False Positive on New York State Government Website

KDibble · 2017-01-10T17:40:52.000Z

Eddy post:7:

avast doesn’t block sites because they might be malicious.
They only block sites if something malicious is detected.
And yes the detection can be wrong, that is why you can ask avast to have a look manually at the site.
https://www.avast.com/report-a-url.php

At the risk of beating a dead horse:

I posted the screen shot that showed that Avast blocked the execution of an element on the website, apparently merely because some javascript on the site didn’t meet Avast’s expectations for “security” or “newness” or something. If blocking this element results in people being unable to use portions of the website that they need, then that is the same thing as blocking “the website” for those people.

And as I said in my original post, I filed a ticket in OCTOBER 2016, and this issue has not been fixed, even though Avast subsequently sent me a satisfaction survey asking me how I liked the way they “fixed” it.

It may be appropriate to warn the DEVELOPERS or OWNERS of websites when their websites contain code that may not be maximally secure, but that function should be limited to website development tools. Displaying warnings, or blocking website functionality, or blocking websites, merely because the code is “old” is not helpful, or useful, or appropriate, for ordinary end-users of these websites.

If Avast is going to insist on doing this anyway, then it should least give me a switch to turn it off in the SOA. I do not want to turn off the entire web shield, I only want to turn off the portion of the web shield that issues warnings and blocks for theoretical, not actual, threats.

polonus · 2017-01-10T18:25:15.000Z

Hi KDibble,

Avast only flags websites that are a threat to the visitors thereof.

What further is mentioned as insecurity is no reason for avast to have set up detection of that site,
however mitigating vulnerability and ‘no best policy’ website management can be helpful in many ways.

It should be taken as an advice.

Only Avast Team Members can comment on why your website or the IP address the domain is on is being alerted.
They are also the only ones that can come and unblock.

We are just volunteers with relevant knowledge.
With thousands and thousands of all sorts of scans behind us, we can almost hear the website code-grass grow here. But whenever we place our ears to the ground, that does not mean you are bound to follow up our advice how to mitigate vulnerable code and issues we see. What we advice is a proposition only and can but need not be related to why avast blocks.

Wait for an Avast Team Member to give the final verdict on that site’s blocking,

polonus (volunteer website security analyst and wesbite error-hunter)

Eddy · 2017-01-10T18:35:10.000Z

What is the ticket ID ?

polonus · 2017-01-10T20:57:34.000Z

Main issue is the secure connection, not the initial one, that is secondary, but the real data transfer should be secure.

What security you want to exclude from your attention is your choice. Again the WebShield and the OAS warnings are all based on what a normal anti-virus vendor would detect and also what is outside their scope.

We do not advise you in the realms of firehole blocking, just show what best policy patterns are maintaining a website maintaining security standards (patch vulnerable and/or outdated code, uphold same origin (sri hashes generated), apply security headers, just stick to advisable standards. And again that is outside the scope of what avast should do.
Avast task is just to flag websites harmful to their end-users and that is where it stops.

Our forum advice is free, somewhere else it comes with a price-tag attached, and when the website is compromised or with a data-breach you have an even more expensive issue at your hands.

polonus

HonzaZ · 2017-01-11T08:29:34.000Z

This is blocked due to obfuscated redirection:

top['l'+'oc'+'a'+'t'+'i'+'on'] = location;

Remove this code (or at least the obfuscation!) and Avast will stop complaining

KDibble · 2017-01-11T14:55:40.000Z

HonzaZ post:12:

This is blocked due to obfuscated redirection:
top['l'+'oc'+'a'+'t'+'i'+'on'] = location;
Remove this code (or at least the obfuscation!) and Avast will stop complaining

Thank you. I am not the owner of the website, I am the CIO of an organization whose employees must use the website.

I am guessing that this refers to the website’s ability to allow a viewer to specify a location. This is a generic feature of most New York State websites. However, Avast does not pop-up a warning when I visit other New York State websites that have this feature.
And in fact, it does not actually work, on this or any other New York State website. If you choose that option you can enter a location and press an “update” button which does not do anything.

Further, if I click a link on the problematic page to go somewhere else, and then use the Firefox "bacK’ button to return to the page, I do not get an Avast pop-up. If this is really worth warning people about, shouldn’t it warn me every time?

Contrary to what others have said here, it appears you are flagging the site because the code does something that can be misused, not because the site actually contains a real threat. I request that you stop doing that.

Thanks.

Eddy · 2017-01-11T15:54:16.000Z

Ofcourse the back button does not trigger a alert as it is the webshield that detects it and the back button makes a browser load a local cache file.

I don’t think avast will stop doing that.
If they would they will put the users at more risk then is needed.

Tell the owner of the site to fix the issues that have been reported here.
That is the real solution.

