While browsing, I tried to go to the following site (all URLs posted below have been edited to make them non-clickable): hXXp://www.gogglesandglasses.com/PRODUCT_REVIEWS.html
At which point access to the site was blocked and I received the following avast! pop-up:
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Filseclab is a firewall I’ve used for years, and have never had avast! mention it in all the times I’ve run both on the same system.
Here’s what’s confusing about this message:
1. I’m pretty sure I’ve been to this site before without any warnings.
2. WOT rates the site totally safe (though with not many people rating it).
3. I have NoScript 2.3.4 running and except for googleapis.com, the site was “completely” blocked (only gogglesandglasses.com and statcounter.com showed up in the NoScript button, and both were blocked). Also Adblock Plus 2.0.3 (with its Pop-up Addon) is running as well.
4. A few minutes later, I went to the site again (maybe dumb, but if avast! blocked me once, it should do it again), but the error did not pop up this time (I had not changed any permissions).
5. Viewing the source code to the site, I don’t see either the string “25Ugfq3H5c” (from the warning), nor “southwestdiscus” (from the More Details page).
I realize none of the above is any guarantee of this being a safe site, but combined, I’m just wondering if there was some glitch that caused the pop-up, or am I missing something obvious here?
Is this actually some conflict between avast! and Filseclab and not related to the website at all? If so, what might cause this conflict now? Filseclab hasn’t been updated in years (the developer doesn’t exist anymore), and other than a definitions update (120325-0), I’m still running avast 6.0.1367.
I still have the website source code as a text file if there’s anything else I can look for.
I’d like to be able to visit the site and not worry that I’m risking obvious exposure, but I want to understand this avast! warning a bit more first.
I checked out the site and it’s definitely clean. (verified by urlvoid and Virustotal)
By what you’re saying, it sounds like that firewall you are using is obsolete. You might want to change to something else, but that is a bit drastic if your current setup is working for you.
A better solution would be to add your firewall process to the exclusion list in the webshield and fileshield.
I do not use the same firewall referenced in the OP. I believe the issue with whether the site is safe or not deserves more in-depth review. (I have attempted to visit the site 4 times now and each time Avast! is blocking access).
If you read my blog posts about the ponmocup malware you’ll learn that the web server is indeed infected (.htaccess file) and that services like virustotal and urlvoid are totally ineffective at detecting this type of infection on web servers.
However, urlquery.net is able to verify the redirection to malware domains, but doesn’t recognize it as malicious or suspicious (yet), I think.
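As an added example (not part of the original posts and not any poster's code), the Python sketch below audits an `.htaccess` file from the server side for rewrite rules that send visitors to a foreign host, which is something a scanner fetching the page from outside never sees. It assumes the injected rules gate the redirect on visitor attributes such as the Referer header; the sample file, the host names and the `audit_htaccess` helper are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: a benign canonical-host rule followed by an injected block.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.test$ [NC]
RewriteRule ^(.*)$ http://www.example.test/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\..*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (MSIE|Firefox) [NC]
RewriteRule ^(.*)$ http://redirect.invalid/in.cgi?q=$1 [R=302,L]
"""

# Server variables that describe the visitor rather than the request path
# (assumed set of gating variables for this sketch).
VISITOR_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE", "REMOTE_ADDR")


def audit_htaccess(text, own_hosts):
    """Return findings for RewriteRules that send selected visitors off-site."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # strip() also defeats rules hidden behind long runs of whitespace
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            conds.append(parts[1])  # the test string, e.g. %{HTTP_REFERER}
        elif directive == "rewriterule" and len(parts) >= 3:
            host = (urlparse(parts[2]).hostname or "").lower()
            gated = sorted({v for v in VISITOR_VARS for c in conds if v in c})
            # Flag only absolute targets on hosts the site does not own,
            # reached through a condition on who the visitor is.
            if host and host not in own_hosts and gated:
                findings.append({"line": lineno, "host": host, "gated_on": gated})
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, {"example.test", "www.example.test"}):
        print(f"line {f['line']}: redirect to {f['host']} gated on {f['gated_on']}")
```

A finding here is a prompt to inspect the file by hand and compare it against a known-good copy, not a verdict on its own.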
Pondus is right. I check websites with various resources I have depending on the type of infection. Sometimes I may search for IP Blacklists, other times code scanning, yet other times reputation, and other times previous attacks/hacks.
If none detect, I scan (with my eyes) the source code to clarify to some extent.
I usually use about 4-9 resources before I make the post in interesting situations.
Remember: Each scanner was made for a specific reason, thus using just one scanner for an unknown malware will not cut it!