Desura blocked again and again.

But, that’s NOT how it happened, and blocking an IP in a cloud is NOT a good idea. Because of its nature, that same malware host can resurface at any number of AWS’s other nodes, for instance. At that point, you wind up, eventually, having to block ALL of that cloud host’s IPs.

Normally, however, YES, I can agree that blocking a NORMAL IP is a good idea, until/unless that host removes the malware site(s). Amazon should have been notified, first. THEY could have contacted any known GOOD hosts at that IP, and moved them. Apparently, if that happened, Amazon’s legitimate hosts were not notified. Not to mention those of us who are also Desura customers.

At this point, I’m more interested in hearing official word from AVAST, rather than just some other poster from the forums. While Jeff DID say better safe than sorry, he was more advocating making sure a working antivirus was scanning software you download before playing it; he was NOT advocating deep-sixing an IP that’s part of a CLOUD platform, which again really doesn’t seem like a good idea.

That’s not quite what I said.

I said it’s better for end users to be safe than sorry.

In terms of Avast’s actions, I think it’s fundamentally wrong to flag an IP in a pool like EC2, because the user of that IP can change once every 5 minutes, or once every 5 years. It does everyone a disservice, because end users end up having to whitelist things and get in the habit of telling Avast it’s wrong, while AWS customers have to deal with nonsensical false positives, while legitimate threats shut down the instance and come up on a new IP minutes later, making the IP flag irrelevant.

I’ve tried to contact Avast twice. I’ve gotten nowhere. If you have a contact, I’d love to have it.

It is up to avast staff to decide to unblock or make an exclusion for that domain on IP.
We here on the support forums are just good-willing volunteers with relevant knowledge.
Unblocking is for avast team members only. Contact them at virus@avst.com referring to this thread.

Hope you can also convince your server hosting party to pay more attention to their pending server insecurities.
Sometimes the website admins are quite responsible in their attitudes,
but the bulk domain hoster is just in the game for the money involved and treats security as a last-resort issue.

polonus (volunteer website security analyst and website error-hunter)

Cloud = the entire internet, not just a part of it.
What they nowadays refer to as cloud is almost always a misnomer.

But, that's NOT how it happened
Yes, that is how it happened.

Hi Eddy,

It is a business model mainly, with insecure interfaces and APIs and the dependency chain to consider (cloud security is as weak as the weakest link in the chain). From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.

polonus

No, it’s NOT how it happened. Jeff TRIED to contact Avast

I tried to contact Avast, both here and via false positive reports. We got a posting here from Sirmer, instead of it getting unblocked:

Again, at this point, official word from Avast is what’s needed, not you, but either Sirmer, or one of his co-workers. What you said is one way it SHOULD have happened, or Avast COULD HAVE notified Amazon that their EC2 node is hosting some bad stuff and THEY take care of it (really, that’s what STILL needs to happen). Instead, they simply blocked a distributed-network-computing node, without telling ANYONE, and, when people DID ask Avast, we get told they AREN’T going to unblock it.

Unless you have contact information to help Jeff, I’d suggest leave this thread to actual AVAST employees, moderators, or other affected individuals at this point; so far you really haven’t added anything useful or helpful to this incident.

The “server hosting party” is AWS. The AWS that also hosts Netflix, Instagram, Reddit, et al. It allocates and reallocates tens of millions of public IP addresses that shift client-to-client hourly. They’re AGGRESSIVE with abuse. So aggressive, in fact, that when abuse is detected, the client is killed and the IP reassigned.

Guess what happens when you blacklist an IP and it gets reassigned to a normal user?

False positives.

AWS documents its IP ranges here: https://ip-ranges.amazonaws.com/ip-ranges.json

When I use the term cloud, I’m strictly speaking about AWS in this sense - the de facto “cloud” implementation.
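The last post points at the published AWS range list as the reason a permanent IP block on a shared pool produces false positives. As an added illustration (not code from anyone in this thread), the following checks a detected IP against a document in the shape of ip-ranges.json and downgrades the response for pool addresses to a short-lived, hostname-based rule; the JSON keys are the real ones, but the address blocks are constructed RFC 5737 documentation ranges, and the decision policy is an assumption.

```python
import ipaddress
import json
from typing import Optional

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The keys ("prefixes", "ip_prefix", "region", "service") match the real document;
# the blocks are RFC 5737 documentation ranges, NOT real AWS ranges.
SAMPLE_IP_RANGES_JSON = """
{
  "syncToken": "0000000000",
  "createDate": "2000-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": []
}
"""

def load_prefixes(raw_json: str) -> list:
    """Parse an ip-ranges.json document into (network, region, service) tuples."""
    doc = json.loads(raw_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in doc.get("prefixes", [])]

def cloud_pool_match(ip: str, prefixes: list) -> Optional[dict]:
    """Return the published range containing ip, or None if it is outside the pool."""
    addr = ipaddress.ip_address(ip)
    for net, region, service in prefixes:
        if addr in net:
            return {"prefix": str(net), "region": region, "service": service}
    return None

def block_decision(ip: str, prefixes: list) -> dict:
    """Assumed policy: a pool address is reassigned between tenants, so a permanent
    IP rule there mostly hits the next innocent tenant. Block the hostname/URL with a
    24h TTL instead and leave the IP alone; dedicated hosts keep the plain IP block."""
    match = cloud_pool_match(ip, prefixes)
    if match is None:
        return {"ip": ip, "action": "block_ip", "ttl_hours": None, "reason": "dedicated host"}
    return {"ip": ip, "action": "block_url_only", "ttl_hours": 24,
            "reason": f"shared pool {match['prefix']} ({match['service']}, {match['region']})"}

if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES_JSON)
    for ip in ("192.0.2.45", "203.0.113.7"):   # one pool address, one outside the pool
        print(block_decision(ip, prefixes))
```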