Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dmarkd on April 17, 2010, 07:28:40 PM
-
Hi,
It appears that in the last couple days my website has been blocked by Avast. It's just a personal site, no big deal, but I'm trying to figure out why it has been blocked. After looking over the logs on the server, there has been no suspicious login activity, so I started focusing on the software itself. Apache is up to date, as is simple machines. I looked through the other directories on the webserver and couldn't find anything suspicious. UnmaskParasites didn't complain about anything on any of the directories.
I'm really at a loss here as to why my site has been blocked. If it's infected with something, I'll fix it - if it hasn't been, why has it been blocked?
My site is: hxxp://9thlevel.ca/
Thanks.
-
Try this to scan your site: http://wepawet.iseclab.org/
asyn
-
Here is the report from that tool, which says no malicious software identified:
http://wepawet.iseclab.org/domain.php?hash=2ae4f61e814577e8159beb3688a9a8e2&type=js
I'm really scratching my head here. ??? ???
-
Hello dmarkd ,
Not found on hphosts black list.
Neither on mdl.
up returns ok.
wepawet returns ok.
My virtual machine seems to be messed up. Not able to connect to the internet. Will surely post some update here later. Even if I didn't find anything.
nmb
-
Well wepawet isn't really saying anything, but I don't believe that means there is nothing wrong.
Trying to check your site I find nothing on the home page, see image of the source of the home page.
-
Well wepawet isn't really saying anything, but I don't believe that means there is nothing wrong.
I too dont believe that wepawet is telling us the right thing. There was a recent attack on apache.org too.. may be an apache a related issue.. Idk.. may be it is not apache problem. my vm is not able to connect to internet.
nmb
-
Full disclosure, I took down the un-used SMF forums I had on the front page to see if that would help anything, replaced it with the "Sup" page that is there now. I did this AFTER the wepawet scan however.
I have upgraded to the latest apache build, even still, I have a much higher traffic site hosted on the same Apache instance which is not being reported as "bad" by Avast or anything else.
So my question is, is Avast actually detecting something live when I go to the site, or is it just because my URL is in a database somewhere that Avast is complaining?
-
Since network shield is blocking, it should be in the blacklist of n/w shield.
nmb
-
So what has triggered it to be there? Can I report to somewhere that I think it's wrong and have them re-evaluate?
-
Well you can do it here or send an email to them with the link to this topic in the body. virus[at]avast[dot]com . Idk whether there is any other email id for reporting n/w shield fps. ;D
nmb
-
Web Shield says the site is blocked because of JS:ScriptPE-inf [Trj] (0)
-
Web Shield says the site is blocked because of JS:ScriptPE-inf [Trj] (0)
http://forum.avast.com/index.php?topic=44391.0
http://forum.avast.com/index.php?topic=43970.0
asyn
-
I really wish there was some more verbosity around these errors. JS:ScriptPE-inf [Trj] apparently is a generic label to any apparently malicious javascript. Except before I removed the forums, I looked, and there wasn't any there. Anyway, at the very least, there is absolutely NO javascript there now as I replaced the forums with a single static page, and have sent an e-mail to the one nmb mentioned. Hopefully I'll get some more info.
Asyn, I looked at those topics before writing this, again, no help. The JS just isn't there, and apparently this is now a blacklist issue not an active detection issue.
-
I'm using avast 4 and network shield blocks it ???
nmb
-
The JS just isn't there, and apparently this is now a blacklist issue not an active detection issue.
To the best of my knowledge, Avast doesn't use a blacklist.
-
Asyn, I looked at those topics before writing this, again, no help. The JS just isn't there, and apparently this is now a blacklist issue not an active detection issue.
Once blacklisted it could take some time...
It would be interesting, how long exactly!
So, please could you post back here, if the issue is solved..!??
Thank you! :)
asyn
-
To the best of my knowledge, Avast doesn't use a blacklist.
You sure? I dont think so..
nmb
-
To the best of my knowledge, Avast doesn't use a blacklist.
You sure? I dont think so..
nmb
Well, I'm not really sure. But since Avast is actually detecting malware it doesn't sound like blacklisting.
Also, in Avast 5 the detection is listed in both Web Shield and Network Shield.
-
From what I remember, a blacklist is (at least) partly how network shield works...
FWIW I also get a network shield block of this site with 5.
-Scott-
-
Even in avast 5, network shield blocks it, but if you disable network shield, you will then get the trojan error itself. So I'm getting this multi-pronged block against the site and I have no idea why.
