Author Topic: Why does Avast block websites that aren't infected!!!  (Read 4381 times)

REDACTED

  • Guest
Why does Avast block websites that aren't infected!!!
« on: June 14, 2016, 03:06:57 PM »
The url carpauto.ca is blocked by avast. Why? Who knows! sucuri.net and drweb all say there's no virus. mxtoolbox does not report the server's IP on any blacklist yet Avast blocks the URL. This is garbage! I have better things to do in a day than have my customer complain because people cannot visit his website that use Avast! I mean come on! I'm the web host and I know this is a common problem with Avast. No, I'm not happy! Oh, and can you make the damn captcha any harder to read when you post?


REDACTED

  • Guest
Re: Why does Avast block websites that aren't infected!!!
« Reply #2 on: June 14, 2016, 05:35:05 PM »
Malicious :
https://www.virustotal.com/en/url/7e997b15e506569551aa4a176902abfbc6a34fa4a33c193b3be75202d5f2528e/analysis/1465916442/
^^^ This is saying I'm on a blacklist from clean-mx.de which is a BS site! No one uses them! Plus, their site is ONLY in German. I'm in Canada.

IP in multiple blacklists :
http://multirbl.valli.org/lookup/24.222.10.106.html
^^^ They are all the same error, DNS request failed: The name server was unable to process this query due to a problem with the name server.
I'm listed in http://www.dnsblchile.org/index.en.html which again is a non-reputable German site. I can't even de-list the IP because the only email address they will send a verification to is an invalid one at my ISP!!!

Vulnerable libraries :
http://retire.insecurity.today/#!/scan/691b731c446e8240c5d3afd324e32f5d405fd0c28713b858ae69f24dcad5235c
^^^ Seriously??? You're going to block something because it MAY be vulnerable to an attack! What, should I not let my kid play at the playground because she MIGHT get hurt and is vulnerable to a cut and scrape???

Problem with scanning :
https://sitecheck.sucuri.net/results/www.carpauto.ca
^^^ There's no problem with scanning. See Screenshot: http://www.webenergy.ca/images/Secururi.jpg

I use REPUTABLE sites like www.mxtookbox.com.

I host websites for clients, I also use Symantec Endpoint (which does not block the URL.) Malwarebytes, Spybot etc etc etc do NOT block this URL, only Avast does. This is ridiculous. Whitelist the damn site!!!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Why does Avast block websites that aren't infected!!!
« Reply #3 on: June 14, 2016, 05:59:29 PM »
Quote
Problem with scanning :
https://sitecheck.sucuri.net/results/www.carpauto.ca
Just scanned now  >  https://sitecheck.sucuri.net/results/www.carpauto.ca


Quote
IP in multiple blacklists :
http://multirbl.valli.org/lookup/24.222.10.106.html
This is only related to spam firewalls, giving extra score on mails coming from this IP before it decides if it is spam or not



IP History  >  https://www.virustotal.com/en/ip-address/24.222.10.106/information/
« Last Edit: June 14, 2016, 06:18:10 PM by Pondus »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Why does Avast block websites that aren't infected!!!
« Reply #4 on: June 14, 2016, 06:01:01 PM »
You are wrong in several places.

1] Clean-MX also has an English website and is not a BS site
2] dnsblchile is not even close to German, it is in the Spanish language (Chile)
3] None of the blacklists is saying that the DNS failed

Quote
You're going to block something because it MAY be vulnerable to an attack!
I am not blocking your site, avast (and others?) do.
I just pointed you to vulnerabilities that need to be fixed for the safety of your site as well as for the visitors of it.

Yes, there was a problem with scanning the site by Sucuri.
Could have been a problem with Sucuri or somewhere else.

You are not hosting this site.
You are not the owner of Eastlink.
If you host websites for clients you should know better than to use vulnerable code.

Spybot?
It used to be a good tool, but that was many years ago.

Ridiculous is your language and the way you behave on a public webboard that is open for all ages.

https://www.avast.com/false-positive-file-form.php

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Why does Avast block websites that aren't infected!!!
« Reply #5 on: June 14, 2016, 06:10:19 PM »
Hi Rick,
This site was blocked a while ago because of infection; we spotted this URL: carpauto[.]ca/f/1/1407112860/2491324060/5/x0004090407000700080150050f0304045106565601;1;5
No, we do not block URLs because they are vulnerable, we only block them if we actually spot malicious code on them, which is the case with carpauto.ca as well.
I hope the infection has been cleaned since then, so I am unblocking carpauto.ca now. Please do pay attention to the security issues that others pointed out, though.

REDACTED

  • Guest
Re: Why does Avast block websites that aren't infected!!!
« Reply #6 on: June 14, 2016, 06:11:08 PM »
Well, only AVAST is blocking the site and you want to know why I call BS??? Because you're all saying the IP is blocked. Tell me then, how come I can visit ANY OTHER SITE on the same IP as www.carpauto.ca using Avast and it's NOT blocked!!!

http://www.cnct.ca
http://www.webenergy.ca
http://www.novascotiacomputers.com
http://www.aquatightbasements.com

Just to list a few!!!

The problem is simple, Avast is blocking the site FALSELY! and Canadian people cannot visit a Canadian website hosted in Canada because some site in Chile and Germany say so? Again, Avast is the ONLY antivirus software blocking it. It's Avast's problem not mine. Fix it!

