Author Topic: Probably false positive on "Tim & Eric" message board  (Read 8017 times)

Offline mbd35

  • Jr. Member
  • **
  • Posts: 62
Probably false positive on "Tim & Eric" message board
« on: September 30, 2011, 08:19:48 PM »
Clicking on the different pages in this thread is triggering the network shield in Avast. This is a legit message board for a TV show, not some shady porn site. Try clicking on page 4 or page 3 and see if Avast blocks something. Try again if it doesn't block the first time. http://www.tgttm.com/jefferton/viewtopic.php?f=24&t=5486&start=25

And the supposedly malicious blocked URLs involve image files. The last blocked connection was to http://www.tgttm.com/jefferson/images/smilies/sad.gif. But it seems to block something different each time.

I use Firefox 7 and the free version of Avast if that makes any difference.


« Last Edit: September 30, 2011, 08:21:48 PM by mbd35 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Probably false positive on "Tim & Eric" message board
« Reply #1 on: September 30, 2011, 08:32:22 PM »
The fact that it is a legitimate board doesn't stop it becoming hacked/infected, possibly more so if it is a popular site.

If the site has been infected it wouldn't take long before the reported detections by the web shield triggered the site being added to the malicious sites list and blocked by the Network Shield.

No problem accessing the first link, without avast alerting and no block by the network shield. I was also able to access the second link without avast alerting and no block by the network shield.

So I don't know what is wrong; ensure that you have the latest virus definitions update.

Nothing found on http://www.urlvoid.com/scan/tgttm.com or http://sitecheck.sucuri.net/scanner/ for the site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline mbd35

Re: Probably false positive on "Tim & Eric" message board
« Reply #2 on: September 30, 2011, 08:38:27 PM »
I have the latest virus definitions.

The annoying thing is that you may have to click around the different thread pages for a while before the network shield blocks anything. Sometimes it does it right away and sometimes it doesn't.

I wonder if anyone else can reproduce this.

Offline kyuuketsuki_kurai

  • Jr. Member
  • **
  • Posts: 88
Re: Probably false positive on "Tim & Eric" message board
« Reply #3 on: September 30, 2011, 08:39:34 PM »
I got an alert the first time I clicked the 2nd link, but not when I went back to the site again. Very odd.
It alerted in hxxp://www.tgttm.com/favicon.ico
Alienware 17, Windows 10, Intel Core i7-4700MQ, 8GB RAM, Avast 19.2, Chrome 72.0 64-bit

Offline DavidR

Re: Probably false positive on "Tim & Eric" message board
« Reply #4 on: September 30, 2011, 08:50:59 PM »
The favicon.ico is one of the favourite (excuse the pun) targets as that is loaded when the page loads, so if hacked it can trigger an exploit possibly taking you to a site that is blocked by avast.

So what is needed really is a screenshot of the alert window as that would show the target.

I have tried to capture the tgttm.com/favicon.ico, but I just get a server error and if I just visit the hXXp://wXw.tgttm.com page it loads fine and no favicon.ico file is loaded into the Firefox address bar.

Offline mbd35

Re: Probably false positive on "Tim & Eric" message board
« Reply #5 on: September 30, 2011, 09:13:34 PM »
Whatever this was, it may have been resolved. It doesn't seem to be happening now. But we'll see.



Offline mbd35

Re: Probably false positive on "Tim & Eric" message board
« Reply #6 on: October 01, 2011, 10:19:21 PM »
Okay, it's doing it again. Here's a screen capture.

http://oi55.tinypic.com/2461ez6.jpg
« Last Edit: October 01, 2011, 10:27:58 PM by mbd35 »

Offline DavidR

Re: Probably false positive on "Tim & Eric" message board
« Reply #7 on: October 01, 2011, 10:57:52 PM »
Unfortunately this only makes it more strange; the avast network shield alerting on that URL would normally be an indication that the 'domain' was in its malicious sites list. So I would expect the site to be blocked without actually alerting on a specific file. More so when that file is a .gif file, although just because the file type is .gif doesn't mean it is actually a .gif file. Though this time I have been able to download a copy of the file and find no malware 0/43, VirusTotal scan results. I have even viewed it as an image and it displays correctly, image1.

So I honestly don't understand what is going on with this intermittent detection.

There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media), issues.

- If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc.


http://www.tgttm.com/jefferton/images/ranks/0.gif
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
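
Reply #7 notes that a `.gif` extension does not guarantee the content is a GIF. As an added example (not part of the original thread), this sketch checks a downloaded file structurally instead of trusting its name: it verifies the signature, walks every block to the trailer, and reports bytes appended after it. The function names and the sample bytes are constructed for this illustration.

```python
import struct

# Constructed sample: a minimal 1x1 GIF89a, built by hand for this example.
SAMPLE_GIF = (b"GIF89a" b"\x01\x00\x01\x00\x80\x00\x00" b"\xff\xff\xff\x00\x00\x00"
              b"\x21\xf9\x04\x01\x00\x00\x00\x00"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00" b"\x3b")

def _skip_sub_blocks(data, pos):
    """Walk length-prefixed sub-blocks until the zero-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def inspect_gif(data):
    """Return (verdict, detail) for bytes served under a .gif name."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return "not-gif", "missing GIF87a/GIF89a signature"
    try:
        width, height, packed = struct.unpack_from("<HHB", data, 6)
        pos = 13                                  # header + logical screen descriptor
        if packed & 0x80:                         # global colour table present
            pos += 3 * (2 << (packed & 7))
        while True:
            if pos >= len(data):
                raise ValueError("no trailer byte (0x3B) found")
            kind = data[pos]
            if kind == 0x3B:                      # trailer: end of the image stream
                pos += 1
                break
            if kind == 0x21:                      # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif kind == 0x2C:                    # image descriptor (10 bytes)
                if pos + 10 > len(data):
                    raise ValueError("truncated image descriptor")
                local = data[pos + 9]
                pos += 10
                if local & 0x80:                  # local colour table present
                    pos += 3 * (2 << (local & 7))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW minimum code size
            else:
                raise ValueError("unknown block type 0x%02x at offset %d" % (kind, pos))
    except (ValueError, struct.error) as exc:
        return "malformed", str(exc)
    if pos < len(data):
        return "trailing-data", "%d bytes after the trailer" % (len(data) - pos)
    return "ok", "%dx%d" % (width, height)
```

A `trailing-data` or `malformed` verdict is a reason to look closer at the file, not proof of malware; an `ok` verdict only says the container is well-formed.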

Offline mbd35

Re: Probably false positive on "Tim & Eric" message board
« Reply #8 on: October 02, 2011, 12:21:56 AM »
Another screen grab. Different file blocked this time. http://oi55.tinypic.com/f4c3k.jpg

I wonder what about this site is sporadically triggering the Avast alerts.

Offline mbd35

Re: Probably false positive on "Tim & Eric" message board
« Reply #9 on: October 02, 2011, 06:19:17 PM »
> There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Press (Media), issues.
>
> - If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review, etc.

I reported the URL and they were very prompt and helpful. It's being fixed in the next update.

"Hello,
thanks a lot. It will be fixed in next VPS. Problem was that we blocked
IP used for tgttm.com and parallel used for other site with malicious
content"

Offline DavidR

Re: Probably false positive on "Tim & Eric" message board
« Reply #10 on: October 02, 2011, 07:27:15 PM »
Yes they are usually quite prompt to correct when it is confirmed.

There has just been a virus update, so you could check it out again and see if it is that one or the next which resolves it.

Offline mbd35

Re: Probably false positive on "Tim & Eric" message board
« Reply #11 on: October 02, 2011, 07:34:38 PM »
> Yes they are usually quite prompt to correct when it is confirmed.
>
> There has just been a virus update, so you could check it out again and see if it is that one or the next which resolves it.

I can see why Avast releases definition updates so often. They must have to correct little things like this all the time, in addition to keeping up with all the malware, infected sites, etc.

Offline DavidR

Re: Probably false positive on "Tim & Eric" message board
« Reply #12 on: October 02, 2011, 07:38:33 PM »
There are many that say they don't release enough; on average it is two VPS updates per day and for the most part they aren't for corrections.