Author Topic: FALSE POSITIVE Blocking completely my Website  (Read 13012 times)

REDACTED

  • Guest
FALSE POSITIVE Blocking completely my Website
« on: April 04, 2016, 08:56:48 PM »
Hello there,
I just discovered that my website is being blocked (URL:Mal2) by avast! Free Edition.
My website is : http://www.leblogduhacker.fr.
There is no threat on the website and I guess avast is reading a little too fast the "hacker" term.
I help people to protect their computer and privacy and I encourage you to check by yourself in case of any doubt.
Regards.


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
« Last Edit: April 04, 2016, 09:22:57 PM by Eddy »

REDACTED

  • Guest
Re: FALSE POSITIVE Blocking completely my Website
« Reply #2 on: April 04, 2016, 09:48:06 PM »
Thank you for your quick answer Eddy. I disabled CloudFlare but the alert doesn't stop showing up. I also had a "Script:inf" threat alert, do you think it has something to do with the jQuery lib?
@Jakub, it's not just the logo, I also had the favicon.ico and all the other files detected.

Offline Eddy

Re: FALSE POSITIVE Blocking completely my Website
« Reply #3 on: April 04, 2016, 09:52:16 PM »
It can have to do with the JQuery insecurities, but only someone from avast can tell what exactly was detected/why the site is blocked.

I suggest you solve the JQuery problems, it will make the site more safe.

REDACTED

  • Guest
Re: FALSE POSITIVE Blocking completely my Website
« Reply #4 on: April 04, 2016, 10:00:10 PM »
I will try to fix the jQuery insecurities, but the problem is that WordPress itself loads the libraries: http://www.leblogduhacker.fr/wp-includes/js/jquery/jquery.js?ver=681a0fbf01ffa8a1c3226acc958ffdd9

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: FALSE POSITIVE Blocking completely my Website
« Reply #5 on: April 04, 2016, 10:06:55 PM »
There is also WordPress insecurity detected.
Check all: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

woocommerce-follow-up-emails   
woocommerce 2.5.5   latest release (2.5.5)
http://www.woothemes.com/woocommerce/
jetpack 3.9.6   latest release (3.9.6)
http://jetpack.com
wp-polls 2.72   latest release (2.72)
https://lesterchan.net/portfolio/programming/php/
thrive-visual-editor   
jquery-image-lazy-loading 0.21   
http://github.com/ayn/wp-jquery-lazy-load/
wysija-newsletters 2.7.1   latest release (2.7.1)
http://www.mailpoet.com/
what-would-seth-godin-do 2.0.6   latest release (2.0.6)
http://richardkmiller.com/wordpress-plugin-what-would-seth-godin-do

Also consider this scan: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.leblogduhacker.fr

But the alert from Avast on the browser executable can only be explained by an Avast Team Member,
and we here are not, just volunteers with relevant knowledge.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: FALSE POSITIVE Blocking completely my Website
« Reply #6 on: April 04, 2016, 10:11:37 PM »
You are definitely volunteers with relevant knowledge, and thank you again for that.
Now jQuery is up to date : http://retire.insecurity.today/#!/scan/db6f8b22d96d358b973bd570d68f01522fa89e62444dbec7bd695bf4b84fcd0b
The domain is not blacklisted (as I can see) and VirusTotal doesn't see any problem with my website : https://virustotal.com/fr/url/bb5768e71d616deeb33cbcda95a97a9eb77f073de22593f430a043a6c7efc544/analysis/
I guess thousands and thousands of websites are using those plugins...
Is avast really blocking my website because of the term "hacker"??

Offline Eddy

Re: FALSE POSITIVE Blocking completely my Website
« Reply #7 on: April 04, 2016, 10:20:20 PM »
As far as I know, avast doesn't look at domain names for hacker (and other strings like that)

REDACTED

  • Guest
Re: FALSE POSITIVE Blocking completely my Website
« Reply #8 on: April 04, 2016, 10:27:22 PM »
I guess that the threat "URL:Mal" means that the domain name is problematic, but I contacted the support to report the false positive anyway. I hope they will be as fast and helpful as you.
For now I don't see anything else that could lead to this alert. Nothing changed on the website, and every single URL is detected by avast, which brings me more than 50 'threat blocked' alerts...

Offline Eddy

Re: FALSE POSITIVE Blocking completely my Website
« Reply #9 on: April 04, 2016, 10:36:47 PM »
The amount of detections comes from the blacklisted domain and/or IP.

There is URL:Mal and URL:Mal2
According to someone from avast the difference is likely what scanner of avast is detecting it.
Both however (as far as avast told me), mean that the IP and/or Domain is blacklisted.

The problem can very well be the use of CloudFlare.
They don't exactly take security, blocking malicious sites and such seriously.

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: FALSE POSITIVE Blocking completely my Website
« Reply #10 on: April 05, 2016, 10:01:02 AM »
I removed leblogduhacker.fr from our blacklist ;)

As others said:
URL:Mal or URL:Mal2 detections both mean the URL (either a domain, subdomain, path, IP, or any combination of these) is on our blacklist.
If the domain is blacklisted, the Avast popup shows the URL entered in the browser (so if the user entered "images.leblogduhacker.fr/logov2.jpg" and "leblogduhacker.fr" was blocked, Avast would show "images.leblogduhacker.fr/logov2.jpg").
If the domain is not blacklisted, Avast lets your browser check the DNS for the IP, and then tests the IP. If the IP is blacklisted, Avast would show something like "104.28.20.53" when displaying the popup.
This was the old "Network Shield" - checking if the URLs are blacklisted.

Then we have the old "Web Shield", which actually checks the inside of the page (the source code). When Avast sees suspicious code, it shows a popup with whatever was suspicious: this includes all JS: and HTML: detections.
A strange crossover is the HTML:Iframe-inf, HTML:Script-inf, etc - this means a blacklisted domain is being loaded into an otherwise clean domain.

The old network shield and old web shield were merged into Web Shield, as we know it from the current versions of Avast, as a means of simplification. Deep down there, though, it still works as previously, merging is mostly a GUI issue.

If you guys have more questions, I will be happy to answer them 8)
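
Added illustration (not part of the thread and not Avast's code): a small Python model of the lookup order described in the reply above, plus a helper a site owner can use to tell from the alert name and the popup text which layer fired. The blocklist entries, the DNS table and all function names are constructed assumptions; path-level blocklist entries are left out of the model.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumption), not real blocklist entries.
BLOCKED_HOSTS = {"blocked.example"}
BLOCKED_IPS = {"203.0.113.7"}
DNS = {"images.blocked.example": "198.51.100.4",
       "shared-ip.example": "203.0.113.7",
       "clean.example": "198.51.100.9"}


def host_is_blocked(host, blocked_hosts):
    """True if the host or any parent domain is on the list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_hosts for i in range(len(labels)))


def url_check(url, blocked_hosts=BLOCKED_HOSTS, blocked_ips=BLOCKED_IPS, dns=DNS):
    """Return (verdict, text shown in the popup): domain check first, then IP."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host_is_blocked(host, blocked_hosts):
        # Domain hit: the popup shows the URL as entered, not the listed entry.
        return ("blocked-domain", host + parts.path)
    ip = dns.get(host, host)  # offline stand-in for the browser's DNS lookup
    if ip in blocked_ips:
        # IP hit: the popup shows the bare address.
        return ("blocked-ip", ip)
    return ("clean", None)


def explain_alert(detection, shown):
    """Map an alert name and popup text back to the layer that raised it."""
    if detection.startswith("URL:Mal"):
        try:
            ipaddress.ip_address(shown)
            return "ip-blocklist"
        except ValueError:
            return "domain-or-url-blocklist"
    if detection.startswith("HTML:") and detection.endswith("-inf"):
        return "blocked-resource-in-clean-page"
    if detection.startswith(("JS:", "HTML:")):
        return "content-scan"
    return "unknown"
```

An IP-level hit on a shared address affects every site behind that address, while a domain-level hit explains why every file on a site, favicon included, raises its own alert.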

REDACTED

  • Guest
Re: FALSE POSITIVE Blocking completely my Website
« Reply #11 on: April 05, 2016, 11:00:36 AM »
Hello HonzaZ and thank you for your support and the clarifications!
May I know why exactly the domain was blacklisted? And did the alert really come from the insecure jQuery libraries?
Regards.

Offline HonzaZ

Re: FALSE POSITIVE Blocking completely my Website
« Reply #12 on: April 05, 2016, 11:52:44 AM »
Hard question, as the analyst who blocked it isn't at work today :).
I would say it is possible though!

REDACTED

  • Guest
Re: FALSE POSITIVE Blocking completely my Website
« Reply #13 on: April 07, 2016, 08:21:04 PM »
Hello there,
Any news about the blacklisting of my website? I still sometimes get an alert for the subdomains like //images.leblogduhacker.fr.
I have no idea if it comes from my version of Avast or not, but I'm not totally sure the problem is fixed :/

Offline HonzaZ

Re: FALSE POSITIVE Blocking completely my Website
« Reply #14 on: April 07, 2016, 08:26:21 PM »
Did you try turning your shields off then back on again? Sometimes Avast holds the cache a little too long...