REDACTED

  • Guest
Re: Why does Avast block websites that aren't infected!!!
« Reply #7 on: June 14, 2016, 06:12:43 PM »
Quote
Hi Rick,
This site was blocked a while ago because of infection; we spotted this URL: carpauto[.]ca/f/1/1407112860/2491324060/5/x0004090407000700080150050f0304045106565601;1;5
No, we do not block URLs because they are vulnerable, we only block them if we actually spot malicious code on them, which is the case with carpauto.ca as well.
I hope the infection has been cleaned since then, so I am unblocking carpauto.ca now. Please do pay attention to the security issues that others pointed out, though.

Thank you! That's all I ask! Yes, the site was compromised about a year ago, but has since been cleaned. We have active virus scans, we locked down IIS and check the site against blacklists regularly.

I apologize if I offended anyone. It seems that the blacklists being used are not reliable as they list records automatically but do not de-list them automatically. clean-mx.de and multirbl.valli.org look like some kid built the site 15 years ago and that's why they do not look reputable. Perhaps using these blacklists is not such a good idea for such a widely used antivirus system like Avast since the blacklists are unreliable.
« Last Edit: June 14, 2016, 06:20:59 PM by Rick106 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Why does Avast block websites that aren't infected!!!
« Reply #8 on: June 14, 2016, 06:26:53 PM »
multirbl.valli.org does not block anything, it is just a list of spam firewall blacklists

avast, to my knowledge, uses their own list


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Why does Avast block websites that aren't infected!!!
« Reply #9 on: June 14, 2016, 06:57:33 PM »
Quote
Well, only AVAST is blocking the site and you want to know why I call BS???
avast did block it for a very good reason.
If it is/was the only one doing so doesn't mean the block was wrong.
1 man said that the earth was round and not flat, all others said he was wrong ;)
Quote
Because you're all saying the IP is blocked.
Nobody said that the IP was blocked.
Quote
and Canadian people cannot visit a Canadian website hosted in Canada because some site in Chile and Germany say so?
Don't forget that the internet is worldwide.
It is even in space ;)
avast detected malicious content on the site and blocked it.
Shouldn't they have done so just because they are not Canadian ? :P

REDACTED

  • Guest
Re: Why does Avast block websites that aren't infected!!!
« Reply #10 on: June 14, 2016, 07:26:54 PM »
Quote
avast did block it for a very good reason.
If it is/was the only one doing so doesn't mean the block was wrong.
1 man said that the earth was round and not flat, all others said he was wrong ;)
It may have been blocked for a good reason, but that was over a year ago. Records should be time and date stamped. Many blacklist sites re-check their blacklist every month or sooner and update the record if the malicious content remains or is cleaned. How is someone supposed to know that on some blacklist somewhere the site is listed and remains listed even if it's cleaned?
Quote
Nobody said that the IP was blocked.
Quote
IP in multiple blacklists :
http://multirbl.valli.org/lookup/24.222.10.106.html
You said the IP was on multiple blacklists.
Quote
Don't forget that the internet is worldwide.
It is even in space ;)
avast detected malicious content on the site and blocked it.
Shouldn't they have done so just because they are not Canadian ? :P
Yes it should have been listed when there was a problem with the site, but this resource is unreliable since they do not update their records. 90% of the world uses mxtoolbox.com and they have a comprehensive list of reliable blacklists that automatically update their records. The 2 the site was listed on are not reliable. My point remains the same. Use reliable blacklists that everyone uses!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Why does Avast block websites that aren't infected!!!
« Reply #11 on: June 15, 2016, 09:15:46 AM »
Quote
You said the IP was on multiple blacklists.
Yes I did.
But I never said it was blocked.
Quote
Records should be time and date stamped.
They are.
How else could HonzaZ have known that the site was blocked a while ago and not e.g. yesterday ?
He can see the date/time that it happened (and more).
Quote
How is someone supposed to know that on some blacklist somewhere the site is listed and remains listed even if it's cleaned?
Someone who knows what he is doing will not have asked this.
Someone who knows what he is doing runs checks/scans and not only after an infection.
Quote
Yes it should have been listed when there was a problem with the site, but this resource is unreliable since they do not update their records.
If they didn't update their records, how can it be the site is even on their records ?
How can it be that HonzaZ removed the block ?
Quote
90% of the world uses mxtoolbox.com
Wrong again.
It would not surprise me that over 90% of the people never heard of it.
Quote
and they have a comprehensive list of reliable blacklists that automatically update their records.
They use many of the same blacklists that multirbl is using also.

The real questions are :
Why did the site get malicious in the first place ?
Why didn't you remove the infection before avast (and others) detected it ?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Why does Avast block websites that aren't infected!!!
« Reply #12 on: June 15, 2016, 10:02:32 AM »
Let me put it in other plain words, what Eddy states here:

Those webmasters that do not mitigate insecurity and vulnerability as we report it to them,
will have a website that stays open to (re-)infection or they are just playing Russian Roulette,
and/or are extremely lucky to stay free of compromise.

Webmasters that forget about mitigating insecurity & do not fully update, upgrade, patch and configure settings,
according to best practices are food for the birds.

Simple as that. Denial mode has not helped anyone as far as I am aware.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!