Author Topic: False Positive on AFF chat page? Or why Avast Forum is better than personals!!  (Read 19806 times)

Offline Trial_user_Reinstalling_Avast

  • Jr. Member
  • **
  • Posts: 24
  • Look, this is favicon.ico from AFF... virus!!!
Hi!

Background: I get a pop up warning me of a VBS.Jscript type virus after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of its argument to make a proof of concept here. Avast traps it even with the stripped version I'm supplying at the bottom of this post.

Well, I decided to analyze your engine's behavior in the code I sent to your support team, by removing/adding tidbits of code and rescanning to see what triggers the positive.... as funny as it may sound, there seem to exist many conditions to create a trap for your engine in the context of the code I hereby supply and I get the funny feeling this has been hardcoded in your engine. I'm using the latest free home edition, with the latest definitions db on WinXP SP2, latest patches. The conditions I note are as follows:

1- Request of favicon.ico in the head section of the html page - really, the name of the file itself.
2- Standard html comments <!-- --> with string numbers date/version of their page I guess
3- <script> declaration with function declaration + window.open (even with partial code and no argument passed to window.open)!!!

Have you hardcoded these conditions in your engine? That would be some strange and funnily liberal interpretation of some of the Code Red symptoms, server side.... For what purpose? I noticed if I put another name than favicon.ico, then your engine no longer sees a virus. The favicon.ico in question is 2kb and does not contain viral code as your engine doesn't flag it. Note that I can omit language=javascript and arguments passed altogether but window.open seems another condition as your engine no longer traps if I remove that code. I mean, I'm not asking if this is a virus. I know it's not, I'm just wondering, as a trial user, why should I continue using your product if hardcode in your engine creates such flaky false positives?

I mean, if I were not a power user, extremely familiar and proficient in the field, I would go around telling all my friends I found a virus when in fact this is the consequence of a poorly coded routine in a heuristic scanner, I guess... unless this is really a virus? :) I mean, we all know favicon.ico is used to add a website to the favorites list in IE and we also know that html comments are just comments and that declaring window.open is not enough in itself to warrant an alarm, or is it? I wonder if an engine that considers this code viral is of any service to low-level users, who will waste lots of time dealing with false positives and warning others, and ppl like me will waste time explaining and debugging, which is why I come to you now.

Please reply promptly, as I need confirmation on your part that my analysis is correct. No engine is perfect I know. Don't get me wrong, I'm trying the product, free, and I like many things I see in it. Please be technical if you answer this mail as I have no use for general support jargon.

Thanks in advance,
A trial user wondering,

Code (if I put that in notepad and save and scan, this is detected as VBS.Jscript/virus/worm):

<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>
function vp( viewurl )
{
    window.open( );
}
</script>
« Last Edit: November 19, 2005, 11:41:25 AM by Trial_user_Uninstalling_Avast »
<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>function vp( viewurl )
{
    window.open( );
}
</script>
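
An added example, not part of the original post and not any Avast tooling: a small static check of the kind that could accompany a false-positive report, showing whether the function declared in the posted sample is ever invoked and what arguments reach window.open. The `triage` helper and the contrasting sample are constructed for illustration, and the matching is a regex heuristic, not a JavaScript parser.

```javascript
// Added example: static triage of an HTML sample for a false-positive report.
// Regex heuristics only (no JavaScript parser); all names here are illustrative.

// The proof-of-concept exactly as posted in this thread.
const SAMPLE = `<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>
function vp( viewurl )
{
    window.open( );
}
</script>`;

// Constructed contrast: same function name, but it is wired to a click and
// forwards a URL to window.open.
const CONTRAST = `<a href="#" onclick="vp('http://example.test/profile')">view</a>
<script>function vp(viewurl){ window.open(viewurl, "_blank"); }</script>`;

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const DECL_RE = /\bfunction\s+([A-Za-z_$][\w$]*)\s*\(/g;

function triage(html) {
  const code = [...html.matchAll(SCRIPT_RE)].map(m => m[1]).join("\n");
  const markup = html.replace(SCRIPT_RE, "");

  const declared = [...code.matchAll(DECL_RE)].map(m => m[1]);
  const handlers = [...markup.matchAll(/\son\w+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi)]
    .map(m => m[1] ?? m[2]);
  const jsUrls = [...markup.matchAll(/javascript:([^"'>\s]*)/gi)].map(m => m[1]);

  // Call sites = script text with the declarations blanked, plus markup hooks.
  const callSites = [code.replace(DECL_RE, "function("), ...handlers, ...jsUrls].join("\n");
  const invoked = declared.filter(name => {
    const esc = name.replace(/\$/g, "\\$&");
    return new RegExp("(^|[^\\w$.])" + esc + "\\s*\\(").test(callSites);
  });

  return {
    declared, invoked, handlers,
    // Argument text of every window.open call; "" means called with no arguments.
    openArgs: [...code.matchAll(/\bwindow\.open\s*\(([^)]*)\)/g)].map(m => m[1].trim()),
    externalRefs: [...markup.matchAll(/\b(?:href|src)\s*=\s*['"]?((?:https?:)?\/\/[^'"\s>]+)/gi)].map(m => m[1]),
    comments: [...html.matchAll(/<!--([\s\S]*?)-->/g)].map(m => m[1].trim()),
  };
}

for (const [label, html] of [["posted sample", SAMPLE], ["constructed contrast", CONTRAST]]) {
  console.log(label, JSON.stringify(triage(html), null, 2));
}
```

For the posted sample the report lists `vp` as declared but never invoked and a single window.open call with empty arguments; the constructed contrast shows what the same fields look like when the function is actually wired up.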

Offline Cloussau

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 897
  • AVAST! antivirus with balls
Re: False Positive on AFF chat page?
« Reply #1 on: October 27, 2005, 08:57:18 AM »
If you seriously want an answer I suggest you e-mail vlk@avast.com
This is probably not an issue they will or should discuss openly ;)

good luck finding a friend
« Last Edit: October 27, 2005, 09:01:43 AM by Cloussau »
sys- p4  3.0D ,  1024mb ddram ;arsenal :Avast IS 5.0 pro / Firefox / adblock /noscript : win xp/pro/sp3 32 bit

Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #2 on: October 27, 2005, 09:01:47 AM »
I've mailed support@avast.com ;-) Is that what you are referring to? What is vlk? But hey, thanks;-)

Offline Cloussau

Re: False Positive on AFF chat page?
« Reply #3 on: October 27, 2005, 09:09:01 AM »
Vlk is the author/writer  :)

Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #4 on: October 27, 2005, 09:17:45 AM »
Mail was just sent to vlk@avast.com
Thanks!

I know I may have trouble finding a friend here since so many ppl are adamant about avast. I'm not bashing at the product... but some newbies came in the chat room I was in and started making bold claims that there was a virus etc. in the channel script.

I mean, nothing is perfect... I use to remember that a version of Norton AV would not detect a virus present in a folder with a path longer than 255 characters etc... Symantec would never confirm my analysis.... so I don't expect much from support teams anymore.

I've been working many years as a security consultant, especially in the micro field, advising clients, preparing procedures for virus recovery, hardening pcs etc, and those ppl were saying that since they had installed avast, they saw so many more alerts than with AVG or other products... I told them it was ridiculous to make a judgment based on the number of alerts an AV will generate... as these alerts may be false. Now I see that some pages on Ebay will trigger the same alert VBS.Jscript I had. Those ppl are newbies, amateurs, so I understand their behavior... I'm used to users who "think" they know, as I've seen that often in a corporate setting. But I'd like the support team to confirm my analysis and if that can help them, more power to all of us!

Thanks!
« Last Edit: October 27, 2005, 09:31:31 AM by Trial_user »

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: False Positive on AFF chat page?
« Reply #5 on: October 27, 2005, 09:41:14 AM »
Hi Trial_user  :)
Quote
Background: I get a pop up warning me of a VBS.Jscript type virus when after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of it's argument to make a proof of concept here. Avast traps it even with the stripped version I'm supplying at the bottom of this post.
We would all be interested to know ALWIL's / Vlk's response to your analysis of Avast!. I doubt it would be discussed openly here though.
Technically I can add nothing, but using common sense the above mentioned site is a part of a huge network of data collection sites, permeating substantially throughout the web. Visiting such a network would require plenty of realtime defence. Avast!'s response, off hand, seems quite appropriate whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck  ;D ;D ;D
If you seriously want an answer I suggest you e-mail vlk@avast.com
This is probably not an issue they will or should discuss openly ;)

good luck finding a friend

Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #6 on: October 27, 2005, 09:19:16 PM »
Quote
Hi Trial_user  :)

Visiting such a network would require plenty of realtime defence. Avast!'s response, off hand, seems quite appropriate whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck  ;D ;D ;D

I read that and I fail to see what you really mean? This is a dating service web site... the biggest in the world, some 20 million users. And yes it is quite a network, but Avast only reacts to the chat room script. And the script is absolutely fine. Even if it were not fine, I've proven here that Avast traps the script even without arguments passed to window.open.... as it is the script in my proof of concept cannot do a single thing. How can you say Avast's response seems quite appropriate? You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted. Realtime defense against what? Common Jscript? In what way is buffering of simple chat data something we should be defended against? Is Avast an antivirus or a privacy/confidentiality suite - and even if it were the latter, I fail to see how Avast protects my confidentiality by stopping me from accessing the chat room? Because I would talk about myself in the room or what lollllllllllll Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence? lolllllllllllllllllllllllllll That's too funny.... but I respect your opinion.....

And why would they not reply to that openly... I mean, I'm not showing a terrible weakness, I haven't decompiled their code or reverse engineered it to show anything wrong... what can happen though, and I'm expecting that, is that at some point I will update my definitions and the code I show will no longer be trapped by Avast... and my analysis will be confirmed!

I'm curious as to what you meant, but hey thanks anyway ;) ;) :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: False Positive on AFF chat page?
« Reply #7 on: October 28, 2005, 03:13:54 AM »
Quote
You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted.
Wait and see if the new VPS file corrects the false positive... Are you sure it is not infected?

Quote
Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence?
I don't think so... maybe something in the HTML code is flagged as a false positive, not only the scripts...
The best things in life are free.

Offline Abraxas

Re: False Positive on AFF chat page?
« Reply #8 on: October 28, 2005, 09:35:39 AM »
Quote
Hi Trial_user  :)

Visiting such a network would require plenty of realtime defence. Avast!'s response, off hand, seems quite appropriate whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck  ;D ;D ;D

I read that and I fail to see what you really mean? This is a dating service web site... the biggest in the world, some 20 million users. And yes it is quite a network, but Avast only reacts to the chat room script. And the script is absolutely fine. Even if it were not fine, I've proven here that Avast traps the script even without arguments passed to window.open.... as it is the script in my proof of concept cannot do a single thing. How can you say Avast's response seems quite appropriate? You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted. Realtime defense against what? Common Jscript? In what way is buffering of simple chat data something we should be defended against? Is Avast an antivirus or a privacy/confidentiality suite - and even if it were the latter, I fail to see how Avast protects my confidentiality by stopping me from accessing the chat room? Because I would talk about myself in the room or what lollllllllllll Or is Avast enforcing political correctness and puritan sexual behavior in its real time defence? lolllllllllllllllllllllllllll That's too funny.... but I respect your opinion.....

And why would they not reply to that openly... I mean, I'm not showing a terrible weakness, I haven't decompiled their code or reverse engineered it to show anything wrong... what can happen though, and I'm expecting that, is that at some point I will update my definitions and the code I show will no longer be trapped by Avast... and my analysis will be confirmed!

I'm curious as to what you meant, but hey thanks anyway ;) ;) :)

I better clarify / append my comment Trial_user :
1. AFF "Chat" triggered a response from Avast! Your analysis of this response indicates a false positive.
2. This site and its affiliates are a very sophisticated Network. I doubt they have any reason to cause your computer harm, then you wouldn't come back :) but I'd be checking out for Tracking cookies / and their scripts.
3. We're talking about scripts from the chat room; as a help I feel you may need to examine these scripts further. I have no idea what script programs you're running, or your browser settings, but have a look at your java script settings. Yes I'm off topic with your queries about Avast!, but maybe its false response may lead you to another problem, as regards to scripts... ;)

Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #9 on: October 28, 2005, 02:39:11 PM »
Quote
2. This site and its affiliates are a very sophisticated Network. I doubt they have any reason to cause your computer harm, then you wouldn't come back  but I'd be checking out for Tracking cookies / and their scripts.
Yes, that may be right... tracking cookies for sure, multiple scripts etc... but this is all the inner workings of a complex site... cookies can be flushed, scripts can be disabled from IE, whatever, I agree. But indeed this is remote from the subject ;)

Quote
We're talking about scripts from the chat room; as a help I feel you may need to examine these scripts further.
I have examined the script in high detail, here it is again:

<html><head>
<link rel='shortcut icon' type='image/x-icon' href='http://graphics.adultfriendfinder.com/images/ffadult/favicon.ico'>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
</head>
<!-- X.X.15.134 -->
<!-- v.20051012 -->
<html>
<head>
<script language=javascript>
function vp( viewurl )
{
    window.open( );
}
</script>

Won't there be a single programmer in Jscript that will have the guts to testify that this is completely harmless? I mean, take this code, put it in notepad, change the extension to .html and run it... it does nothing... there is NO ARGUMENT passed to window.open!!!!!

Will someone help!

Offline brijones

  • Newbie
  • *
  • Posts: 9
Re: False Positive on AFF chat page?
« Reply #10 on: October 30, 2005, 03:35:20 PM »

Quote
Won't there be a single programmer in Jscript that will have the guts to testify that this is completely harmless? I mean, take this code, put it in notepad, change the extension to .html and run it... it does nothing... there is NO ARGUMENT passed to window.open!!!!!

Will someone help!

I tried the code, and the first thing that happened was "Internet Explorer has restricted this file from showing active content that could access your computer".

Offline MrBabis

  • Full Member
  • ***
  • Posts: 165
  • AVast ronomical Chelo
Re: False Positive on AFF chat page?
« Reply #11 on: October 31, 2005, 11:36:34 PM »
harmless EICAR?
...confused...very confused... am I signed too?...

Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #12 on: November 05, 2005, 09:13:01 PM »
Well, it's been a full week, and no significant reply from any support staff to acknowledge or infirm what I have written. As of today, the 5th, that code I posted is still trapped by the Avast engine, despite many updates to the signature during the week. What is that. ???

Thanks for replying ASAP.
Trial_user who deactivates Avast before going to the chat room.


Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #13 on: November 05, 2005, 09:27:36 PM »

Quote
I tried the code, and the first thing that happened was "Internet Explorer has restricted this file from showing active content that could access your computer".

Yeah, yeah, sure, then allow IE to execute it and see if it does anything... it does nothing because it's only a declaration of a function which has no argument. It's sad when newbies try to help me when it should be the SUPPORT STAFF that should take this more seriously and try.

If newbies are scared off by WinXP script execution prevention, and avast's false positive, I am not - because a newbie considers that if Avast says it's a virus, then it's a virus - but I am not a newbie, this code is harmless, avast is making a flagrant false positive and no one corrects it or shows any intent of correcting it. Lame.

The thing is, my analysis is CORRECT, there is no viral or harmful code on the chat page I was describing, the code I pasted is inoperative, and I don't need the support staff to confirm that to me. What I can confirm though is that this trial user will no longer be using that product shortly....i.e. when I take the 30 secs to do an uninstall in a few mins.

Thanks for your support! (Note I did not say thanks "support" - I wanted to thank those who took the time to write, some even despite their lack of knowledge, but always with the intent to help, in opposition to the support staff silence). :D

Offline Trial_user_Reinstalling_Avast

Re: False Positive on AFF chat page?
« Reply #14 on: November 05, 2005, 09:31:07 PM »
Quote
harmless EICAR?

I don't know where you took that reference but yeah, www.eicar.org, on this site you will find a file that contains a single string of characters that will make any antivirus pop an alarm. This is called the eicar test string, but I fail to see the link with what we were discussing, unless I missed something....