Author Topic: URLs are blocked even with 'Block malware URLs' disabled?  (Read 19711 times)

0 Members and 1 Guest are viewing this topic.

Offline Rundvleeskroket

  • Poster
  • *
  • Posts: 508
URLs are blocked even with 'Block malware URLs' disabled?
« on: June 26, 2016, 05:29:04 AM »
Hi. It seems that URLs that Avast deems dangerous are blocked. But when I uncheck 'Block malware URLs' under Web Shield Settings, they remain blocked. Is this normal?

The Avast notification does change though. From: 'Infection URL:Mal', to 'Infection URL:Mal2'. Note the '2'.

Disabling Script blocking also does not fix this. I have to entirely uncheck 'Enable Web Scanning' to access the URL. I'd rather not do that of course.

The URL I'm trying to visit is http://sceper.ws/page/2 and every subsequent number. The main site itself (sceper.ws) does load fine, without warnings. The content on the main page is on the numbered pages after a few hours, so I do want to be able to view those without disabling (large parts of) my AV. And there isn't an option as far as I can tell that lets me add an exclusion to URL blocking for a specific domain. I can add a URL exclusion to Web Shield, but that excludes it from all the other scans in there as well. I don't want to do that.

Is there currently actual malware on those numbered pages? It doesn't seem so. I am however running adblock, mixed content blocking, and privacy badger. In Firefox. If not, perhaps those pages should be removed from the blacklist. And perhaps disabling the malware URL blocking option should actually disable said blocking.

Hopefully I can get some clarification, and maybe even an update to the blacklist. Thanks  :)
« Last Edit: June 26, 2016, 05:32:29 AM by Rundvleeskroket »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #1 on: June 26, 2016, 06:38:25 AM »
By disabling Web Scanning, as you know, there is a risk in unforeseen actions on your system:
http://zulu.zscaler.com/
Use this site to scan for both hxxp://sceper.ws/page/2 and hxxp://sceper.ws/  (urls disabled for user safety, to restore/remove x's with t's)
You should get this:  http://zulu.zscaler.com/submission/show/d800eb206ba179527a7bed8785f383d3-1466914402
Elevated Phish risk
Main site sceper.ws not infected.

Avast WebBlock attached.
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline Rundvleeskroket

  • Poster
  • *
  • Posts: 508
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #2 on: June 26, 2016, 06:58:40 AM »
I'm not getting that alert about a malicious JavaScript. One of my blockers may perhaps have already filtered it out.

All I get is the "Infection URL:Mal" warning. So, blocked because the URL has been serving something it shouldn't in the past. Or still is?

I never ever download anything from there. I just use it as a TV-guide of sorts. See what's new. Nothing else.

I don't want to disable Web Scanning. But there doesn't seem to be a way to add a specific domain exclusion for the URL-blocking feature only. So I have to choose between disabling Web Scanning entirely, or not seeing the pages at all.

As I understand it from the zScaler site, it is a known site with an elevated phishing risk. Fine. I understand the risks. It doesn't mean the site is dangerous when just viewed without clicking on things, right?

I'd still like to know how come when I uncheck the malware URL block option, it remains blocked, and with another 'Infection URL:Mal2' alert. Didn't I just explicitly disable that check? How is Mal2 different from Mal?

I'd be happy with an option to proceed with caution.
« Last Edit: June 26, 2016, 07:03:30 AM by Rundvleeskroket »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5564
  • Spartan Warrior
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #3 on: June 26, 2016, 07:21:54 AM »
Avast block posted in attached .png was from a different site:  www.scanurl.net, a different web scanning site, scanning the same website you cannot visit, from a third-party point of view. 

Note the avast block is:  JS:ScriptPE-inf [Trj] -- avast Web Shield.

Phish warnings by independent third-parties should not be ignored as your web site is likely compromised.

Only other possible setting for Web Shield is 'Ask'.  See attached below: 
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.2.6105 (build 24.1.8918.827) UI version 1.0.801

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #4 on: June 26, 2016, 07:25:24 AM »
URL:Mal = Domain and/or IP is blocked.
If you get to see URL: Mal or URL:Mal2 depens on what part of avast detects it.

Suspicious scripts and links to blacklisted sites :
http://www.web-malware-removal.com/website-malware-virus-scanner/?url=sceper.ws

Blacklisted domain :
https://www.virustotal.com/en/url/c4adbccb19fab3e0a2cf1b1d1e0902e7750ff866ca5e2814282d58398eb68b14/analysis/1466917838/

Malicious, link to blacklisted domain :
https://quttera.com/detailed_report/sceper.ws

Blacklisted domains on that ASN :
http://urlquery.net/report.php?id=1466917118548
http://urlquery.net/report.php?id=1466917140794

Really bad (IP) history :
https://www.virustotal.com/en/ip-address/91.235.143.212/information/

Lot's of malicious activity :
http://zulu.zscaler.com/submission/show/1dc4f3b839b6fc9da03af421e947a4cb-1466917825

Vulnerable code used :
http://retire.insecurity.today/#!/scan/9b01a8178cdc5e65418b70838e30ab912ed5dfad76313cc18f92618482fdc0df

If I remember correctly, we have shown that the site isn't safe in the past already.
Since they haven't changed their practices, it is very unlikely the block on it will be lifted.

