False positive.... Now my own website is blocked -.-

So I developed an open source program.

Clicked on the link to ensure the download link works and now my whole site is blocked (since my program tested positive as a Drep (whatever that means)). What the hell? Only way to access it is by disabling Avast IS 2015.

Link: http://alltechtalk.net/Yoga/thread-yoga-patch

I have had Avast 2014 up until yesterday with no problems. Just updated my program today and when testing the download link, this c*** occurs. Any way to get this whitelisted locally and possibly globally so that this false positive does not block this OPEN SOURCE program?

http://zulu.zscaler.com/submission/show/b47f77f660d7782ba3b9ba6444a04882-1414857083

I am sorry, but that website lost all credibility in my book. Heck, VirusTotal and other websites have my thing passing with flying colors.

Yet when I re-ran it: http://zulu.zscaler.com/submission/show/b47f77f660d7782ba3b9ba6444a04882-1414858084

Seriously, that website sucks.

http://urlquery.net/report.php?id=1414858597763

Did you read the info at the first link? It appears the threat comes from elsewhere, outside the site.

Did you consider that possibly malware is being delivered through ads on that web site? Quite likely inconsistently, as not everyone sees the same ads all the time.

It’s a sad state of affairs, but some ad delivery services DO deliver malware-laden ads. The webmaster who has chosen to partner with such a service should be informed and should stop his/her association with such a service.

Maybe instead of criticizing the anti-malware software that blocks legitimate threats, as confirmed by others, you should take action that will actually help. Let the owner of alltechtalk.net know about the problem.

-Noel

I am the owner of the site and there are no ads on my site.

http://oi62.tinypic.com/i24sw3.jpg

This is really starting to annoy me. How can I at least disable this shit locally? Can’t believe that I paid $ for something that is a pain in the ass when it comes to whitelisting.

You can report a possible FP here: http://www.avast.com/contact-form.php

If the software makes it into the Virus Chest - which this may not have - you can open the Virus Chest and explore the right-click context menu options there.

For what it’s worth, Avast doesn’t block your whole site for me here. And good for you not having any ads. That’s an underhanded way to try to make money online.

It pays to take some time and work through all the many settings panels in Avast. There are a lot of things you may want to reconfigure. It really can be made to be non-intrusive, and it does respect exclusion lists - assuming you manage to get your exclusions in the proper list.

But if your program is legitimate, and somehow Avast is detecting it as a false positive, then it makes sense to report it to Avast, because your prospective users may see the file blocked as well. Avast does act on such reports and enhance their database.

-Noel

Not only Avast seems to detect something:
http://r.virscan.org/report/0a53928722dceef402df0485604deddc

Site redirects: htxp://www.alltechtalk.net/forum/index.php
Sucuri comes up with: ISSUE DETECTED DEFINITION INFECTED URL
Internal Server Error 500-error?v1 htxp://www.alltechtalk.net/forum/member.php?action=register
Site error detected. Details: http://labs.sucuri.net/db/malware/500-error?v1
HTTP/1.1 500 Internal Server Error = It might be a temporary error, but it can also be related to a malicious injection gone wrong and breaking the site. Code hiccup:
ajax.googleapis dot com/ajax/libs/jquery/1.7.1/jquery.min.js benign
[nothing detected] (script) ajax.googleapis dot com/ajax/libs/jquery/1.7.1/jquery.min.js
status: (referer=wXw.alltechtalk.net/forum/member.php?action=register)saved 93868 bytes 9eb9ac595e9b5544e2dc79fff7cd2d0b4b5ef71f
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
suspicious: → http://jsunpack.jeek.org/?report=42ad21c2f991379d1d3449791376c3e67c0782ec

Here is the Anubis analysis for the executable: https://anubis.iseclab.org/?action=result&task_id=1cb43dcfc423250545d5f773b209af7d1

Has value name saved legacy settings that could give heuristic detection as Trojan/Win32/FakeAV.
Low risk analysis, Value Name: [ MigrateProxy ], also found up as trojan attack code, Volatile Environment - general cheat code.

pol

Hi Eddy,

As the executable is wrought with COMPILER:Borland Delphi 2.0 [Overlay] then it is FP Prone.
We see many misinterpretations of that, not forensic proof ;D
On "MountPoints2\X\BaseClass" read: http://www.velocityreviews.com/threads/re-truecrypt-problem.597748/
Cleansing routine for similar problems: http://www.bleepingcomputer.com/forums/t/200665/windows-cannot-find-recycler-malware/

Damian

New file, only one detection
https://www.virustotal.com/en/file/61c40403691df422f6fc3dcb44e4023b20e96e306cefd3e1535cb5f744605f43/analysis/1414866064/

IP history is different - Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.
https://www.virustotal.com/en/ip-address/208.113.152.212/information/

http://urlquery.net/report.php?id=1414864187612

LOL, some days online security starts to resemble a self-eating snake. See the attached image after trying to browse to the site you listed above, Eddy.

“Threat has been detected”

-Noel

@Pondus,

See: http://support.clean-mx.com/clean-mx/md5.php?Ikarus=Gen:Trojan - Trojan/Win32.Writos = Malpacked Gamethief

@NoelC,

Yep, self-eating snake Ouroboros, the symbol of infinity. ;D

pol

Thanks guys. I tried moving the file to http://www.alltechtalk.net/Yoga/Yoga_Patch.exe and even tried zipping up the same file http://www.alltechtalk.net/Yoga/Yoga_Patch.zip.

As a zip, Avast allows the file to be downloaded and allows it to be run after it is extracted. As an EXE (http://www.alltechtalk.net/Yoga/Yoga_Patch.exe), it still blocks the download.

My only problem is that the patch has an updater that even block the updater from downloading the file located at http://www.alltechtalk.net/Yoga/Yoga_Patch.exe

This is frustrating. I have submitted several reports to Avast with no response yet.

From VirusTotal: https://www.virustotal.com/en/file/2df3906a8a31c8a17b1b198395013404795b5de93d5696666898cdbb8e4b2381/analysis/1414862066/

You can contact the viruslab directly via: virus[at]avast.com

PS: It usually helps to sign your programs.

Strange NoelC, I can open it without a problem.

Polonus, I know.
But the op may wish to inform the other ones that are detecting something also.

Indest, did you tell Avast about it through the contact form or a ticket?

Yes, I opened a ticket and submitted via contact form.

Thanks guys for the help.

You’re welcome.