Author Topic: Not sure where to post this..........  (Read 5848 times)


AU4U

  • Guest
Not sure where to post this..........
« on: April 09, 2011, 01:09:52 AM »
I was doing some research on a past VLC vulnerability and came across 2 sites that avast blocked.
VirusTotal results show no problems with the site.
M86 (Finjan) gave a green light for the sites in question.

SITE: wXw.coresecurity(dot)com/content/vlc-activex--vulnerability   THREAT: JS:Shellcode-BQ[Expl]
VirusTotal results:
1) http://www.virustotal.com/url-scan/report.html?id=0b42dd5f7572a0a033af4710555265a6-1302295169
2) http://www.virustotal.com/file-scan/report.html?id=dbe4a19f0512f3f69faa08936cbbb891851e0b2d381fb6232e30053c838f4b6e-1302302371

SITE: wXw.securiteam(dot)com/windowsntfocus/6A0011FKKS.html  THREAT: JS:Shellcode-BQ[Expl]
VirusTotal results:
1) http://www.virustotal.com/url-scan/report.html?id=9be1f2cca75602f33913bb673bebce4c-1302296304
2) http://www.virustotal.com/file-scan/report.html?id=704f860b87a8e7f2729ae385e7aa260868ff6e9e3dfeef349975884f2152bae9-1302303507

WHY is avast! blocking apparently clean sites?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11856
    • AVAST Software
Re: Not sure where to post this..........
« Reply #1 on: April 09, 2011, 01:17:13 AM »
Because the guys are posting the exploit code (PoC) on these pages.
While the pages are not dangerous, I wouldn't call it "clean".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89205
  • No support PMs thanks
Re: Not sure where to post this..........
« Reply #2 on: April 09, 2011, 01:23:26 AM »
Should really be in the viruses and worms forum since it is detection/malware related.

Hopefully one of the moderators can move it.

I have to wonder what a legit site is using shellcode for.

1st one, see image1:
OK, I see it: someone has posted the actual shellcode exploit code in the web page, rather than using an image of the exploit code. Interestingly, I didn't get an alert.

2nd one, see image2:
This page appears to have been removed (not active or under revision), possibly because of the same problem, exploit code posted on the page and not in an image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

pcclean3453

  • Guest
Re: Not sure where to post this..........
« Reply #3 on: April 09, 2011, 01:23:42 AM »
Are you sure you didn't have site block enabled? For example, one avast! person said that he has malware that avast! finds and Kaspersky doesn't, malware that avast! doesn't find but Norton does, and viruses that avast! will find and AVG won't. No antivirus is perfect. Did you try a boot time scan? It might help.

Offline DavidR
Re: Not sure where to post this..........
« Reply #4 on: April 09, 2011, 01:26:46 AM »
What you are suggesting has nothing to do with this topic; avast appears to have legitimately detected a shellcode exploit on a web page. Despite the fact that it wasn't posted with the intent to exploit, examples of exploit code should really be displayed as images.

AU4U
Re: Not sure where to post this..........
« Reply #5 on: April 09, 2011, 01:42:58 AM »
> What you are suggesting has nothing to do with this topic; avast appears to have legitimately detected a shellcode exploit on a web page. Despite the fact that it wasn't posted with the intent to exploit, examples of exploit code should really be displayed as images.

OK, so it's the sites issue with how the page displays the code.

BTW, thanks for the FYI, but why is it that M86 gives the page a green OK? Does their search engine recognise the difference?

Offline DavidR
Re: Not sure where to post this..........
« Reply #6 on: April 09, 2011, 02:00:43 AM »
I rather think that it isn't even looking for this type of thing.

The web shield often finds stuff that no other AV finds, and that can be seen in the many VT results in the virus and worms forums; contrary to what most people think, they aren't suspect FPs that they are reporting.

Whilst in this case, as Igor said, posting exploit code wasn't dangerous as there didn't appear to be a way to actually activate it, the web shield isn't going to that kind of depth; it just sees the exploit code within the actual page HTML code, etc.

It is just safer to post this type of PoC (Proof of Concept) code in an image, if for no other reason than that the script kiddies out there don't just have to do a copy and paste to have a workable exploit.

AU4U
Re: Not sure where to post this..........
« Reply #7 on: April 09, 2011, 05:06:47 AM »
> It is just safer to post this type of PoC (Proof of Concept) code in an image, if for no other reason than that the script kiddies out there don't just have to do a copy and paste to have a workable exploit.

It's been patched since '98

Offline igor
Re: Not sure where to post this..........
« Reply #8 on: April 09, 2011, 10:54:13 AM »
> Whilst in this case, as Igor said, posting exploit code wasn't dangerous as there didn't appear to be a way to actually activate it, the web shield isn't going to that kind of depth; it just sees the exploit code within the actual page HTML code, etc.

Well, don't take my word for it, I'm just guessing here... but I can imagine a tiny JavaScript appended to such a page which would extract the exploit text from the page and copy it into the real HTML, i.e. activate it. That way, including the exploit code "as a text" would be a nice way of fooling the AV scanner (if the AV scanner ignored the text fields on purpose).
So, I am not sure if we'd really want to perform that kind of deep analysis...
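The point igor makes above, that a scanner which ignored ordinary text nodes could be fooled by PoC code placed outside `<script>`, can be illustrated with a small detector. The following Python is an added example and is not code from anyone in this thread or from avast!: it walks every data node of an HTML document with the standard-library `html.parser`, flags runs of `%uXXXX` and `\xXX` escapes (the two encodings PoC shellcode is usually pasted in), and reports where in the tag tree each run sits. The sample page, the threshold of eight escapes, and the `scan_text_nodes` switch are assumptions made for the example; the switch imitates a scanner that only inspects `<script>` content, so the difference in results shows what such a scanner misses.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a page from this thread): an advisory that pastes
# PoC text into a <pre> block and a script, next to a benign paragraph.
# Both runs are only 0x90 NOP bytes, so the sample carries no working payload.
SAMPLE_PAGE = """<html><body>
<h1>Advisory (constructed sample)</h1>
<p>The vendor has released a patch; update to the latest version.</p>
<pre>
var shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
</pre>
<script>var x = "\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90";</script>
</body></html>"""

# Heuristics: eight or more consecutive escapes of either form. The threshold is
# an assumption chosen to keep short, legitimate escapes (e.g. a single "%u00e9")
# from being flagged.
PATTERNS = {
    "percent-u escape run": re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}"),
    "hex byte escape run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


class ShellcodeTextScanner(HTMLParser):
    """Records shellcode-like escape runs in every data node of a page.

    With scan_text_nodes=False only <script> content is inspected, which is the
    behaviour a scanner that "ignored the text fields" would have.
    """

    def __init__(self, scan_text_nodes=True):
        super().__init__()
        self.scan_text_nodes = scan_text_nodes
        self.stack = []   # open tags, innermost last
        self.hits = []    # (tag path, pattern name, start of the matched run)

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate slightly unbalanced markup.
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        # html.parser delivers <script> bodies through handle_data as well,
        # so this one hook sees text nodes, <pre> blocks and script source.
        in_script = bool(self.stack) and self.stack[-1] == "script"
        if not (in_script or self.scan_text_nodes):
            return
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(data):
                self.hits.append(("/".join(self.stack), kind, match.group(0)[:24]))


def find_shellcode_like(html, scan_text_nodes=True):
    """Return a list of (tag path, pattern name, snippet) for each run found."""
    scanner = ShellcodeTextScanner(scan_text_nodes)
    scanner.feed(html)
    scanner.close()
    return scanner.hits


if __name__ == "__main__":
    for mode in (True, False):
        print(f"scan_text_nodes={mode}:")
        for path, kind, snippet in find_shellcode_like(SAMPLE_PAGE, mode):
            print(f"  {path}: {kind} starting {snippet!r}")
```

Run against the sample, the full scan reports both the `<pre>` run and the `<script>` run, while the script-only mode reports just the `<script>` one: the `<pre>` text is exactly the material a page could later move into live HTML, which is why scanning every node, as the web shield evidently does, is the safer default even when it means alerting on advisories.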

pcclean3453
Re: Not sure where to post this..........
« Reply #9 on: April 09, 2011, 01:49:17 PM »
I guess you could try to scan all the files on the page. But don't take this seriously. I'm just giving some try-outs.

BTCentral

  • Guest
Re: Not sure where to post this..........
« Reply #10 on: April 09, 2011, 02:40:53 PM »
If you really want to access those sites, you could always just add them to the Web Shield exclusions list yourself.
Expert Settings -> Exclusions -> Tick URLs to Exclude -> Enter URL in box -> Click OK.

Personally, if anything it sounds like a good thing to me the way it currently is.
« Last Edit: April 09, 2011, 02:43:50 PM by BTCentral »

Offline DavidR
Re: Not sure where to post this..........
« Reply #11 on: April 09, 2011, 04:17:27 PM »
> I guess you could try to scan all the files on the page. But don't take this seriously. I'm just giving some try-outs.

Basically they already are, as they are all downloaded to the browser cache via the avast web shield proxy, where they are scanned.

Offline DavidR
Re: Not sure where to post this..........
« Reply #12 on: April 09, 2011, 04:25:48 PM »
> If you really want to access those sites, you could always just add them to the Web Shield exclusions list yourself.
> Expert Settings -> Exclusions -> Tick URLs to Exclude -> Enter URL in box -> Click OK.
>
> Personally, if anything it sounds like a good thing to me the way it currently is.

Not a good idea to exclude sites, as the web shield has been very accurate in its detections in the past and you have no idea why the avast web shield alerted. So reporting it, as has been done, is the best option: if it is good, no problem, then you can inform the site, etc., or if it does happen to be a false positive then avast can take corrective action. Simply adding it to the web shield exclusions won't achieve either of these.

Without opening the page, unless you know how to analyse the page content from the outside (which the OP tried, but they didn't find anything) or use other methods where the user isn't at such risk whilst investigating, the easier, safer option is reporting it here.

BTCentral
Re: Not sure where to post this..........
« Reply #13 on: April 09, 2011, 04:39:15 PM »
> If you really want to access those sites, you could always just add them to the Web Shield exclusions list yourself.
> Expert Settings -> Exclusions -> Tick URLs to Exclude -> Enter URL in box -> Click OK.
>
> Personally, if anything it sounds like a good thing to me the way it currently is.

> Not a good idea to exclude sites, as the web shield has been very accurate in its detections in the past and you have no idea why the avast web shield alerted. So reporting it, as has been done, is the best option: if it is good, no problem, then you can inform the site, etc., or if it does happen to be a false positive then avast can take corrective action. Simply adding it to the web shield exclusions won't achieve either of these.
>
> Without opening the page, unless you know how to analyse the page content from the outside (which the OP tried, but they didn't find anything) or use other methods where the user isn't at such risk whilst investigating, the easier, safer option is reporting it here.
I never said it was a good idea - I said if they really want to. I was simply pointing out that they could exclude it, not that they should. ;)

If you are visiting sites for security research that potentially have exploits you should be doing so in a Virtual Machine and preferably a Sandbox inside that VM too in my opinion.
« Last Edit: April 09, 2011, 04:45:50 PM by BTCentral »

Offline DavidR
Re: Not sure where to post this..........
« Reply #14 on: April 09, 2011, 05:12:04 PM »
Why even suggest it if you don't think it a good idea? We have no control over what whoever is reading this forum might do, or their experience level.

Those with the VM setup and sandbox, etc. etc. are most likely not to need a pointer in that direction.