Topic: False positive (again)

multu40200
False positive (again)
« on: July 17, 2024, 10:52:20 PM »
Hello,

I'm writing here because the false positive form is ignoring my requests.

It concerns the https://notube.fi website.

The site is blocked by Avast and prevents thousands of users from accessing our site: we receive complaints from users almost every hour to let us know.

This is simply unacceptable, as we have done everything necessary to meet Avast's requirements, including removing entire categories from our advertising network.

It's also very strange and dangerous to block our site when it's simply ads you don't like.

Can you please:

Unblock the entire notube.fi site, subdirectories and subdomains.
And if you want, block notube.fi/p/ and notube.fi/p2/, which do indeed redirect to mainstream advertising (unless you consider Amazon or AliExpress to be dangerous advertising).

Another funny thing is that you've whitelisted the notube.net domain, which is exactly the same site but in English (.fi is the Spanish version).

This makes it very difficult for me to justify this to my users, and I will systematically redirect them to the url of this topic so that they can have a transparent report from you.

Sorry if the post can be a bit prickly, but I've been fighting with you for years over the same request, and you're the ONLY antivirus company to act in this way against my site.


Thank you in advance

polonus
Re: False positive (again)
« Reply #1 on: July 18, 2024, 01:04:00 PM »
But there is a reason: check out hxtps://notube.fi/
[X] Checking for cloaking
There is a difference of 4351 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but makes Google think there's something else on the page. See: https://www.isithacked.com/check/https%3A%2F%2Fnotube.fi%2F (Google may not like cloaking.)

[X] Status codes
These should normally be the same.

GoogleBot returned code 403
Google Chrome returned code 301 to -https://notube.fi/es/youtube-app-2

No malicious content found here: https://quttera.com/detailed_report/notube.fi
nor here: https://www.virustotal.com/gui/url/b2bf27266b9867430d6abaa69beaf25a906d17dff4cf35f55bb9325025c84a3b

So wait for a final verdict from the Avast team.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
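
The cloaking and status-code checks quoted in the reply above can be reproduced by a site owner. This is an added example, not part of the original post and not the code of the checker it links to; the `compare` logic, the 256-byte tolerance and the sample captures are assumptions made for illustration.

```python
import urllib.error
import urllib.request

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it


def fetch(url, user_agent, timeout=10):
    """Return (status, Location, body) for one request, redirects not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location"), err.read()


def compare(browser, bot, tolerance=256):
    """Explain how two (status, location, body) captures differ."""
    findings = []
    delta = abs(len(browser[2]) - len(bot[2]))
    if browser[0] != bot[0]:
        findings.append(f"status differs: browser={browser[0]} bot={bot[0]}")
        if delta:
            findings.append(f"{delta}-byte difference is between two different "
                            "responses (e.g. redirect stub vs error page), "
                            "not two versions of one page")
    elif browser[1] != bot[1]:
        findings.append(f"redirect target differs: {browser[1]} vs {bot[1]}")
    elif delta > tolerance:
        findings.append(f"same status, bodies differ by {delta} bytes: "
                        "diff the two bodies for user-agent-specific content")
    return findings


# Constructed captures shaped like the report quoted above (301 vs 403).
SAMPLE_BROWSER = (301, "https://site.example/landing", b"<html>301 Moved</html>")
SAMPLE_BOT = (403, None, b"<html>" + b"x" * 4000 + b"</html>")

if __name__ == "__main__":
    for line in compare(SAMPLE_BROWSER, SAMPLE_BOT):
        print(line)
```

Run `compare(fetch(url, CHROME_UA), fetch(url, GOOGLEBOT_UA))` against your own site. A 403 returned only to the Googlebot User-Agent is commonly the result of bot filtering on requests that do not come from Google's address ranges, so check server and WAF rules before treating it as hidden content.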

multu40200
Re: False positive (again)
« Reply #2 on: July 18, 2024, 01:19:30 PM »
I can confirm that there's no reason for this: It's just a redirect to the home page.

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>

I've been waiting for several months now, and Avast's last reply dates back to May 20, 2 months ago. How long do I have to wait?

« Last Edit: July 18, 2024, 01:21:27 PM by multu40200 »

DavidR
Re: False positive (again)
« Reply #3 on: July 18, 2024, 02:15:29 PM »
Avast has recently ceased sending direct responses to FPs - yes they will investigate and if confirmed as an FP it would be removed.

That said I tried to visit the site and it still throws up an alert (see attached screenshot), but it doesn't match what you have posted.

Before shooting the messengers, neither of us work for Avast but are Avast Users.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

multu40200
Re: False positive (again)
« Reply #4 on: July 18, 2024, 02:38:50 PM »
"Avast has recently ceased sending direct responses to FPs" What does this mean? How can the problem be followed up and resolved if they no longer respond to requests?

polonus
Re: False positive (again)
« Reply #5 on: July 18, 2024, 03:57:14 PM »
Have a look at the JSON output at urlscan.io:
Quote
{
  "data": {
    "requests": [
      {
        "request": {
          "requestId": "FFE6D6FEEB069E1E19910A33FB555A6A",
          "loaderId": "FFE6D6FEEB069E1E19910A33FB555A6A",
          "documentURL": "-https://notube.fi/",
          "request": {
            "url": "-https://notube.fi/",
            "method": "GET",
            "headers": {
              "Upgrade-Insecure-Requests": "1",
              "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
            },
            "mixedContentType": "none",
            "initialPriority": "VeryHigh",
            "referrerPolicy": "strict-origin-when-cross-origin",
            "isSameSite": true
          },
          "timestamp": 57648272.519988,
          "wallTime": 1721310675.71098,
          "initiator": {
            "type": "other"
          },
          "redirectHasExtraInfo": false,
          "type": "Document",
          "frameId": "1E27BB1678EB4EDB4DB53869E4B60ABC",
          "hasUserGesture": false,
          "primaryRequest": true
        },
        "response": {
          "encodedDataLength": 0,
          "dataLength": 0
        }
      }
    ],
    "cookies": [],
    "console": [],
    "links": [],
    "timing": {
      "beginNavigation": "2024-07-18T13:51:15.707Z",
      "frameStartedLoading": "2024-07-18T13:51:15.710Z"
    },
    "globals": []
  },
  "lists": {
    "ips": [],
    "countries": [],
    "asns": [],
    "domains": [
      "notube.fi"
    ],
    "servers": [],
    "urls": [
      "-https://notube.fi/"
    ],
    "linkDomains": [],
    "certificates": [],
    "hashes": []
  },
  "meta": {
    "processors": {}
  },
  "page": {
    "domain": "-notube.fi",
    "url": "-https://notube.fi/",
    "apexDomain": "-notube.fi"
  },
  "scanner": {
    "country": "fi"
  },
  "stats": {
    "IPv6Percentage": null,
    "adBlocked": 0,
    "domainStats": [
      {
        "count": 0,
        "ips": [],
        "domain": "notube.fi",
        "size": 0,
        "encodedSize": 0,
        "countries": [],
        "index": 0,
        "initiators": []
      }
    ],
    "ipStats": [],
    "malicious": 0,
    "protocolStats": [],
    "regDomainStats": [
      {
        "count": 0,
        "ips": [],
        "regDomain": "notube.fi",
        "size": 0,
        "encodedSize": 0,
        "countries": [],
        "index": 0,
        "subDomains": [
          {
            "domain": "",
            "failed": true
          }
        ]
      }
    ],
    "resourceStats": [],
    "securePercentage": 0,
    "secureRequests": 0,
    "serverStats": [],
    "tlsStats": [],
    "totalLinks": 0,
    "uniqCountries": 0
  },
  "submitter": {
    "country": "NL"
  },
  "task": {
    "apexDomain": "notube.fi",
    "domain": "notube.fi",
    "method": "manual",
    "source": "web",
    "tags": [],
    "time": "2024-07-18T13:51:45.707Z",
    "url": "-https://notube.fi/",
    "uuid": "bf57160a-1946-4d6d-8c5c-2d321b8c3179",
    "visibility": "public",
    "reportURL": "https://urlscan.io/result/bf57160a-1946-4d6d-8c5c-2d321b8c3179/",
    "screenshotURL": "https://urlscan.io/screenshots/bf57160a-1946-4d6d-8c5c-2d321b8c3179.png",
    "domURL": "https://urlscan.io/dom/bf57160a-1946-4d6d-8c5c-2d321b8c3179/"
  },
  "verdicts": {
    "overall": {
      "score": 0,
      "categories": [],
      "brands": [],
      "tags": [],
      "malicious": false,
      "hasVerdicts": false
    },
    "urlscan": {
      "score": 0,
      "categories": [],
      "brands": [],
      "tags": [],
      "malicious": false,
      "hasVerdicts": false
    },
    "engines": {
      "score": 0,
      "categories": [],
      "enginesTotal": 0,
      "maliciousTotal": 0,
      "benignTotal": 0,
      "maliciousVerdicts": [],
      "benignVerdicts": [],
      "malicious": false
    },
    "community": {
      "score": 0,
      "categories": [],
      "brands": [],
      "votesTotal": 0,
      "votesMalicious": 0,
      "votesBenign": 0,
      "malicious": false,
      "hasVerdicts": false
    }
  }
}
Actually, see: https://urlscan.io/result/fd2e2c48-60e4-4ca8-8565-e944558003eb/

polonus
« Last Edit: July 18, 2024, 06:28:17 PM by polonus »
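
A zero score in a scan result like the one quoted above only means something if the scanner actually retrieved the page. The following added example (not part of the original post, and not urlscan.io code) reads the field names visible in that JSON and reports whether any content was captured; the interpretation of each field and the two sample results are assumptions constructed for illustration.

```python
import json


def scan_captured_content(result):
    """Return (ok, reasons): did the scan record any real page data?"""
    reasons = []
    requests = result.get("data", {}).get("requests", [])
    if not requests:
        reasons.append("no requests recorded")
    elif all(r.get("response", {}).get("dataLength", 0) == 0 for r in requests):
        reasons.append("every response has dataLength 0")
    for reg in result.get("stats", {}).get("regDomainStats", []):
        if any(sub.get("failed") for sub in reg.get("subDomains", [])):
            reasons.append(f"entry under {reg.get('regDomain')} marked failed")
    if not result.get("lists", {}).get("ips"):
        reasons.append("no IP address was contacted")
    return (not reasons), reasons


def interpret(result):
    """Turn a result into a verdict that distinguishes 'clean' from 'empty'."""
    ok, reasons = scan_captured_content(result)
    if not ok:
        return "inconclusive: " + "; ".join(reasons)
    overall = result.get("verdicts", {}).get("overall", {})
    if overall.get("malicious"):
        return "flagged malicious"
    if not overall.get("hasVerdicts"):
        return "content captured, no verdicts issued"
    return "content captured, not flagged"


# Constructed sample: same shape and values as the empty result quoted above.
EMPTY_SCAN = json.loads("""{
 "data": {"requests": [{"response": {"encodedDataLength": 0, "dataLength": 0}}]},
 "lists": {"ips": [], "domains": ["site.example"]},
 "stats": {"regDomainStats": [{"regDomain": "site.example",
            "subDomains": [{"domain": "", "failed": true}]}]},
 "verdicts": {"overall": {"score": 0, "malicious": false, "hasVerdicts": false}}
}""")

# Constructed sample: a scan that did load the page (documentation IP range).
LOADED_SCAN = json.loads("""{
 "data": {"requests": [{"response": {"encodedDataLength": 2048, "dataLength": 5120}}]},
 "lists": {"ips": ["192.0.2.10"], "domains": ["site.example"]},
 "stats": {"regDomainStats": [{"regDomain": "site.example",
            "subDomains": [{"domain": "www", "failed": false}]}]},
 "verdicts": {"overall": {"score": 0, "malicious": false, "hasVerdicts": false}}
}""")

if __name__ == "__main__":
    print(interpret(EMPTY_SCAN))
    print(interpret(LOADED_SCAN))
```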

DavidR
Re: False positive (again)
« Reply #6 on: July 18, 2024, 06:03:50 PM »
Quote
"Avast has recently ceased sending direct responses to FPs" What does this mean? How can the problem be followed up and resolved if they no longer respond to requests?

They don't send email notifications/replies if your possible email FP report is/was considered an FP.

Did you use the on-line Web form (see below), which is the recommended reporting method? This won't draw a direct response other than internal investigation and correction if considered an FP.
-  Possible False Positive - New location to report both a False Positive and/or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

In the meantime - Investigate the link in my screenshot as to why it might be considered a URL Scam.
Test by temporarily removing that youtube-app-2 link.

multu40200
Re: False positive (again)
« Reply #7 on: July 18, 2024, 06:04:00 PM »
Yup, all the code is OK. No way to contact them now? It's been 2 months that the site has been blocked for no reason, it's just unbelievable!

DavidR
Re: False positive (again)
« Reply #8 on: July 18, 2024, 06:16:23 PM »
The way to contact them is via the form link that I gave.

But did you try removing that link as suggested? As an Avast User I'm limited in what I can do.

polonus
Re: False positive (again)
« Reply #9 on: July 19, 2024, 01:11:55 PM »
The detection has been lifted, and Avast does not flag the website any longer.

polonus