Author Topic: (Solved) Is this false positive? or not  (Read 4873 times)


Offline jraju

  • Poster
  • *
  • Posts: 417
(Solved) Is this false positive? or not
« on: October 25, 2017, 07:57:22 AM »
Hi, of late I have been asking questions on security aspects. I am enclosing the scan result of the Avast Smart Scan, which gives this result. I want to know whether it is a false alarm or a false positive. Would any expert give advice? I am also enclosing the lines of text from my HNS scan log.
« Last Edit: November 04, 2017, 04:25:07 PM by jraju »

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #1 on: October 25, 2017, 07:59:29 AM »
Hi, in continuation, I enclose the relevant portion of the scan from the HNS scan log.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #3 on: October 25, 2017, 08:03:40 AM »
Hi, did you check the txt file I enclosed? I have checked with all other scans, with results that no vulnerability existed. So I ask. As the product belongs to Avast, I could get the confirmation only from Avast.

Offline libor_b

  • Avast team
  • Newbie
  • *
  • Posts: 14
Re: Is this false positive? or not
« Reply #4 on: October 25, 2017, 01:08:30 PM »
Hello jraju,

To confirm this, type the following at the command line:

Code:
nslookup vk.com
nslookup yandex.ru

In the output of these commands you will see
Name: <something>
Addresses: <some_addresses>
If the addresses from both commands are the same, then your DNS is hijacked. As HonzaZ says in the other topic, this may be caused by many reasons.

Quote
This could be caused by many reasons - your ISP might redirect you, your device (either end-device, such as laptop, PC, mobile; or router) might be infected, your DNS server might be infected, etc.

Libor

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #5 on: October 26, 2017, 07:39:02 AM »
Hi, the nslookup command, run in an elevated prompt, gives the following addresses:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>nslookup vk.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    vk.com
Address:

C:\Windows\system32>nslookup yandex.ru
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    yandex.ru
Address: 
The addresses are the same, and are the secured address of the ISP. I just deleted them for the sake of security. But how are these said to be DNS hijacked? I also tried google.com, which fetches the actual pages of google.com. Please say something more on this. How to overcome it?
I want a response like this, which gives an idea of the existing problem.
I just changed to Google DNS. Even though the DNS hijack problem goes, there is unknown access from some foreign site's server accessing the Google DNS. The site is sometimes shown as a third party.
Please, I am expecting answers to this.
If suppose a domain and sub-domain have the same ISP, then why should we not assume such a thing here?
But I do not know how the IP of the ISP is shown as the addresses. I checked the addresses shown in the command prompt by nslookup and then searched for them on "whose ip.com". Merely pasting the IP into the address bar does not fetch any result.
« Last Edit: October 26, 2017, 02:22:30 PM by jraju »

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #6 on: October 27, 2017, 12:50:06 PM »
Hi, previously experts, and sometimes staff or the moderators, would visit these forum posts and give a reply, as they know the intricacies involved in a query or bug. Of late, I have not seen such replies. Also, the support ticket format could not be used to submit.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Is this false positive? or not
« Reply #7 on: October 27, 2017, 02:37:51 PM »
You have had a reply from an Avast Team member in this topic. 

Hopefully libor_b will be able to get back to the topic.

I just wonder if it might have gotten more of a response in the viruses and worms sub-forums.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #8 on: October 28, 2017, 09:12:15 AM »
Hi, thanks for the information. I hope that Libor will come to my rescue. I think that Avast has included so many sites in its HNS scan and only two are said to be hijacked domains. I still expect some kind of solution to the problem.
Avast gives the solution of switching to Google DNS as a remedy for the DNS hijack problem. But choosing Google as DNS has also posed a strange problem for me: unknown DNS servers accessing my router or my network. So I changed back to the DHCP server, that is my ISP's server, resulting in the HNS DNS hijack alert popping up after each scan.
If some domains and sub-domains have the exact same IP address (is it possible?), then the same nslookup command would have shown the same addresses. I do not know more about this. I hope Libor will tell me about this. But how the addresses are shown as my ISP's server for the foreign domains is still not understood by me.
I also wish to point out that those IP servers belong to the ISP, but they were not the DNS servers automatically obtained and configured in the router.
« Last Edit: October 28, 2017, 09:29:45 AM by jraju »

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #9 on: October 28, 2017, 09:34:26 AM »
Hi, I am enclosing herewith the unknown server not configured in the router. Would Libor listen to me?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Is this false positive? or not
« Reply #10 on: October 28, 2017, 10:23:02 AM »
Would libor listen to me
Be patient, it's weekend... ;)

Offline libor_b

  • Avast team
  • Newbie
  • *
  • Posts: 14
Re: Is this false positive? or not
« Reply #11 on: October 30, 2017, 02:09:31 PM »
Hello jraju,

If the IP addresses are the same, then our scan indeed reports DNS-hijacked domains. It doesn't matter which two domains conflict. It also often happens that these domains are redirected by ISPs (as is probably your case), and then you can safely ignore this issue. But our scanner is not lying to you and your DNS is hijacked (by your ISP), so this is not a false positive, but probably a harmless DNS hijack.

Libor
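The check libor_b describes in Reply #4 and interprets in Reply #11 (two unrelated domains resolving to the same address means the resolver, not the domains' own nameservers, is answering) can be automated. This is an added example, not code from the thread or from Avast; the domain pair comes from the thread, the resolver is injectable so the logic runs offline against constructed answers, and the domains compared must share no hosting, or a common CDN address would look like a redirect.

```python
"""Added example: detect a resolver that answers for unrelated domains with one address."""
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to the set of addresses it resolves to.
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Ask the OS's configured DNS server, as `nslookup <name>` does with no server argument."""
    _, _, addrs = socket.gethostbyname_ex(name)
    return set(addrs)


def resolve_all(domains: Iterable[str], resolver: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Resolve every domain; a failed lookup (NXDOMAIN, SERVFAIL, no network) yields an empty set."""
    results: Dict[str, Set[str]] = {}
    for domain in domains:
        try:
            results[domain] = resolver(domain)
        except OSError:  # socket.gaierror is a subclass of OSError
            results[domain] = set()
    return results


def shared_addresses(results: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return every address answered for two or more of the domains, with the domains it was given for."""
    owners: Dict[str, List[str]] = {}
    for domain, addrs in results.items():
        for addr in addrs:
            owners.setdefault(addr, []).append(domain)
    return {addr: sorted(ds) for addr, ds in owners.items() if len(ds) > 1}


def dns_looks_redirected(domains: Iterable[str], resolver: Resolver = system_resolver) -> bool:
    """True when unrelated domains collapse onto a common address: the check from the thread."""
    return bool(shared_addresses(resolve_all(list(domains), resolver)))


if __name__ == "__main__":
    # The pair from the thread plus a control domain that should resolve elsewhere.
    domains = ["vk.com", "yandex.ru", "google.com"]
    answers = resolve_all(domains)
    for domain, addrs in answers.items():
        print(f"{domain:12} -> {', '.join(sorted(addrs)) or '(no answer)'}")
    overlap = shared_addresses(answers)
    if overlap:
        for addr, ds in overlap.items():
            print(f"WARNING: {addr} was answered for {', '.join(ds)}; the resolver is redirecting these names")
    else:
        print("No shared addresses; the answers look genuine")
```

The "Non-authoritative answer" label in the nslookup output only means the reply came from a caching resolver rather than the zone's own nameserver; it appears on every ordinary recursive lookup and says nothing about whether the answer is genuine.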

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #12 on: October 30, 2017, 02:41:38 PM »
Hi, Libor,

If I switch to the Google DNS server, then what is the role of the unknown server? I could understand my ISP's server, as the provider of internet, and Google DNS, as configured, having access. But why is a third DNS server accessing my router, which I have not configured in my router?
Could you explain that behaviour? It is a server from Malaysia. How do I find the role of that server? Is it that the server may have been allowed by Google DNS for some internet activity? The irony of the problem is that my query to Google Public DNS has so far not been replied to.
Users are concerned about the security tips. I hope that I receive a reply for this also.

Anyhow, as it is not a false positive, I changed to OpenDNS in the router. Anyhow, please explain if I select the public DNS and it allows some third-party DNS servers access at times.
« Last Edit: October 30, 2017, 02:57:50 PM by jraju »

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #13 on: November 03, 2017, 02:02:42 AM »
Hi, libor, I was expecting your reply.
But is it possible that, if those domains' IPs are shown as a non-authoritative answer, then it could be a false positive?
« Last Edit: November 03, 2017, 02:19:16 AM by jraju »

Offline jraju

  • Poster
  • *
  • Posts: 417
Re: Is this false positive? or not
« Reply #14 on: November 04, 2017, 09:28:39 AM »
so this is not a false positive, but probably a harmless DNS hijack.
Fine. I confirmed with the ISP that those are blocked sites. I have been using Avast for more than 10 years.
Now, how do I make Avast not display these red-letter words on a scan? I mean, how could I handle these false positive sites, so that they are not scanned by Avast and I do not get this alert for these two sites alone?
The scan is included in the Smart Scan. How do I configure it, please? I will try in the meanwhile from your tutorial. Can I expect a reply from Libor or some experts?