Author Topic: False Positive -- VBS:Malware [Gen] (Read 11503 times)

REDACTED · « **on:** July 01, 2016, 02:40:04 PM »

Receiving blocked threat notices here: https://personalsavings.americanexpress.com/

Asyn · « **Reply #1 on:** July 01, 2016, 02:45:33 PM »

You can report a URL here: https://www.avast.com/report-a-url.php

REDACTED · « **Reply #2 on:** July 01, 2016, 02:50:30 PM »

Excellent! Thanks!!

Asyn · « **Reply #3 on:** July 01, 2016, 02:51:38 PM »

You're welcome.

Pondus · « **Reply #4 on:** July 01, 2016, 03:47:31 PM »

Only avast detect > https://virusscan.jotti.org/en-US/filescanjob/1x6wknwhef

REDACTED · « **Reply #5 on:** July 01, 2016, 06:21:23 PM »

This seems to be happening to everything to do woth Amex.......how do you override a threat report?

REDACTED · « **Reply #6 on:** July 01, 2016, 06:43:07 PM »

I am having the same problem. It seems to affect everything to do with American Express.

polonus · « **Reply #7 on:** July 02, 2016, 12:57:29 AM »

Will be interesting to hear Avast Team's position on this issue. Is it a FP or a genuine detection, just Avast detects. American Express has been hacked and spread malware on several occasions in the past. The only one to explain is the Avast Team Member responsible for that potential FP whenever it is one. Probably we will hear about this over the weekend. Also curious if the detection is also reported when users use Avast Safe Zone browser?

Well there are certainly problems there, as is shown here: https://aw-snap.info/file-viewer/?tgt=https%3A%2F%2Fpersonalsavings.americanexpress.com%2Fhome.html&ref_sel=GSP2&ua_sel=ff&fs=1

But let us wait for a final verdict from Avast...

polonus

polonus · « **Reply #8 on:** July 02, 2016, 01:20:26 PM »

Seems the FP has been mitigated, I am no longer getting this avast pop-up alert.

A likewise generic detection like this one seemed to have been at the culprit of this, again not on all clients: https://www.reverse.it/sample/8bef79ef4eb547e6a227b31a80fec6565fb073d4a36138ab80fdeed274a7a414?environmentId=100
and also consider this one: https://www.hybrid-analysis.com/sample/145ec5176315a0cec2c56f3ae57dbd22c2d7e09a2e958ef13a3ca28f70439100?environmentId=100 It is anexperimental navigation structure and behavior pattern based on progressive enhancement and responsive web design,
NAV.RWD.checkMetroMode line 87 of the website code where we have to point to according to Redleg.

We are just waiting for an Avast Team Member to react.

Security issue server header info proliferation for Server type:
Apache/2.2.3 (Red Hat) DAV/2 mod_jk/1.2.31 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5
Secure Renegotiation:
Enabled
Downgrade attack prevention:
Not Enabled
Next Protocol Negotiation:
Not Enabled
Session resumption (caching):
Enabled
Session resumption (tickets):
Enabled
Strict Transport Security (HSTS):
Not Enabled
SSL/TLS compression:
Not Enabled
Heartbeat (extension):
Enabled
RC4:
Not Enabled
OCSP stapling:
Not Enabled

Please check this list for unknown links on your website:

-https://www.bluebird.com/?solid=inavmyaccountbb&inav=menu_my --> 'bluebird alternative to bankin'
-https://www.amexglobalbusinesstravel.com --> 'corporate travel solutions'
-http://www.amextravelresources.com/?us_nu=dd&inav=menu_trave --> 'find a travel service office'
-https://www.amexglobalbusinesstravel.com --> 'corporate travel solutions'
-https://www.amexglobalbusinesstravel.com/meetings-and-events --> 'meetings and events'
-https://www.openforum.com/?cid=inav_home --> 'learn more'
-http://www.fdic.gov/edie/index.html --> 'continue'
-http://www.fdic.gov/edie/index.html --> 'continue'
-https://foursquare.com/americanexpress --> ''
-https://www.bluebird.com/?solid=bbdamexhpbbar&inav=footer_bl --> 'bluebird®'
-https://info.evidon.com/pub_info/1328?v=1&nt=1&nw=true&inav= --> 'adchoices'

polonus (volunteer website security analyst and website error-hunter)

HonzaZ · « **Reply #9 on:** July 04, 2016, 09:26:41 AM »

Hi all,
This was indeed a false positive. Luckily it impacted only a very small percentage of users accessing amex

It should have been fixed a long time ago, if you still have any problems, can you try to update Avast, restart shields and then trying again?

REDACTED · « **Reply #10 on:** July 07, 2016, 09:02:00 PM »

@HonzaZ - Tried what you recommended and still getting popup warning. What else do you recommend?

Pondus · « **Reply #11 on:** July 07, 2016, 10:06:00 PM »

Quote from: steve307 on July 07, 2016, 09:02:00 PM

@HonzaZ - Tried what you recommended and still getting popup warning. What else do you recommend?

Post a screenshot of the popup warning

REDACTED · « **Reply #12 on:** July 07, 2016, 10:14:03 PM »

Screenshot attached

Pondus · « **Reply #13 on:** July 07, 2016, 10:26:40 PM »

@HonzaZ is probably not online again before tomorrow (european time)

HonzaZ · « **Reply #14 on:** July 08, 2016, 09:26:11 AM »

I doubt that there is another FP on the same site with the same detection...
Cou you try to updating Avast (both engine and virus database), then restart your computer, to see if there is still a popup?

Author Topic: False Positive -- VBS:Malware [Gen] (Read 11503 times)

REDACTED

False Positive -- VBS:Malware [Gen]

Asyn

Re: False Positive -- VBS:Malware [Gen]

REDACTED

Re: False Positive -- VBS:Malware [Gen]

Asyn

Re: False Positive -- VBS:Malware [Gen]

Pondus

Re: False Positive -- VBS:Malware [Gen]

REDACTED

Re: False Positive -- VBS:Malware [Gen]

REDACTED

Re: False Positive -- VBS:Malware [Gen]

polonus

Re: False Positive -- VBS:Malware [Gen]

polonus

Re: False Positive -- VBS:Malware [Gen] (SOLVED)

HonzaZ

Re: False Positive -- VBS:Malware [Gen]

REDACTED

Re: False Positive -- VBS:Malware [Gen]

Pondus

Re: False Positive -- VBS:Malware [Gen]

REDACTED

Re: False Positive -- VBS:Malware [Gen]

Pondus

Re: False Positive -- VBS:Malware [Gen]

HonzaZ

Re: False Positive -- VBS:Malware [Gen]