If it is not a blacklist, what exactly is it finding wrong with the index.html containing nothing but "Sup" ? Even using a telnet session to the page to inspect the headers shows nothing out of the ordinary.
This is getting pretty frustrating.
-
Please PM me the index.html
asyn
-
Please PM me the index.html
asyn
Apparently I'm not allowed to send PM's.
-
Apparently I'm not allowed to send PM's.
Sorry, forgot about that... You need 20 posts first. ;)
But you could attach it to a post... (rename it to something like dmarked.999)
asyn
-
From what I remember, a blacklist is (at least) partly how network shield works...
FWIW I also get a network shield block of this site with 5.
-Scott-
Thank you for confirming that.
-
Web Shield alerted for JS:ScriptPE-inf [Trj] (0) at 2:40:46 PM EDT, which is apparently before you replaced the forums. Currently, only Network Shield is blocking it.
-
Web Shield alerted for JS:ScriptPE-inf [Trj] (0) at 2:40:46 PM EDT, which is apparently before you replaced the forums. Currently, only Network Shield is blocking it.
I can confirm that - only Network Shield is blocking it here at time of posting...
-
Here is the current index.html and the old index.html from the forums. For completeness' sake, I've also included the index of the template file the forum was using.
On a side note, I received an e-mail back from Avast - they said they were seeing many reports from a url "downloadnow.9thlevel.ca" and blocked my entire domain. Downloadnow is not a valid subdomain of mine nor is my webserver configured to host it, so I'm guessing that the issue was a dns injection / wildcard issue which caused the report in the first place. Unfortunately it is not an issue I have any control over nor do I apparently have any ability to fix it. Anyway, their response was that they have modified the block to be the subdomain only, so hopefully when I get my next update that will solve things.
Update - I host my DNS with a service called "FreeDNS.afraid.org" - one of their options is to allow other people to use your domains for their own subdomains and point them elsewhere. I am SUPPOSED to be notified when this happens and be able to approve/deny domains. I had no such notification and as I cannot resolve this "downloadnow" name I'm not sure if this is the issue, but it is possible their was a fault in their system which has caused this confusion. Not guaranteed that this is it, but at this point it seems to make the most sense.
-
Update - I host my DNS with a service called "FreeDNS.afraid.org" - one of their options is to allow other people to use your domains for their own subdomains and point them elsewhere. I am SUPPOSED to be notified when this happens and be able to approve/deny domains. I had no such notification and as I cannot resolve this "downloadnow" name I'm not sure if this is the issue, but it is possible their was a fault in their system which has caused this confusion. Not guaranteed that this is it, but at this point it seems to make the most sense.
Maybe...
I never could accept the rules you posted above. :(
All kind of troubles can easily occur...
-
I'm using avast 4 and network shield blocks it ???
nmb
Why are you not using avast! V5?
-
The JS just isn't there, and apparently this is now a blacklist issue not an active detection issue.
To the best of my knowledge, Avast doesn't use a blacklist.
I think the network shield does...
-
The JS just isn't there, and apparently this is now a blacklist issue not an active detection issue.
To the best of my knowledge, Avast doesn't use a blacklist.
I think the network shield does...
He does not need any advice:
http://forum.avast.com/index.php?topic=58679.msg494662#msg494662
-
I'm using avast 4 and network shield blocks it ???
nmb
Why are you not using avast! V5?
http://forum.avast.com/index.php?topic=58671.msg494552#msg494552
No luck, avast refusing to run on my system.
nmb
-
No luck, avast refusing to run on my system.
nmb
I did a fresh install of avast! V5 using the procedure here:
How to uninstall our software using aswClear:
http://www.avast.com/uninstall-utility
Then I downloaded avast! Free Antivirus English (40MB) for my Windows 7 system:
http://www.avast.com/free-antivirus-download
I installed setup_av_free.exe and did the required reboot.
I updated avast! to V5.0.507
I would remove Windows firewall control as I had lots of problems with it.
I did the same for my XP Pro system except I used the setup_av_pro.exe
I would remove Privatefirewall on the XP Pro system then get avast! V5 working and re-train Privatefirewall for the new avast! V5 modules.
-
Hey ken,
Thanks pal. But I have tried all of them. Before installing windows firewall control, I had installed avast!, but no luck(on my laptop). I will try removing private firewall and installing avast!(desktop).
nmb
-
Ah! I could install on windows 7 with the windows firewall control running. Installed avast! 5 over 4. Works like charm and no problem whatsoever!
Although, I have to test the same way on my desktop.
btw, Thanks ken.
nmb