topic Remove a site from from Palo Alto's blacklist in General Topics

Remove a site from from Palo Alto's blacklist

canadacoder — Mon, 30 May 2022 20:10:23 GMT

My client's site, a Canadian site that prepares school supply kits, edupac.ca was hacked badly a few months ago. But we manually removed all malware files. We abandoned the original infected file base, restoring from backups, and now the code base is a clean version from before the hacks.

EduPac is an established company for over 20 years. I am their web developer, and I have been working with them for at least eight years. Being ranked "High Risk" hurts them, since they deal with schools using the service.

I found some old posts from 2018 and 2019 about this, but they are giving links to pages that no longer offer any option to request removal. I tried to phone, but you need a serial number to get through their call system. I can't find any support email, and, since I am not a customer, I can't log into their support system to enter a ticket.

These are really nice people who are no threat, and had the bad luck to get hacked for and have their site taken over for a couple of days a few months ago. It doesn't seem right that they should be punished when their site is now no threat.

Any help, or information you can give me will be really appreciated.

Brian

Re: Remove a site from from Palo Alto's blacklist

Adrian_Jensen — Tue, 31 May 2022 00:47:26 GMT

You can query your site's status here:

https://urlfiltering.paloaltonetworks.com/query/

At the bottom of the page click the "Request Change" button and fill out with as much information as possible to request a re-evaluation.

Re: Remove a site from from Palo Alto's blacklist

canadacoder — Tue, 31 May 2022 17:12:07 GMT

I had previously tried that, which was recommended in a previous post. But when I did, I got this message:

"This URL already has the requested categorization. If you intended to submit a different categorization, please try again. If you are trying to change the Risk rating, this cannot be done via Change Request. If the Risk rating is incorrect, please contact support."

But they give no way to actually contact support.

Re: Remove a site from from Palo Alto's blacklist

BPry — Wed, 01 Jun 2022 01:24:59 GMT

@canadacoder,

The High Risk category isn't something that you can request removal from outside of a support ticket. Since your schools apparently have Palo-Alto Networks equipment, could you ask one of them to open a ticket on your behalf if you have a working relationship with them?

Outside of that, what the schools are doing actually isn't best practice per PAN. The recommended, and default, policy action is Alert and not Block. The name of that category trips people up and gets people to want to set it to block, but high-risk is used after the site is caught under malware, phishing, or C2. This will go down to medium risk after 60 days.

If you fixed this months ago and you're still running into issues, I'd actually look at your hosting provider. High-Risk is used for bulletproof ISP-hosting and sites hosts on known bad ASNs as well. You may be able to resolve this issue by just moving to a more reputable hosting partner.