Our website is schoolandhousing.com. We have been running for two years and serve many customers online. Today, we received a report from our customer saying our website is blocked by avast. Could someone please tell me what is wrong with our code and how to remove us from the block list?
I know it is the table_tooltip.js file that triggers this, but that file does not contain anything like “newportalse.com” or "var _0x4de4=[“x64x20x35x28x29x7B…” We have no idea how to change the code to avoid that. Any hints? Thanks
We do have obfuscated code for code safety purposes, but I am surprised if that is considered a virus.
Quttera gives another result: http://www.quttera.com/detailed_report/www.schoolandhousing.com
Potentially Suspicious
Details: Detected procedure that is commonly used in suspicious activity.
Reason 1.: Too low entropy detected in string '<span style=‘text-decoration:underline;cursor:hand;cursor:pointer;’ onclick='openNewWindow(' of length 22951 which may points to obfuscation or shellcode.
2. Potentially Suspicious
Details: Detected hidden reference to external web resource.
Reason: Detected generation of hidden DOM element [iframe],
Does avast use both sucuri and quttera to verify the code cleanliness? Are any other websites used? The problem is that even if we fix one, we do not know how many other verification websites avast is using and if we can pass the others.
In the quttera link, there are two types of warnings: The first one is "Detected abnormal use of [iframe] elements. Treat it as suspicious." What does that mean? What is considered as an abnormal use of iframe?
The second is “Too low entropy detected in string '<span style=‘text-decoration:underline;cursor:hand;cursor:pointer;’ onclick='openNewWindow(' of length 22951 which may points to obfuscation or shellcode.”. We guess this is because we remove all newline characters in javascript for code safety purposes. Any hints on this one?
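A check of the kind the "Too low entropy ... of length 22951" warning describes, as an added example that is not part of any forum post and is not Quttera's or avast's code: it measures Shannon entropy per character of long string literals in a script. The thresholds, function names and sample markup are assumptions made for illustration.

```javascript
// Added example. Thresholds and names are assumptions, not any scanner's rules.
const MIN_LENGTH = 1000;  // ignore literals shorter than this (assumed)
const MAX_ENTROPY = 5.0;  // report literals below this many bits/char (assumed)

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const chars = [...s];
  if (chars.length === 0) return 0;
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Pull '...' and "..." literals out of JavaScript source. Simplified scanner:
// it honours backslash escapes but does not understand comments, regex
// literals or template strings.
function stringLiterals(src) {
  const out = [];
  for (let i = 0; i < src.length; i++) {
    const q = src[i];
    if (q !== '"' && q !== "'") continue;
    let j = i + 1;
    while (j < src.length && src[j] !== q) j += src[j] === "\\" ? 2 : 1;
    out.push(src.slice(i + 1, j));
    i = j; // continue after the closing quote
  }
  return out;
}

// Report long literals whose per-character entropy is under the threshold.
function flagLowEntropy(src) {
  return stringLiterals(src)
    .filter((s) => s.length >= MIN_LENGTH)
    .map((s) => ({ length: s.length, entropy: shannonEntropy(s) }))
    .filter((r) => r.entropy < MAX_ENTROPY);
}

// Constructed sample: the same markup as one long literal and as many short ones.
const FRAGMENT = '<span style="cursor:pointer" onclick="openNewWindow(1)">x</span>';
const ONE_LITERAL = "var tip = '" + FRAGMENT.repeat(200) + "';";
const MANY_LITERALS = "var tip = " + Array(200).fill("'" + FRAGMENT + "'").join(" +\n") + ";";
console.log(flagLowEntropy(ONE_LITERAL), flagLowEntropy(MANY_LITERALS));
```

With these assumed thresholds, ordinary repeated markup is reported only when it is packed into one long literal; the same markup split into short literals is not, because repetition does not change the per-character entropy but the length check does.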
Avast uses its own functions to determine if a site is infected, etc. It is just that we avast users use other tools to visit suspect sites to investigate.
Landed there where we wanted to land with a clean slate and avast unblocking the site.
That is what we were after in the first place, weren’t we?
No, the third party scanning we do here (sucuri’s, urlquery, quttera, jsunpack, clean mx, virustotal, redleg’s file viewer, etc.)
are just so many ways for “cold reconnaissance” of what is wrong with particular website code.
There is a small group of forum users, all voluntarily involved, to check resources to help establish the presence of malcode.
And as I may say some have achieved quite some expertise in this field (!Donovan, Pondus, and quite a few others).
This is quite unrelated to what the avast team does (although we report to them via virus AT avast dot com).
My main advice: update all your website software, check your input for what should not be there,
harden your server software, check on best protocol practices.
And you will feel a lot better knowing that visitors of your site are not being endangered…
Stay safe and secure online and offline with avast,