Network Shield: WHY not configurable to "ASK"-mode???

[Anacunga]

Had to visit a website that is blocked by Network-Shield.

The only way is to totally disable Network-Shield - there is no ASK-mode provided ...

WHY???

[DavidR]

Well because the Network Shield has no user defined settings and it is blocking what it considers a malicious site.

You would be surprised by the number of people reporting false positive alerts on web sites in the virus and worms forum, only to find after investigation that it isn't an FP.

Avast has always followed a policy not to make it too easy, e.g. one click to exclude a file/site, etc. in a detection as the resultant damage to a users system either through accidental clicking or insufficient information to make a decision if it is clean or not.

So it has to be a deliberate act by a user to exclude or in this case disable to override the alert.

What you should be doing is reporting the detection as a possible FP (network shield) in the viruses and worms forum and it can be investigated. If found to be an FP then it can be modified in the viruses definitions, this usually happens quickly and benefits all avast users and not just one.

You can also use the on-line contact form, to ask for a review (network shield) in the site - http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

[polonus]

Hi Anacunga,

I was putting this down while reading a similar sort of response from DavidR, still I will post it here to give some additional information towards the same end.
Because the alerts of the Network Shield are very accurate and will block you from getting infected by malware. You cannot make that configurable with an ASK mode! What if I ask you, "Do you like to get infected with malcode", and you would answer: "Yes, I like to disable this, because I rather like to visit a possible malcious site?". I think the answer to that question is clear and obvious. Always have the Web and Network Shields up and running in the everchanging malware landscape of the Internet. A site may be clean one minute and a few minutes later may have been hacked and injected automattically with malicious code to infest the visitors thereof. If a Network Shield block really puzzles you, you can give an image of the Network Sield alert message and the URL that was blocked in non-click-through form like hztp or wXw on the virus and worms section to be checked. If then it would appear the site has been cleansed or an IP block could be lifted you should file a false positive report to avast, because they finally will decide what is alerted and what is not. Bringing an ASK"-mode to Network Shield would be as unwise as the reasoning of some gamers to disable av solutions and firewalls  because it "slows down" their gaming comps,

polonus

[Anacunga]

OK - so far ... but in that specific case, there is more behind! My first question was very simple - but ...

First of all, you have to know that the website is one of those sites that huge commercial software companies do not want that they exist - so it is not to exclude that blocking could be "politically motivated"; there is an other reason that could indicate to that. But let's first analyze the whole procedure.

And secondly you have to know that the whole procedure here was done with scripting turned off. I'll come back to the consequences this detail can have fürther below.

1. First level blocking: "network-shield blocks a malicous website".

Infection: URL:Mal

Very informative - isn't it?

so let's disable network-shield and look what's comin on.

2. second level blocking: Virus found

Infection: JS:ScriptIP-inf [Trj]

There is no direct info that this was the web-shield; you can only notice it by realizing that the infected object itself is in the shape of a web-url! You only can see it directly if you go to the web-shield window in the main menu and observe the red traffic shield event line move.

Clicking "abort connection" as action to take.

OK, so let's stop web-shield too.

3. third level blocking: again "virus found", again JS:ScriptIP-inf [Trj] - this time the object is the html-file for that page inside the IE-browser-cache.

So, let's click on OK with the action "move to chest" or "delete" or just click the window-close-x (on top right of the alert-popup). What happens? Immediately the alert-popup comes again - and when moving to chest, there is nothing in the chest if you check what's in there. Only solution is to set "block" as action - then the website opens.

4. please remember that scripting is still disabled - so malware that is bound to scripting can't do any harm. So next step falls away - but would be to expect that fourth level blocking would be Script-Shield. But I did not go so far.

Coming back to the infection itself called "JS:ScriptIP-inf [Trj]" ... If you google it, you don't really find what kind of malware that ought to be - and it really looks like a "preventive dummy alert" provocated by heuristics to ban disagreeable stuff.

So what's really going on?

The next step you could be instructed by the big sw-companies could be to find new names for that kind of malware so that the user can't see anymore that the malware can be immunized by disabling scripting? Or would that just a little too much conspiration theory?

Why are you not proposing the possiblility to access a website with scripting turned off when it's clear that the malware is inside a script - and by turning scripting off it can't do any harm?

And the main question remains: why is network-shield not overridable in the same way as other shields are?

And when we just discuss it: it's a kind of questionable to have windows that are in front of all - even in front of the system tray and the main menu on the bottom of the screen ... as it's making it very difficult to trace down the source of a problem without the possibility to get the entire alert info (including file path, registry change request range etc.) into a simple editable and (in a text file) pastable format.

[Pondus]

could you also post the url so we may have a look?
post it none clickable......http as hxxp and www as wxw

[Anacunga]

if you dare: download-crack-serial (without the w's in front; standard commercial tld).

