avast! blocking Firefox Sync

Avast Free Antivirus / Premium Security
1

Can someone check what’s going on here? From the looks of it, avast! is blocking Firefox sync for some reason. And this started happening this evening, no problems before.

2

I have syncing setup for my firefox installations - my primary system is my XP Pro desktop and secondary win7 netbook.

I just did a manual sync from my win7 netbook and no issues or alerts from avast.

3

I’m having the same issue. I also just noticed it today.

Upon launching firefox and reaching the firefox default homepage, Avast gives me a pop up notification that a malicious URL:MAL has been blocked. The address changes slightly for me. Its a variation of these two.

URL: https:// 54.149.18.169:443/1.0/sync/1.5 (or just https:// 54.149.18.169:443)

INFECTION: URL:MAL

PROCESS: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe

4

Avast isn’t alone in alerting on this as Firefox SafeBrowsing alerts if you try to connect directly to this IP address - image1

Checking the security exceptions - it is saying the site is identifying itself with invalid information - image2

If I check the firefox certificate manager it reports this certificate as services.mozilla.com (image3), yet this IP resolves to Amazon.com.

So this one is certainly weird - I don’t get the alerts as this I believe must have happened at some time before and I have added an exception in the certificate manager for that IP and port number.

5

Same here:

6

DavidR, those are great screenshots and very useful. I think you may be misinterpreting the information, however.

From my understanding this is simply a Mozilla service that is located on Amazon’s server farm. Pretty standard. Of course if someone has hijacked the URL to point to another server on Amazon’s server farm, that would be a different story (sorry, I don’t have the time to check at the moment).

Avast blocking it is most likely another Avast false positive. I’m not sure why Avast hasn’t fixed it in a timely manner - they have been notified through their Labs and obviously by multiple people on their forum. Avast hasn’t responded through their Labs or on this forum.

7

My sync is blocked too.

8

We know it’s mozilla’s service. But the fact is, avast! is blocking parts of it as seen above.

9

I haven’t really tried to put that much of an interpretation on it, when firefox itself is saying that the certificate is for firefox, yet the IP resolves to Amazon, I know it is a server farm given the amazonaws.com domain listed as the Host of this IP in image4.

All I’m saying is that there is some latitude for confusion, how that might be interpreted by avast I simply don’t know.

10

Yep, got me too: “Https://54.149.18.169:443/1.0/sync/1.5” avast blocking malware. Something has spooked avast in an Amazon server farm from what I hear/read? False positive? Still syncing here.

11

Your thought is an interesting one: that maybe Avast is actually performing some sort of intelligent interpretation in real time. My limited understanding is that for “URL:Mal” Avast is simply blocking the specific URL or IP as specified in the Avast definitions. Whether or not Avast actually interprets data on the fly for this sort of thing will have to be disclosed by someone at Avast. Can anyone at Avast provide more details?

12

I am having the same popup from avast for that URL

13

Same for me, too.

14

been getting this too, had spooked for bit then i read that other seeing same things. hopeful this is fixed soon, I use cyberfox x64 though, so it looks slightly diffrent

15

If this pop up, look for anything that been added. seem like, everytime i update firefox, it always seem to add something. just now, i’ve noticed that it added a smiley face and the caption was, “start a conversation”. when i disabled and remove it, the warning stopped.

16

Well, here goes nothing…going to speedguide.net and with this address info, the ip address is allocated for Merck and co. in Woodbridge, N.J. With that said, attempted to do a trace route, and came up with this:

traceroute to 54.149.18.169 (54.149.18.169), 30 hops max, 60 byte packets:

1 68-67-73-17.static.as19844.net (68.67.73.17) 0.275 ms 0.316 ms 0.401 ms
2 ve103.e2-13.core-b.jcvnflcq.as19844.net (198.205.127.13) 4.692 ms 4.729 ms 4.785 ms
3 64.125.193.61.available.above.net (64.125.193.61) 6.183 ms 6.188 ms 6.180 ms
4 ae4.mpr4.atl6.us.zip.zayo.com (64.125.31.198) 6.818 ms 6.382 ms 6.413 ms
5 ae2.cr1.dca2.us.zip.zayo.com (64.125.25.45) 17.290 ms 17.301 ms 17.345 ms
6 ae6.er1.iad10.us.zip.zayo.com (64.125.20.118) 18.194 ms 18.271 ms 18.208 ms
7 ae9.er5.iad10.us.zip.zayo.com (64.125.31.142) 18.001 ms 18.005 ms 17.996 ms
8 zayo-amazon.iad10.us.zip.zayo.com (64.125.12.30) 18.126 ms 18.082 ms 18.091 ms
9 72.21.220.17 (72.21.220.17) 75.952 ms 75.907 ms 205.251.244.9 (205.251.244.9) 76.522 ms
10 205.251.245.137 (205.251.245.137) 76.166 ms 76.128 ms 76.134 ms
11 54.239.41.23 (54.239.41.23) 75.767 ms 54.239.41.27 (54.239.41.27) 76.873 ms 54.239.41.29 (54.239.41.29) 75.762 ms
12 205.251.232.209 (205.251.232.209) 77.275 ms 205.251.232.203 (205.251.232.203) 76.599 ms 205.251.232.197 (205.251.232.197)
76.280 ms
13 205.251.232.61 (205.251.232.61) 79.247 ms 79.540 ms 77.304 ms
14 * * *
…not much to say except for more addresses…!

Furthurmore, wont paste, but can find other neat stuff concerning this address/s using same site, and going to Related tools at the near bottom of page, clicking on Network Tools, clicking every box in the Host Info and Connectivity on top of page using addx 54.149.18.169, and voila…Amazon Technologies Inc. … for the OrgName. Not the Amazon I was expecting for shopping! Something to research in a bit, but first why it took to ping the addrx 4 seconds (4000 ms) from Wash, D.C.?? Nothing about Firefox yet except for the popup avast put on all my screens about 20-30 times. After confirming, or better yet, understanding a good possibility of a false positive by Reading alot of shtuff…or getting sick of the warning, the next step is to silence the popup, which is not the brightest thing I’ve ever done…

To silence popup, since I believe it is a false positive, I went to avast User Interface by right clicking notification area avast icon:
-clicked Settings
-clicked Exclusions
-clicked URLs tab and
-entered (without quotes) “https://54.149.18.169:443/1.0/sync/1.5*” on the (enter address) bar, and made a note of it on my monitor to keep it in mind of the exclusion temporarily while avast! and co. works on the true meaning of the action/s.
Hope this works for all.
Avast moderators can contact me anytime. You’ve got my email addx.

17

Same thing happened to me starting last night around 9PM CST.

18

…yea, I noticed it here about 8:00p.m. est

19

Started about 6:50 PM EST here.

FFox flags hxxps://54.149.18.169/1.0/sync/1.5 as Untrusted/Invalid certificate

20

Still happening… Is anyone from avast! looking into it? Thx