We do not help people to get on malicious websites.
« Last Edit: June 26, 2016, 01:16:46 PM by Eddy »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #5 on: June 26, 2016, 12:42:59 PM »
Also reported by FF in addition to Avast

Quote
What are Deceptive/Phishing, Attack Sites, Unwanted Software and Malware?
Deceptive Site (also known as “Phishing”)

This is a form of identity theft that occurs when a malicious website impersonates a legitimate one in order to trick you into giving up sensitive information such as passwords, account details, or credit card numbers. Phishing attacks usually come from email messages that attempt to lure the recipient into updating their personal information on fake but very real-looking websites. More information on phishing can be found at the Anti-Phishing Working Group, and there are a number of examples and resources available at the Wikipedia Phishing page.

Offline Rundvleeskroket

  • Poster
  • *
  • Posts: 508
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #6 on: June 26, 2016, 04:14:57 PM »
Thanks for the info. I am well aware of what phishing is. I do not give out personal information even on most legitimate sites. If at all. It is still not clear to me how come when I disable URL blocking, I'm still getting the website blocked. Disable blocking should mean exactly that imo. What part of Web Shield is responsible for the Mal2 alert, and can I add an exclusion to it?
« Last Edit: June 26, 2016, 04:17:08 PM by Rundvleeskroket »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #7 on: June 26, 2016, 05:35:13 PM »
See reply #4

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #8 on: June 26, 2016, 05:54:17 PM »
@ Rundvleeskroket
Your are misinterpreting the Site Blocking function (there is no 'Block malware URLs' option that you mention) - it doesn't stop avast scanning and blocking sites - its purpose is to allow 'you' to add sites to block irrespective of avast scanning finding it clean.

The actions you are experiencing with sites detected as malicious, etc. are correct.

In the Site Blocking window you will see that it allows for URLs (to block) to be entered. Uncheck the 'Enable site blocking. and the screen changes so you can no longer enter URLs.

EDIT: attached image.
« Last Edit: June 26, 2016, 05:56:32 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Rundvleeskroket

  • Poster
  • *
  • Posts: 508
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #9 on: June 26, 2016, 06:37:23 PM »
@ DavidR: Avast --> Options --> Active Protection --> Web Shield --> Customize --> Block malware URLs.

In the Help via the question mark in top right it says about this function:

Quote
Block malware URLs - Block websites based on a database of known malware URLs.

I'm not even looking at site blocking. That's not what I'm talking about.

So, even though I uncheck 'block malware URLs', Avast still blocks malware URLs. Rendering that checkbox moot.

@ Eddy: Setting to 'Ask' will have the whole of Web Shield ask what to do if it detects something, not specifically only the malware URL blocking part of Web Shield, right? If so, again, that is not what I'm after. I want to have Web Shield enabled, actively scanning my browsing, but allow me to proceed to access a site known to be of higher risk, at my own discretion. I don't consider phishing much of a risk to myself. I would however like the benefit of the script checking and such. So adding an exclusion for the whole of Web Shield is not preferred. And this isn't even adding an exclusion, but instead changing global behaviour. I don't want Web Shield asking me what to do for all browsing all the time.

Also, if the warning that pops up would tell me what malware is found, this would be helpful. I'm less inclined to proceed if a malicious script is trying to run, but less concerned if the site just contains a fake login or something of that ilk. The generic 'URL:Mal' warning doesn't give me enough detailed information about what exactly is wrong with the site I'm trying to visit.

« Last Edit: June 26, 2016, 06:52:03 PM by Rundvleeskroket »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #10 on: June 26, 2016, 07:03:11 PM »
Why do you even have avast installed if all you want to do is bypassing the protection it is offering you ?

Offline Rundvleeskroket

  • Poster
  • *
  • Posts: 508
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #11 on: June 26, 2016, 07:25:52 PM »
I'm not bypassing 99% of the protection. I just want to customize that one remaining percent of protection to allow me to access a site. By all means, keep the blacklist, but give me a way to override the blockade with minimal deactivation of other components of Avast.

I'll ask yet again: why does disabling 'block malware URLs' not actually disable said blocking? Yes, the alert changes from Mal to Mal2. So another part of Avast is now blocking. Which part is that specifically, and can I change it settings to my liking?

Malware comes in different guises. Not all are equally dangerous. I understand the default one size fits all approach, but that leaves advanced users out of options.
« Last Edit: June 26, 2016, 07:30:54 PM by Rundvleeskroket »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #12 on: June 26, 2016, 07:26:20 PM »
@ DavidR: Avast --> Options --> Active Protection --> Web Shield --> Customize --> Block malware URLs.

In the Help via the question mark in top right it says about this function:

Quote
Block malware URLs - Block websites based on a database of known malware URLs.

I'm not even looking at site blocking. That's not what I'm talking about.

So, even though I uncheck 'block malware URLs', Avast still blocks malware URLs. Rendering that checkbox moot.
<snip>

Apologies, I did think you were looking in the Site Blocking, since you were still getting alerts.

I visited the link that you gave using Firefox 47.0 and that gave a FF alert, blocking it before even avast got there. See attached FF notice image and the 'Why was this page blocked ?' https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct

Can you attach an image of the alert you are getting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Rundvleeskroket

  • Poster
  • *
  • Posts: 508
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #13 on: June 26, 2016, 07:38:38 PM »
@ DavidR: I have unchecked 'Block reported attack sites' and 'block reported web forgeries' in Firefox :)

With the checkbox in Web Shield enabled:



All six entries are identical.

With the checkbox disabled:

« Last Edit: June 26, 2016, 07:53:27 PM by Rundvleeskroket »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: URLs are blocked even with 'Block malware URLs' disabled?
« Reply #14 on: June 26, 2016, 07:40:06 PM »
That site is bad and not only because of phishing activities.
Do the smart thing and stay away from it.