[DavidR]

So you just had to visit that site, but avast's network shield wouldn't let you. Reality check, the network shield doesn't block because "the website is one of those sites that huge commercial software companies do not want that they exist."

It blocks it because it considers the site malicious and cracks aside from any moral or legal implications, they are very high risk as they frequently come with uninvited guests.

[polonus]

What if you know  this  JS:ScriptIP-inf malware from hxtp://download-crack-serial.com/search.php?s= is now dead, but was found to be active from there for 7202.8 hrs.
Would not you blacklist the site, like Bitdefender does actually. 
PUA.Packed.ASPack malware was found active for a 3333,5 hrs period before finally being closed down.
These findings are supported by this http://www.mywot.com/en/scorecard/downloadcrackserialkeygen.com?utm_source=addon&utm_content=popup-donuts
And the website av warning from here: http://www.webutation.net/go/review/downloadcrackserialkeygen.com
That it has this IDS warning: Suricata /w Emerging Threats   
Timestamp   Source IP   Destination IP   Alert
2012-05-10 17:04:19   85.159.233.95   urlQuery Client   ET RBN Known Russian Business Network IP (386)
see: http://urlquery.net/report.php?id=53518
This all could imply that that the contents of the site is being frowned upon by US officials to say the least,
aside from the risks of receiving additional adware/spyware/malware (who is going to complain in the aftermath?)
that could be an additional bonus for visiting such sites.,

polonus

[Anacunga]

@DavidR:

I had to visit that website at a customers disposition to trace down some possible sources of problems he had. And as I use AVAST as protection, I ran into the described problem of just getting blocked that website without usable information why it is blocked - not more and not less.

But your answer seem to be a confirmation that the site is blocked only "for political reasons" - and that seems to be even confirmed as the detailed information about the blocking reason is not given. That's also what I complain about: just only "URL:Mal" is not enough information to see what's the problem with the site! And to find out, you have to disable part of your protection.

It blocks it because it considers the site malicious

The problem here is still: you do not get ANY information why AVAST considers this site as being malicious! And the way you are answering implies that you'd like to deny the right of the user to know what the reason for blocking is. Considering it as justifide just by knowing that it is a "crack-serial"-website is another question ...

and cracks aside from any moral or legal implications

... that's another battlefield ... but considering crack-websites per se as "virus/malware-infected" is just a lie to the user (I don't use only "malicious" here!) - and the consequence can be that the user is disabling protection and opens the doors for much worse problems. That's also why it is necessary to have appropriate information.

they are very high risk as they frequently come with uninvited guests.

... that's known - but a valuable protection is intercepting that - as long as it was not disabled because of the reasons mentioned above.

@polonus:

My complaint is not the fact that the mentioned site is blocked by network shield, but that you do not get enough information why it was blocked - without disabling part of the protection! If you want to know some minor details, you have to disable protection. That's what I am complaing about!

btw: urlQuery reports: - No alerts detected

Sorry, but that a crack-serial-site has a poor reputation by it's own (just by the stuff itself that is put there), and that (some of the) cracks found there additionally are infected with ghastly and excruciating malware is also well known. So that's not the real topic here. Topic here is the behaviour of AVAST in such cases - and the lack of information you get by AVAST about the flaw  - without disabling part of the protection!

[DavidR]

First there was no mention in your post that you were trying to investigate this site, just that you wanted/had to visit it - that would have put a different spin on things as my comments are also a general warning to others who may be reading this topic.

We frequently investigate suspect sites which are reported in the in the viruses and worms forum (but most would be taking other pro-active precautions) and we have to in some cases disable the Network Shield, but in most cases we don't need to disable it as we use several other on-line analysis tools (some polonus mentioned) to do that.

So in your investigating the site, is more an exception than the rule so giving configurability and exclusion to "more than 150,107,324 active users" isn't something I think avast! would do as they are looking at protecting the majority of their average users.

You say people shouldn't have to disable a part of avast to get more information, well by having an exclusion to be able to visit that site is one and the same thing.

As I said the network shied does what it says on the tin, blocks what it considers malicious sites, not political or commercial blocking. It also isn't blocking just on the fact it has cracks or because of a bad rep, but that because it has had multiple actual malware detections previously.

I have no personal wish (or influence, I'm just another avast user) that all crack sites are blocked, there are plenty that aren't. So there clearly is no policy to block crack/serials sites by avast to do so, the blocking is based on prior actual detections.

If you want to ignore that, the that is entirely up to you.

[Anacunga]

First there was no mention in your post that you were trying to investigate this site, just that you wanted/had to visit it - that would have put a different spin on things as my comments are also a general warning to others who may be reading this topic.

Sorry to confess - but that was also on purpose for provocating answers that show how such kind of problems are intercepted here in the forum - and what the tenor here is ...

