Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on September 10, 2015, 12:10:57 AM

Title: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 12:10:57 AM
Hello,

I thought I would post this here since Malwarebytes is blocking and reporting su2.ff.avast.com as a Malicious Website.

All scans are reporting clean.

This pops up every few minutes and just started today.

Thanks
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 01:10:12 AM
Same thing showed on my computer today!!
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: DavidR on September 10, 2015, 01:17:05 AM
For me the first thing I disabled in MBAM Pro was the malicious sites as it doesn't do as it says on the tin - it notifies you on much more than malicious sites or rather it has many categories other than malicious sites included in its database.

As you can see these are sub-domains of avast.com.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 07:14:54 AM
I have the same issue.  Started today at about 2PM Pacific Time. Michael
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: CraigB on September 10, 2015, 07:40:27 AM
Please report it on the Malwarebytes forum.

It might not be a false positive, it appears to be related to a DNS hijacker if you read the post by MysteryFCM https://forums.malwarebytes.org/index.php?/topic/172525-su2ffavastcom-being-blocked/
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: CraigB on September 10, 2015, 08:43:08 AM
More information here https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 06:07:15 PM
It would seem that Avast needs to update its client-side software and/or server configuration to resolve this issue.  It's affecting a number of people (myself included) and it doesn't seem to be attributable to Malwarebytes.  Of course, if Avast disagrees that's fine, but I would ask that Avast take up the issue with Malwarebytes and come to an agreeable solution.  Each company telling all these people to contact the other company's support staff is a waste of everyone's time.  Thanks!
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 06:10:16 PM
It looks like this is a DNS hijack as reported at Malwarebytes.

https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/


Many have changed their DNS which fixed the problem without disabling Malwarebytes.

Here is a link to change your DNS.
https://developers.google.com/speed/public-dns/docs/using?hl=en
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 06:12:35 PM
Avast needs to fix their product.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 10, 2015, 10:51:00 PM
This started about four days ago for me. Resetting DNS to the Google settings seems to have fixed it for me. I am running Win 7 Pro, MWB Premium, Avast PRO and using Verizon FIOS.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 11, 2015, 12:12:40 AM
Same problem I am having. The MBAM forum states: the avast program is trying to make connections to "su2.ff.avast.com" but "su2.ff.avast.com" does not resolve to an IP address and, so, the connection is redirected to the "92.242.140.21" IP address which is flagged by the MBAM program. I tried to ping the address myself and it would not resolve.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: Pondus on September 11, 2015, 12:31:13 AM
https://forums.malwarebytes.org/index.php?/topic/172548-infected-by-su2ffavastcom-ip-9224214021-dns-hijacking/?p=988597

Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 11, 2015, 01:52:32 AM
Attached is the protection file from malwarebytes that shows avast as a malicious website
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 11, 2015, 02:54:24 AM
I want someone from Avast to address this issue.  This is silly, the transmittal is coming from their system and is annoying.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: DavidR on September 11, 2015, 04:37:33 PM
    I want someone from Avast to address this issue.  This is silly, the transmittal is coming from their system and is annoying.

I'm not from avast, but an avast user just like yourself - If this is DNS Hijacking as has been suggested on the malwarebytes forum, then this is somewhat different when saying who is at fault.

Are you aware what DNS hijacking is? When your computer/browser tries to access a site that is shown in a user-friendly/readable form such as su2.ff.avast.com, it checks against 'your' DNS server, commonly provided by your ISP, to get the IP address.

If that DNS has been hijacked then it can return a different IP address, which could be considered malicious. But if it is your ISP's DNS server that has been hijacked then they have to resolve that. This is why not everyone is affected by this and why the suggestion to change your DNS server resolves this problem, when nothing has changed in avast.

So it isn't as clear cut as you might think.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: elreid1 on September 11, 2015, 09:09:44 PM
I've been battling this for 3 days. Ran numerous virus and malware detection programs to no avail. Finally changed the DNS server of my wireless router to Google 8.8.8.8 and haven't had the popups return as of yet. Running Win7, MWB and Avast Internet Security. Verizon FIOS.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 11, 2015, 09:13:24 PM
    It looks like this is a DNS hijack as reported at Malwarebytes.

    https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/

    Many have changed their DNS which fixed the problem without disabling Malwarebytes.

    Here is a link to change your DNS.
    https://developers.google.com/speed/public-dns/docs/using?hl=en

This problem started 3 days ago on two of my laptops. It may be on my desktop but have not found the annoying popup there that is on these.

I tried to contact AVAST, and MALWAREBYTES... what a laugh.

I am in awe of anyone that can do anything technical wise on a computer.

I can't.

For me to change a DNS would be the equivalent of me being able to split an atom.

What I want to know is if I get away from AVAST completely... though I am paid until 2017... and go with Webroot or another, would that solve the problem?
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 11, 2015, 09:33:47 PM
I have also changed the dns (to the open one, not google) and that has solved the problem but it was a scary thing to do. First, though, I uninstalled avast and probably won't be coming back since I found another good free antivirus program.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 11, 2015, 10:14:56 PM
Here is a response from Avast in the other thread regarding this.
https://forum.avast.com/index.php?topic=176229.15

Until they update the program you can disable Web Protection or change your DNS settings. Verizon seems to be the ISP with most issues but once I change to Google's DNS or another DNS the pop-ups stopped.

CyberTom
----------------

Re: su2.ff.avast.com
« Reply #28 on: Today at 01:05:30 PM »
Hi All,
there's a legacy piece of code trying to reach obsolete domain su2.ff.avast.com. It wasn't doing any harm up until recently as every DNS server should be reporting that domain as non-existent.

Note this response from Google DNS servers:

nslookup su2.ff.avast.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find su2.ff.avast.com: NXDOMAIN


What seems to be happening is this. Some ISPs are possibly using this service www.barefruit.co.uk for returning custom (advertising?) content to many network related errors, like non-existent domains. And MBAM seems to start having issues with this content or a set of IP ranges, reporting it as a malware content.

We'll disable queries to this domain into the next available release which should resolve the problem with this particular non-existent domain. But the other part of the problem lies elsewhere, ISP serving custom content on invalid requests (DNS, HTTP) and MBAM reporting it as malware.

Regards.
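
Added example (not part of the thread, and not Avast or Malwarebytes code): a check for the NXDOMAIN substitution described in the reply above. It resolves random names that cannot exist and compares their answers with the answer for the hostname in question; the two stand-in resolvers and the www.example.test record are constructed so the check runs offline.

```python
import socket
import uuid

def system_resolver(name):
    """Ask the OS-configured resolver; empty set means NXDOMAIN or lookup failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def random_probes(count=3, tlds=("com", "net", "org")):
    # Random 128-bit labels are unregistered, so an honest resolver answers NXDOMAIN.
    # The trailing dot stops the OS from appending a search domain.
    return [f"{uuid.uuid4().hex}.{tlds[i % len(tlds)]}." for i in range(count)]

def classify(resolve, hostname, probes=None):
    """Return (verdict, landing_ips) for hostname as seen through `resolve`."""
    landing = set()
    for probe in probes or random_probes():
        landing |= set(resolve(probe))   # any answer here is a substituted one
    answer = set(resolve(hostname))
    if not answer:
        verdict = "nxdomain"
    elif answer <= landing:
        verdict = "nxdomain-rewritten"   # same IPs as names that cannot exist
    else:
        verdict = "resolves"
    return verdict, sorted(landing)

# Constructed resolvers for an offline run (assumptions, not captured data).
ZONE = {"www.example.test": {"192.0.2.10"}}   # constructed record, TEST-NET-1 address

def honest_resolver(name):
    return ZONE.get(name.rstrip("."), set())

def rewriting_resolver(name):
    # Models an ISP resolver that answers every missing name with one landing IP;
    # 92.242.140.21 is the address quoted earlier in the thread.
    return ZONE.get(name.rstrip("."), {"92.242.140.21"})

if __name__ == "__main__":
    for label, fn in (("honest", honest_resolver), ("rewriting", rewriting_resolver),
                      ("system (live lookup)", system_resolver)):
        print(label, classify(fn, "su2.ff.avast.com."))
```

A verdict of "nxdomain-rewritten" means the hostname received the same address as names that cannot exist, which points at the resolver's handling of missing names rather than at that hostname specifically.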
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 13, 2015, 12:15:01 AM
Well, I got a reply from Malwarebytes regarding this.

They sent me to a link that suggested as others have done to change the DNS.

They also suggested if using Avast to try one of theirs, which I did first.

Then I tried the Google ones they suggested.

NO help for me.......
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: polonus on September 13, 2015, 12:34:57 PM
When one does a DNS scan for the nameserver of su2.ff.avast one gets bad zone: Could not get name servers for 'pns.avast.com'.
See: http://toolbar.netcraft.com/site_report?url=su2.ff.avast.com
See: http://who.is/nameserver/pns.avast.com/
Delegation not found at parent: http://dnscheck.pingdom.com/?domain=pns.avast.com&timestamp=1442139880&view=1
Not enough nameserver information was found to test the zone pns.avast.com, but an IP address lookup succeeded in spite of that.
Re: http://www.tcpiputils.com/browse/ip-address/91.213.143.1
So is there something misconfigured?
Re: https://www.metricsbot.com/nameserver/pns.avast.com/
Also consider my posting here: https://forum.avast.com/index.php?topic=154511.0

Name Server
pns.avast.com is a known Domain Name Server. This server provides name services (DNS) for the following domains:
avast.com -> http://www.dnsinspect.com/avast.com/1442140070
Warning: WARNING: Found stealth name servers:
ns6.avast.com.
sns.avast.com.
This should not be: WARNING: Name servers software versions are exposed:
91.213.143.1: "9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2" hostname: pns.avast.com
 domain  ISC BIND 9.3.6-25.P1.el5_11.2
Service Info: OS: Red Hat Enterprise Linux; CPE: cpe:/o:redhat:enterprise_linux
Should be updated: https://rhn.redhat.com/errata/RHSA-2014-1984.html
SRPMS:
bind-9.3.6-25.P1.el5_11.2.src.rpm
File outdated by:  RHSA-2015:1706       MD5: 219d9fcc20de4b8ebe01a9014fe8a52b
SHA-256: c6c46ab655778236a30e364d10d4766f69f2858f2da37aa296dfde8a79cb8d38

polonus
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: REDACTED on September 18, 2015, 01:02:56 AM

Re: su2.ff.avast.com
« Reply #30 on: Today at 12:59:53 AM »

Quote from: JBG on September 11, 2015, 01:05:30 PM

    Hi All,
    there's a legacy piece of code trying to reach obsolete domain su2.ff.avast.com. It wasn't doing any harm up until recently as every DNS server should be reporting that domain as non-existent.

    Note this response from Google DNS servers:

    nslookup su2.ff.avast.com 8.8.8.8
    Server:         8.8.8.8
    Address:        8.8.8.8#53

    ** server can't find su2.ff.avast.com: NXDOMAIN


    What seems to be happening is this. Some ISPs are possibly using this service www.barefruit.co.uk for returning custom (advertising?) content to many network related errors, like non-existent domains. And MBAM seems to start having issues with this content or a set of IP ranges, reporting it as a malware content.

    We'll disable queries to this domain into the next available release which should resolve the problem with this particular non-existent domain. But the other part of the problem lies elsewhere, ISP serving custom content on invalid requests (DNS, HTTP) and MBAM reporting it as malware.

    Regards.


The latest version of Avast did not seem to fix this issue. Once I switched back to Verizon DNS the pop-ups re-occurred.
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: 1234ava on September 18, 2015, 05:23:21 PM
        I want someone from Avast to address this issue.  This is silly, the transmittal is coming from their system and is annoying.

    I'm not from avast, but an avast user just like yourself - If this is DNS Hijacking as has been suggested on the malwarebytes forum, then this is somewhat different when saying who is at fault.

    Are you aware what DNS hijacking is? When your computer/browser tries to access a site that is shown in a user-friendly/readable form such as su2.ff.avast.com, it checks against 'your' DNS server, commonly provided by your ISP, to get the IP address.

    If that DNS has been hijacked then it can return a different IP address, which could be considered malicious. But if it is your ISP's DNS server that has been hijacked then they have to resolve that. This is why not everyone is affected by this and why the suggestion to change your DNS server resolves this problem, when nothing has changed in avast.

    So it isn't as clear cut as you might think.

I don't use MBAM *Pro*, but I think MBAM correctly reports DNS redirection because it is suspicious, even though in this particular case it is not due to malicious activity but, partially, to mere sloppiness on Avast's side ("the use of a hostname that does not resolve (and hasn't done for months)," https://forums.malwarebytes.org/index.php?/topic/172548-infected-by-su2ffavastcom-ip-9224214021-dns-hijacking/?p=988597 ), and to some ISPs' policies (hijacking invalid requests and redirecting to unrelated sites).

I am happy I use OpenDNS anyway :)
Title: Re: su2.ff.avast.com - Malicious Website Detected
Post by: bob3160 on September 18, 2015, 05:46:17 PM
Avast has already mentioned that the fix for this was too late for the current new release
and probably will not be included till Avast 2016 is released.