False positive report - feeling ignored - need help!

[LuisF]

While working on a webpage that I am building for my business (that needs to go live in July) I found out that my site had been blacklisted by Avast.
The blacklisted domain is: *https://www.baronatelier.com*

For context, I am using Wix, and have not added any customization to the page beyond the default components of the platform.

I have since submitted several false positive reports (https://www.avast.com/report-false-positive#pc) to no avail.

I also checked with several malware detection pages and the only issue found was one detection by CRDF on VirusTotal, which I have seen as a common theme with other similar posts on this forum.

This issue has been going on for over 10 days now, and I have run out of ideas. I'm desperate as I cannot delay the launch of the business.

Any help would be greatly appreciated!

Thank you in advance,

[DavidR]

Avast User here - Avast recently ceased sending out email responses to FP reports.

Potentially suspicious content reported here - https://quttera.com/detailed_report/baronatelier.com
Considered a Low Security Risk here - https://sitecheck.sucuri.net/results/baronatelier.com - with hardening improvements.
Not sure if this isn't a host related issue - https://www.abuseipdb.com/check/185.230.63.171
A further refreshed check at VT - Only two hits on this check - https://www.virustotal.com/gui/url/a0eab7ac0ae8c7d0b5867e1139254791947ec1b02fcdfe2daa94d2d6f1a2f37a?nocache=1

[LuisF]

Hi DavidR,

First off, thanks a lot for your reply. I had read that they were no longer replying, but without feedback and the site remaining blocked, I did not know what to do...

With regards to the reports you sent:

Potentially suspicious content reported here - https://quttera.com/detailed_report/baronatelier.com
From the looks of it, seems to have to do with the cart, but I did not alter anything form the original code from wix. I am looking into it, any ideas are welcome.

Considered a Low Security Risk here - https://sitecheck.sucuri.net/results/baronatelier.com - with hardening improvements.
On it!

Not sure if this isn't a host related issue - https://www.abuseipdb.com/check/185.230.63.171
I assume it must be, I have only had this domain since a couple of months ago, but the alerts go way back. Also, the site was published for some time without issue, so I assume if the blacklist was due to this it would have triggered earlier.

A further refreshed check at VT - Only two hits on this check - https://www.virustotal.com/gui/url/a0eab7ac0ae8c7d0b5867e1139254791947ec1b02fcdfe2daa94d2d6f1a2f37a?nocache=1
And this one seems to be just a result of the first one

I am a bit puzzled by the /cart suspicious code. I'm afraid I am not that savvy when it comes to coding. If anyone could take a look and point me in the right direction, that would mean the world.

[LuisF]

Hi,

Quick update:

Just got off the phone with Wix's support team, they said the following:

On the /cart code issue: In all honesty, I do believe they did not review the code that I sent on my call request... however, I am inclined to agree with their logic. They said that since the code is the default Wix implementation it cannot be faulty, as millions of sites run it without issues with Avast.
As a side note, I have tried to access the bit of code myself and it does not seem to be possible to alter that section within Wix's editor other than selecting the font and the display.

And with regards to the firewall: they said that the site is "fully secured" with Wix's own security; that the site does have a firewall and that everything is running smoothly...

So, back to square one...

I know they don't usually answer, but Is there any chance at all to get someone from Avast to provide any feedback, or to look at the case again? I am so sorry for asking, but I really do not know how to proceed from here.

If anyone has any idea about how to move forward, please, I am desperate...

[LuisF]

Further update:

Wix's support has suggested contacting Quttera directly to report the case as a false positive. I have just done so. Hopefully that alert will get removed soon.

As for the rest of the issues, I have been digging into wix's documentation and I don't believe there isn't a lot I can do about security headers or the site's firewall as those seem to be managed by wix.

Any ideas?

[DavidR]

Unfortunately as an Avast User I'm limited in what I can do - one thing I have seen before is historic web domains/Ips with previous issues remain an issue.

This certainly isn't my area of knowledge web site development.

I will try and draw some attention to this topic.

[LuisF]

It means a lot DavidR, thank you!

