Author Topic: False-Positive on Google Analytics  (Read 9462 times)

0 Members and 1 Guest are viewing this topic.

ziucqea

  • Guest
False-Positive on Google Analytics
« on: August 22, 2010, 12:58:43 PM »
avast! claims there's something called 'JS: Redirector/ga.js' on each and every one of the webpages with Google Analytics, which seems to be a false-positive.
(File Name: http://www.google-analytics.com/ga.js)

:

It seems that avast! wouldn't show alerts when downloading hxxp://www.google-analytics.com/ga.js straight away.
Here's the scan report from VirusTotal: http://www.virustotal.com/file-scan/report.html?id=a5511fd969bab9f8c5f4f08940fe805384a80847479598e143da9df82375c531-1282133169
Only four (including avast! 4.8, 5.0 and GD ) out of the 41 AVs asserted it was 'infected'.

Haozip.exe is an RAR manager, in case you don't know about it.
This file is extracted from a machine running avast! which blocked the js. Let me know if you want a copy of the file.
 
« Last Edit: August 23, 2010, 11:46:31 AM by ziucqea »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89323
  • No support PMs thanks
Re: False-Positive on Google Analytics
« Reply #1 on: August 22, 2010, 03:12:06 PM »
Well I have just downloaded that file and no alert by avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ziucqea

  • Guest
Re: False-Positive on Google Analytics
« Reply #2 on: August 22, 2010, 04:39:11 PM »
Also, refer to these links: http://zhidao.baidu.com/question/175037246.html?push=ql
and http://forum.avast.com/index.php?topic=62876.0 .Use google or yahoo! or whatever you like to translate his post into English.

« Last Edit: August 22, 2010, 04:45:53 PM by ziucqea »

ziucqea

  • Guest
Re: False-Positive on Google Analytics
« Reply #3 on: August 22, 2010, 04:46:43 PM »

fp on another website

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33929
  • malware fighter
Re: False-Positive on Google Analytics
« Reply #4 on: August 22, 2010, 05:02:31 PM »
Hi ziucqea,

I cannot find anything when I go to where you get the alerts. So it must be something in your browser cache that is being alerted, or in the profile of this. Cleanse your firefox browser and then try again,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ziucqea

  • Guest
Re: False-Positive on Google Analytics
« Reply #5 on: August 23, 2010, 10:22:26 AM »
Hi ziucqea,

I cannot find anything when I go to where you get the alerts. So it must be something in your browser cache that is being alerted, or in the profile of this. Cleanse your firefox browser and then try again,

polonus
It is screen shots I found on another forum. Also, have you seen the links I posted? The poster of the second link seems to be a staff from a Chinese enterprise, Kingsoft, whose official website is also blocked by avast!.
There are hosts of guys having the same issue. Neither could I get alerts when opening the link directly, though. But since it's claimed to be a 'redirector', perhaps it would be blocked only by Webshield or whatever.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89323
  • No support PMs thanks
Re: False-Positive on Google Analytics
« Reply #6 on: August 23, 2010, 03:02:14 PM »
There have been instances of the script tag for Google Analytics being hacked, but I can't recall if this also indicated the ga.js file (I don't think so). Given the masses of script tags out there pointing at this ga.js file is this file was infected or even an FP there would be a flood of posts on the forums about it and we aren't seeing that.

See this avast blog, which also points to a forum post about it, http://blog.avast.com/2010/07/07/are-you-a-nerd/.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: False-Positive on Google Analytics
« Reply #7 on: August 24, 2010, 10:26:02 AM »
It should be OK now.
Best regards
Jan Sirmer


[modified][Official Google Analytics code is OK, this sample is not a false]
« Last Edit: August 31, 2010, 05:25:22 PM by Sirmer »

ziucqea

  • Guest
Re: False-Positive on Google Analytics
« Reply #8 on: August 24, 2010, 12:06:06 PM »
It should be OK now.
Best regards
Jan Sirmer
No, it IS NOT OK

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: False-Positive on Google Analytics
« Reply #9 on: August 24, 2010, 12:22:49 PM »
Hello,
i wrote you yesterday on email. Could you send me content of js if you are still performing any problem? Becouse i can't find this detection on http://www.google-analytics.com/ga.js
Do you have VPS up-to-date?
Best regards
Jan Sirmer

Offline Sirmer

  • Avast team
  • Sr. Member
  • *
  • Posts: 324
Re: False-Positive on Google Analytics
« Reply #10 on: August 24, 2010, 04:03:23 PM »
Hello,
thanks for a sample. This sample is not a false positive.
Thanks David.
Script is in David's post


Best regards
Jan Sirmer
« Last Edit: August 24, 2010, 09:20:31 PM by Sirmer »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89323
  • No support PMs thanks
Re: False-Positive on Google Analytics
« Reply #11 on: August 24, 2010, 05:04:36 PM »
@ ziucqea
Certainly looks like a hacked google-analytics script tag/file, this has included a call to another site 17bbj.com, which is most likely suspect in a similar way to the reference I made to the blog post. See image of the decoded script with the inclusion/insertion of the call to the 17bbj.com site.

@ Jan
It is possible that this script could be detected by avast which would kind of defeat the purpose of displaying it, I always display script example as images to ensure there is no possibility of avast alerting in the forums.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Gepetto

  • Guest
Re: False-Positive on Google Analytics
« Reply #12 on: August 31, 2013, 01:49:45 PM »
Avast is still reporting a virus with Google analytics code embedded........I do wish it would get fixed.

www.samslobsterbakes.com

The company website that hosts the site also triggers a virus alert on my machine, I wonder if the virus alerts are related.

www.superwebhost.com

Strange that another site I manage with google analytics script does not trigger the alert.  Its hosted by Maine Hosting Solutions.

www.shapefabrication.com

Any insight/solutions would be appreciated.

Thanks, Mike


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76032
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: False-Positive on Google Analytics
« Reply #13 on: August 31, 2013, 05:47:40 PM »
Any insight/solutions would be appreciated.

Note: You posted to a three year old topic. ;)
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Gepetto

  • Guest
Re: False-Positive on Google Analytics
« Reply #14 on: August 31, 2013, 11:06:48 PM »
3 years old..........gotta pay more attention to detail I guess.  Your comment made me smile a little, but a little miffed?

Why does the problem still exist after 3 years. or is the current version of the Google script "clean".  Thinking about re-registering the site with google and using
the latest(?) script.  Does that make any Sense?

thanks, Mike