False positive URL:Mal URL:Blacklist

IvanMiha:
Hello Avast Team,

I am working for a streaming service provider, and for several days now we have been receiving customer complaints about Avast blocking access to our CDN, effectively preventing our users from using our service on Windows.
So far, from customer reports, these two URLs were detected as URL:Mal and/or URL:Blacklist:
sbb-bg-ne-s1-3.ug-be.cdn.united.cloud
sbb-bg-ku-r1-2.ug-be.cdn.united.cloud
I have checked:
https://www.virustotal.com/pt/url/223a493c2068170719f5f4589812a63e0cec80ebbf3c81fad44b99ffb4e40906/analysis/1555602057/
https://sitecheck.sucuri.net/results/sbb-bg-ne-s1-3.ug-be.cdn.united.cloud
https://quttera.com/detailed_report/sbb-bg-ne-s1-3.ug-be.cdn.united.cloud
http://urlquery.net/report/579d0894-8eae-4451-853e-644f7daaae06

Please let me know why these URLs got blacklisted by Avast, since we are not seeing anything suspicious from our side.

Thanks,
Ivan

Asyn:
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

polonus:
Hello IvanMiha

Re: The site returned an HTTP status code other than 200 (OK),
consider: https://observatory.mozilla.org/analyze/sbb-bg-ne-s1-3.ug-be.cdn.united.cloud
5 security related recommendations: https://webhint.io/scanner/03337b69-d7f7-4422-bf38-6e29ee8faab2#category-Security

At the crux of the problem are the various 404 not found errors we see here: -https://www.shodan.io/host/5.22.186.140
HTTP Connect    The remote server returned an error: (404) Not Found. (-http://sbb-bg-ne-s1-3.ug-be.cdn.united.cloud)
also a 404 Not Found on -http://5.22.186.140
So the issue could be completely unrelated to avast flagging.

Wait for an avast team member to give a final verdict, as we here are just volunteers with relevant knowledge,
but only avast team members can come and unblock. But this could be a DNS error returned by -dns3.sbb.rs,
as we get "Unable to connect to the remote server (-http://dns3.sbb.rs)".

Consider also: https://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fsbb-bg-ne-s1-3.ug-be.cdn.united.cloud

regards,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

sibin.arsenijevic:
Hello polonus and Asyn,

thank you for your prompt answers and your help!

I just want to clarify few more things:

- That domain is not serving a website; it is an IPTV streaming server that is part of a larger CDN, and it is not supposed to serve anything on its bare (sub)domain (hence the 404). There are other endpoints on that domain that serve the video content (and use HTTPS) for users, and apps should never request the bare domain name. The 404 on the bare domain is "by design".
- I am not comfortable discussing security on a public forum, but if you need further clarification as to why some things are done the way they are, you are free to DM or (better yet) email me; I'll try to give you as much information as possible.

We've already reported some subdomains on the URL that you provided, but since we have hundreds of possible subdomains we can't manually whitelist each and every one of them, and we don't want to send you a lot of false reports from our side through some automated reporter. Is it possible to report *.domain.name there?

Our CDN nodes all have these domain names in common *.ug.cdn.united.cloud, *.ug-be.cdn.united.cloud and *.ug-af31.cdn.united.cloud, maybe that would be the way to "whitelist" them all?

Whitelisting one node at a time is hardly maintainable, as we are adding new nodes all the time, and we can't send you a whitelist request before the domain is blacklisted; by that time our users are already affected and we are getting user complaints. And requesting that users create rules to whitelist these domains on their own machines is not exactly a good customer experience :)

We are willing to work with you in order to resolve these issues in a maintainable way.

Some more context: we are an IPTV provider with a content delivery network consisting of hundreds of nodes and hundreds of thousands of users on a multitude of devices.

Thank you again for your support!

Best regards,
Sibin
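Sibin's question above is whether the three CDN patterns can be allowlisted as a whole. The following is an added example (not Avast's or the CDN's code) showing how a vendor-side or local allowlist should match such wildcard patterns: on DNS label boundaries and case-insensitively, so that look-alike names are not accepted by a naive suffix check. The patterns come from the thread; the hostnames in the test are constructed or taken from the first post.

```python
"""Wildcard host allowlist matcher for the CDN patterns named in the thread."""

# Patterns quoted from Sibin's post ('*' stands for one or more labels).
CDN_PATTERNS = (
    "*.ug.cdn.united.cloud",
    "*.ug-be.cdn.united.cloud",
    "*.ug-af31.cdn.united.cloud",
)


def _normalize(host: str) -> str:
    """Lower-case the name and drop a trailing dot (fully-qualified form)."""
    return host.strip().rstrip(".").lower()


def _valid_label(label: str) -> bool:
    """A hostname label: non-empty, letters/digits/hyphens, no edge hyphen."""
    return bool(label) and label.strip("-") == label and label.replace("-", "").isalnum()


def matches_pattern(host: str, pattern: str) -> bool:
    """True if host is covered by a '*.suffix' pattern or equals a plain entry.

    The wildcard must cover at least one whole label, and the suffix must
    start on a label boundary. A bare host.endswith(suffix) check would also
    accept 'evilug-be.cdn.united.cloud', which is not part of the CDN.
    """
    host = _normalize(host)
    pattern = _normalize(pattern)
    if not pattern.startswith("*."):
        return host == pattern                      # exact, non-wildcard entry
    suffix = pattern[2:]                             # e.g. 'ug-be.cdn.united.cloud'
    if host == suffix:
        return False                                 # bare domain is not '*.suffix'
    if not host.endswith("." + suffix):
        return False                                 # the dot enforces the label boundary
    wildcard_part = host[: -len(suffix) - 1]         # labels replaced by '*'
    return all(_valid_label(lab) for lab in wildcard_part.split("."))


def is_allowlisted(host: str, patterns=CDN_PATTERNS) -> bool:
    """True if the host matches any of the allowlist patterns."""
    return any(matches_pattern(host, p) for p in patterns)
```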

polonus:
Hi Sibin,

Here you can see that the blocking is not caused by avast, but caused by DNSBL blocking:
https://www.robtex.com/dns-lookup/sbb-bg-ne-s1-3.ug-be.cdn.united.cloud

So you should take this up with clueless dot org in the first place,
and in case of an FP they should unblock ;)

Still get the non-founds here: https://www.shodan.io/host/5.22.186.140
probably because http does not automatically redirect to https.
Your stratum 2.3 service 123 however seems OK. (on a zero day read -http://mvfjfugdwgc5uwho.onion)

Also read at serverfault: https://serverfault.com/questions/493121/ubuntu-open-udp-port-123

polonus
