Author Topic: False positive on web page  (Read 9316 times)


Offline PermDude

  • Newbie
  • *
  • Posts: 2
False positive on web page
« on: November 28, 2005, 04:26:58 PM »
I'm using version 4.6  Home Edition, and get false positives as I navigate around a fantasy sports site rotowire.com.  The warning says that it found Win32:Nimda [Drp], but Rotowire is mystified as to why any malware warning would come up.

I used Avast a couple of years ago, and stopped using it because of this problem--I'm on Rotowire about every day, and having a warning come up every page or two (accompanied by a siren sound) is more annoying than useful.  Any chance Avast can fix this problem?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: False positive on web page
« Reply #1 on: November 28, 2005, 04:41:45 PM »
Well, Nimda [Drp] is a tag that Nimda worm used to append to the HTML files it found on disk. I.e. it doesn't sound like a real false alarm to me - but it's hard to say without more info. Any particular URL you get the warning at?

Offline compmanio36

  • Jr. Member
  • **
  • Posts: 26
  • What's with this llama thing?
Re: False positive on web page
« Reply #2 on: November 29, 2005, 03:45:26 AM »
At one point, I got a virus warning on Ebay with Avast.  Ebay, of all places!  After about a day, it went away as the page changed.  My stance is that I would rather have a few overzealous alerts, than have any AV miss something.  And heck, maybe Ebay was infected with something.....

Also, Nimda infected a LOT of HTTP servers a while back, it is entirely possible there is still some trace of the virus left on Rotowire's server that Avast is picking up.

But to help with your question, can you put a URL in an exceptions list to make Avast not scan this site?  I know you can do so with folders on a hard drive, but I'm not sure how this would work with URLs on the Web Shield.

Offline PermDude

  • Newbie
  • *
  • Posts: 2
Re: False positive on web page
« Reply #3 on: December 01, 2005, 09:17:11 PM »
That's a good idea--I'll look around for a possible exceptions list.

The warnings come up as I negotiate around the RotoWire site, all sorts of pages, all coming from them (and with the same ads coming up).  I suspect the warning is coming from one of the ads being served up.

Offline compmanio36

  • Jr. Member
  • **
  • Posts: 26
  • What's with this llama thing?
Re: False positive on web page
« Reply #4 on: December 02, 2005, 04:59:31 AM »
Ah, yes, that's helpful  ;D

It's probably not Rotowire itself that has or is trying to install a virus/malware on your machine, but the ad server Rotowire uses.  Many ad servers nowadays are so nasty that they will actually try using Java/ActiveX exploits to install spyware/viruses on your machine to gain more profit!  If you can find the URL of the ad server this is popping up from, set it in Avast's Web Shield URL blocker to block that whole server.  That way you won't see the ads, and no more virus warnings!

Offline ks

  • Newbie
  • *
  • Posts: 5
  • What's up with: "I'm a llama?"
Re: False positive on web page
« Reply #5 on: April 23, 2006, 12:35:33 AM »
> I'm using version 4.6  Home Edition, and get false positives as I navigate around a fantasy sports site rotowire.com.  The warning says that it found Win32:Nimda [Drp], but Rotowire is mystified as to why any malware warning would come up.
>
> I used Avast a couple of years ago, and stopped using it because of this problem--I'm on Rotowire about every day, and having a warning come up every page or two (accompanied by a siren sound) is more annoying than useful.  Any chance Avast can fix this problem?



I am getting the same false positive for "Win32:Nimda [Drp]" at rotowire.com. The file that avast claims is contaminated is called "favicon.ico."  I can't see how an icon file -- a bitmap -- could contain a virus.

This is still occurring roughly six months after this first post on the subject was made.  It would be nice if Avast could clean this up  (or I will be inclined to use another product).  Thanks.

Offline justin1278

  • Advanced Poster
  • **
  • Posts: 1072
Re: False positive on web page
« Reply #6 on: April 23, 2006, 01:17:11 AM »
Hello,

This may not be a false positive. Also any type of file no matter what kind can hold a virus. I believe this site does have a virus in it because I get a yellow alert from Siteadvisor when I visit this site.
My PC's

Compaq Presario:
Windows Vista Ultimate SP1
AMD Athlon 3800+ 2.4 GHz
2 GB RAM

Sony Vaio:
Windows XP Professional SP3 [Tester]
Intel Pentium M 1.86 GHz
1.5 GB RAM

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: False positive on web page
« Reply #7 on: April 23, 2006, 08:15:03 PM »
> I'll look around for a possible exceptions list.

For the Standard Shield provider (on-access scanning):
Left click the 'a' blue icon, click on the provider icon at left and then Customize.
Go to Advanced tab and click on Add button...

For the other providers (on-demand scanning):
Right click the 'a' blue icon, click Program Settings.
Go to Exclusions tab and click on Add button...

You can use wildcards like * and ?.
But be careful, you should 'exclude' that many files that let your system in danger.

Hope this helps...
The best things in life are free.

Offline ks

  • Newbie
  • *
  • Posts: 5
  • What's up with: "I'm a llama?"
Re: False positive on web page
« Reply #8 on: April 24, 2006, 06:34:13 PM »
> I believe this site does have a virus in it because I get a yellow alert from Siteadvisor when I visit this site.

No offense, but this is circular reasoning.  Services like SiteAdvisor use non-expert member feedback to warn users of nonspecific threats such as cookies and spyware, or even links to other sites that are believed to have questionable habits. Hundreds of Avast users getting false positives for the presence of a virus when visiting www.rotowire.com would generate an equal amount of feedback from a false positive as they would from an actual threat.  It confirms nothing other than flawed assumptions.  Anecdotal evidence isn't a substitute for detection.

Avast is in the virus detection business.  They should be able to confirm the presence of a virus from a persistent source (six months plus is persistent) by downloading the file(s) in question and examining them.  It would be nice if one of the developers could comment, after performing such testing.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: False positive on web page
« Reply #9 on: April 25, 2006, 10:17:50 AM »
Well, I asked for an exact URL back then and didn't get any.
The one page I'm getting the warning at indeed does have the Nimda appended tag at the bottom of the page, i.e. no false alarm here.

Offline Wulf

  • Jr. Member
  • **
  • Posts: 26
Re: False positive on web page
« Reply #10 on: April 25, 2006, 01:23:36 PM »
Hi,
Thought I'd check out the site you mentioned to see if it would affect my Avast the same way. The result? Nada, nothing.
I wonder if that could have anything to do with the settings I've applied to Avast courtesy of RejZor. He has a guide at this link http://forum.avast.com/index.php?topic=20412.0
It could help solve your problem.

Offline Chief ADFP

  • Jr. Member
  • **
  • Posts: 34
  • NHQ: Tech-Head
    • Novalogic, Inc fan site
Re: False positive on web page
« Reply #11 on: April 25, 2006, 01:49:57 PM »
I came across other sites; I try to let the webmaster of the site know of it so they replace the bad file. Even in some forums I have seen a Java virus as well.

"Xfire Internet messager service above" Sig/Stats
www.novahq.net Staff tech-support team

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: False positive on web page
« Reply #12 on: April 25, 2006, 02:12:50 PM »
I get the warning on this page:

http://www.rotowire.com/baseball/player.htm?id=5321

There was a similar problem with a favicon here:

http://forum.avast.com/index.php?topic=17119.0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11796
    • AVAST Software
Re: False positive on web page
« Reply #13 on: April 25, 2006, 02:18:35 PM »
The favicon.ico doesn't exist on rotowire.com - you'll get an error HTML page instead.
Exactly that page has been infected by Nimda (long time ago, probably).
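
Added example, not part of the thread or Avast's code: the point in the reply above is that the scanner judges the bytes the server returns (an HTML error page carrying the script Nimda appended), not the file name in the URL. A site owner could check a document root for both conditions with a sketch like the one below; the `readme.eml` pattern follows the public CERT/CC description of Nimda, and the file names and sample bytes are constructed.

```python
import re
from pathlib import Path

# Script Nimda appended to web pages it found on disk (per public CERT/CC write-ups).
NIMDA_TAG = re.compile(rb'window\.open\(\s*"readme\.eml"', re.IGNORECASE)
HTML_START = re.compile(rb'^\s*<(!doctype|html|head|body)', re.IGNORECASE)
ICO_MAGIC = b"\x00\x00\x01\x00"  # reserved=0, type=1 (icon)

def classify(name, body):
    """Return a list of findings for one served file, judged by content."""
    findings = []
    if NIMDA_TAG.search(body):
        findings.append("nimda-appended-script")
    if Path(name).suffix.lower() == ".ico" and not body.startswith(ICO_MAGIC):
        # A missing favicon.ico usually comes back as the server's HTML error page.
        findings.append("html-served-as-ico" if HTML_START.search(body) else "not-an-ico")
    return findings

def scan_tree(root):
    """Walk a document root and report every file with at least one finding."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = classify(path.name, path.read_bytes())
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed samples: an error page with the appended tag, a real icon, a clean page.
APPENDED = (b'<html><script language="JavaScript">window.open("readme.eml", null, '
            b'"resizable=no,top=6000,left=6000")</script></html>')
SAMPLES = {
    "favicon.ico": b"<html><body>404 Not Found</body></html>\r\n" + APPENDED,
    "real.ico": ICO_MAGIC + b"\x01\x00" + b"\x00" * 16,
    "index.html": b"<html><body>ok</body></html>",
}

def demo():
    return {name: classify(name, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'clean'}")
```

Cleaning the flagged file at the source (here, the error-page template) removes the alert for every URL that falls through to it.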

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2475
Re: False positive on web page
« Reply #14 on: April 25, 2006, 02:26:12 PM »
Frank,

I just clicked the rotowire link you posted about 6 times.  First 5 = no warning.  Last click showed Nimda in

http://www (dot) rotowire.com/include/drop_down.js
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)