avast detects wikipedia as virus

[Jahn]

but why when some people go on the page avast don't detect it?

I don't know and as we only have one person saying they don't have an alert we would need to know what browser, OS and set-up they have as any of those things could lead to it not being detected.

I didn't watch the video (dial-up) so I have no idea what Jahn meant when he said he I followed the procedure you used in your video, and Avast doesn't detect anything.

Now why this didn't alert on one or more, is a different issue, but this detection is IMHO correct, why would a .jpg file be hacked in this way. It is still detected in the latest VPS 081227-0

I'm still not getting any detection on this page after a repair of Avast/reboot. I do believe Avast is working properly, though. Avast recently detected JS:XMLParse-A [Expl] during Scanit tests HERE, and later detected the leftover TIF's and SysVolume entries during a Standard demand scan.

My Avast providers are at default values, except I've added a redirected HTTP port (for proxy server) to Web Shield.

I can only guess that another security program is blocking the exploited jpg iframe before Avast sees it. XP SP2, Firefox 3.0.5 with ABP, Dr.Web link checker, Finjan, SiteAdvisor, NoScript, Perspectives and WOT. No detection either in IE7 with flash disabled by Toggle Flash, Finjan, WOT and Dr. Web link checker. I also use SAS Pro (my forever gratitude to CastleCops [R.I.P.] and Nick for my free lifetime licenses), Comodo Internet Security in ProActive Safe Modes (AV module not installed) and a custom Hosts file. I'm betting on CIS, though nothing shows in the firewall or Defense+ logs.

According to the video, mathboyx215 accessed the Wikipedia page via a link in a Google search for hunantv. I was attempting to duplicate the occurence, so that is what I meant when I said I went there in the same manner. Hope this clears some mud out, and sorry I couldn't get back here sooner.

[DavidR]

I don't know why you needed to add to the redirect port (what application ?), but I believe that you would also need to uncheck the Ignore Local Communication, or whatever is coming through the other redirect port might not be being scanned.

You could check the avast web shield detailed view and see if your web traffic is actually being scanned. Or if none or only partially scanned as I haven't a clue what your other proxy is doing.

You could also uncheck the option ignore local communication (see image) and try the above link again and see what happens.

[Jahn]

I don't know why you needed to add to the redirect port (what application ?), but I believe that you would also need to uncheck the Ignore Local Communication, or whatever is coming through the other redirect port might not be being scanned.

You could check the avast web shield detailed view and see if your web traffic is actually being scanned. Or if none or only partially scanned as I haven't a clue what your other proxy is doing.

You could also uncheck the option ignore local communication (see image) and try the above link again and see what happens.

Hi David, I have to add the port to Web Shield to enable Avast to scan Proxyconn traffic on port 6198. I have just verified that Avast is indeed scanning both ports 80 and 6198. I bumped Web Shield sensitivity up to High and went to the Wikipedia page - nothing. But if I run all browser tests at Scanit, or try to open a zipped file with eicar in it Avast will alert. Avast seems to be working. Checking or unchecking Ignore local communication doesn't seem to make any difference.

[DavidR]

All I think that is happening is the traffic is passing through the web shield and because it is effectively local traffic, it isn't being scanned. So why it isn't being detected when you uncheck the Ignore local communication is beyond me, but using additional port redirects you should uncheck that option.

Well I haven't got a clue what Proxyconn does or how it goes about its task, so I don't know what might go through its proxy port.

[DavidR]

After a little googling, I now know a little more about proxyconn that I did earlier and now possible a little more than you in one regard

The probably reason nothing is found, proxyconn is supposed to detect and block viruses, see image.

[Jahn]

After a little googling, I now know a little more about proxyconn that I did earlier and now possible a little more than you in one regard

The probably reason nothing is found, proxyconn is supposed to detect and block viruses, see image.

Thanks David, what you found through Google is Proxyconn's hard-sell product. I only use the accelerator, not their security suite. But it got me thinking about what security software they may have on their servers. I disabled Proxyconn and removed port 6198 from Web Shield. I went back to the Wikipedia page which did show as being scanned now on port 80, still no detection. I will leave Ignore local communication unchecked.

I don't know. I have turned off/disabled every security software I can think of; ran Firefox and IE in safe modes. Avast just isn't seeing it, yet does see other malware. Since a repair of Avast didn't help I will try a fresh download/install later tonight.

[DavidR]

Well I still get the alert, so I don't know what is going on in your system.

If you aren't going to use proxyconn (It didn't come out as making a significant difference in browsing according to comparative reviews, can't recall which) and you remove the proxy port redirect, then you should leave the ignore local communication enabled.

Only when addition ports are added to the web shield redirect should the ignore local communication be disabled.

[Jahn]

Success! Well, eventually... After a complete Avast uninstall including aswclear, a fresh install and VPS updates, Avast still didn't detect anything on the Wiki page and showed no last scanned activity in Web Shield. But after I added port 6198 to Web Shield and returned to the Wiki page, Avast alerted me to the jpg issue and I selected Abort the connection. I then deselected Ignore local communication since you say I should.

At this point my best guess is Avast became corrupted maybe through a VPS update. It's been more than a year since I installed the whole program.

I couldn't survive the net without Proxyconn which boosts my surfing speed from 40KB/s to 100KB/s according to CNET's bandwidth meter. It does nothing for download speeds, however. When I tried the local DSL it kept disconnecting me every few hours. The techs were out here weekly swapping modems and filters. Nothing helped so I finally told them to take it out.

I think I'm in good shape now, a thorough and boot scan with archives revealed no problems. Thanks again for your help, David. And thanks to mathboyx215 for starting this thread or I wouldn't have known there was a problem.

[mathboyx215]

i'm glad that i helped you through my thread

[DavidR]

You're welcome.

Getting other proxies to work in co-operation with the web shield proxy can take a little tweaking, though what you did previously should have resolved it as it was after all picking up the eicar test file. If the VPS was actually corrupt the avast integrity checking should have (I believe) picked up on that.

The main thing is that everything is now working as it should.

[zone12]

It  isnt a virus if you still get this come back and post what does the thing say about the page.

[DavidR]

I think you should read this topic again, this is most certainly not an FP, see the code in the .jpg that is causing the alert in my post, http://forum.avast.com/index.php?topic=41300.msg346726#msg346726.

Now that, no matter how you try to paint it shouldn't be in a .jpg file, so it has been modified.