False Positive by Avast - Please address immediately

Viruses and worms
1

Cognitive Match is a Dynamic Ad Serving company and since Friday we’ve been getting many complaints that Avast has flagged our domain contains as containing a trojan virus. We tracked the problem to a virus definition update that Avast released on 4th October which incorrectly reported a trojan virus in the javascript file we use to launch our adverts. It’s possible this was fixed with releases over the weekend, but we have been unsuccessful in reaching anyone at Avast via phone. We have tickets in but response has been slow.

This is severely effecting our business and needs to be addressed immediately.

Reference Ticket#SAB-830-89827

Kori
CognitiveMatch

2

Can you give us the URL please?

3

cdn-s3.cogmatch.net

4

Just a guess, you have a old version of WordPress/Joomla installed.
Why not first check with the latest vps instead of reporting a problem with a old version?

Edit:
I just checked and avast is not flagging it as bad.

5

Eddy -
This is not a problem I am experiencing. Our engineering team has been unsuccessful in replicating the issue. Display ads that our company is serving for our clients are being blocked because Avast, a service that media vendors use to scan domains for viruses, has flagged our domain as potentially containing a trojan virus. This is a false positive.

Thank you for checking.

6

Hi Eddy,

To shed more light into this – the domain mentioned is our CDN domain, there is no content management system installed on it (e.g. Joomla, Wordpress etc). It simply serves our images, flash, javascript and html files.
Does this help?

7

There could be a general IP block involved see the IDS alerts here: http://urlquery.net/report.php?id=2708128
In recent reports on same IP we find alerts for: ET POLICY PE EXE or DLL Windows file download on htxp://cdn.growmatecdn.us/nsi/nsis-html/ZIP_RAR_Free_Editions_6917.exe and on another domain ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging), this latest detection could be general heuristics and therefore is in a sense FP-prone.

Understandable there cannot be any alert towards this:


Source code
<html>

<head>
<title> cm.matchmaker.assets </title>
</head>

<body bgcolor="white" text="blue">
<h1> Hello ! </h1>

</body>

On the application octet stream nothing: {“sha256”: “85527fd7ecf84927855dacf5462cfd84d777630a96331d2d7cb4063ce38e6a77”, “result”: 1, “last_analysis_url”: “/en/url/85527fd7ecf84927855dacf5462cfd84d777630a96331d2d7cb4063ce38e6a77/analysis/”, “timestamp”: 1369757194, “positives”: 0, “last_analysis_date”: “2013-05-28 16:06:34”, “total”: 38, “url_exists”: true, “reanalyse_url”: “/en/url/submission/?force=1&url=http://cdn-s3.cogmatch.net/ads/53CE989426364D7CA7D99FD4FBE4E0C5/A9E477357AEE4D66A071C67E0A0720BF.swf&token=f71d3f5bf37336c97abe71cf8efa6548dea3b04ae58e42c75730dd9aa3bab5f8”} → https://www.virustotal.com/nl/file/30db8d8f8440806a69f5666e9d674a310eb63c7ab6b36b39d5855b98a7b0f3aa/analysis/1369755970/
There is some other problem because at Sucuri I get: System Details:
Running on: PWS/8.0.16 (open to XSS attacks)
Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Not Found
There are some web rep problems: http://www.mywot.com/en/scorecard/cdn-s3.cogmatch.net?utm_source=addon&utm_content=popup-donuts
And there is this report to be considered: http://support.proboards.com/thread/485792/trojan-detected?page=1#scrollTo=5558742

The avast detection is for cdn-s3.cogmatch.net/adtagv2.html?ci|{gzip} (customerId should come specified in request!)

If there really is an existing JS:Iframe-DPX [Trj] infection then this is a cause of concern because this is an infostealer trojan of sorts.
On infested computers with this spyware rootkit it appears as AppData/Protector/random, the process should be halted and removed in Task Manager and the registry should be cleansed from

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "random "
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\random

but this is a task to be performed under guidance from a qualified removal expert here in the forums.

polonus