I don't know if it will help, but I got good news regarding the other false positives:
I wrote yesterday to CRDF asking them to remove the alert and they have done so.
Also, Quttera wrote back and they also removed their alert, so now, the site should not rise any flags on virustotal!

[DavidR]

You're welcome, hopefully it will bare fruit.

[polonus]

San oversight:
HOSTING DETAIL
Web Server:
Pepyaka
IP Address:
34.149.87.45
Hosting Provider:
GOOGLE-CLOUD-PLATFORM
Shared Hosting:
317 sites found (use Reverse IP to download list)
Title:
Inicio | Baron Atelier
0 issues
Issues found during a high level analysis of the target site. It is recommended that further active scanning be undertaken for a more accurate assessment.
  Blacklists and Threat Intel

A check of threat intelligence sources and blacklists was performed against the hostname and IP address of the target. The findings will identify reputation issues or even the presence of malicious code.
DShield   CLEAN
AlienVault OTX
CLEAN
Cisco Talos   CLEAN
abuse.ch (Feodo)   CLEAN
URLhaus   CLEAN
Spamhaus (Drop / eDrop)   CLEAN
   
Google Safe Browsing is maintained by Google and used to by Chrome to warn users that they are about to visit a malicious site. Use the link to perform a live check of the target site.
   
Virus Total is a powerful analysis engine that uses threat intelligence and antivirus to help researchers track malware. References found on Virus Total may contain live malware. Use with caution.

If the IP address of a shared hosting server is listed in a blacklist, it may simply indicate one of the hosted websites has been compromised. It does not neccessarily indicate an immediate threat to another site on the same host, but should be investigated. Multiple listings from a shared hosting server may indicate a hosting service with poor reputation or poor security practices.
Take care visiting the listed threat intelligence resources. Links, hosts and references may contain live malware and should be treated with caution.
 
Plugins are a source of many security vulnerabilities within WordPress installations, always keep them updated to the latest version available and check the developers plugin page for information about security related updates and fixes.

There are likely more plugins installed than those listed here as the detection method used here is passive. While these results give an indication of the status of plugin updates, a more comprehensive assessment should be undertaken by brute forcing the plugin paths using a dedicated tool.
 

Reputation checks have been performed on the IP address for each of the linked sites. Hosts found on blacklists with poor reputation may be a threat to users of the site. Hosting and locations are also included in the results.
   Externally Linked Host    Hosting / Company    Country    
   pinterest.com    FASTLY       
   instagram.com    FACEBOOK       
  Javascript Resources

IP address blacklists have been checked for each of the linked hosts. Addresses with poor reputation could be a threat to users of the site or may point to the presence of malicious javascript. Hosting and location are also included in the results.
   JS Link    Hosting / Company    Country
   -https://static.parastorage.com/services/wix-thunderbolt/dist/thunderbolt-commons.f5f1fc96.bundle.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/services/wix-perf-measure/1.1095.0/wix-perf-measure.umd.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://polyfill-fastly.io/v3/polyfill.min.js?features=fetch    FASTLY    
   -https://static.parastorage.com/services/tag-manager-client/1.859.0/siteTags.bundle.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/services/wix-thunderbolt/dist/main.renderer.1d21f023.bundle.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/unpkg/focus-within-polyfill@5.0.9/dist/focus-within-polyfill.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/unpkg/react-dom@18.3.1/umd/react-dom.production.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/unpkg/lodash@4.17.21/lodash.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/unpkg/core-js-bundle@3.2.1/minified.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/services/wix-thunderbolt/dist/main.90b29617.bundle.min.js    GOOGLE-CLOUD-PLATFORM    
   -https://static.parastorage.com/unpkg/react@18.3.1/umd/react.production.min.js

Consider also -> https://www.abuseipdb.com/check/34.149.87.45

Known bad hash: https://zulu.zscaler.com/submission/6d666582-993f-4a42-90ba-e88c14c7e445 but given as BENIGN.

Wait for a final verdict from avast team,

polonus

[LuisF]

Hi,

Final update:

I just tried accesssing my site and I FINALLY CAN!

Avast lifter the blacklist!

I cannot thank you enough!
The work that you do here is incredible!

Cheers!

[DavidR]

You're welcome, glad it has been resolved.