Remove a site from from Palo Alto's blacklist

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Remove a site from from Palo Alto's blacklist

L0 Member

My client's site, a Canadian site that prepares school supply kits, was hacked badly a few months ago. But we manually removed all malware files. We abandoned the original infected file base, restoring from backups, and now the code base is a clean version from before the hacks.


EduPac is an established company for over 20 years. I am their web developer, and I have been working with them for at least eight years. Being ranked "High Risk"  hurts them, since they deal with schools using the service. 


I found some old posts from 2018 and 2019 about this, but they are giving links to pages that no longer offer any option to request removal. I tried to phone, but you need a serial number to get through their call system. I can't find any support email, and, since I am not a customer, I can't log into their support system to enter a ticket.


These are really nice people who are no threat, and had the bad luck to get hacked for and have their site taken over for a couple of days a few months ago. It doesn't seem right that they should be punished when their site is now no threat.


Any help, or information you can give me will be really appreciated.




L6 Presenter

You can query your site's status here:


At the bottom of the page click the "Request Change" button and fill out with as much information as possible to request a re-evaluation.

I had previously tried that, which was recommended in a previous post. But when I did, I got this message: 

"This URL already has the requested categorization. If you intended to submit a different categorization, please try again. If you are trying to change the Risk rating, this cannot be done via Change Request. If the Risk rating is incorrect, please contact support."


But they give no way to actually contact support.




The High Risk category isn't something that you can request removal from outside of a support ticket. Since your schools apparently have Palo-Alto Networks equipment, could you ask one of them to open a ticket on your behalf if you have a working relationship with them?


Outside of that, what the schools are doing actually isn't best practice per PAN. The recommended, and default, policy action is Alert and not Block. The name of that category trips people up and gets people to want to set it to block, but high-risk is used after the site is caught under malware, phishing, or C2. This will go down to medium risk after 60 days. 


If you fixed this months ago and you're still running into issues, I'd actually look at your hosting provider. High-Risk is used for bulletproof ISP-hosting and sites hosts on known bad ASNs as well. You may be able to resolve this issue by just moving to a more reputable hosting partner. 

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!