I have a doubt about the AntiVirus blade; I hope someone can clarify this.
I need to know when a URL/domain is categorized by the AntiVirus blade. According to "ATRG: Anti-Bot and Anti-Virus":
Accessed URLs are checked by the gateway's caching mechanisms or sent to the ThreatCloud repository to determine if they are permissible or not.
I understand that all accessed URLs are checked against the ThreatCloud repository (checking the local cache first). But if that is true, and I have categorization mode set to hold, every page should be blocked the first time it is accessed while categorization is done, and a log with action "detect" should be generated. That would be a problem with legitimate web sites like checkpoint.com or apple.com.
However, I tested that scenario, and legitimate pages are never blocked, and no AntiVirus logs are generated. I only get blocked when visiting a suspicious or malicious site/domain. So it seems that only sites/domains suspected to be malicious are categorized by AntiVirus? How is it determined whether categorization is done or not by the AntiVirus blade?
I checked the same behavior on R81 Jumbo 69 and R81.10 Jumbo 79.