Author Topic: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])  (Read 19355 times)

0 Members and 1 Guest are viewing this topic.

dominator

  • Guest
Half of visited adult sites blocked by Web Shield with following infection info: JS:Includer-BAO [Trj]
Including major ones like xhamster.com. Many small and obscure sites (not gonna throw links in here ;]) working just fine.
All "normal" sites/portals working without problems.

HDD scan detects JS:Includer-BAO [Trj] again in browser cache (in my case firefox). Cleaning browser cache fixes this.
Full system scan and startup scan return no infection.

What the hell is happening at avast? First AV-Test destroy you in test and now wave of annoying false positives. Get a grip or change job (or maybe I will change AV software).

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37642
  • F-Secure user
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #1 on: March 29, 2014, 01:25:34 PM »
Quote
First AV-Test destroy you in test................
destroy   ....hmmm    ???


Quote
and now wave of annoying false positives. Get a grip or change job (or maybe I will change AV software).
ahaaa..... so other AV dont have FP ..... can you recomend a FP free AV  ?


dominator

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #2 on: March 29, 2014, 01:33:02 PM »
ahaaa..... so other AV dont have FP ..... can you recomend a FP free AV  ?

one of those: https://www.virustotal.com/en/file/6c49fb8cb6098f4a5a7fdffa69b8a4627f65b0ec210627cc06030d2b8675921b/analysis/1396082682/

1/49 AVAST seems bit retarded dont you think?

Just FIX this shit and stop posting stupid replies.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #3 on: March 29, 2014, 01:43:24 PM »
Watch your language please

First submission 2014-03-29 08:44:42 UTC ( 3 hours, 57 minutes ago )
Last submission 2014-03-29 08:44:42 UTC ( 3 hours, 57 minutes ago )


File is new, maybe Avast is the only one to detect yet.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

dominator

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #4 on: March 29, 2014, 01:47:47 PM »
File is new, maybe Avast is the only one to detect yet.

According to my Avast scan history JS:Includer-BAO [Trj] was blocked by Web Shield and then detected (in my browser cache) already @ 2014-03-29 01:10:04 (GMT+1).

I highly doubt other AV's are so slow with updates.


dprout69

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #5 on: March 29, 2014, 01:53:07 PM »
Dominator you aren't dominating anyone here.  You have way too much attitude to be asking for help.  Bottom line if you don't like the product don't use it.  Other than that, report what you believe is the false positive and treat people with respect until they have done something to disrespect you.

dominator

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #6 on: March 29, 2014, 02:28:53 PM »
I'm not asking for help becase I dont need one.
And I report here because build in report tool is way to slow (outsource more into hindu IT land...)

I'm in bashing mood so here we go again: http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=140613
FIX.THOSE.PATHETIC.SCORES.
I'm disgusted to even look at this.

I'm done. Now work. (and by work I mean improving detection engine and algorithms, not adding useless shit like grimefapper or software updater.)
« Last Edit: March 29, 2014, 02:38:00 PM by dominator »

Offline Flippy

  • Avast team
  • Jr. Member
  • *
  • Posts: 45
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #7 on: March 29, 2014, 04:12:25 PM »
Hello,

sorry detection JS:Includer-BAO caused some false positives and its switched off. Sorry for any inconvenience.

Best regards,

Filip Chytrý
Virus analyst

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33976
  • malware fighter
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #8 on: March 29, 2014, 04:59:55 PM »
Now we have heard the verdict from base (detection with various FP), in retrospect we could give some remarks on the site-detects bordering on being unwanted adware for some users (others that block won't come into contact with it even).

So just a couple of remarks for the VT example given in post #2 having issues next to it probably being a FP
-> wXw.makamundo.com.htm,,,Not in namespace, 
Server errors: Unable to properly scan your site.
Unable to connect. http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.makamundo.com.htm
No SOA record found for wXw.makamundo.com.
No SOA record was found when querying the name server.
This is most probably due to a misconfiguration at the name server - a zone must have a SOA record.

Nameserver 208.109.255.25 does not do DNSSEC extra processing. Nameserver 216.69.185.25 does not do DNSSEC extra processing.

Avast! WebShield here still flags here as infested with JS;Includer-BAO[Trj].

Web Security Test Results come up with the following detections:

Suspicious iFrame Check:
Suspicious
htxp://adf.ly/5668242/exo'
htxp://adf.ly/5668242/plug'
htxp://adf.ly/5668242/juicy'
htxp://widget.plugrush.com/makamundo.com/5imx'
//ads.exoclick dot m/iframe.php?idzone=832320&size=728x90'
htxp://adserver.juicyads.com/adshow.php?adzone=266917'
htxp://adserver.juicyads.com/adshow.php?adzone=274847'
//ads.exoclick dot com/iframe.php?idzone=827182&size=300x250'
//ads.exoclick dot com/iframe.php?idzone=827176&size=300x250'
//ads.exoclick dot com/iframe.php?idzone=823268&size=300x250'
htxp://widget.plugrush.com/makamundo.com/5imo'
htxp://widget.plugrush.com/makamundo.com/5j7u'
htxp://adserver.juicyads.com/adshow.php?adzone=291743'
htxp://adserver.juicyads.com/adshow.php?adzone=291744' (also as Eddy mentioned in his posting).

Included script:
Suspect - please check list for unknown includes
htxp://syndication.exoclick.com/splash.php?idzone=821938&type=4  (is being blocked by several extensions)

Outdated vulnerable  PHP version found: php/5.4.24
external link to htxps://d31qbv1cthcecs.cloudfront.net/atrk.js -> http://jsfiddle.net/B5m87/  probably benign - no strict transport security -
various https- no-best-policy issues flagged

For website code, see: http://www.rexswain.com/cgi-bin/httpview.cgi?url=http://www.makamundo.com/&uag=MSIE+8.0+Trident&ref=http://www.google.com&aen=&req=GET&ver=1.1&fmt=AUTO

What Eddy reports on exoclick is valid according to WOT,
controversial results: https://www.mywot.com/en/scorecard/exoclick.com?utm_source=addon&utm_content=popup-donuts
involved in generating smut-ads!  bad web rep.
Even here there is a flag: http://www.urlvoid.com/scan/exoclick.com/  WOT
Site may be malware free, still might be considered as at least controversial -
well with ABP and no script extensions in the browser  installedbrowser users do not need to read this posting,
because they are protected against any eventual risks anyway,

polonus

« Last Edit: March 29, 2014, 05:02:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

true indian

  • Guest
Re: Avast FAILS with false positives AGAIN (JS:Includer-BAO [Trj])
« Reply #9 on: March 29, 2014, 05:16:01 PM »
I'm in bashing mood so here we go again: http://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=140613
FIX.THOSE.PATHETIC.SCORES.
I'm disgusted to even look at this.

There is a explaination:
http://forum.avast.com/index.php?topic=147986.msg1075601#msg1075601