Author Topic: False Positive HTML:ChaseBank-A [Phish]  (Read 3499 times)


Offline FrostBitten

  • Newbie
  • *
  • Posts: 5
False Positive HTML:ChaseBank-A [Phish]
« on: October 22, 2018, 10:47:46 PM »
I just installed a brand new out of box Arris SVG2482AC router and Avast is telling me that it is infected with HTML:ChaseBank-A [Phish] and blocks access to it.  These are generally considered DNS hijacking situations, but the router reports legitimate Comcast DNS numbers.

I called Arris, and they said that it is not possible to infect one of these routers. It has essentially the same firmware as Xfinity's routers. The problem didn't show up until I rebooted my machines after the new router install and (I assume) it updated Avast's virus files.

Since 192.168.0.1 is not a valid URL, I can't submit this via the "Report False Positives" page.

I can't even access the router configuration to try the suggestions Avast provides without first disabling Avast.  Even the internet is iffy without disabling Avast.

You need to fix this.  Now.


REDACTED

  • Guest
Re: False Positive HTML:ChaseBank-A [Phish]
« Reply #1 on: October 22, 2018, 11:23:16 PM »
We saw this false positive site interception for a user trying to log in to our Squirrelmail webmail server, over HTTPS, while Avast Free was in place.
I worked out that this was the "Web Shield" feature blocking the URL, apparently based on some behavioral heuristic? (The Squirrelmail webmail package redirects visitors who need to log in to sitename.tld/squirrelmail/src/login.php - don't know why that would be 'phishy')


To get around this problem, I found it is sufficient to:
open Avast
in "protections" click "Core Shields"
in "Core Shields" click on "Web Shield"
in the context menu over Web Shields, choose "stop indefinitely" (or another 'stop' option)


- Jim

p.s. the verification scribbles are getting ever more illegible even for us actual humans (sigh)

REDACTED

  • Guest
Re: False Positive HTML:ChaseBank-A [Phish]
« Reply #2 on: October 22, 2018, 11:35:56 PM »
Getting the same thing here. From trying to open our own webpages on our own web server. Not all of our sites, but the one we were working on today (if that matters). We develop in Adobe Muse, and by "we" I mean ME. So no, there is no extra virus stuff put in there.

I turn off Avast and all is well. But obviously, very concerned about others having this issue and assuming it is our website. It says, in brief:

HTML: ChaseBank-A [phish]
Then lists the URL is blocked
Then lists the issue with chrome.exe
Detected by Webshield
Status:  Aborted


REDACTED

  • Guest
Re: False Positive HTML:ChaseBank-A [Phish]
« Reply #3 on: October 23, 2018, 02:34:36 AM »
I've had the same issue today on my site (www.ilgrandeinverno.it). In particular a page users continuously reload/refresh as it's part of a web roleplay gaming interface.

Here are the reports from various online URL safety checkers:
Google: https://transparencyreport.google.com/safe-browsing/search?url=http:%2F%2Fwww.ilgrandeinverno.it%2Fgioco%2Fsx_location.php
WebInspector: https://app.webinspector.com/public/reports/88558442
Quttera.com: https://quttera.com/detailed_report/www.ilgrandeinverno.it
Pcrisk.com: https://scanner.pcrisk.com/detailed_report/www.ilgrandeinverno.it#details
Virustotal: https://www.virustotal.com/it/url/8827af9b0d03381f0ce053661e23ac9edac92c8a305cf3eb556c8545c2c468d1/analysis/1540237890/
Sucuri.net: https://sitecheck.sucuri.net/results/www.ilgrandeinverno.it/gioco/sx_location.php
Rescan Pro: https://rescan.pro/result.php?cd1696266cf1cf832f7c52e7ffbbd577

All of them mark our domain as clean, and even the two that directly check the supposedly infected page haven't found anything suspect/malicious.
Our site is an amateur, free web community of roleplayers. No "freemium" rules, no gadgets, no ad campaign, not even a stupid "buy me a coffee" web button.
We're completely non-commercial.
The incriminated page just contains a call to Google Fonts content and the Google Analytics scripts, a self-made JavaScript to control the page tools (pm, chat, meteo info, game locations, accessing the playing character's sheet and so on), and a Flash .swf calling some *.mp3 sfx in case of certain game events. And it refreshes automatically about every 120-180 seconds. Period.

Now, the question is: according to the workflow explained here, what the hell kind of "manual analysis" do you perform in your beloved Avast Threat Labs, before deciding to mark a reported link as phishing?

Players are strange. What I figure is that some "competitor" players decided to have fun sending you massive false phishing reports.
Really, it's the only reason I can think of for HOW the hell an inner page of a web gaming interface could have been listed as malicious/phishing (a banking one?? on a RP community??)

Mayhaps I'd have some thoughts about the way you accept anonymous (sorry "confidential") reports, without either a registration or an email confirmation request; even a small wolfpack of idiots can easily send you massive false reports against the targeted site, easily changing their IP addresses using proxies and just inventing each time a new (formally valid, but useless because you don't even verify it) email address to provide in the report form.

This is not "protecting users from threats", this is giving idiots the weapons to harm and bother other users.

This time we solved the issue by reporting the false positive to you, advising our users to update Avast to the latest engine and virus defs and, finally, to mark our domain as trustworthy.
Next time, maybe, we'll just suggest that they change their antivirus.

PS: Please change the captcha settings, it's really crappy and I'm for sure not blind. I had to reload the image 8 times before reading the required letters  :o
« Last Edit: October 23, 2018, 03:03:14 AM by samuel.potente »

REDACTED

  • Guest
Re: False Positive HTML:ChaseBank-A [Phish]
« Reply #4 on: October 23, 2018, 03:24:58 AM »
I've been getting a false positive on my Active Campaign account and am unable to work there without Avast knocking me out, then locking me out.
