Author Topic: Avast! Internet Security blocked my site!  (Read 34356 times)

0 Members and 1 Guest are viewing this topic.

tiger2wander

  • Guest
Avast! Internet Security blocked my site!
« on: November 27, 2012, 11:12:51 AM »
Hi there,

We are running a site at URL: http://www.joomlart.com/
Avast! Internet Security was detected it as a malware site, below is report from our users:

Quote
URL: http://www.joomlart.com/forums/ajax.php|...
Prozess:   C:\Program Files\Mozilla Firefox\firefox...
Infektion:   HTML:Iframe-inf

I was running a virus scan on our server and it report fine. Some online checks report good also:
- http://www.siteadvisor.com/sites/http%3A//www.joomlart.com/
- http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.joomlart.com

I think this is a wrong detection, please check and remove it from black list.

Thanks in advanced!
« Last Edit: November 27, 2012, 11:17:36 AM by tiger2wander »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user


tiger2wander

  • Guest
Re: Avast! Internet Security blocked my site!
« Reply #3 on: November 27, 2012, 11:55:40 AM »
I've just clicked on the "Rescan" button and it turned to green now:

http://sitecheck.sucuri.net/results/www.joomlart.com

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast! Internet Security blocked my site!
« Reply #4 on: November 27, 2012, 12:09:02 PM »
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast! Internet Security blocked my site!
« Reply #5 on: November 27, 2012, 01:21:25 PM »
2 suspicious files given there by quttera's, see: http://chrome.quttera.com/chrome_detailed_report/www.joomlart.com
Furthermore the site has the following issues (these are not malware related): 1. -website gibes away through the "X-Powered-By" HTTP Header, that content is being generated dynamically. This header should be removed.  2. - site makes use of a tracking graphic.
Spamcheck status secure, safe browsing status secure, WOT report status all green, DMOZ/ODP 1 link


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tiger2wander

  • Guest
Re: Avast! Internet Security blocked my site!
« Reply #6 on: November 27, 2012, 01:43:00 PM »
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

Already reported 2 times a few days ago! No replied, no action at all.


2 suspicious files given there by quttera's, see: http://chrome.quttera.com/chrome_detailed_report/www.joomlart.com
Furthermore the site has the following issues (these are not malware related): 1. -website gibes away through the "X-Powered-By" HTTP Header, that content is being generated dynamically. This header should be removed.  2. - site makes use of a tracking graphic.
Spamcheck status secure, safe browsing status secure, WOT report status all green, DMOZ/ODP 1 link


polonus


It reported 2 links: 1 is a normal JavaScript's Ajax library, 1 is from a Google+ page! I don't think Google+ is kind of "Potentially Suspicious"

I must tell you my story, I think it is wrong behavior / heuristic detection: last time we had launched a promotion for Black Friday, the winner got a Nexus 10 tablet. We have a Joomla!'s module that force redirect all first visit connection (use cookie to check it) by PHP's header, and it was redirecting all links to our site to /nexus10/ page to get user attention. I think Avast!'s engine was think it is injected by a malware that redirect all URLs to that page.

Why you guys don't trust SiteAdvisor, Norton Safe Web and Google site checker?

I had scanned my www folder using ClamAV with latest database and it found nothing.
 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast! Internet Security blocked my site!
« Reply #7 on: November 27, 2012, 04:44:15 PM »
Hi tiger2wander,

No one said we don't trust SiteAdvisor, Google SafeWeb and Norton Safe Web results. Off course we do and these three usually flag lots and lots of issues.But scanners overlap. And we have to consider quite a bit of scanner to be able to give a site a complete clean bill of health.
Your site seems clean, seems to have some sound security policy. Convince yourself here: https://www.virustotal.com/url/8763905ca2dea1947a950f71cbef84a4a3808dc47626cb81013d0076c175e75a/analysis/1354031349/

It does not give any server version or website software version out to the world. But the three above scanners do not find all threats. DrWeb URL checker and avast scanning overlap. urlquery.net request response scanner with IDS finds issues that gred website scanner does not find, nor zulu Zscaler, Bitdefender's TrafficLight flags threats other scanners do not, sucuri's has many script related issues. We check with malzilla and various webcode sniffers and viewers (Redleg's for instance), IP resources, various bloclkists, VirusWatch data for recently closed and dead or active malcode, and a whole scala of other resources as where our cold reconnaissance query will lead us. But then whenever we say your site has issues it certainly has some to consider and whenever we say your site is secure at this point in time, it is. There are quite some enthusiasts that help out here in website scanning
(Pondus, !Donovan, Asyn to call just a few), and little old me....

polonus

« Last Edit: November 27, 2012, 04:50:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tiger2wander

  • Guest
Re: Avast! Internet Security blocked my site!
« Reply #8 on: November 27, 2012, 05:07:00 PM »
I said like that because of I got 2 URLs that point to 2 another website checker while I provided links already.

