False Positive JS:ScriptIP-inf and URL:Mal

[secorpro]

Hi, everybody!
Avast blocked site with reason: URL:Mal. Then, in few days the reason changed to: JS:ScriptIP-inf [Trj]
I contacted the site's webmaster, he said, that the site is clean and only Avast blocked it.

All scans and reports show that this site is clean from any malware. I have checked:
Kaspersky - clean
Avira - clean
McAfee - clean
Panda - clean
BitDefender - clean

Then checked with scaners
virustotal.com - clean
novirusthanks.org
vscan.urlvoid.com - clean
safeweb.norton.com -clean
malwaredomainlist.com/hostslist/hosts.txt - clean
malwaredomains.com/files/domains.txt - clean

I contacted the support team, http://www.avast.com/contacts
But noone answered me.....


Whom can I contact to fix the problem?

[Onix]

Please, give us a link to the blocked site. Better if the link would be unclickable.

[DavidR]

Post the link and we can try to check it out, but as Onix said make it unclickable.
e.g. change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

[guitarscientist]

my site was blocked too! (JS:ScriptIP-inf ) I use IP data base from maxmind dot com (JavaScript return country code and nothing more!!!) to give language/country specific download files.
Why avast think that IP data base from maxmind is a virus??

Note that avast itself detects your language on his own site so avast must block his own site too!!!

[guitarscientist]

my site was blocked too! (JS:ScriptIP-inf ) I use IP data base from maxmind dot com (JavaScript return country code and nothing more!!!) to give language/country specific download files.
Why avast think that IP data base from maxmind is a virus??

Note that avast itself detects your country-language on his own site so avast must block his own site too!!!

File name:
index.html
Submission date:
2011-04-07 17:27:47 (UTC)
Current status:
finished
Result:
3 /41 (7.3%)
   
VT Community

not reviewed
 Safety score: -
Compact
Print results
Antivirus    Version    Last Update    Result
AhnLab-V3    2011.04.08.00    2011.04.07    -
AntiVir    7.11.6.4    2011.04.07    -
Antiy-AVL    2.0.3.7    2011.04.06    -
Avast    4.8.1351.0    2011.04.07    JS:ScriptIP-inf
Avast5    5.0.677.0    2011.04.01    JS:ScriptIP-inf
AVG    10.0.0.1190    2011.04.07    -
BitDefender    7.2    2011.04.07    -
CAT-QuickHeal    11.00    2011.04.07    -
ClamAV    0.97.0.0    2011.04.07    -
Commtouch    5.2.11.5    2011.04.06    -
Comodo    8256    2011.04.07    -
DrWeb    5.0.2.03300    2011.04.07    -
eSafe    7.0.17.0    2011.04.04    -
eTrust-Vet    36.1.8258    2011.04.07    -
F-Prot    4.6.2.117    2011.04.07    -
F-Secure    9.0.16440.0    2011.04.07    -
Fortinet    4.2.254.0    2011.04.07    -
GData    22    2011.04.07    JS:ScriptIP-inf
Ikarus    T3.1.1.103.0    2011.04.07    -
Jiangmin    13.0.900    2011.04.07    -
K7AntiVirus    9.96.4320    2011.04.07    -
Kaspersky    7.0.0.125    2011.04.07    -
McAfee    5.400.0.1158    2011.04.07    -
McAfee-GW-Edition    2010.1C    2011.04.07    -
Microsoft    1.6702    2011.04.07    -
NOD32    6023    2011.04.07    -
Norman    6.07.07    2011.04.07    -
Panda    10.0.3.5    2011.04.07    -
PCTools    7.0.3.5    2011.04.07    -
Prevx    3.0    2011.04.07    -
Rising    23.52.03.06    2011.04.07    -
Sophos    4.64.0    2011.04.07    -
SUPERAntiSpyware    4.40.0.1006    2011.04.06    -
Symantec    20101.3.2.89    2011.04.07    -
TheHacker    6.7.0.1.168    2011.04.07    -
TrendMicro    9.200.0.1012    2011.04.07    -
TrendMicro-HouseCall    9.200.0.1012    2011.04.07    -
VBA32    3.12.14.3    2011.04.07    -
VIPRE    8948    2011.04.07    -
ViRobot    2011.4.7.4398    2011.04.07    -
VirusBuster    13.6.293.1    2011.04.07    -

[kubecj]

If you'd tell us the url of your page, we'd be able to do something. 

[masterbo]

ScripIP-inf
this is Country detection by using IP of your site visitors. I think this is a crime in Czech Republic (Avast home) so, avast must block it.
But it's funy that avast itself does this on avast.com (detect country from IP and redirect to country specific page)
In USA,CA,UK etc. country detection via IP is a 100% legal option. Any webmaster can do it legally, but avast will block such sites, and WORLDWIDE!

[spg SCOTT]

This detection suggests that there is an inserted script that points to a malicious site.

