Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: donbt09 on March 03, 2009, 11:11:59 PM

Title: Could this be a false positive
Post by: donbt09 on March 03, 2009, 11:11:59 PM

Today the http://translator.live.com from microsoft is triggering avast virus alert (HTML:Script-inf) Could this be a false positive?

Title: Re: Could this be a false positive
Post by: RejZoR on March 03, 2009, 11:22:49 PM

The address itself seems to be legit, however it could be a hijacked webpage. But then again, it could just as well be false positive of some sort. You may want to report it to virus@avast.com for further inspection or just wait for someone from ALWIL team to check this thread.

Title: Re: Could this be a false positive
Post by: DavidR on March 03, 2009, 11:34:15 PM

Well it looks like there is a redirect script on that page that redirects to a site that is being blocked by the network shield.

03.03.2009  22:23:33  Network Shield: blocked access to malicious site wXX.microsofttranslator.com/Default.aspx?br=ro [ C:\Program Files\Mozilla Firefox\firefox.exe ( 3588 ) ]

Since this also belongs to Microsoft I think this could be an FP:

Quote

Name:      microsofttranslator.com
IP:      65.55.177.207
Domain:   microsofttranslator.com
Querying root.rwhois.net:4321 for microsofttranslator.com...

Querying whois.tucows.com for microsofttranslator.com...
Registrant:
 Microsoft Corporation
 1 Microsoft Way
 Redmond, WA 98052
 US

 Domain name: MICROSOFTTRANSLATOR.COM

I have sent report to avast, but I guess it won't hurt for another.

Title: Re: Could this be a false positive
Post by: donbt09 on March 03, 2009, 11:38:56 PM

Quote from: RejZoR on March 03, 2009, 11:22:49 PM

The address itself seems to be legit, however it could be a hijacked webpage. But then again, it could just as well be false positive of some sort. You may want to report it to virus@avast.com for further inspection or just wait for someone from ALWIL team to check this thread.

thanks  :) I reported. It looks like Microsoft is doing changes to their windows live translation URL http://liveside.net/main/archive/2009/03/03/windows-live-translator-rebranded-under-live-search.aspx.

Title: Re: Could this be a false positive
Post by: DavidR on March 03, 2009, 11:47:00 PM

I paused the network shield to see if I could find anything obvious on the page source (I didn't) but the web shield fired this time, so I have also submitted that for further investigation.

Title: Re: Could this be a false positive
Post by: kubecj on March 03, 2009, 11:54:16 PM

It's a FP, my mistake. Had report, virus inside, typical scamsite name  8) and not whitelisted. We have whitelisted most of the big companies webs because this is exactly the situation we want to avoid.

Title: Re: Could this be a false positive
Post by: DavidR on March 04, 2009, 12:10:51 AM

Thanks for the prompt response kubecj I trust it will be corrected in the next VPS update.

Title: Re: Could this be a false positive
Post by: kubecj on March 04, 2009, 01:03:26 AM

Yep, it's out.

Title: Re: Could this be a false positive
Post by: RejZoR on March 04, 2009, 01:30:14 AM

Now thats what i call instant FP fixing. :o ;D

Title: Re: Could this be a false positive
Post by: DavidR on March 04, 2009, 01:46:15 AM

Yes very fast, but of course it doesn't pay to go blocking Microsoft ;D

Title: Re: Could this be a false positive
Post by: Lisandro on March 04, 2009, 01:50:13 AM

Quote from: RejZoR on March 04, 2009, 01:30:14 AM

Now thats what i call instant FP fixing. :o ;D

Nobody wants a fight with MS ;D