I agree with you that no software is perfect, and we should use more as we knew to see what's happening.

Is my site removed from the blacklist? I am not using Avast! Internet Security here and I will wait for user's feedback.

Thanks anyway! 

tiger2wander

  • Guest
Re: Avast! Internet Security blocked my site!
« Reply #9 on: November 28, 2012, 10:42:37 AM »
Any news? I still received feedback from our users that Avast! still block our site:
Here is some detail:



tiger2wander

  • Guest
Re: Avast! Internet Security blocked my site!
« Reply #10 on: November 28, 2012, 11:10:53 AM »
I tried to check with Quttera and see it is reported so standard libraries, famous sites contain kind of "potentially suspicious" thread like it said, here are some report like that:

Google+: http://chrome.quttera.com/detailed_report/plus.google.com
Facebook: http://chrome.quttera.com/detailed_report/www.facebook.com
JQuery: http://chrome.quttera.com/detailed_report/www.jquery.com

More here:
http://chrome.quttera.com/lists/potentially_suspicious

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast! Internet Security blocked my site!
« Reply #11 on: November 28, 2012, 10:30:29 PM »
Hi tiger2wander,

The decision to block unblock a particular url or domain or IP lies entirely by the members of the avast av solution team.
We here are no part of it and have no influence further than reporting issues to virus AT avast dot com, and what the avast team does with this information is just their privilege period.
If the detection is a false positive it will be dealt with in some coming update. They won't comment directly, but they are known to react quite soon, also avast webshield and networkshield detection is known to be solid state and highly reliable. But you know the status of a wbesite can change within seconds from with active malware as to cleansed from malware or malware response dead...

Some potentially suspicious flags from quttera's and other scanners should be taken like for instance  the flags that jsunpack sometimes produces on anomalies or delayed handling of some javascript code also will produce a "suspicious" there. Also benevolent obfuscation could lead to FPs.
This could also mean a bug, a time out, due to a misconfiguration and will not mean immediately it is malcode per se, so not being malcious or not even unwanted code. Do not read more into "code hick-ups" as should as I produce these scan results just for evaluation purposes,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast! Internet Security blocked my site!
« Reply #12 on: November 29, 2012, 01:04:44 AM »
I tried to check with Quttera and see it is reported so standard libraries, famous sites contain kind of "potentially suspicious" thread like it said, here are some report like that:

Google+: http://chrome.quttera.com/detailed_report/plus.google.com
Facebook: http://chrome.quttera.com/detailed_report/www.facebook.com
JQuery: http://chrome.quttera.com/detailed_report/www.jquery.com

More here:
http://chrome.quttera.com/lists/potentially_suspicious

Hi tiger2wander,

These companies are the top of the top. Naturally, they utilize 'hacks' (notice the quotes) in order to increase the speed of their huge frameworks. Have you ever thought of all the code behind Google's search engine, email, and the likes? Checking if you are logged in, then having to check and load the required essentials if so? Now think about Facebook. How do they manage a huge database of that sort, all the features that they offer, and provided services to unimaginable numbers of people at the same time, and still be able browse the website fast? Naturally, obfuscation is the best bet for speeding up the website's load time. Especially when you have mobile browsers visit the same site with a phone at hand, where the processing power isn't as great as desktop browsers.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Binny

  • Guest
Re: Avast! Internet Security blocked my site!
« Reply #13 on: January 24, 2014, 05:28:10 PM »

โปรโมทเว็บไซต์ฟรี

Hi there,

We are running a site at URL: http://www.siamaddurl.com

I think block this URL, please check and remove it from black list.
http://sites.securepaynet.net/redirect_0.html?size

Any help would be greatly appreciated, thank you.   :'(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast! Internet Security blocked my site!
« Reply #14 on: January 25, 2014, 12:26:56 AM »
I do not see any alert there on the main site.
For the second site I get an IP block - general URL:Mal detection, but site is not available see: http://jsunpack.jeek.org/?report=46f0f83e67f4d61c63afabb6ee6f314d6cc429db -> http://zulu.zscaler.com/submission/show/ac6b5b5e9e96f48cfe815afdd97f49cf-1390605873
It is on a PHISHING list: http://support.clean-mx.de/clean-mx/phishing.php?sort=firstseen%20desc&domain=www.securepaynet.net
For the link you give the malware seems dead since 2012-02-07 17:56:27, but one link is still active: htxp://www.securepaynet.net/?ci=1767&prog_id=453767 and found to be long OVERDUE being active now for 14509.9 hrs and up.

polonus
« Last Edit: January 25, 2014, 12:33:33 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!