Domain blocked by Avast (Clickfunnels and Clouflare problem?)

[marcello.furli]

Hi everyone,

our domain is blocked by Avast (users with Avast installed can't access our entire domain)

domain: amzmasterclassitalia.com

additional info: domain is hosted on Clickfunnels and uses Cloudflare.

I have found a very recent thread on this forum that apparently shows the very same problem for other clickfunnels users.

Link: https://forum.avast.com/index.php?topic=238367.0

That thread is marked as solved but I think the problem has come back or has never gone away.

I have already submitted the false positive report on Avast (yesterday, and I haven't received any response so far)

Needless to say this problem is affecting our business with very damaging effects (thousands of dollars).


I hope to hear from support team regarding this problem that apparently many clickfunnels users have.

Marcello

[polonus]

Hi marcello.furli,

See the 3209 bytes of Cloaking flagged here: http://www.isithacked.com/check/amzmasterclassitalia.com

There is a difference of 3209 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page. show.

Whenever that is due to Clickfunnel's or CloudFlare's anti-bot obfuscated code, should be taken up with these parties. Also it would be good to know what avast is actually detecting here as a False Positive or whether this should be seen as a genuine detection, anyway real Cloaking is going on there (fact).

So it takes three to tango here, clickfunnel, CloudFlare and avast av.

Just wait for a reaction from avast team, as we here on the forums are just volunteers, and have some expertise in website security intelligence (3rd party cold recon error-hunting), but we cannot come and unblock as just avast team members can.

Curious what has been going on in the mean time?

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

[polonus]

All sites flagged are making use of the Phusion Passenger Enterprise 6.0.2 webserver app to be used on either nginx or apache webservers. Their website at -https://www.phusionpassenger.com/ is qualified by avast as being untrustworthy, not because they found any phishing etc, but because of avast users voting it down.

From the WOT reputation service example, that went awfully wrong by selling all data to the highest bidder by a final interim entrepreneur, we found that qualifying by user votes could mean "open to abuse of sorts"and/or some kind of common down-voting. Was this checked to not be the case here by avast's?

polonus

[polonus]

See scan on the initial redirect, here:
https://webint.io/result/09b0d180-13d6-11eb-ab63-49b9220d1749

Somewhat more info in the field of applying best known policies,
where this website's security is being concerned.

A meager 5/10 checked issues, applied for security recommendations:

1. disown-opener: 2 hints;
2. no-disallowed-headers: 6 hints;
3. strict-transport-security: 4 hints;
5. x-content-type-options: 4 hints;
6. validate-set-cookie-header: 2 hints;
7. x-content-type-options: 4 hints.

See: https://webhint.io/scanner/c5e069f0-375a-4578-bdec-d86783e0bfb7#category-security

Now the waiting is for an official final verdict from avast team
on the status of that particular detection at hand.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

[marcello.furli]

Thank you guys!

I am keeping monitoring the problem even though I have already received the green light to my false positive from Avast by email, yesterday.

They say it can take up to 1 day to see the problem fixed.

[polonus]

You are welcome,

polonus

[Milos]

Hello,
thank you for the notice. Detection of the domain was disabled and fix was released yesterday afternoon.

Milos

[marcello.furli]

Hi everyone,

it is me, again (the OP).

The same problem has showed itself once again.

I have just sent again the false positive request and hopefully it will be cleared again, since nothing has changed on the site.

My question is this: is it possible to know what causes this block?

The main suspects are Clickfunnels and Claudflare (as written in precedent posts).

Is it possible to know which one is the culprit? If it was Claudflare we could think of not using it anymore (although we would prefer not to)

Last time Avast just sent me this by email:

Thank you for reporting this false positive.

Our virus specialists have now cleared its reputation in our database.

With URLs this change should be instant, but it might take up to 24 hours with files.

For future reference you might also find the following article to be useful: Avast Clean Guidelines.

Thank you for your time