Netflix address repeatedly triggering "Phishing and Other Frauds" block alert

[petecloss]

I'm perplexed. An old Sony Android TV recently started triggering alerts every minute. I have tried blocking its MAC address in the firewall settings, disabling the Alert, allowing the domain and IP in the Filter... yet I still get sent these emails constantly. I searched for the domain nflxvideo.net, it's legitimate and only appears in the Filter List query under Streaming Video, not Phishing. What else can I try here? (Obviously I can unplug the TVs internet, but I'd rather a solution where it still retains internet access!)

Code:

Event: WebFilterEvent

Event Time: 2022-01-12 18:11:19.67.

Event Summary:
Web Filter blocked hxxp://ipv4-c003-lhr006-bt-isp.1.oca.nflxvideo.net/ (Phishing and Other Frauds)

Event Details:
app name                          = web_filter
blocked                           = true
category                          = Phishing and Other Frauds
category id                       = 57
flagged                           = true
reason                            = BLOCK_CATEGORY
request line                      = GET hxxp://ipv4-c003-lhr006-bt-isp.1.oca.nflxvideo.net/
rule id                           = 57
session event                   
 bypassed                         = false
 c client addr                    = 192.168.0.145
 c client port                    = 47334
 c server addr                    = ###.###.###.###
 c server port                    = 443
 client country                   = XL
 client intf                      = 1
 entitled                         = true
 hostname                         = android-479d0b3b62cd7b3e
 local addr                       = 192.168.0.145
 policy id                        = 1
 policy rule id                   = 0
 protocol                         = 6
 protocol name                    = TCP
 remote addr                      = 81.130.98.37
 s client addr                    = ###.###.###.###
 s client port                    = 47929
 s server addr                    = ###.###.###.###
 s server port                    = 443
 server country                   = GB
 server intf                      = 2
 server latitude                  = 51.472
 server longitude                 = -0.2204
 session id                       = 107478987851235
 tags string                      =
 time stamp                       = 2022-01-12 18:11:19.665
time stamp                        = 2022-01-12 18:11:19.67

This is an automated message sent because this event matched Alerts Rule "Phishing and Other Frauds website visit blocked".

(Edited http to hxxp to allow me to post this)

[Nannus]

Got same problem yasterday. Temporay solution, in web filter app. add as "Pass Sites" the value "nflxvideo.net". Could be that the domain went in some blacklist. Sorry for my english and let me know if it work please.

[dashpuppy]

Could create a bypass rule for the tv.

[sky-knight]

On Web Filter's advanced tab is a clear category URL cache button...

I suggest smashing it before you lose your mind!

[petecloss]

On Web Filter's advanced tab is a clear category URL cache button...

I suggest smashing it before you lose your mind!

Thank you, that seems to have worked! Is this extra step required for the Pass Sites addition to actually apply?

[sky-knight]

Thank you, that seems to have worked! Is this extra step required for the Pass Sites addition to actually apply?

No, the pass site configuration you created was simply wrong. I'm not sure exactly how, but it wasn't working.

What that button does is force the system to get a fresh list of answers from the upstream database, if you have a false positive caught due to an error of some sort, that's how you clear it.

So in the future if you have this alert firing, you can check the site being caught here: https://www.brightcloud.com/tools/url-ip-lookup.php

If things look good on the BrightCloud website, when you mash that button all the problems go away. If the site is categorized as malware on the BrightCloud site well... there are false positives in there from time to time, but generally I say leave it. Sites get tossed in there for good reason and even highly trusted sites can sometimes be compromised.

[Nannus]

On Web Filter's advanced tab is a clear category URL cache button...

I suggest smashing it before you lose your mind!

Thanks for the help, I deleted the pass rule and now all work correctly

[Wasretic]

Thank you!!!

My kids Amazon Fire tablets have been triggering this alert for a few days now. So, 1600 emails later... I have a solution!!

[kinuj]

I had the same problem with another website, not Netflix, but the solution is still working. Thx)