Avast WEBforum
Other => Viruses and worms => Topic started by: AndrewNR on July 14, 2020, 11:37:06 AM
-
Hi, my Free Avast Antivirus has recently started to block some subdomains of our Salesforce.com production org as URL:Phishing. The following URLs are being blocked:
- https://salesoptimizer--c.na84.content.force.com // Content subdomain
- https://salesoptimizer--c.na84.visual.force.com // Visualforce pages subdomain
- https://salesoptimizersupport.force.com // Salesforce Site.com configured in our production org
At the same time, the main https://salesoptimizer.my.salesforce.com site URL does not have this problem.
I tried to scan the https://salesoptimizer--c.na84.visual.force.com URL using virustotal.com; no viruses were detected:
https://www.virustotal.com/gui/url/29c4e27ebb953c1af69bad4583452f69fdd4110093d650b775b414817a93ba83/detection
What should I do? I wouldn't like to keep the URL exception for this site (what if a real virus or phishing page hides there one day?).
-
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
-
Thanks for guiding me on this! Done.
-
You're welcome.
-
Has been given the clean bill of health here: https://checkphish.ai/insights/url/1594728051165/8450c7d0a1781248ec8ca843a75aaf64ce455850a5691301a0bb25a2d9821e55#
Redirecting to -https://salesoptimizersupport.force.com/login
With blockers ReferenceError: loader is not defined
/jslibrary/LoginHint208.js:23
CSP: Evaluated CSP as seen by a browser supporting CSP Version 3
check: upgrade-insecure-requests
error: script-src [missing]
script-src directive is missing.
error: object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
On source: Javascript 11 (external 5, inline 6)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes
INLINE: if (self == top) {document.documentElement.style.visibility = 'visible';} else {
249 bytes
INLINE: var SFDCSessionVars={"server":"https:\/\/login.salesforce.com\/login\/sessionser
588 bytes
-salesoptimizersupport.force.com/jslibrary/SfdcSessionBase208.js
-salesoptimizersupport.force.com/jslibrary/LoginHint208.js
INLINE: LoginHint.hideLoginForm();
26 bytes
INLINE: LoginHint.getSavedIdentities(false);
36 bytes
-salesoptimizersupport.force.com/jslibrary/baselogin.js
-salesoptimizersupport.force.com/marketing/survey/survey1/1384
-salesoptimizersupport.force.com/marketing/survey/survey4/1384
INLINE: function handleLogin(){document.login.un.value=document.login.username.value;doc
262 bytes
ONCLICK: /* a#edit.fr small.onclick = */ LoginHint.showEdit();
53 bytes
ONCLICK: /* button#hint_save_edit.button primary fiftyfifty right.onclick = */ LoginHint.
95 bytes
ONCLICK: /* button#hint_back_edit.button secondary fiftyfifty.onclick = */ LoginHint.show
90 bytes
ONCLICK: /* a#clear_link.clearlink.onclick = */ LoginHint.clearExistingIdentity();
73 bytes
ONCLICK: /* button#mydomainContinue.button primary fiftyfifty right.onclick = */ DomainSw
104 bytes
ONCLICK: /* button#hint_back_domain.button secondary fiftyfifty.onclick = */ DomainSwitch
140 bytes
ONCLICK: /* a#use_new_identity.onclick = */ LoginHint.useNewIdentity();
62 bytes
CSS 5 (external 1, inline 4)
salesoptimizersupport.force.com/css/sfdc_210.css
INJECTED
INLINE: html{visibility: hidden;}a{color:#0070d2;}body{background-color:#FFFFFF;}#conten
459 bytes INJECTED
INLINE: html { visibility: hidden; }
30 bytes INJECTED
INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED
INLINE: :root #content > #center > .dose > .dosesingle, :root #content > #right > .dose
170 bytes INJECTED
Wait for a final verdict from an Avast team member, as they are the only ones to come and unblock;
for now I do not see that particular page being blocked by Avast. Also Zen Mate blocks zero.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
-
Redirecting to the login site is insecure as it may produce access to internal files,
like for instance baselogin.js, survey4 etc., both with code meant for internal use only.
/*
* This code is for Internal Salesforce use only, and subject to change without notice.
* Customers shouldn't reference this file in any web pages.
*/
Also with links to -: htxps://jeddrexler.com/
This is known as excessive info proliferation and one should hide it from accidental access.
polonus
-
Hi polonus,
Thank you for looking into it and providing recommendations on fixing some parts. Unfortunately, I am not the owner of those sites (even the support site), and most of the site HTML is rendered by Salesforce internally, so I cannot adjust anything there. In any case, thank you for the feedback on this.
I have just received a response from Avast support; they marked it as safe, and it is not detected by Avast anymore.
Thanks for your help!
Best regards,
Andrew