As of right now I get a warning from Avast that malware has been blocked on a site that I visit regularly (it is a German site on mobile/portable OS) and that is on the whole trustworthy. Is this a false positive?
With an alert on the favicon.ico file, it looks like the site has been hacked as this file is loaded for every page (the little icon on the left of the address bar) and is a common target for hacking.
This one is even stranger as it is trying to load a compressed script file (the {gzip} bit at the end of the path).
I have been trying to capture this file but I’m getting a 404 error, so the site may have taken it down.
I can currently open the site without an alert (using Firefox 12.0), but there is no favicon.ico being loaded, just the default Firefox icon shown when there isn't one on the site. So as I said, it looks like they are working on it and have taken down the favicon.ico file.
What can I do, or rather what do I have to do now? Is my computer in danger of having been infected? Is it infected already?
I wonder because usually picture files like JPEG etc. are considered to be not infectable, and I figured that a favicon is something of a picture.
I visited the site with FF 12, NoScript, AdblockPlus and Avast.
Your computer isn't in danger; that is the point of the web shield: it blocks any infected content from being downloaded and run/viewed in your browser. It aborts the connection for the infected element.
The favicon.ico isn’t an image as such but a file with a reference on where to find the image to display in the address bar. Image files like .jpg can be infected and we regularly see that in the forums, where a script is placed at the end of the image file to try and execute malicious content.
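The "script placed at the end of the image file" pattern mentioned above can be checked for offline. The following is an added example for illustration, not code from this thread or from Avast: it works out how many bytes an ICO's own directory (or a JPEG's end-of-image marker) accounts for and reports anything trailing past that point. All sample files are constructed here, not taken from the site in question.

```python
import struct

# Constructed sample files (not from the site discussed): a minimal one-entry
# ICO and a minimal JPEG, used below with and without an appended script tail.
ICO_CLEAN = (struct.pack("<HHH", 0, 1, 1)                          # reserved, type=icon, 1 image
             + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, 8, 22)  # 1x1, 32bpp, 8 bytes at offset 22
             + b"\x00" * 8)                                        # placeholder pixel data
JPEG_CLEAN = b"\xff\xd8" + b"\xff\xe0\x00\x02" + b"\xff\xd9"        # SOI, empty APP0, EOI
APPENDED = b"\n<script src='x.js'></script>"                       # constructed injected tail

SUSPICIOUS = (b"<script", b"<?php", b"eval(", b"base64_decode")

def ico_expected_size(data):
    """Size the ICO's own directory accounts for, or None if not a well-formed ICO."""
    if len(data) < 6:
        return None
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1 or count == 0 or len(data) < 6 + 16 * count:
        return None
    end = 6 + 16 * count
    for i in range(count):  # each 16-byte entry ends with dwBytesInRes, dwImageOffset
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end

def jpeg_expected_size(data):
    """Offset just past the last EOI marker (FF D9), or None if not a JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    eoi = data.rfind(b"\xff\xd9")  # rfind: EXIF thumbnails may carry an earlier EOI
    return None if eoi < 2 else eoi + 2

def check_image(data):
    """Return (format, trailing_byte_count, looks_like_script) for an image blob."""
    for fmt, size_fn in (("ico", ico_expected_size), ("jpeg", jpeg_expected_size)):
        end = size_fn(data)
        if end is not None:
            tail = data[end:].lower()
            return fmt, len(tail), any(marker in tail for marker in SUSPICIOUS)
    return "unknown", 0, False

if __name__ == "__main__":
    for label, blob in (("ico clean", ICO_CLEAN), ("ico tampered", ICO_CLEAN + APPENDED),
                        ("jpeg clean", JPEG_CLEAN), ("jpeg tampered", JPEG_CLEAN + APPENDED)):
        print(label, check_image(blob))
```

Trailing bytes on their own are not proof of tampering (some tools pad files), but trailing bytes that contain script or PHP markers are worth pulling the file for a closer look.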
Obviously the site is aware of it, as A) they appear to have taken it down and B) I no longer get an alert from Avast.
I posted in a German security forum and people with Avast or GData IS still get an alert with the same report that I posted when visiting the site. Some only with IE, not with Opera, some as myself only with Firefox.
I can’t vouch for anyone else, certainly not knowing their browser, detection information or virus database version, etc. I can and have shown my result in visiting the site.
I got news from the site owner and maybe you can help me out with trying to understand. The reply reads as follows:
"Our site has not been using a favicon.ico in years. There is the possibility of a false positive on the side of Avast because we have used a 404 redirect. This 404 site of his CRM uses JS."
Does that bring any light into the question of whether there is really something malicious going on or whether it is a FP?
There is no issue with the 404 page. If there was a missing file and a hacked 404 page was present, Avast would have alerted on that page, and not with an alert relating to the favicon.ico and it appearing to load a compressed file.
I have given as much information as I have been able to ascertain as an avast user like yourself.
As I said, I have been unable to replicate the alert using Firefox 12.0.