Bug ID 703129: False 'Web Rootkit detected' on UC browser for ChromeOS running on a mobile device

Last Modified: Jan 17, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0

Opened: Jan 23, 2018
Severity: 3-Major

Symptoms

When proactive bot defense, which provides headless browser detection, is enabled, a request from the UC Browser running on a mobile device, gets a high score and might be reset/CAPTCHA'd.

Impact

Potential reset/CAPTCHA in this case. In addition to the system presenting a false 'Web Rootkit detected' alert, there are other violations detected within the request.

Conditions

1. ASM or DOS provisioned. 2. Proactive bot defense (headless browsers detection) enabled in DoS Application profile and DoS profile assigned on a virtual server. 3. Request is sent without TSPD101 cookie.

Workaround

You can use either of the following workarounds: -- Disable headless browser detection (under proactive bot defense). -- Raise reset/CAPTCHA score limits using the following commands: list sys db dosl7.browser_legit_min_score_captcha sys db dosl7.browser_legit_min_score_captcha { value "60" } list sys db dosl7.browser_legit_min_score_drop sys db dosl7.browser_legit_min_score_drop { value "120" }

Fix Information

Rootkit checks for UC Browser are improved.

Behavior Change