Author Topic: [RESOLVED] FALSE POSITIVE VBS:Malware-gen warning in AVAST Web Shield  (Read 14387 times)


Offline daodeltaforce

  • Newbie
  • *
  • Posts: 6
 :) AVAST TECHNICAL SUPPORT RESOLVED ISSUE :)
AVAST WEB SHIELD FALSE POSITIVE AT URL http://ocampoelectronics.8m.com
SUSPICIOUS JAVASCRIPT WAS JUST HARMLESS URL TRACKING CODE

[ASW #PVG-519167]: VBS:Malware-gen
Friday, February 18, 2011 1:58 AM

Hello,

It should be fixed.
Please let me know if the problem persists.


Miroslav Jenšík
AVAST Software a.s.

Notice for UK, Canada, US and Australian users:
You can also get free phone support from our partner iYogi phone number (USA) 877-314-5079, UK customers call 808-101-9216

Ticket Details
===================
Ticket ID: PVG-519167
Department: Virus
Priority: High
Status: On Hold

Freeservers.com confirms VBS:Malware-gen web shield alert is a false positive, this code is not malware:

The code that Avast software has detected as malware is not malware, it is tracking code that has been added by freeservers to track its sites.

Please be assured that this will not cause any harm.

If you have any further questions, feel free to reply to this message and either I or another support agent will assist you.

Thanks,
Julianne Neve
Freeservers Escalation Team


Symantec Enterprise Edition reports no threat found at URL hxtp://ocampoelectronics.8m.com/.  Freeservers uses JavaScript to embed its advertising links to free-hosted sites, that's why Sucuri detects threat outside HTML.  AVAST web shield is detecting a threat in JavaScript but it is a false positive.  There is no threat.  AVAST needs to update its definitions to resolve this false positive.  A similar problem using AVAST web shield occurred at URL yahoo.com. See http://www.techrepublic.com/forum/discussions/102-267134 :) :) :)
« Last Edit: February 19, 2011, 09:55:13 PM by daodeltaforce »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36925
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #1 on: February 12, 2011, 11:31:49 PM »
Quote
There is no unsafe VBS hosted on this domain.
yea.....they always say that, when avast detects...but avast is usually correct   ;D

This page seems to be <suspicious> 7 suspicious inline scripts found.
http://www.UnmaskParasites.com/security-report/?page=ocampoelectronics.8m.com


VirusTotal - index.html
http://www.virustotal.com/file-scan/report.html?id=4fb6240ac4c1f7c836fc52283a48dc7fd11f3c938cd9c4668a240336d3871f94-1297549979
« Last Edit: February 12, 2011, 11:34:47 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84566
  • No support PMs thanks
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #2 on: February 12, 2011, 11:44:28 PM »
There is no such thing as a known good URL as things change so rapidly and hacking sites is the most frequent means of infection.

However, I get no alert on this page with firefox 3.6.13 and 110212-1 virus definitions and the site appears to be incomplete (like a place holder page), it just appears to have a freeserver log on, an enquiry page and selling AVG. So I have to wonder if this isn't link promotion.

So unless it has been taken down to clean house
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.1.2449 (build 21.1.5968.561) UI-1.0.597/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #3 on: February 13, 2011, 06:42:42 AM »
Please never assume yourself that the site is not infected and it's a false positive by avast just because you know the site or you have been using it for a long time. Please wait at least until you have got an update from avast.
Please make sure that you enable the webshield again. It's gonna hurt your computer if the website is really infected.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31333
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #4 on: February 13, 2011, 06:48:00 AM »
Currently it is affiliate site for Amazon products.
It means the site owner gets a little payment each time someone purchases a product through that site. Better directly buy at Amazon i.m.o.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36925
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #5 on: February 13, 2011, 12:00:46 PM »
NORMAN analysis

Quote
The parent domain is a web hosting site with both free and premium categories, if it is a free hosting then Ads will be on the site, due to the suspicious behaviour of the unescape and decode functions and possibilities of redirecting to a malicious advertisement currently adding detection will monitor this and update according to their actions.

detection added for - ocampoelectronics.8m.com.htm : Processed - JS/Agent.JP


« Last Edit: February 13, 2011, 08:39:58 PM by Pondus »

Offline Gopher John

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2098
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #6 on: February 13, 2011, 05:14:54 PM »
I'm wondering why the link in the original post is still a live link.  In most moderated forums, such links are killed.  Why not here? :-\
AMD A6-5350M APU with Radeon HD Graphics, 8.0GB RAM, Win7 Pro SP1 64bit, IE11
i7-3610QM 2.3GHZ, 8.0GB Ram,  Nvidia GeForce GT 630M 2GB, Win7 Pro SP1 64bit, IE 11
Common to both: Avast Premium Security 19.7.2388, WinPatrol Plus, SpywareBlaster 5.5, Opera 12.18, Firefox 68.0.2, MBam Free, CCleaner

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36925
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #7 on: February 13, 2011, 05:35:59 PM »
Quote
I'm wondering why the link in the original post is still a live link.  In most moderated forums, such links are killed.  Why not here? :-\

Then you click "report to moderator" ......just did so let's see if anything happens   ;)

Offline daodeltaforce

  • Newbie
  • *
  • Posts: 6
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #8 on: February 13, 2011, 07:40:29 PM »
I've been reading a lot of blogs.  It looks like VBS:Malware-gen is reported by many Avast users giving a false positive.  I have informed the web hosting service provider which is owned by United Online to examine this issue to determine if there is any infection.  I am fairly certain that there is no malicious Visual Basic Script and Avast Web Shield is reporting a false positive because I tested the URL on my Windows 7 PC.  (1) I ran a full AVAST system scan after viewing the website and Avast reported no infection found, and (2) I ran a full Malwarebytes system scan which reported no malicious code found.  United Online does embed advertising on some of its members' hosted web pages but this does not appear to be related to the VBS:Malware-gen false positive.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84566
  • No support PMs thanks
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #9 on: February 13, 2011, 09:27:12 PM »
You can't use that as any sort of confirmation as the VBS:Malware-gen is a generic signature designed to catch new versions of a particular type of malware. So what was being alerted on could be entirely different in each case.

There are, if you browse the viruses and worms forum, many such cases of users reporting false positives, but by the end of the topic most are found to be good detections.

MBAM won't find anything as it isn't even looking for that sort of thing anyway, plus you are scanning your computer and the avast alert effectively blocks anything getting onto the system.

Generic signatures are a fine balance between not catching new variants and detecting something that is good, but avast in the past has been very accurate. So each case really has to be investigated on its own merits.

In this case there certainly is something strange going on with this number of obfuscated scripts outside of the closing HTML tag, a standards no-no.

So whilst this is ongoing:
- Please 'modify' your post, change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

~~~~
You can use the new - Contact avast http://www.avast.com/contact-form.php?loadStyles form to report what you consider a false positive on a web site for further analysis.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.1.2449 (build 21.1.5968.561) UI-1.0.597/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
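
Added example, not part of the thread or any poster's code: a small Python check for the two traits discussed in the replies above, inline scripts placed after the closing `</html>` tag and use of `unescape`-style decoding. The sample page, the `tracker.example` host and the decoder list are constructed assumptions, and the check does not reproduce any vendor's signature.

```python
import re

# Constructed sample page: one script inside the document and two trailing
# scripts after </html>, one of them built with document.write(unescape(...)).
SAMPLE_PAGE = """<html><head><title>shop</title>
<script>var cart = [];</script></head>
<body><p>Welcome</p></body></html>
<script>document.write(unescape('%3Cscript%20src%3D%22//tracker.example/t.js%22%3E%3C/script%3E'));</script>
<script>var hits = 1;</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
HTML_END_RE = re.compile(r"</html\s*>", re.I)
# Decode/evaluate calls of the kind the Norman analysis calls suspicious.
# The exact list is an assumption made for this example.
DECODERS = ("unescape", "decodeURIComponent", "String.fromCharCode", "eval", "atob")


def scan_page(html):
    """Return one finding per inline script: whether it sits after </html>
    and which decoder-style calls it uses."""
    ends = [m.end() for m in HTML_END_RE.finditer(html)]
    doc_end = ends[-1] if ends else None  # None: page never closes <html>
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if not body.strip():
            continue  # external script (src=...) with an empty body
        used = [d for d in DECODERS if re.search(re.escape(d) + r"\s*\(", body)]
        findings.append({
            "offset": m.start(),
            "after_html_end": doc_end is not None and m.start() >= doc_end,
            "decoders": used,
        })
    return findings


def triage(findings):
    """Trailing scripts that also decode text deserve a manual look;
    trailing-only scripts are just non-standard markup."""
    trailing = [f for f in findings if f["after_html_end"]]
    review = [f for f in trailing if f["decoders"]]
    return {"inline": len(findings), "trailing": len(trailing), "review": len(review)}


if __name__ == "__main__":
    print(triage(scan_page(SAMPLE_PAGE)))
```

A hit from this check only says a script is worth decoding and reading by hand; as the thread shows, host-injected tracking code has the same shape.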

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36925
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #10 on: February 13, 2011, 09:42:00 PM »
@daodeltaforce check your message box, top right corner

Offline daodeltaforce

  • Newbie
  • *
  • Posts: 6
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #11 on: February 14, 2011, 10:48:15 PM »
Quote
Currently it is affiliate site for Amazon products.
It means the site owner gets a little payment each time someone purchases a product through that site. Better directly buy at Amazon i.m.o.

So why better to buy direct? There's nothing wrong with hosting Amazon's products--that's why Amazon.com has set up the Amazon Affiliate Network.  The customer pays the exact same price at the Affiliate website, and there's never any extra fees, and the customer makes his purchase directly through Amazon.com's https portal, so you just don't want to see this guy make a little money for selling Amazon stuff?  That's not a good reason.  Just picking on him because he's an Amazon Affiliate member.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31333
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #12 on: February 15, 2011, 11:10:21 AM »
Learn to read.
Did I say there is something wrong with hosting products from a company? No.
Did I say I don't want that person to make a little money? No.
Did I pick on that person? No.

I only said it is an affiliate site and in my opinion it is better to buy directly from a store than through this affiliate. That is all I said.
The reason for this is simple. Multiple tests/checks say the site is at least suspicious. Why use a suspicious site instead of using a trusted one?

Offline daodeltaforce

  • Newbie
  • *
  • Posts: 6
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #13 on: February 15, 2011, 05:38:16 PM »
Quote
Learn to read.
Did I say there is something wrong with hosting products from a company? No.
Did I say I don't want that person to make a little money? No.
Did I pick on that person? No.

I only said it is an affiliate site and in my opinion it is better to buy directly from a store than through this affiliate. That is all I said.
The reason for this is simple. Multiple tests/checks say the site is at least suspicious. Why use a suspicious site instead of using a trusted one?

I read quite well, thank you.  Your cautionary statement is well taken but even the biggest newbie knows better than to circumvent Avast web shield and expose their system to a potential malware infection (unless they are using a test system or running VM). It is highly unlikely that anyone who is relying on Avast web shield protection who then encounters an alert blocking a potentially infected site is going to (1) disregard it, (2) turn off web shield, or (3) add an exclusion, without first checking that the potential threat is confirmed benign.  Even the most popular websites are susceptible to infection because they rely on third party providers for advertising which makes them susceptible to unsafe script.  In any event, Avast technical support has confirmed nothing detected.  Symantec and McAfee also report nothing detected.

[ASW #PVG-519167]: VBS:Malware-gen
Tuesday, February 15, 2011 7:20 AM

Hello,

avast! does not detect this site now. Please update your program + database and check it again to confirm.

If the problem persists, please send us the  screen shot with avast! message.

Miroslav Jenšík
AVAST Software a.s.

Notice for UK, Canada, US and Australian users:
You can also get free phone support from our partner iYogi phone number (USA) 877-314-5079, UK customers call 808-101-9216

Ticket Details
===================
Ticket ID: PVG-519167
Department: Virus
Priority: High
Status: On Hold

Offline daodeltaforce

  • Newbie
  • *
  • Posts: 6
Re: FALSE POSITIVE VBS:Malware-gen warning for confirmed safe URL.
« Reply #14 on: February 18, 2011, 03:41:04 PM »
Quote
Currently it is affiliate site for Amazon products.
It means the site owner gets a little payment each time someone purchases a product through that site. Better directly buy at Amazon i.m.o.

Avast Technical has resolved the issue.  
It was a FALSE POSITIVE at URL hxtp://ocampoelectronics.8m.com/.  
THERE WAS NO SUSPICIOUS CODE AT THIS WEBSITE.

[ASW #PVG-519167]: VBS:Malware-gen
Friday, February 18, 2011 1:58 AM

Hello,

It should be fixed.
Please let me know if the problem persists.


Miroslav Jenšík
AVAST Software a.s.
« Last Edit: February 18, 2011, 04:29:32 PM by Milos »