Avast HTML parser bug causes trojan false alarm

[REDACTED]

The Avast Webshield and Fileshield incorrectly parse an HTML page causing a false alarm (HTML:HideMe-E [Trj]) about a trojan.  The parser that Avast is using should recognize that the offending clause (an iFrame of any size to a third-party website) is commented out and it should not raise an alarm.  Whitelisting the webpage (not third party) domain prevents the Webshield alert however the Fileshield alert goes off on the file cached by the web browser (and Fileshield cannot whitelist by domain) -- so there is no adequate workaround that is acceptable.  Can Avast please look into getting their parser to recognize a proper comment?  My HTML editors properly recognize it.  Why does this matter? Because I don't control the website where this is occurring and it is wrongly setting off alarms for the users in my company.  This is an Avast bug that should be fixed because the code is clearly commented out.  While I can ask the website service to please change their benign webpage, they can easily argue that there is no problem and that Avast should fix the matter.  The links below are my example on a page which I can control (to demonstrate the bug).

See for example:
http://www.cpuinbloom.com/false_positive_scrubbed_W3C.htm
http://www.cpuinbloom.com/true_negative_scrubbed_W3C.htm

My web server alters the source on-the-fly, so here is the actual W3C validated source for those files:
http://www.cpuinbloom.com/false_positive_scrubbed_W3C.txt
http://www.cpuinbloom.com/true_negative_scrubbed_W3C.txt
i.e. validated by https://validator.w3.org/#validate_by_upload

[Eddy]

It is not a false alarm as you already have been told.

It has a link to a non existing/blacklisted domain.

[REDACTED]

What are you talking about.  How is it not a false alarm?  Please explain what you mean.  I am aware of what alarm was set off.  And it is incorrect that it is setoff for code that is commented out.  So what do you mean?

[Eddy]

See reply #1

[REDACTED]

Incorrect.  I have just now proven (see updated links below) that for an existing domain which is not blacklisted the same occurs. 

Are you suggesting that Avast should alarm on commented out HTML code? 

Please give a definitive and clear answer so that I can tell the vendor of the service that is Avast's position.  One way or another I need to resolve this for my users.  So please clarify what exactly is Avast's position on this?

See for example:
http://www.cpuinbloom.com/false_positive_scrubbed_W3C_2.htm
http://www.cpuinbloom.com/true_negative_scrubbed_W3C_2.htm

My web server alters the source on-the-fly, so here is the actual W3C validated source for those files:
http://www.cpuinbloom.com/false_positive_scrubbed_W3C_2.txt
http://www.cpuinbloom.com/true_negative_scrubbed_W3C_2.txt
i.e. validated by https://validator.w3.org/#validate_by_upload

[Asyn]

You can report a URL here: https://www.avast.com/report-a-url.php

[REDACTED]

This is not about reporting a URL.  This is about an Avast bug.  The URLs provided demonstrate the bug.  Please advise if the matter is still unclear.

[Asyn]

- Which Avast..? (Free/Pro/IS/Premier)
- Which version..?
- OS..? (32/64 Bit..? - which SP/Build..?)
- Other security related software installed..?
- Which AV(s) did you use before Avast..?

[DavidR]

You will only get avast's position by contacting them directly as most of the respondents in the forum will be avast users.

Personally if code is commented out, why not simply remove it.

What is commented out now could be active immediately, after a few seconds, minutes, hours, etc. etc.

[Eddy]

Commented out or not, it shouldn't be there in the first place.
It is a security risk, so yes avast should detect it and warn the user.

[REDACTED]

This is an easily reproduceable bug.  Try it yourself per the links given.  Use the txt link if you are worried.  I can include the HTML source code in this thread if you wish.

This bug occurs with both Avast Webshield and Fileshield, on:

Mac OS X El Capitan 10.11.6
Avast Mac Security 2016 Version 12.7 Virus definition version 17042802
Webshield with Firefox, Chrome and Safari
Fileshield
No other anti-virus software installed
Previously used Avira anti-virus

Windows 10 Pro 1607 64-bit
Avast Free Antivirus 17.3.2291 (build 17.3.3443.0) Virus definition version 170501-0
Webshield with Chrome and Edge
Fileshield (when "All Files" setting is turned on)
No other anti-virus software installed
Previously used Avira anti-virus

[Asyn]

For Mac, post/ask here: https://forum.avast.com/index.php?board=5.0
For Windows: You could try the latest beta: https://forum.avast.com/index.php?board=15

[REDACTED]

If it is a security risk, then how come it doesn't detect it on the version that is commented out differently?  So are you saying that Avast failed on that detection?  Clearly Avast has no intention of generating false positives.

If it wants to warn users that a web page has commented out code that is somewhat suspicious and could be a problem in the future that's fine.  But to alert about a serious trojan for a commented out iFrame to a third party domain is alarmist.

While I can appreciate the stance that some take that it is an inherent or latent security risk, the code is commented out and so it clearly poses no actual or residual risk.  You can still wish for an alert on inherent risk if you want, as security people, but that stance and false positives doesn't win over any regular users to become more security-oriented -- to the contrary it tells them that the security person is too alarmist.

To those who didn't actually read the whole post or thread, I've already articulated why I myself can't simply fix it.  And it is clearly Avast which should be consistent in their interpretation of commented out HTML code.  Either both pages I've posted should be an alert, or both should not.  I clearly take the stance, that neither should cause an alert.

And as to why I post in this forum?  It is because it is the only support option I have at the moment, because I have not committed to this product.  And if Avast doesn't have the common sense to monitor this forum and respond as appropriate then I don't know how they will win over customers to purchase their product.

[Asyn]

You can report a suspected FP here: https://www.avast.com/false-positive-file-form.php
You can report a URL here: https://www.avast.com/report-a-url.php

[HonzaZ]

Just chipping in to say it is not a bug, it is working as intended.

false_positive.htm contains

Code: [Select]

<!-- <div style="visibility:hidden">Valid element in a comment (and of course Avast triggers a detection)

true_positive.htm contains

Code: [Select]

<!-- div style="visibility:hidden">NOT a valid element in a comment (and Avast stays silent)

Just to repeat once more: we do not check whether the malicious code is commented out or not (there would be a huge performance penalty in doing so), but we do check if the malicious code is there or not.