Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: PermDude on November 28, 2005, 04:26:58 PM

Title: False positive on web page
Post by: PermDude on November 28, 2005, 04:26:58 PM
I'm using version 4.6  Home Edition, and get false positives as I navigate around a fantasy sports site rotowire.com.  The warning says that it found Win32:Nimda [Drp], but Rotowire is mystified as to why any malware warning would come up.

I used Avast a couple of years ago, and stopped using it because of this problem--I'm on Rotowire about every day, and having a warning come up every page or two (accompanied by a siren sound) is more annoying than useful.  Any chance Avast can fix this problem?
Title: Re: False positive on web page
Post by: igor on November 28, 2005, 04:41:45 PM
Well, Nimda [Drp] is a tag that Nimda worm used to append to the HTML files it found on disk. I.e. it doesn't sound like a real false alarm to me - but it's hard to say without more info. Any particular URL you get the warning at?
Title: Re: False positive on web page
Post by: compmanio36 on November 29, 2005, 03:45:26 AM
At one point, I got a virus warning on Ebay with Avast.  Ebay, of all places!  After about a day, it went away as the page changed.  My stance is that I would rather have a few overzealous alerts, than have any AV miss something.  And heck, maybe Ebay was infected with something.....

Also, Nimda infected a LOT of HTTP servers a while back, it is entirely possible there is still some trace of the virus left on Rotowire's server that Avast is picking up.

But to help with your question, can you put a URL in an exceptions list to make Avast not scan this site?  I know you can do so with folders on a hard drive, but I'm not sure how this would work with URLs on the Web Shield.
Title: Re: False positive on web page
Post by: PermDude on December 01, 2005, 09:17:11 PM
That's a good idea--I'll look around for a possible exceptions list.

The warnings come up as I negotiate around the RotoWire site, all sort of pages, all coming from them (and with the same ads coming up).  I suspect the warning is coming from one of the ads being served up.
Title: Re: False positive on web page
Post by: compmanio36 on December 02, 2005, 04:59:31 AM
Ah, yes, that's helpful  ;D

It's probably not Rotowire itself that has or is trying to install a virus/malware on your machine, but the ad server Rotowire uses.  Many ad servers nowadays are so nasty that they will actually try using Java/ActiveX exploits to install spyware/viruses on your machine to gain more profit!  If you can find the URL of the ad server this is popping up from, set it in Avast's Web Shield URL blocker to block that whole server.  That way you won't see the ads, and no more virus warnings!
Title: Re: False positive on web page
Post by: kms on April 23, 2006, 12:35:33 AM
Quote
I'm using version 4.6  Home Edition, and get false positives as I navigate around a fantasy sports site rotowire.com.  The warning says that it found Win32:Nimda [Drp], but Rotowire is mystified as to why any malware warning would come up.

I used Avast a couple of years ago, and stopped using it because of this problem--I'm on Rotowire about every day, and having a warning come up every page or two (accompanied by a siren sound) is more annoying than useful.  Any chance Avast can fix this problem?

I am getting the same false positive for Win32:Nimda [Drp] at rotowire.com. The file that avast claims is contaminated is called "favicon.ico."  I can't see how an icon file -- a bitmap -- could contain a virus.

This is still occurring roughly six months after this first post on the subject was made.  It would be nice if Avast could clean this up  (or I will be inclined to use another product).  Thanks.
Title: Re: False positive on web page
Post by: justin1278 on April 23, 2006, 01:17:11 AM
Hello,

This may not be a false positive. Also any type of file no matter what kind can hold a virus. I believe this site does have a virus in it because I get a yellow alert from Siteadvisor when I visit this site.
Title: Re: False positive on web page
Post by: Lisandro on April 23, 2006, 08:15:03 PM
Quote
I'll look around for a possible exceptions list.

For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be careful: you shouldn't 'exclude' so many files that you leave your system in danger.

Hope this helps...
Title: Re: False positive on web page
Post by: kms on April 24, 2006, 06:34:13 PM
Quote
I believe this site does have a virus in it because I get a yellow alert from Siteadvisor when I visit this site.

No offense, but this is circular reasoning.  Services like SiteAdvisor use non-expert member feedback to warn users of nonspecific threats such as cookies and spyware, or even links to other sites that are believed to have questionable habits. Hundreds of Avast users getting false positives for the presence of a virus when visiting www.rotowire.com would generate an equal amount of feedback from a false positive as they would from an actual threat.  It confirms nothing other than flawed assumptions.  Anecdotal evidence isn't a substitute for detection.

Avast is in the virus detection business.  They should be able to confirm the presence of a virus from a persistent source (six months plus is persistent) by downloading the file(s) in question and examining them.  It would be nice if one of the developers could comment, after performing such testing.
Title: Re: False positive on web page
Post by: igor on April 25, 2006, 10:17:50 AM
Well, I asked for an exact URL back then and didn't get any.
The one page I'm getting the warning at indeed does have the Nimda appended tag at the bottom of the page, i.e. no false alarm here.
Title: Re: False positive on web page
Post by: Wulf on April 25, 2006, 01:23:36 PM
Hi,
Thought I'd check out the site you mentioned to see if it would affect my Avast the same way. The result? Nada, nothing.
I wonder if that could have anything to do with the settings I've applied to Avast courtesy of RejZor. He has a guide at this link http://forum.avast.com/index.php?topic=20412.0
It could help solve your problem.
Title: Re: False positive on web page
Post by: Chief ADFP on April 25, 2006, 01:49:57 PM
I came across other sites; I try to let the webmaster of the site know of it so they replace the bad file. Even in some forums I've seen Java viruses as well.
Title: Re: False positive on web page
Post by: FreewheelinFrank on April 25, 2006, 02:12:50 PM
I get the warning on this page:

http://www.rotowire.com/baseball/player.htm?id=5321

There was a similar problem with a favicon here:

http://forum.avast.com/index.php?topic=17119.0
Title: Re: False positive on web page
Post by: igor on April 25, 2006, 02:18:35 PM
The favicon.ico doesn't exist on rotowire.com - you'll get an error HTML page instead.
Exactly that page has been infected by Nimda (long time ago, probably).
Title: Re: False positive on web page
Post by: mauserme on April 25, 2006, 02:26:12 PM
Frank,

I just clicked the rotowire link you posted about 6 times.  First 5 = no warning.  Last click showed Nimda in

http://www (dot) rotowire.com/include/drop_down.js
Title: Re: False positive on web page
Post by: FreewheelinFrank on April 25, 2006, 02:33:27 PM
Yes, clicking my link didn't bring up a warning for me, but clicking any blue underlined link on the home page brings up a warning, sometimes for drop_down.js, sometimes for:

http://www dot rotowire.com/hockey/favicon.ico
Title: Re: False positive on web page
Post by: Timo Schmidt on April 25, 2006, 05:16:07 PM
NOD 32 shows the same behaviour on this site - so I assume that's no false positive ^^


Greetings

Timo
Title: Re: False positive on web page
Post by: kms on April 25, 2006, 05:59:15 PM
Quote
The one page I'm getting the warning at indeed does have the Nimda appended tag at the bottom of the page, i.e. no false alarm here.


Thanks for taking a look. 

I guess it depends on one's definition of a false positive.  In my opinion, detecting leftover traces of a defunct threat is of little use to the user, and clearly constitutes a false positive.  I think such detection is actually a disservice in that it flags sites that no longer have a problem, while creating an ongoing problem both for the visitor and the webmaster.  Users have to treat the threat as real -- and it isn't.  How much more false can it get?

I contacted rotowire and received a reply from their editor saying that at one point they were infected with Nimda, although the virus has long been eradicated. However, the virus left traces (html) of its presence that remain on some files, predominantly error message files.  They are trying to track down the remaining traces -- because they understand that "[such] traces are an inconvenience."  Avast! needs to come to a similar understanding.

Title: Re: False positive on web page
Post by: DavidR on April 25, 2006, 06:29:50 PM
How is avast to know that the signature elements that have been detected are no longer a threat? It isn't only avast that is picking this up, and the responsibility has to rest with the webmaster to clean up the remnants left on HIS site after it was infected, rather than other AVs catering for their tardiness.

I mean it shouldn't be too difficult for him to scan his web site, and those pages that alert need looking at.
Quote
because they understand that "[such] traces are an inconvenience."
Since they recognise that inconvenience they should clean it up and not have AVs make allowances for them.
Title: Re: False positive on web page
Post by: kms on May 16, 2006, 03:13:47 PM
Quote
How is avast to know that the signature elements that have been detected are no longer a threat

By using signatures that don't rely on harmless leftover code.  It is lazy.

Quote
Since they recognise that inconvenience they should clean it up and not have AVs make allowances for them.

Wrong.  Poor reasoning.  The responsibility lies with Avast, not the webmaster.  I have no business relationship with the webmaster, nor do I wish to have one.  My business is with Avast.  (Although, not any longer. I am finding a better product.) I don't wish to be alerted falsely, it is as simple as that.  I expect Avast to detect actual threats and not rely on cheap methods like looking for HTML fragments that represent no threat.  It is lazy programming, based on flawed assumptions (like yours).
Title: Re: False positive on web page
Post by: DavidR on May 16, 2006, 03:55:01 PM
So every AV should change what they do so as not to inconvenience the webmaster? I think not. It is the webmaster/site owner who is trying to drive traffic to his or her web site; now if that traffic isn't getting there because they have been lazy (as you put it), then they could be losing potential revenue. Now if I were that webmaster I wouldn't be waiting for others to compensate for the code remaining on my web pages after an infection, I would want it done/resolved now.

That is where site back-up comes in: restore/upload and replace all content, which should be much quicker than waiting for others to make up for the web site's security shortcomings. This would be a much quicker option.

Sorry but I have to disagree, but you are entitled to your opinion.
Title: Re: False positive on web page
Post by: igor on May 16, 2006, 04:43:32 PM
kms, your assumptions are wrong as well. The HTML snippets may be obsolete, but I wouldn't call them exactly harmless.

I'll put it another way: these pieces of HTML code are trying to execute a file on your disk (through a browser exploit). You probably don't have these files on your disk, and your browser is probably patched, so the files probably wouldn't really get executed - but that's not what an antivirus program can suppose.
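The cleanup DavidR describes and the appended block igor refers to, as an added example that is not Avast's signature logic and not rotowire's code: a report-only scanner a webmaster could run over a site's files to locate the HTML block Nimda appended. The pattern follows the publicly documented "readme.eml" window.open fragment, and the two-file web root is constructed for the demo.

```python
# Report-only scanner for the HTML block Nimda appended to infected pages.
# Added example, not Avast's signature and not rotowire's code.
import re
import tempfile
from pathlib import Path

# Nimda appended an <html><script> block to the .htm/.html/.asp files it reached,
# opening its mail-format dropper "readme.eml" in an off-screen window.  Match it
# structurally, since whitespace and quoting varied between infected files.
NIMDA_TAG = re.compile(
    r'<html>\s*<script\s+language="?javascript"?>\s*'
    r'window\.open\(\s*"readme\.eml"[^)]*\)\s*</script>\s*</html>',
    re.IGNORECASE,
)

# Constructed sample of the appended block, used by the demo and the tests.
SAMPLE_TAG = ('<html><script language="JavaScript">window.open("readme.eml", '
              'null, "resizable=no,top=6000,left=6000")</script></html>')

def find_nimda_tag(text):
    """Return the (start, end) span of the first appended block, or None."""
    m = NIMDA_TAG.search(text)
    return m.span() if m else None

def strip_nimda_tag(text):
    """Return text with every appended block removed; other markup is untouched."""
    return NIMDA_TAG.sub("", text)

def scan_tree(root, max_bytes=2_000_000):
    """List files under root (relative, POSIX form) that carry the block.
    Every regular file is inspected regardless of extension: the thread shows
    the tag surfacing through URLs ending in .ico and .js (server error pages)."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if find_nimda_tag(text) is not None:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo_scan():
    """Build a constructed two-file web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "errors").mkdir()
        (root / "index.htm").write_text("<html><body>clean page</body></html>")
        (root / "errors" / "404.htm").write_text(
            "<html><body>Not found</body></html>\n" + SAMPLE_TAG)
        return scan_tree(root)
```

Run `scan_tree("/path/to/webroot")` against a copy of the site to get the list of files to restore from backup; `strip_nimda_tag` shows what a cleaned file would look like without writing anything.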
Title: Re: False positive on web page
Post by: CharleyO on May 16, 2006, 08:11:58 PM
***

Hmmm ... 100+ anti-virus companies should change their programs just to suit one "lazy webmaster?"    ???    :o

That, indeed, is poor reasoning.    ::)


***