Author Topic: False Positive on WebShield? (Read 3020 times)

Cafeen · « **on:** June 16, 2012, 02:37:43 AM »

Myself, and several other users of the site:
wxw.disboards.com

are experiencing Avast blocking this site for an HTML:Script-inf infection ([site]/|{gzip} is listed as URL)

I ran it through the 4 of the 5 tools in !Donvan's signature (urlQuery, urlVoid, Zulu risk analyzer, and Sucuri SiteCheck, the Wepawet was erroring out with DB connection failures) and they all come back clean. There has been no word of anything hinky from the site owners (of which, I am not one, just a user).

Is there any other action that I should, or even can take? Since I have no affiliation with the site, this is about as much info as I can gather.

Asyn · « **Reply #1 on:** June 16, 2012, 05:36:23 AM »

Quote from: Cafeen on June 16, 2012, 02:37:43 AM

I ran it through the 4 of the 5 tools in !Donvan's signature (urlQuery, urlVoid, Zulu risk analyzer, and Sucuri SiteCheck, the Wepawet was erroring out with DB connection failures) and they all come back clean. There has been no word of anything hinky from the site owners (of which, I am not one, just a user).

Is there any other action that I should, or even can take? Since I have no affiliation with the site, this is about as much info as I can gather.

You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

!Donovan · « **Reply #2 on:** June 16, 2012, 03:37:26 PM »

Hi Cafeen,

The discussion of disboards in-depth can be found here:
http://forum.avast.com/index.php?topic=99727.0

Also see:
http://forum.avast.com/index.php?topic=99733.0

Both True Indian, Polonus, and I find the partner site safe-surf suspicious.

~!Donovan

polonus · « **Reply #3 on:** June 16, 2012, 03:39:22 PM »

Hi Asyn,

Our friend, !Donovan, is right here.
It might be possible that the heavily obfuscated script was being flagged: wXw.safesurf-check.com/gate.php (related to Zeus trojan)
vulnerability for fx browsers, avast webshield flags as HTML:Script-inf...

polonus

Milos · « **Reply #4 on:** June 16, 2012, 03:44:07 PM »

Quote from: polonus on June 16, 2012, 03:39:22 PM

Hi Asyn,

Our friend, !Donovan, is right here.
It might be possible that the heavily obfuscated script was being flagged: wXw.safesurf-check.com/gate.php (related to Zeus trojan)
vulnerability for fx browsers, avast webshield flags as HTML:Script-inf...

polonus

Hello,
yes, avast! detect there script tag which goes to "safesurf-check.com".

Milos

Asyn · « **Reply #5 on:** June 16, 2012, 05:42:49 PM »

Quote from: polonus on June 16, 2012, 03:39:22 PM

Hi Asyn,
Our friend, !Donovan, is right here.
It might be possible that the heavily obfuscated script was being flagged: wXw.safesurf-check.com/gate.php (related to Zeus trojan) vulnerability for fx browsers, avast webshield flags as HTML:Script-inf...
polonus

Hi D.,
good that you guys checked it.

(I didn't, as I was low on time in the morning...)
Also thanks to Milos for the confirmation.

Author Topic: False Positive on WebShield? (Read 3020 times)

Cafeen

False Positive on WebShield?

Asyn

Re: False Positive on WebShield?

!Donovan

Re: False Positive on WebShield?

polonus

Re: False Positive on WebShield?

Milos

Re: False Positive on WebShield?

Asyn

Re: False Positive on WebShield?