Without the site link (please deactivate it, change http to hXXp) no one can know the real reason for the detection.

EDIT: Ahh.. I see now...

this is maxmind(.)com...

I use IP data base from maxmind dot com

ok, what is the exact location of the detection?

[masterbo]

Do you understand that "suggest" is not equal to "access to site prohibited"?
Also how avast can ban sites with links to another sites? This is totally wrong way! I think this is illegal way!
So, say, if I point on my site on Cadafy site my site will be banned by avast?! (say, Cadafy is bad, people in Czech Republic think!)
Wrong! Wrong! Avast can ban Cadafy site, but my site can't banned for "bad" link!

And attention to the name of "virus" ScriptIP-inf
Do you understand that this is "java-script country Inf-ormation extraction from IP"?
This is not a virus with name "Link to bad site"!
Understand?

Well, spg SCOTT please explain us what is JS:ScriptIP-inf in the terms of avast virus detection? Please point us 1 URL banned by avast for this script!
I want to see what real bad do this virus! I foyu can't it means there is no such virus in nature!
Also spg SCOTT please explain why in http://virustotal.com only avast knows such virus, nobody else!

[kubecj]

OMG, will we finally get the url to the page, where do we detect ScriptIP-inf? It's generic detection and may mean million different things. Probably totally unrealated to the things you've said.

[Pondus]

you need to post the URL  http://www.? ? ? ? ?     

[masterbo]

As I understand Avast is an automatic system, so, if avast software does not know this virus avast must remove it from his data base!
ATTN: nobody in our Universe knows this virus! Microsoft does not know! AVG does not know! etc/ etc/ etc/
I have many sites I plan to use http://maxmind.com ScripIP-inf javascript IP->country in near future and afraid that I will must to ask avast to allow me to use maxmin
any time I will deside to use it! It's horrible! I hope avast will remove this not preset in the word virus and will solve this problem totally and forever!


AhnLab-V3    2011.04.08.00    2011.04.07    -
AntiVir    7.11.6.4    2011.04.07    -
Antiy-AVL    2.0.3.7    2011.04.06    -
Avast    4.8.1351.0    2011.04.07    JS:ScriptIP-inf
Avast5    5.0.677.0    2011.04.01    JS:ScriptIP-inf
AVG    10.0.0.1190    2011.04.07    -
BitDefender    7.2    2011.04.07    -
CAT-QuickHeal    11.00    2011.04.07    -
ClamAV    0.97.0.0    2011.04.07    -
Commtouch    5.2.11.5    2011.04.06    -
Comodo    8256    2011.04.07    -
DrWeb    5.0.2.03300    2011.04.07    -
eSafe    7.0.17.0    2011.04.04    -
eTrust-Vet    36.1.8258    2011.04.07    -
F-Prot    4.6.2.117    2011.04.07    -
F-Secure    9.0.16440.0    2011.04.07    -
Fortinet    4.2.254.0    2011.04.07    -
GData    22    2011.04.07    JS:ScriptIP-inf
Ikarus    T3.1.1.103.0    2011.04.07    -
Jiangmin    13.0.900    2011.04.07    -
K7AntiVirus    9.96.4320    2011.04.07    -
Kaspersky    7.0.0.125    2011.04.07    -
McAfee    5.400.0.1158    2011.04.07    -
McAfee-GW-Edition    2010.1C    2011.04.07    -
Microsoft    1.6702    2011.04.07    -
NOD32    6023    2011.04.07    -
Norman    6.07.07    2011.04.07    -
Panda    10.0.3.5    2011.04.07    -
PCTools    7.0.3.5    2011.04.07    -
Prevx    3.0    2011.04.07    -
Rising    23.52.03.06    2011.04.07    -
Sophos    4.64.0    2011.04.07    -
SUPERAntiSpyware    4.40.0.1006    2011.04.06    -
Symantec    20101.3.2.89    2011.04.07    -
TheHacker    6.7.0.1.168    2011.04.07    -
TrendMicro    9.200.0.1012    2011.04.07    -
TrendMicro-HouseCall    9.200.0.1012    2011.04.07    -
VBA32    3.12.14.3    2011.04.07    -
VIPRE    8948    2011.04.07    -
ViRobot    2011.4.7.4398    2011.04.07    -
VirusBuster    13.6.293.1    2011.04.07    -

[kubecj]

Blah, blah and blah and no sign of the url which we report as infected. Maxmind is whitelisted, there is almost 0% probabilty this has anything to do with geoip/maxmind and I still don't know why are you still talking about it.

[masterbo]

If maxmind is white listed explain
1)what is ScripIP-inf ?
2)why only avast detected it?

[kubecj]

This is the last time I reply, unless you provide us the url of the page where we report this.

ScriptIP-inf is the detection of <script referring to page which we block.
We may be only one to detect it because
a) others don't detect it 
b) we false

That can't be decided without the link to the page where we report this.