Author Topic: Could this be a false positive (Read 4358 times)

donbt09 · « **on:** March 03, 2009, 11:11:59 PM »

Today the http://translator.live.com from microsoft is triggering avast virus alert (HTML:Script-inf) Could this be a false positive?

RejZoR · « **Reply #1 on:** March 03, 2009, 11:22:49 PM »

The address itself seems to be legit, however it could be a hijacked webpage. But then again, it could just as well be false positive of some sort. You may want to report it to virus@avast.com for further inspection or just wait for someone from ALWIL team to check this thread.

DavidR · « **Reply #2 on:** March 03, 2009, 11:34:15 PM »

Well it looks like there is a redirect script on that page that redirects to a site that is being blocked by the network shield.

03.03.2009 22:23:33 Network Shield: blocked access to malicious site wXX.microsofttranslator.com/Default.aspx?br=ro [ C:\Program Files\Mozilla Firefox\firefox.exe ( 3588 ) ]

Since this also belongs to Microsoft I think this could be an FP:

Quote

Name:      microsofttranslator.com
IP:      65.55.177.207
Domain:   microsofttranslator.com
Querying root.rwhois.net:4321 for microsofttranslator.com...

Querying whois.tucows.com for microsofttranslator.com...
Registrant:
Microsoft Corporation
1 Microsoft Way
Redmond, WA 98052
US

Domain name: MICROSOFTTRANSLATOR.COM

I have sent report to avast, but I guess it won't hurt for another.

donbt09 · « **Reply #3 on:** March 03, 2009, 11:38:56 PM »

Quote from: RejZoR on March 03, 2009, 11:22:49 PM

The address itself seems to be legit, however it could be a hijacked webpage. But then again, it could just as well be false positive of some sort. You may want to report it to virus@avast.com for further inspection or just wait for someone from ALWIL team to check this thread.

thanks

I reported. It looks like Microsoft is doing changes to their windows live translation URL http://liveside.net/main/archive/2009/03/03/windows-live-translator-rebranded-under-live-search.aspx.

DavidR · « **Reply #4 on:** March 03, 2009, 11:47:00 PM »

I paused the network shield to see if I could find anything obvious on the page source (I didn't) but the web shield fired this time, so I have also submitted that for further investigation.

kubecj · « **Reply #5 on:** March 03, 2009, 11:54:16 PM »

It's a FP, my mistake. Had report, virus inside, typical scamsite name

and not whitelisted. We have whitelisted most of the big companies webs because this is exactly the situation we want to avoid.

DavidR · « **Reply #6 on:** March 04, 2009, 12:10:51 AM »

Thanks for the prompt response kubecj I trust it will be corrected in the next VPS update.

kubecj · « **Reply #7 on:** March 04, 2009, 01:03:26 AM »

Yep, it's out.

RejZoR · « **Reply #8 on:** March 04, 2009, 01:30:14 AM »

Now thats what i call instant FP fixing.

DavidR · « **Reply #9 on:** March 04, 2009, 01:46:15 AM »

Yes very fast, but of course it doesn't pay to go blocking Microsoft

Lisandro · « **Reply #10 on:** March 04, 2009, 01:50:13 AM »

Quote from: RejZoR on March 04, 2009, 01:30:14 AM

Now thats what i call instant FP fixing.

Nobody wants a fight with MS

Author Topic: Could this be a false positive (Read 4358 times)

donbt09

Could this be a false positive

RejZoR

Re: Could this be a false positive

DavidR

Re: Could this be a false positive

donbt09

Re: Could this be a false positive

DavidR

Re: Could this be a false positive

kubecj

Re: Could this be a false positive

DavidR

Re: Could this be a false positive

kubecj

Re: Could this be a false positive

RejZoR

Re: Could this be a false positive

DavidR

Re: Could this be a false positive

Lisandro

Re: Could this be a false positive