We frequently investigate suspect sites which are reported in the in the viruses and worms forum (but most would be taking other pro-active precautions) and we have to in some cases disable the Network Shield, but in most cases we don't need to disable it as we use several other on-line analysis tools (some polonus mentioned) to do that.

OK ... but where are the links to further investigation tools if you click on "more info" in the alert window?

So in your investigating the site, is more an exception than the rule so giving configurability and exclusion to "more than 150,107,324 active users" isn't something I think avast! would do as they are looking at protecting the majority of their average users.

Just a huge number of cases AVAST was active does not tell anything about the quality of one single problem. And to be honest: I would not expect to have a default setting set to "ask" for the network shield; but I assume not only me considers it as a better solution to override a protection just once (with the ASK-option) than needing to disable the protection itself and later on reenable it.

You say people shouldn't have to disable a part of avast to get more information, well by having an exclusion to be able to visit that site is one and the same thing.

Yes and no! Yes, overriding it once by ASK-option is just disabling it once - but also: No, disabling it once (by overriding the ask-option) reactivates it immediately and automatically - as it was just disabled once; and you even don't have not to forget to reactivate it manually. It's not totally the same - even if it has the same effect on the one affected website.

As I said the network shied does what it says on the tin, blocks what it considers malicious sites, not political or commercial blocking. It also isn't blocking just on the fact it has cracks or because of a bad rep, but that because it has had multiple actual malware detections previously.

Sure, that imputation was on purpose - with a wink ... But the thing is that by clicking on "more info" you even don't really get more (and detailed) info about the flaw: first of all, you only get the infor that you could read before in the alert windo - and secondly you only get it if you have script turned on - otherwise you do not get any info at all about the flaw. Additionally you get an (own) "commercial recommenation" to use AVAST Pro; nothing more!

I have no personal wish (or influence, I'm just another avast user) that all crack sites are blocked, there are plenty that aren't. So there clearly is no policy to block crack/serials sites by avast to do so, the blocking is based on prior actual detections.

There would not be any reason not to believe you. But as mentioned above: protection IS a multilevel affair with several levels of protection - that ALL should be configurable to a certain extent - and even it is only to include an ASK-option not to be forced to disable network protection manually.

If you want to ignore that, the that is entirely up to you.

Do I really look like as I'm doing that?

[Pondus]

also vipre detect this

https://www.virustotal.com/file/72314130bb400e0354834e1809c040b33744e9dc0e0c8aef1777108f0e966681/analysis/1336669083/

First seen by VirusTotal
 2012-05-10 16:58:03 UTC

[polonus]

There is a script there with recurring repeated //eval display() &  pre.js:249: InternalError: too much recursion
Insecure is the fact that the server gives away the full version of it out to the world and that should be remedied,
because these sites give away too much info to be eventually abused.

No alerts were detected but that IP still is listed with

2012-05-10 17:04:19   85.159.233.95   urlQuery Client   ET RBN Known Russian Business Network IP (386)

according to Suricata /w Emerging Threats list.
I guess you know what Client RBN stands for and that has nothing to do with political issues and keygen cracks.
For that site is hosted in the Netherlands (a 3 man firm) we see: DNS: ns2.p8.ru, ns1.p8.ru
Also consider: http://www.mywot.com/en/scorecard/85.159.233.95?utm_source=addon&utm_content=popup-donuts
RBN has been known as a nebulous organization, see: https://community.mcafee.com/community/security/gti/webthreats/blog/2011/11/29/russian-business-network-malware-sites-and-ip-addresses. But all this has apparently this nothing to do with the recent avast flag.
The reason for Network Shield blocking is solely known to the avast team member(s)  that implemented it.
Pondus now says avast/GData are not the only ones to flag it,

polonus

[Anacunga]

Sorry that I have to clarify again: I did not make ANY remark about the "grade or quality and quantity of infection" of the implied website. That's also why I did not mention it in the beginning! My complaint is SOLELY about the behaviour of the AVAST network shield: that there is no "short override just for once" (as it is with the other shields) and you have mandatorily disable that protection level to get some further info - and that the information about the reason for the alert is insufficient.

The reason for Network Shield blocking is solely known to the avast team member(s) that implemented it.

You mean that the information policy of network-shield is really insufficient?

[polonus]

There are just two options have the Network Shield installed or disabled. There are other scanning methods to analyze why the Network Shield might be alerting a certain site. In most cases it is because it has come accross a malicious site or IP. Why that IP or site has been blocked can be explained by those that have implemented the configuration of it. Overriding it in order to get further info is not advisable for the unaware user, because he would get infected or wan't blocked eventaully to visit a malicious site. In case of FP's the normal; procedure is to report a FP and avast team will look into the matter. Checking Network Shield flags by temporarily disabling it is bad practice and putting user protection at risk. If this prodecure is even used to circumvent the blocking of certain IPs and sites it seems even more questionable, even as it is being presented in a "luring" way in order to evaluate detection,

polonus