Topic: False Positive URL-Mal www-notebookcheck-com.webpkgcache.com ?

Offline Zitrus

  • Jr. Member
  • **
  • Posts: 32
For some time Avast Free Antivirus reports: "Threat secured, We've safely aborted connection on www-notebookcheck-com.webpkgcache.com because it was infected with URL.Mal"

This seems like a persistent false positive to me. I checked the said URL on www.emailveritas.com/url-checker-results and on www.virustotal.com. Both sites recognize the URL as CLEAN!

And this URL was not blocked on 2 other PCs, each with a different and also well-known antivirus program (BitDef... and Kasp...).

https://webpkgcache.com is a service from Google - I can't imagine something like that sneaking past these security fanatics.

I sent the said URL as a false positive to www.avast.com/false-positive-file-form.php.
Response from Avast: "...Thank you for contacting Avast and reporting a suspected false positive detection. I'm happy to help. Our virus specialists checked the detection and confirmed it as correct. If you're the owner of the reported website and want to change the detection, feel free to contact us again for a new analysis once the website is cleaned..."

In both the Avast Antivirus alert and the Avast response, I'm missing any information about the nature of the alleged infection - this lack of information saddens me!

I'm still leaning towards this being a case of false positive as apparently only the Avast antivirus engine is alerting this as a URL:Mal. I don't like false positives. I would like to ask about the experiences of other users. Is this really a URL:Mal and if so, what kind - or is it a false positive? :-\
I have my contributions translated online into English
For misunderstandings please blame the translator ;-)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89340
  • No support PMs thanks
« Reply #1 on: May 18, 2023, 05:30:14 PM »
At the time of the alert, are you actually trying to connect to the site notebookcheck-com.webpkgcache.com, as why it would be doing that seems somewhat strange (to me). But then again I don't use the Chrome browser. As to me, this mashed URL appears to be trying to get cached content for notebookcheck-com (presumably the '-' would be a '.' period) for the actual site.

Some security issues reported here - https://en.internet.nl/site/webpkgcache.com/2097274/

Nothing found here - https://quttera.com/detailed_report/webpkgcache.com - Not sure what this is/relates to security "SSL Certificate details: Available via API only."

The last VT scan was 2 months ago, running it again - whilst it still comes up clean - https://www.virustotal.com/gui/url/ba166a1eb4fe092df2e45d92e935868da87ba0a56e6f36342c46a62ba0f2977d?nocache=1  - have a look at the Links tab.  I don't know if one of those may be responsible.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Zitrus

« Reply #2 on: May 18, 2023, 06:51:36 PM »
The warning message is independent of the browser used.

This warning pops up whenever I search something on google.com with the term 'notebookcheck' e.g. 'flip cover samsung a54 notebookcheck' or search something else with notebookcheck.

www.notebookcheck.com is a trustworthy site and Avast does not complain when you visit it.

As said, webpkgcache.com is a site owner caching service provided by Google. When I go directly to https://webpkgcache.com I'll be redirected to https://developers.google.com/search/docs/appearance/signed-exchange and Avast doesn't nag (just give it a try).

But when I do the google search mentioned above or type 'https://www-notebookcheck-com.webpkgcache.com/' directly, the Avast alert comes up.

When I now disable Avast and type 'https://www-notebookcheck-com.webpkgcache.com/' directly, I'm landing redirected again on 'https://developers.google.com/search/docs/appearance/signed-exchange' (just give it a try).

So obviously there seems in fact nothing right with URL:Mal. I have now entered a corresponding exception in the Avast settings because I am fed up with questionable false positives, especially since I have not received any information about the type of infection.

Nevertheless, I hope, also in the interests of other users, that Avast will take a closer look at it again. Something must be wrong if only Avast recognizes a URL:Mal there and on https://www.virustotal.com/gui/url/db4b4aa2696fe266b076d8217fac68918d9eb423918b79e11d95dc6763c10e34?nocache=1 zero of 89 security vendors flagged this URL as malicious.
« Last Edit: May 18, 2023, 08:37:42 PM by Zitrus »

Offline Zitrus

« Reply #3 on: May 18, 2023, 08:10:18 PM »
URL:Mal inflation: hXXps://wXw.hct-busvermietung.de = URL:Mal according to Avast

see image and

https://www.virustotal.com/gui/url/e2750a2d690de1e73480bf1ee3f71f8369aeaeac2b564d27d1b94e3e8558737c?nocache=1

Maybe this hXXps://wXw.hct-busvermietung.de is a URL:Mal, because with google search you see very strange things in the cache of the site
« Last Edit: May 19, 2023, 12:15:34 AM by Zitrus »

Offline DavidR

« Reply #4 on: May 18, 2023, 11:32:59 PM »
As an Avast User I can't say why Avast might be alerting on this URL as I'm not in possession of the full information available to the Virus Labs Team (who responded).

But security weaknesses could lead to exploit.

Personally I would avoid cached data in search results; not only could that cached data be outdated, but also I don't know what checks might be done by Google when caching previous search data.

When posting URLs to suspect sites drop the hXXps://wXw elements (or change them as I have) before the domain name to prevent them being active and exposure to suspect sites.

Your VT link still has cached results from a site also considered malicious by Avast; my previous VT link had many more domains in that and not only the hXXps://wXw.hct-busvermietung.de/ one in your link. Which just goes to show those results are constantly changing.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
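
The hostname mapping guessed at in Reply #1 and the URL defanging asked for in Reply #4, as an added example (not code from any poster or from Avast). It assumes the cache subdomain is built by turning '.' into '-' and a literal '-' into '--'; `origin_from_cache_host`, `defang` and `triage` are hypothetical helper names, and `hxxp`/`[.]` is a common defanging convention rather than the hXXps://wXw style used in the thread.

```python
import re
from urllib.parse import urlsplit

CACHE_SUFFIX = ".webpkgcache.com"  # cache domain named in the thread

def origin_from_cache_host(host):
    """Return the origin host a cache subdomain stands for, or None.

    Assumption: '.' in the origin became '-', and a literal '-' became '--'.
    Hashed or punycode labels cannot be reversed this way and yield None.
    """
    host = host.lower().rstrip(".")
    if not host.endswith(CACHE_SUFFIX):
        return None
    label = host[: -len(CACHE_SUFFIX)]
    if label.startswith("xn--") or not re.fullmatch(r"[a-z0-9-]+", label):
        return None
    # Protect doubled hyphens, turn single ones into dots, then restore.
    origin = label.replace("--", "\0").replace("-", ".").replace("\0", "-")
    parts = origin.split(".")
    if len(parts) < 2:
        return None
    if any(not p or p.startswith("-") or p.endswith("-") for p in parts):
        return None  # ambiguous or malformed encoding
    return origin

def defang(url):
    """Make a URL or hostname non-clickable before posting it."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    scheme = re.sub(r"(?i)^http", "hxxp", scheme)
    return scheme + sep + host.replace(".", "[.]") + slash + path

def triage(flagged_url):
    """Summarise a flagged cache URL: which origin to check, in postable form."""
    target = flagged_url if "://" in flagged_url else "//" + flagged_url
    host = urlsplit(target).hostname or ""
    origin = origin_from_cache_host(host)
    return {
        "flagged": defang(flagged_url),
        "origin_host": origin,
        "origin_defanged": defang(origin) if origin else None,
    }
```
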

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
« Reply #5 on: May 19, 2023, 12:14:12 AM »
The first link you gave is no longer being flagged for PHISHING.

The second detection has blacklisted links:
Blacklisted External Links
-https://hct-busvermietung.de/ticketsystem/index.php
-https://hct-busvermietung.de/t-gera/index.php
Referenced Blacklisted Domains
-hct-busvermietung.de

Google Chrome returned code 301 to -https://hct-busvermietung.de/
GoogleBot returned code 301 to -https://hct-busvermietung.de/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Zitrus

« Reply #6 on: May 19, 2023, 12:29:35 AM »
Quote
The first link you gave is no longer being flagged for PHISHING.

The second detection has blacklisted links:
...

Thanks a lot! You're the first one to let me know what's behind URL:Mal in the first link (www-notebookcheck-com.webpkgcache.com), PHISHING. There was only a sparse "URL:Mal" in the Avast AV alert. Now I can do more with it.
And with the 2nd link hct-busvermietung.de I also assume that it is a malicious website. A little research revealed information about an immensely dubious company.
« Last Edit: May 19, 2023, 12:49:26 AM by Zitrus »

Offline polonus

« Reply #7 on: May 19, 2023, 11:29:06 AM »
Hi Zitrus,

Glad to help. You worked out correctly what is behind it  ;)
Providing a remedy is the goal.

Kind regards,

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: False Posive URL-Mal www-notebookcheck-com.webpkgcache.com ?
« Reply #8 on: May 19, 2023, 11:43:57 AM »
This is the phishing link: 
Quote
-Dior カードケーxxxス 期間限定セーxxxル -wXw.hct-etc.
Quote
Re: -htxps://www.qwant.com/?q=Dior+%E3%82%AB%E3%83%BC%E3%83%89%E3%82%B1%E3%83%BC%E3%82%B9+%E6%9C%9F%E9%96%93%E9%99%90%E5%AE%9A%E3%82%BB%E3%83%BC%E3%83%AB+wXw.hct-&client=ext-chrome-sb&t=web
-htxps://www.qwant.com/?q=Dior+%E3%82%AB%E3%83%BC%E3%83%89%E3%82%B1%E3%83%BC%E3%82%B9+%E6%9C%9F%E9%96%93%E9%99%90%E5%AE%9A%E3%82%BB%E3%83%BC%E3%83%AB+wXw.hct-&client=ext-chrome-sb&t=web

Do not click or go to the above links - AOS&P blocks them all. It is all a big phishing scheme/campaign. A Japanese Amazon phishing scheme. Links broken for security by me (pol).

Also see: https://de.trustpilot.com/review/www.hct-busvermietung.de (some had negative experiences)
Checked link here and it was given as suspicious: https://easydmarc.com/tools/phishing-url

polonus
« Last Edit: May 19, 2023, 02:23:02 PM by polonus »