Avast WEBforum

Other => Viruses and worms => Topic started by: Dominik30 on September 20, 2023, 11:30:37 AM

Title: False Positive: Site Blocked - URL:Phishing
Post by: Dominik30 on September 20, 2023, 11:30:37 AM
Hello,

The Avast software is saying that our company domain www[.]sklep[.]polysport.pl is blocked because of a phishing URL.

This has caused huge concerns among our customers who had your software on their laptops and PCs. Can we understand what happened here and what had triggered the false positive?

Thank you in advance for clarification.

Kind regards

Polysport

Title: Re: False Positive: Site Blocked - URL:Phishing
Post by: Pondus on September 20, 2023, 12:21:28 PM
https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438


Title: Re: False Positive: Site Blocked - URL:Phishing
Post by: Dominik30 on September 20, 2023, 12:56:36 PM
I've already reported this problem via https://www.avast.com/false-positive-file-form.php

However, I've been told to update my virus database which obviously is not the solution I am looking for...

Even if it would work, I cannot reach all my customers to advise them to update their Avast virus database.

The site has also been scanned via multiple scanners such as VirusTotal etc.

https://www.virustotal.com/gui/ip-address/185.41.68.201
https://sitecheck.sucuri.net/results/www.sklep.polysport.pl


Title: Re: False Positive: Site Blocked - URL:Phishing
Post by: DavidR on September 20, 2023, 01:42:10 PM
It isn't just that subdomain but the whole domain that is being alerted on.

The VT link you posted is 2 years old:
New scan - https://www.virustotal.com/gui/url/06befde055bc5b7f2f3ef71a029ac88f9a33a333daf01869e02b7e29e3109291/detection, note the Links header (2 external links), these might also be implicated.
The second link, sucuri.net, isn't clear; whilst it gives it a "Low Security Risk", it isn't Minimal and it also gives hardening improvements.

Some pointers also given here - https://en.internet.nl/site/polysport.pl/2342724/#

My virus database is up to date and it is still detected.
Note I'm an Avast User and not an Avast Employee.

Title: Re: False Positive: Site Blocked - URL:Phishing
Post by: polonus on September 20, 2023, 02:07:39 PM
Hello,

Avast flags the site - https://www.sklep.polysport.pl/ - as a phishing site.

Could be a SUCRO JavaScript phish. Obfuscation used to be phishing, your site has SUCRO JavaScript.

Also consider: https://www.shodan.io/host/185.41.68.201 (IP has not been reported for abuse).
But see the vulnerabilities that Shodan reports for that IP: https://www.shodan.io/host/185.41.68.224 (mainly for OpenSSH)

But wait for a final verdict from the Avast team,

Regards,

polonus