Author Topic: False alert (Bug)  (Read 3465 times)

ates

  • Guest
False alert (Bug)
« on: April 16, 2010, 11:49:52 PM »
I have a website with obfuscated HTML encoded with ionCube, and avast free alerts on it as a trojan.

16/04/2010 21:56:17   SYSTEM   1392   Sign of "JS:FakeAV-EO [Trj]" has been found in "http://www.fotoadictos.es/\{gzip}" file.

The HTML encoder is written in PHP and encodes the output HTML as JavaScript.

Sorry for my bad English.

Fix this, please.

Thanks

demonix00

  • Guest
Re: False alert (Bug)
« Reply #1 on: April 17, 2010, 12:31:26 PM »
Firstly, could you make that link non-clickable by changing http to hxxp?

Secondly, Avast's web shield detection is always on the mark, which means that site has been hacked and you should notify the site's admin to get the problem fixed.

doppleganger

  • Guest
Re: False alert (Bug)
« Reply #2 on: April 18, 2010, 08:32:41 PM »
I have also had several users of my website report a threat warning (JS:FakeAV-EO [Trj]) in the last couple of days.

I also use ioncube encryption, and the reports are associated ONLY with the two pages that are encrypted.  I have two sites using the encryption, and both sites trigger the threat reports on the encrypted pages.

I have confirmed that it is the ioncube encryption causing the trigger (by switching it off - no threat report!).

I have scanned the whole site with another leading virus checker and no viruses are found.

This is a false threat warning and the problem needs to be addressed by avast.

Stran05

  • Guest
Re: False alert (Bug)
« Reply #3 on: April 18, 2010, 08:37:36 PM »
Your site is inaccessible. 404 error.

spg SCOTT

  • Guest
Re: False alert (Bug)
« Reply #4 on: April 18, 2010, 08:39:09 PM »
Hi,

Please can you then report this to ALWIL, if it is a FP?

Send an email with the details, and the subject something along the lines of "Webshield False Positive", to virus(@)avast.com

-Scott-


djdill

  • Guest
Re: False alert (Bug)
« Reply #5 on: April 19, 2010, 02:08:08 PM »
Both sites I have been working with are now being reported.

Ioncube encryption is being used on both sites.

http://www.imagelimo.com.au

C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4IWFKC8H\index[2].htm

File name: http://imagelimo.com.au
Malware Name: JS:FakeAV-EO [Trj]
Malware type: Trojan Horse
VPS version: 100419-0, 19/04/2010

Lisandro

  • Avast team
Re: False alert (Bug)
« Reply #6 on: April 21, 2010, 04:37:50 AM »
djdill, generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please edit the links to non-live ones (change http to hxxp, for instance, or add spaces within the URL).

Check here how to clean and make a website secure.

Quote
The vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects some malicious scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possibly infect his/her machine.

And this is where avast’s detection capabilities really excel. Its abilities to detect these web-based malicious scripts are second to none, and thanks to the Web Shield and Script Blocking providers, they are used exactly when needed, doing an excellent job stopping the web-based malware right on the entry point.