Author Topic: Need more information about false positive


Offline boffin13

  • Newbie
  • *
  • Posts: 5
Need more information about false positive
« on: August 05, 2021, 01:09:59 PM »
Hello,

Several weeks ago my domains started to get blocked due to the URL:Mal threat.

Each time I tested the domains with several other antiviruses and found nothing.
Then I filled in the false-positive form, and after some time the domain's reputation was cleared by the Avast team.


Is it possible to receive more information about why the blocks of the domains were issued at all?

I think that this is because of one of the advertisers, but I need more information to detect the problematic one and disable it.
Where can I get it?



The reference IDs of the last several tickets:

#13743151 / ref:_00Db0Z3Sf._5005p2WRgNg:ref   <--- this one was cleared today

Tickets from some time ago:
#13725708 / ref:_00Db0Z3Sf._5005p2WRCyy:ref
#13689837 / ref:_00Db0Z3Sf._5005p2VCZZD:ref


Offline boffin13

  • Newbie
  • *
  • Posts: 5
Re: Need more information about false positive
« Reply #1 on: September 24, 2021, 12:49:00 AM »
Hello,

I am writing again to this topic because since my last post we have had several more alerts from Avast which resulted in the site being closed with a URL:Scam message.
After submitting the false-positive form, the alert was cleared and the false positive confirmed, but no other information about what happened and how we can prevent future problems was provided.

Here are reference IDs of these confirmed false positive reports:

#13656161 ref:_00Db0Z3Sf._5005p2VBNp7:ref
#13745447 ref:_00Db0Z3Sf._5005p2WRl4J:ref
#13743151 ref:_00Db0Z3Sf._5005p2WRgNg:ref
#13855818 ref:_00Db0Z3Sf._5005p2WsFg4:ref
#13865482 ref:_00Db0Z3Sf._5005p2WsXcG:ref
#13929101 ref:_00Db0Z3Sf._5005p2XrCHV:ref
#14044880 ref:_00Db0Z3Sf._5005p2Xuf27:ref

The last one happened two days ago.
The pattern is always the same.

Site marked as URL:Scam => we are scanning the site and the advertisers and nothing is found => we are reporting false-positive => false positive confirmed by avast, alert is disabled and the site's reputation is cleared.

Each time the ONLY reply we receive is that the reputation is cleared and no information is provided about WHAT caused the problem.

We are struggling to keep our sites very clean to provide the best user experience.
However, it's very difficult to operate when about once a week sites are marked as URL:Scam and then cleared as false positives.

If we were given any additional info, we would tune our ads to prevent such cases in the future.
But right now our users and our partners are affected and there is nothing we can do about it.

Please assist!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Need more information about false positive
« Reply #2 on: September 24, 2021, 09:26:09 AM »
You could report your site here: https://www.avast.com/report-malicious-file.php
Wait for a final verdict from Avast.

I could say something about a 3rd party cold recon analysis of the site and accordingly error-hunting,
but as you do not mention the site in question, that is hard for me to do.


polonus (volunteer 3rd party cold reconnaissance website security-analyzer and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline boffin13

  • Newbie
  • *
  • Posts: 5
Re: Need more information about false positive
« Reply #3 on: October 01, 2021, 12:43:16 AM »
>> You could report your site here: https://www.avast.com/report-malicious-file.php
But can it help me? The form just says "thank you for reporting your site. we will check" and that's it again. No information.




Let me describe the process again:
My domain is banned because of some malicious advertiser. Say my domain is domain.com and it loads an ad with the URL ad-broker.com, which redirects multiple times and finally arrives at some malicious-ad.com.

Because of these redirects, my domain is banned. So two questions:


1. WHY is my domain banned and not the domain the malicious ad was served from?
2. WHY doesn't Avast provide ANY information about how it arrived at this malicious ad (I mean the whole redirect chain) so I'll be able to ban the broker or the advertiser to prevent similar cases in the future?



>> I could say something about a 3rd party cold recon analysis of the site and accordingly error-hunting,
>> but as you do not mention the site in question, that is hard for me to do.
The domains in question are:
1. xtits.xxx
2. xozilla.xxx
3. analdin.xxx

If you can provide more information about why these domains had multiple false positives (in my previous message I've listed all the ref IDs of the tickets), it would help immensely. Thank you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Need more information about false positive
« Reply #4 on: October 01, 2021, 01:02:04 AM »
>> You could report your site here: https://www.avast.com/report-malicious-file.php
But can it help me? The form just says "thank you for reporting your site. we will check" and that's it again. No information.
<snip>

Normally you should get a response within 48 hours.

So to start with, we Avast users can't say why it would be blocked/alerted on, as we don't have any screenshot of the alert to work with.

What I will say is that none of the p o r n sites you listed is alerted on by Avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Need more information about false positive
« Reply #5 on: October 02, 2021, 01:44:12 PM »
Hi boffin13,

The only suspicious flag for this came from Quttera at VT, but a detailed report now gives it the all green:
https://quttera.com/detailed_report/xozilla.com
Also clean: https://sitecheck.sucuri.net/results/xozilla.xxx

Also take this up with DataWeb Global Group B.V., the hoster of the mentioned sites at 31.220.24.117.
Consider these vulnerabilities (outdated scripts):
see: https://snyk.io/test/website-scanner/?test=211002_BiDcRW_dafe1c6c0d65a45c7858ef1971260139
Also see the pdf and report here: https://www.immuniweb.com/websec/www.xozilla.com/kZMss68a/

Have a nice new week, you all,

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: October 03, 2021, 01:04:04 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!