Topic: Avast blocks site - INFECTION BLOCKED - scanned site - no virus - still blocked


REDACTED

  • Guest
I cannot access my website architecturalconstruction[dot]com on Mac computers running Avast.  Avast blocks the site and displays the message "INFECTION BLOCKED" (details below).

I have run a full virus-scan on the site files using three different virus scanners, including MBAM and ESET using latest virus definitions, and no infected files were detected.

I have submitted two support requests to Avast, the latest weeks ago, under the Customer & Technical Support section, requesting that either the site be removed from the block list or to be provided with a summary of the alleged malware on the website, but haven't received any reply.

Here is the text of the site-blocked message:

The requested URL contains malicious code that can damage your computer. If you want to access the URL anyway, turn off the Avast web shield and try it again.

Infection type: URL:Mal


Thanks for any help/ input.

Offline Eddy

  • Avast Evangelist
MBAM and Eset are not website scanners!

Outdated software used:
https://sitecheck.sucuri.net/results/architecturalconstruction.com

Blacklisted IP:
http://urlquery.net/report.php?id=1431447173230
http://zulu.zscaler.com/submission/show/342d74731dc671e76e68329610baafb6-1431446924

Certificate problem and vulnerable to Poodle attack:
https://www.ssllabs.com/ssltest/analyze.html?d=architecturalconstruction.com

DNS problems:
http://dnscheck.pingdom.com/?domain=architecturalconstruction.com

As has been explained many times, each time you submit a new ticket/change an existing one you will be put back to the bottom of the stack and you will have to wait longer to get a reply.

REDACTED

  • Guest
The process of downloading the website files and scanning the archive with ESET has been advised to me by other web techs! I have successfully used this process in the past to find & delete viruses on other websites!

Thank you for the reports, but I am confused because I see a number of vulnerabilities & weaknesses, not virus infections.  Avast's site blocking message is actually headed by the phrase "Infection Detected" in big red letters — is that triggered by vulnerabilities & not necessarily a virus?  Anyway, I see several weaknesses & will address them in the order of most severe to least severe.  Is there any way of knowing specifically which one triggers Avast's "Infection Detected" block page?

How was I supposed to know that my first support ticket was working its way up the queue when fully one year elapsed between my first and my second submissions without any response?

Unfortunately, I'm unable at present to perform any maintenance that would involve changes to the domain settings, and this would include changing to a host with non-outdated software!  The client originally registered the website with Melbourne IT via Yahoo in the early 00s and through the subsequent series of web developers who've worked on the site, the original Yahoo credentials were lost and the business account closed.  Apparently, Melbourne IT directs people with this issue to Yahoo, who've since closed any customer support numbers (including those on the whois) and doesn't respond to requests to restore domain access, even if you have access to the owner of the e-mail address and telephone number listed on the site's whois page and can easily prove ownership.  The annual billing continues unabated, and so we're still able to keep the domain active but that's it at the moment, as the website can only be edited through the previously configured hosting provider.  There are other problems with the host and I would love to change hosts to somebody with better software.

Others with the same Yahoo domains issue:
http://www.webhostingtalk.com/showthread.php?t=919699
http://www.webhostingtalk.com/showthread.php?t=864671 (currently attempting the fix which the OP found)

REDACTED

  • Guest
I have the same problem with my site visic.ru. All my attempts to report the problem to Avast by the application form were ignored.

Ok, I bought this domain this year and it looks like it was used by spammers or hackers before. So it was blacklisted before I got it.

But there is another problem: after a single attempt to visit that domain Avast also blocks all other sites placed on the same server. Looks like it just stores site IP in local cache and then blocks the whole IP reporting an "infection". A good approach to improve "blocked infections" statistics!  :o

Offline specimen9999

  • Sr. Member
> Looks like it just stores site IP in local cache and then blocks the whole IP reporting an "infection". A good approach to improve "blocked infections" statistics!  :o

If one site on the server is infected it's HIGHLY likely other sites on the same server are.

Anyway, you'll have other blacklists to take care of:
https://sitecheck.sucuri.net/results/visic.ru

And what's up with using a cert that says Avast.com?
https://www.ssllabs.com/ssltest/analyze.html?d=visic.ru&ignoreMismatch=on&latest
« Last Edit: September 07, 2015, 09:37:00 PM by specimen9999 »

Offline tumic

  • Moderator
  • Advanced Poster
> And what's up with using a cert that says Avast.com?
> https://www.ssllabs.com/ssltest/analyze.html?d=visic.ru&ignoreMismatch=on&latest

The domain name resolves to 75.126.120.205 which really is an Avast server
(a724sl.avast.com), that's why you see the (real) Avast certificate. But the common
name in the certificate of course mismatches, when you access the server as "visic.ru".

No idea if that's a misconfiguration or a hacking attempt, but it definitely is
suspicious. And it is really funny to ask here, as technically greesha.ru says:
"Hey, I'm trying to fake your web page, why do you consider this as being suspicious?!"
:-))
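
The name check behind the mismatch described in the post above, as an added example that is not part of the original thread and is not Avast's or SSL Labs' code. The certificate contents in `CONSTRUCTED_CERT` are constructed for illustration (the thread only says the certificate is Avast's), and the function names are hypothetical.

```python
# Added example: compares the host name a client asked for with the names in
# the certificate the server presented. Sample data is constructed.

# Shaped like the dict returned by ssl.SSLSocket.getpeercert().
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "*.avast.com"),),),
    "subjectAltName": (("DNS", "*.avast.com"), ("DNS", "avast.com")),
}

def cert_dns_names(cert):
    """Return the DNS names a certificate is valid for, lower-cased."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist, the common name is ignored
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """True if host is covered by pattern; '*' may only be the whole
    left-most label and never spans more than one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def classify(requested_host, cert):
    """Report whether the presented certificate covers the requested host."""
    names = cert_dns_names(cert)
    if any(name_matches(n, requested_host) for n in names):
        return "match"
    return "mismatch: certificate is for " + ", ".join(names)

if __name__ == "__main__":
    # Same server, two names: the one it belongs to and the one pointed at it.
    for host in ("a724sl.avast.com", "visic.ru"):
        print(host, "->", classify(host, CONSTRUCTED_CERT))
```

A mismatch of this kind says only that the name's DNS record points at a server that holds a certificate for someone else; it does not say why the record points there.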

REDACTED

  • Guest
> The domain name resolves to 75.126.120.205 which really is an Avast server
> (a724sl.avast.com), that's why you see the (real) Avast certificate. But the common
> name in the certificate of course mismatches, when you access the server as "visic.ru".
>
> No idea if that's a misconfiguration or a hacking attempt, but it definitely is
> suspicious. And it is really funny to ask here, as technically greesha.ru says:
> "Hey, I'm trying to fake your web page, why do you consider this as being suspicious?!"
> :-))

Well, when I found I couldn't access my sites just because Avast antivirus blocked my whole server IP, I had to change the domain DNS settings. I couldn't find any better idea.

Offline HonzaZ

  • Avast team
  • Advanced Poster
So there are two cases here:

1. gopala484 and architecturalconstruction.com
The URL was blocked 02. 08. 2013 due to infection. I hope everything is healed now, and I am unblocking the domain again.

2. greesha.ru and visic.ru
The URL was blocked 06. 10. 2012 due to distributing fake goods. I suspect that you bought it AFTER that, so I am unblocking it.
How did you contact our support? Which form did you use?

REDACTED

  • Guest
> 2. greesha.ru and visic.ru
> The URL was blocked 06. 10. 2012 due to distributing fake goods. I suspect that you bought it AFTER that, so I am unblocking it.
> How did you contact our support? Which form did you use?

Thank you!

I used 2 ways to report the problem:
1) When Avast antivirus blocks access, I press the button "Mark the file as false alarm" in the popup window to send a report (not sure about the actual button label because I use the Russian version)
2) Fill out the Avast contact form on this page: https://www.avast.ru/contact-form.php

I used both a number of times, without any feedback. Every time I entered my real mail address, exactly the same I used to register here.

Offline HonzaZ

  • Avast team
  • Advanced Poster
Hmm...
Option 1 means the URL/file is sent to us (viruslab) and then processed semi-automatically - when the number of users reporting the same thing is low, then it may not have reached us at all.
Option 2 - the contact form seems very generic - perhaps this goes to first level support, but I am not really sure.

Anyway, please use support.avast.com -> Virus Lab ;-)!