Author Topic: FP: anonymoX  (Read 9528 times)

i2imran

  • Guest
FP: anonymoX
« on: August 13, 2013, 12:35:08 AM »
I've been using the following Firefox add-on for a year along with the paid version of avast! Internet Security without any issue, but since the last update of virus definitions avast! has started thinking that it's a virus: https://addons.mozilla.org/en-US/firefox/addon/anonymox/

I consider myself an advanced user, it's been almost 6 years since my PC caught a virus. I haven't installed any new program in the last 3 months or connected a jump drive to my PC. Once I disable the aforementioned add-on avast! goes about its business. With avast! disabled, and the add-on enabled, Malwarebytes doesn't find anything unusual with my PC.

The add-on is important to me, and I believe it's a FP on avast's part. Please solve the issue.

Thanks!

anonymox-chris

  • Guest
Re: FP: anonymoX
« Reply #1 on: August 13, 2013, 03:27:25 AM »
Hi,
as far as our users reported, a URL was flagged by avast, which you can see in the message you are probably getting. I reported this as an FP, hoping to hear back soon.

The same thing happened a little more than a year ago:
https://forum.avast.com/index.php?topic=100964.0
https://forum.avast.com/index.php?topic=100974.0

chris

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: FP: anonymoX
« Reply #2 on: August 13, 2013, 04:50:38 PM »
Google also detects script from insecure sources there, see warning here: https://forum.avast.com/index.php?topic=100964.0
IDS alerts for same IP as add-on IP: ssp_ssl: Invalid Client HELLO after Server HELLO Detected
http://urlquery.net/report.php?id=56773
Best policy is to suppress the specific alerts in the network stack *
error connecting php
  = $alert_dbname   : MySQL database name where the alerts are stored *
  = $alert_host     : host where the database is stored
  = $alert_port     : port where the database is stored
  = $alert_user     : username into the database
  = $alert_password : password for the username

polonus
« Last Edit: August 13, 2013, 04:55:47 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: FP: anonymoX
« Reply #3 on: August 13, 2013, 05:12:09 PM »
I have no alerts there, Avast IS 8.0.1489 newest database.

Using Google Chrome.
« Last Edit: August 13, 2013, 05:17:02 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: FP: anonymoX
« Reply #4 on: August 13, 2013, 05:34:32 PM »
I'm also not getting any alerts going to that uri and also not while downloading the add-on,

polonus

i2imran

  • Guest
Re: FP: anonymoX
« Reply #5 on: August 13, 2013, 11:29:22 PM »
When anonymoX is disabled, avast! doesn't report anything, but as soon as I enable it avast goes ape sh...

Here are the screenshots:




Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: FP: anonymoX
« Reply #6 on: August 14, 2013, 04:25:57 PM »
You can report a false Positive here: http://www.avast.com/contact-form.php

You may add a link to this topic in case they reply.

anonymox-chris

  • Guest
Re: FP: anonymoX
« Reply #7 on: August 14, 2013, 10:17:14 PM »
Quote from: Secondmineboy
> You can report a false Positive here: http://www.avast.com/contact-form.php
>
> You may add a link to this topic in case they reply.

I reported this case two days ago with no reply. Shall I query again, do I have to send all affected users a link to the contact form or is the response time that long?

chris

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: FP: anonymoX
« Reply #8 on: August 14, 2013, 10:19:34 PM »
It depends from time to time, they must investigate it and they must find out what is causing the False Alert. And then they must fix that.

Normally they are reacting moderately fast. I had also sent some malware to them and it took up to half a week until Avast was detecting it.
« Last Edit: August 14, 2013, 10:24:33 PM by Steven Winderlich »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: FP: anonymoX
« Reply #9 on: August 14, 2013, 10:26:48 PM »
Is the Alert still there with the newest update?

14.8.2013 - 130814-1

This was released to fix False Alarms.

i2imran

  • Guest
Re: FP: anonymoX
« Reply #10 on: August 15, 2013, 12:23:15 AM »
Yeah, the alert is still there with the latest update.

I reported it to them I think the day I posted on the forum, but no reply from them thus far. So, I've again reported it to them today.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: FP: anonymoX
« Reply #11 on: August 15, 2013, 02:49:40 PM »
Hello,
can you post the IP address which the URL (anonymox.net) resolves to for you when the alert appears?

Milos

i2imran

  • Guest
Re: FP: anonymoX
« Reply #12 on: August 15, 2013, 06:58:25 PM »
Quote from: Milos
> Hello,
> can you post the IP address which the URL (anonymox.net) resolves to for you when the alert appears?
>
> Milos

Here:




Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: FP: anonymoX
« Reply #13 on: August 15, 2013, 10:13:53 PM »
Hi anonymox-chris,

Server at main9.anonymox.net does not support SSLv2 cyphers, but does support the SSLv2 protocol.
You should be aware of the following -
There exists an alleged attack being performed against squid proxies: https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/APP%3APROXY%3ASQUID-PROXY-CACHE.html - a successful attack can result in a denial-of-service condition
and http://www.security-database.com/detail.php?alert=USN-1713-1

polonus

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2294
Re: FP: anonymoX
« Reply #14 on: August 16, 2013, 08:32:06 AM »
Quote from: i2imran
> Quote from: Milos
> > Hello,
> > can you post the IP address which the URL (anonymox.net) resolves to for you when the alert appears?
> >
> > Milos
>
> Here:

Neither the domain nor the IP is blocked. Look into "c:\ProgramData\AVAST Software\Avast\log\nshield.log" and there should be a line containing the blocked URL and the corresponding IP.

Milos
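
Added example (not part of the original thread and not Avast tooling): one way to pull the blocked URL and its IP out of the log named in the last post. The layout of nshield.log is not shown on this page, so the matching is format-agnostic and the sample lines and IP addresses are constructed for illustration; `host_of` and `blocked_entries` are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Path quoted in the post above; the line layout inside the file is an unknown.
NSHIELD_LOG = r"c:\ProgramData\AVAST Software\Avast\log\nshield.log"

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def host_of(url):
    """Return the lowercase host of a URL, without userinfo or port."""
    authority = re.split(r"[/?#]", url.split("://", 1)[1], maxsplit=1)[0]
    return authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def blocked_entries(lines, domain):
    """Map each IPv4 address to the URLs for `domain` logged on the same line."""
    domain = domain.lower()
    hits = defaultdict(set)
    for line in lines:
        # Exact host or true subdomain only, so look-alike hosts such as
        # anonymox.net.example.org are not attributed to the add-on.
        urls = [u for u in URL_RE.findall(line)
                if host_of(u) == domain or host_of(u).endswith("." + domain)]
        if not urls:
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ValueError:
                continue  # dotted number that is not a valid address
            hits[ip].update(urls)
    return dict(hits)


# Constructed sample lines (NOT the real nshield.log format).
SAMPLE = [
    "2013-08-15 18:41:02 blocked http://main9.anonymox.net/check 203.0.113.7",
    "2013-08-15 18:41:05 blocked http://anonymox.net.example.org/x 198.51.100.9",
    "2013-08-15 18:41:09 blocked https://www.anonymox.net/ 203.0.113.7",
    "2013-08-15 18:42:00 engine 8.0.1489 started",
]

if __name__ == "__main__":
    with open(NSHIELD_LOG, errors="replace") as fh:
        for ip, urls in blocked_entries(fh, "anonymox.net").items():
            print(ip, *sorted(urls))
```

Comparing the IPs it prints with what the system resolver returns for the same host shows whether the alert is tied to one proxy address or to the domain as a whole.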