Author Topic: Avast Web shield detects url:blacklist for svchost.exe  (Read 1503 times)

0 Members and 1 Guest are viewing this topic.

Offline velvetine

  • Newbie
  • *
  • Posts: 10
Avast Web shield detects url:blacklist for svchost.exe
« on: February 23, 2024, 04:55:32 PM »
Good day. I had one detection from Avast earlier which said that it blocked something that read: "We've safely aborted connection on 151.139.180.24 because it was infected
with URL:Blacklist"

When viewing the details, it reads:

URL: (h)ttp://151.139.180.24/filestreamingservice/files/de941d9c-0764-425e-bbb9-51f48d6e5a46/pieceshash?
cacheHostOrigin=dl.delivery.mp.microsoft.com

(The (h) in parentheses to break the link)

Process: C:\Windows\System32\svchost.exe

I'm currently running Windows 11, with Avast free version 24.1 with everything fully up to date.

From a quick Googling, it seems like this is a false positive, but I rather err on the side of caution and ask.

Boot time scan and full system scan both come up clean, no history of past infections on this machine; this is the only time Avast has detected anything so far. Worth noting that there were no repeat detections and blocks from web shield other than the initial one.

Offline New_Style_xd

  • Sr. Member
  • ****
  • Posts: 397
Re: Avast Web shield detects url:blacklist for svchost.exe
« Reply #1 on: February 23, 2024, 05:23:09 PM »
Good day. I had one detection from Avast earlier which said that it blocked something that read: "We've safely aborted connection on 151.139.180.24 because it was infected
with URL:Blacklist"

When viewing the details, it reads:

URL: (h)ttp://151.139.180.24/filestreamingservice/files/de941d9c-0764-425e-bbb9-51f48d6e5a46/pieceshash?
cacheHostOrigin=dl.delivery.mp.microsoft.com

(The (h) in parentheses to break the link)

Process: C:\Windows\System32\svchost.exe

I'm currently running Windows 11, with Avast free version 24.1 with everything fully up to date.

From a quick Googling, it seems like this is a false positive, but I rather err on the side of caution and ask.

Boot time scan and full system scan both come up clean, no history of past infections on this machine; this is the only time Avast has detected anything so far. Worth noting that there were no repeat detections and blocks from web shield other than the initial one.

To get a second opinion. and make sure there is nothing on your infected machine. Run Malwarebytes to see if it finds anything.
OS: Windows 10 PRO / Intel(R) Core(TM) i7-6500U CPU 2.60 GHz.
Real Time: Avast Premium Security: 24.2.6104 (compilação 24.2.8904.819) IU: 1.0.799
Moble: Avast Security: 24.3.0-1004091
VPN: Avast SecureLine VPN: 5.29.9498
On Demand: Malwarebytes: 4.6.9.314

Offline JGram

  • Newbie
  • *
  • Posts: 9
Re: Avast Web shield detects url:blacklist for svchost.exe
« Reply #2 on: February 24, 2024, 01:04:38 AM »
URL Blacklists are usually done for a reason; indicates that the URL (Uniform Resource Locator) link is known not trustworthy... either from Avast or from partners/industry that share "known bad" URLs.

You would probably need to use something like Process Explorer from Systinernals to investigate what specific service is using that instance of svchost.exe and see where it's located... not that that would be easy to connect to the URL warning given.

Anyway, if it's not a behavioral block I'd be very wary. Also, did you happen to be doing any other misc. web browsing at the time of the alert?

Offline velvetine

  • Newbie
  • *
  • Posts: 10
Re: Avast Web shield detects url:blacklist for svchost.exe
« Reply #3 on: February 24, 2024, 02:40:58 AM »
Thanks for the replies!

All scans indicate that the machine is clean.

The only thing running at the time was Discord open in Chrome, which it had been for an hour or so. I wasn't browsing anything at all, and I was away from the computer when the Avast alert happened.

Also, what does behavioural block mean? Cheers

Offline JGram

  • Newbie
  • *
  • Posts: 9
Re: Avast Web shield detects url:blacklist for svchost.exe
« Reply #4 on: February 24, 2024, 02:56:37 AM »
I'm leaving stuff out here, but to try to explain it on a basic level:

There are a bunch of ways that Antivirus programs try to keep you safe. Over time it's not enough to just rely on old methods.

A URL blacklist block - Generally this means that Avast has recognized this as a 'bad actor' -- either from their own data points or often many reputable companies/organizations/etc will publish lists of 'known bad actors', and then the security community will update their 'lists' so that they can preemptively block connections to those. Basically: Hey, I know that place is probably a bad place to go to

Fingerprinting - This is where they have "fingerprints" they have gotten from known malicious software/code/scripts/files/etc. and match what's on your machine against a database of these 'known fingerprints' to ID bad things on your computer

Behavioral - This is a 'next step' where they try to look for things that just don't seem right. Even if it doesn't actually match a fingerprint or some remote resource that's blacklisted, they have ways to determine if something seems -- as Velma from Scooby Doo would say -- "hinky". These processes/files/etc. can then be stopped/quarantined/etc. and/or any related connections stopped.

If your curious, I'm sure you can find a bunch of material out there that's more in-depth and specific

Offline pavel.novak

  • Avast team
  • Newbie
  • *
  • Posts: 5
Re: Avast Web shield detects url:blacklist for svchost.exe
« Reply #5 on: February 26, 2024, 01:45:13 PM »
Hi, thank you for notifying us. We reviewed your report and disabled URL detection as False Positive. If the issue persists, please send us the detection dialog screenshot.

Best,
Pavel.