good job. I'd just be interested in finding out what the threat is we're being protected against!!

David Paschich Mon, 02/23/2009 - 18:05

We're talking with our internal team about why this particular URL scored the way it did, but in general Google's cache is tricky from a reputation point of view.

While Google itself tends to have a very good reputation, the cache servers are automated - meaning that they'll pick up content from both high reputation sites and low reputation. Because the same server at Google will cache content from multiple sources, sometimes one part of the content will end up reducing the reputation of the entire server.

Google tends to be pretty responsive with regard to removing malware from the cache servers - but in the meantime, the most important thing from IronPort's point of view is to protect our customers.
