Author Topic: How to tell why web shield shows URL:Mal for particular site  (Read 3105 times)


REDACTED

  • Guest
How to tell why web shield shows URL:Mal for particular site
« on: September 12, 2018, 09:52:45 PM »
There is a resource site, mbzponton.org, that "Web Shield" always blocks and reports as a low severity threat categorized as "URL:Mal" in file favicon.ico.

How do we identify what that threat actually is?

Is it something akin to tracking cookies or some other minor issue I'd exclude from being flagged, or could it be a possible infection vector?
I need to access this site and am loath to disable the shield for an hour or whatever but I do occasionally need data off that site.
How can we tell whether Web Shield is raising a false-positive "URL:Mal", or whether the issue is severe or innocuous?
Thanks all.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: How to tell why web shield shows URL:Mal for particular site
« Reply #1 on: September 12, 2018, 11:14:26 PM »
URL:Mal = Blacklisted URL or IP


How to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

« Last Edit: September 12, 2018, 11:18:43 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: How to tell why web shield shows URL:Mal for particular site
« Reply #2 on: September 12, 2018, 11:31:03 PM »
Pondus is right, and what has been blocked is that IP, which you may share with a domain used for launching ransomware.
There is also some FP involved; the IP has been giving issues as far back as 2009: https://forums.malwarebytes.com/topic/117170-6429151221/

Your site has been flagged by 6 vendors because of: MB_Tool_Kits.pdf -> https://www.virustotal.com/#/file/89da8318c7b311878d8c5e69716b2916eb7219f024899c5a58c0ee62b77ca9f0/detection
Avast detects this as PDF:UrlMal-inf [Trj]

Steer away from that host, or make sure the pdf is above board, and then ask for a domain exclusion from an avast team member, as the website as such seems OK.

Remember we are just volunteers with relevant knowledge here, but only avast team members unblock or maintain detection.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89055
  • No support PMs thanks
Re: How to tell why web shield shows URL:Mal for particular site
« Reply #3 on: September 12, 2018, 11:32:50 PM »
This also used to be an old tactic: have the favicon.ico file redirect to a third-party malicious/suspicious site (commonly for a drive-by attack). Or, if you don't have a favicon.ico file, hackers can craft a 404 page that redirects to a malicious/suspicious site. So it certainly needs investigation.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
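As an added example (not code from this thread or from Avast), here is a small offline triage helper for the favicon.ico tactic described above: it inspects a site's /favicon.ico response for an off-host HTTP redirect, a crafted 404 body carrying a meta-refresh or JavaScript redirect, and a 200 whose body is not actually an icon. The origin host, the "third-party.invalid" target and all sample responses are constructed for illustration.

```python
"""Offline triage of a /favicon.ico response for redirect-to-third-party tactics."""
import re
from urllib.parse import urlparse

ICO_MAGIC = b"\x00\x00\x01\x00"   # ICONDIR header of a .ico file
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # some sites serve a PNG favicon

# Client-side redirects that may sit in an HTML body (e.g. a crafted 404 page).
META_REFRESH = re.compile(rb'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'> ]+)', re.I)
JS_LOCATION = re.compile(rb'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def _off_host(origin_host, url):
    """True if url points at a host other than the origin (relative URLs stay on-host)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != origin_host.lower()


def assess_favicon(origin_host, status, headers, body):
    """Return a list of findings; an empty list means the response looks like a plain icon."""
    findings = []
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location and _off_host(origin_host, location):
        findings.append(f"HTTP {status} redirect off-host to {location}")
    if status in (200, 404):
        for pattern, kind in ((META_REFRESH, "meta-refresh"), (JS_LOCATION, "JavaScript")):
            for match in pattern.finditer(body):
                target = match.group(1).decode("latin-1")
                if _off_host(origin_host, target):
                    findings.append(f"{kind} redirect in {status} body to {target}")
    if status == 200 and not body.startswith((ICO_MAGIC, PNG_MAGIC)):
        findings.append("200 OK but body is not an ICO/PNG image")
    return findings


# Constructed sample responses (status, headers, body); not captured from any real site.
ORIGIN = "example.org"
SAMPLES = {
    "clean": (200, {"Content-Type": "image/x-icon"}, ICO_MAGIC + b"\x01\x00" + b"\x00" * 20),
    "redirect": (302, {"Location": "http://third-party.invalid/drop.php"}, b""),
    "crafted_404": (404, {"Content-Type": "text/html"},
                    b"<html><head><meta http-equiv='refresh' content='0;url=http://third-party.invalid/x'></head></html>"),
    "local_redirect": (301, {"Location": "/static/favicon.ico"}, b""),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(f"{name}: {assess_favicon(ORIGIN, status, headers, body) or ['no findings']}")
```

In practice you would feed it the status, headers and body of a request for /favicon.ico made with redirects disabled, so the first hop is what gets judged.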

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: How to tell why web shield shows URL:Mal for particular site
« Reply #4 on: September 13, 2018, 12:09:57 AM »
Thanks for pointing that out, DavidR.

Additionally, the pdf file involved has one JavaScript block flagged; the packer is F-Prot appended.
Using this append option, F-PROT Antivirus will only detect a fraction of infected files, so be careful here also.

Re: https://www.virustotal.com/#/file/89da8318c7b311878d8c5e69716b2916eb7219f024899c5a58c0ee62b77ca9f0/details

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: How to tell why web shield shows URL:Mal for particular site
« Reply #5 on: September 13, 2018, 05:59:40 PM »
Hi,
mbzponton[.]org was blocked ~2 years ago. I am unblocking it now.