HonzaZ · 2017-01-11T15:57:21.000Z

KDibble post:13:

HonzaZ post:12:
This is blocked due to obfuscated redirection:
top['l'+'oc'+'a'+'t'+'i'+'on'] = location;
Remove this code (or at least the obfuscation!) and Avast will stop complaining
I am guessing that this refers to the website’s ability to allow a viewer to specify a location.

No, the code I mentioned is for redirecting users to another location (URL). It means it can redirect you to an arbitrary website. Redirecting users is fine per se, obfuscated redirection is something usually done by “the bad guys”, and will be blocked.

KDibble · 2017-01-11T18:57:43.000Z

Just a few minutes ago I received an email purportedly from Avast that contained an attachment which Avast deleted as malicious.

This has happened to me twice, both times in connection with the ticket I mentioned in this thread. The first time was on October 21, 2016, right after I filed the ticket. This time it happened a bit more than 24 hours after I sent update replies to the Avast “Help is on its way” and “Tell us how we did” emails that were generated for this ticket.

Both messages had the subject line: Re: Hi! You have a new message from the team.( Ticket ID: [#557683] )

This is the correct ticket number.

Both messages had from and reply-to addresses: Avast Customer Care customer.care@avast.com

This raises the distinct possibility that something or someone is monitoring Avast email and attacking senders.

I have Avast set to delete, not quarantine, suspect attachments so I can’t provide the file. I can give you the full headers for the suspect emails, but I tried to post them here once and the post didn’t go through–perhaps a length limitation?

Modified to attach a text file containing headers and body text for the infected email.

Pondus · 2017-01-11T19:21:10.000Z

Just a few minutes ago I received an email purportedly from Avast that contained an attachment which Avast deleted as malicious.

Did avast give a malware name?

Eddy · 2017-01-11T19:26:30.000Z

According to the headers : X-Attachment: \mai183A.tmp Virus: JS:Redirector-BLW [Trj] Deleted

Pondus · 2017-01-11T19:34:51.000Z

Eddy post:18:

According to the headers : X-Attachment: \mai183A.tmp Virus: JS:Redirector-BLW [Trj] Deleted

same as here > https://forum.avast.com/index.php?topic=195198.msg1358764#msg1358764

did somone from avast put a code sample in the attachment?

HonzaZ · 2017-01-12T08:41:21.000Z

Can confirm, they did put the code (to be deleted from the domain) into the ticket body, which then triggers the detection.

Eddy · 2017-01-12T08:51:09.000Z

That is good news.
The mail shield is working ;D

Pondus · 2017-01-12T10:06:13.000Z

HonzaZ post:20:

Can confirm, they did put the code (to be deleted from the domain) into the ticket body, which then triggers the detection.

Should have sendt it with password protected attachment

KDibble · 2017-01-12T14:08:08.000Z

Thanks folks.

KDibble · 2017-01-12T15:00:20.000Z

These are my final words on this topic.

This morning I have tested the URL with five different online scanners:

VirusTotal
WebInspector
Sucuri
Quttera
AVG Threat Labs (now OWNED by Avast)

None of these testers find anything wrong with the URL. I could keep going because there are zillions of these testing sites, but I’m betting the results will be the same.

I could contact the webmaster of the site and ask them to remove the code that Avast objects to, but the webmaster is likely to tell me that when all of the rest of the anti-malware companies have no problem with this code, he or she is not going to spend the time necessary to remove it.

The only sites that find a problem here are those that purport to “improve security”, not those that purport to find malware.

Avast Endpoint Protection is supposed to be software that finds malware, not software that advises web developers on how to improve security.

When you constantly pop up messages to warn people about dangers that aren’t really there, they stop paying attention to your warnings. Then when something that is truly dangerous is found, they will ignore that too. (This is a modern example of the ancient European folk tale of “The Boy Who Cried Wolf”.)

Avast’s insistence on flagging this kind of thing is a mistake. I wish you would realize it and correct it.

That’s all. You won’t hear from me again about this particular website.

polonus · 2017-01-12T15:05:21.000Z

“Silence is golden”…

polonus

HonzaZ · 2017-01-12T15:09:11.000Z

Avast does not flag the domain. Avast does flag the code that is used in many malware campaigns. Disabling this detection would mean stopping protecting other users, which is obviously something that we don’t want.

Eddy · 2017-01-12T15:24:31.000Z

Avast Endpoint Protection is supposed to be software that finds malware, not software that advises web developers on how to improve security.

AES doesn't advise developers on how to improve security, it is trying to protect systems from getting infected. Blocking/stopping malware is just one part of it. Another part (amongst many more), is preventing users to be redirect to malicious sites/files.

If other scanners don’t block things like this, it means there is room for improvement on the security they are offering.

Announcements