False Positive on New York State Government Website

KDibble · 2017-01-10T15:01:15.000Z

avast! Endpoint Protection keeps popping up a Trojan Horse warning on this page:

www.criminaljustice.ny.gov

The “bad” object is body.js

This is an official New York State government website that is used by employers to conduct criminal background checks on potential employees. It is highly unlikely that it contains any actual malware.

I filed a ticket on this in October 2016. I got a response from Avast saying they were looking into it. Then in November I got a satisfaction survey from Avast asking me to tell them how they did. I never got email from Avast saying they had fixed the problem.

It’s still not fixed.

Perhaps someone here can poke them?

Thanks

Eddy · 2017-01-10T15:22:24.000Z

There sure are issues on that site.
They are using over 4(!) year old libraries.

http://retire.insecurity.today/#!/scan/cd999954f5ca9da24df4fd2c57ec588055144ae07ab26725b14bb2cbb9bc574f

And for a site that deals with personal information it sure shouldn’t be using http but https.

Pondus · 2017-01-10T15:26:15.000Z

This is an official New York State government website that is used by employers to conduct criminal background checks on potential employees. [b]It is highly unlikely that it contains any actual malware.[/b]

If samples of malicious code is posted on display there, then avast webshield may react

What is the full message avast give? … or post screenshot

polonus · 2017-01-10T15:57:11.000Z

At least 3 jQuery libraries are vulnerable: http://retire.insecurity.today/#!/scan/e2a3848c5f7423e938f4294af67c7a7fc694e230788877ea8da263e8fd7f53a2
Security could certainly be improved according to: https://observatory.mozilla.org/analyze.html?host=www.criminaljustice.ny.gov
This seems OK: https://sritest.io/#report/0e55f144-2f12-42c6-b658-6699a3898baa
C-grade status for server test here: https://www.htbridge.com/websec/r/www-criminaljustice-ny-gov-united-states/406d7f53f5a27e1b6f3b744e606f4968606d5dc8f7bb4929e68ad6f2f2673566
Do not really see it as being malcious as such, but wait for a final verdict for an Avast Team Member to react,

polonus

KDibble · 2017-01-10T17:12:33.000Z

Eddy post:2:

There sure are issues on that site.
They are using over 4(!) year old libraries.

http://retire.insecurity.today/#!/scan/cd999954f5ca9da24df4fd2c57ec588055144ae07ab26725b14bb2cbb9bc574f

And for a site that deals with personal information it sure shouldn’t be using http but https.

The pop-up occurs on the main, open-to-the public page of the website, before any data that could reasonably be expected to require https is requested or submitted.

The website is required for use by many people in the course of doing their jobs. It is inappropriate to interrupt or delay people’s work because a website contains something that could be, but has not been, exploited for dangerous purposes. As I’ve said before, Avast should not be blocking websites merely because they “might” contain something bad, but only if they actually DO contain something bad.

KDibble · 2017-01-10T17:15:10.000Z

Pondus post:3:

This is an official New York State government website that is used by employers to conduct criminal background checks on potential employees. [b]It is highly unlikely that it contains any actual malware.[/b]
If samples of malicious code is posted on display there, then avast webshield may react
What is the full message avast give? … or post screenshot

Pop-up image is attached.

As usual, clicking the “More details” button on the pop-up does not provide any more details; it just displays an advertisement for Avast products on a web page.

Eddy · 2017-01-10T17:21:01.000Z

avast doesn’t block sites because they might be malicious.
They only block sites if something malicious is detected.
And yes the detection can be wrong, that is why you can ask avast to have a look manually at the site.
https://www.avast.com/report-a-url.php

KDibble · 2017-01-10T17:40:52.000Z

Eddy post:7:

avast doesn’t block sites because they might be malicious.
They only block sites if something malicious is detected.
And yes the detection can be wrong, that is why you can ask avast to have a look manually at the site.
https://www.avast.com/report-a-url.php

At the risk of beating a dead horse:

I posted the screen shot that showed that Avast blocked the execution of an element on the website, apparently merely because some javascript on the site didn’t meet Avast’s expectations for “security” or “newness” or something. If blocking this element results in people being unable to use portions of the website that they need, then that is the same thing as blocking “the website” for those people.

And as I said in my original post, I filed a ticket in OCTOBER 2016, and this issue has not been fixed, even though Avast subsequently sent me a satisfaction survey asking me how I liked the way they “fixed” it.

It may be appropriate to warn the DEVELOPERS or OWNERS of websites when their websites contain code that may not be maximally secure, but that function should be limited to website development tools. Displaying warnings, or blocking website functionality, or blocking websites, merely because the code is “old” is not helpful, or useful, or appropriate, for ordinary end-users of these websites.

If Avast is going to insist on doing this anyway, then it should least give me a switch to turn it off in the SOA. I do not want to turn off the entire web shield, I only want to turn off the portion of the web shield that issues warnings and blocks for theoretical, not actual, threats.

polonus · 2017-01-10T18:25:15.000Z

Hi KDibble,

Avast only flags websites that are a threat to the visitors thereof.

What further is mentioned as insecurity is no reason for avast to have set up detection of that site,
however mitigating vulnerability and ‘no best policy’ website management can be helpful in many ways.

It should be taken as an advice.

Only Avast Team Members can comment on why your website or the IP address the domain is on is being alerted.
They are also the only ones that can come and unblock.

We are just volunteers with relevant knowledge.
With thousands and thousands of all sorts of scans behind us, we can almost hear the website code-grass grow here. But whenever we place our ears to the ground, that does not mean you are bound to follow up our advice how to mitigate vulnerable code and issues we see. What we advice is a proposition only and can but need not be related to why avast blocks.

Wait for an Avast Team Member to give the final verdict on that site’s blocking,

polonus (volunteer website security analyst and wesbite error-hunter)

Eddy · 2017-01-10T18:35:10.000Z

What is the ticket ID ?

polonus · 2017-01-10T20:57:34.000Z

Main issue is the secure connection, not the initial one, that is secondary, but the real data transfer should be secure.

What security you want to exclude from your attention is your choice. Again the WebShield and the OAS warnings are all based on what a normal anti-virus vendor would detect and also what is outside their scope.

We do not advise you in the realms of firehole blocking, just show what best policy patterns are maintaining a website maintaining security standards (patch vulnerable and/or outdated code, uphold same origin (sri hashes generated), apply security headers, just stick to advisable standards. And again that is outside the scope of what avast should do.
Avast task is just to flag websites harmful to their end-users and that is where it stops.

Our forum advice is free, somewhere else it comes with a price-tag attached, and when the website is compromised or with a data-breach you have an even more expensive issue at your hands.

polonus

HonzaZ · 2017-01-11T08:29:34.000Z

This is blocked due to obfuscated redirection:

top['l'+'oc'+'a'+'t'+'i'+'on'] = location;

Remove this code (or at least the obfuscation!) and Avast will stop complaining

KDibble · 2017-01-11T14:55:40.000Z

HonzaZ post:12:

This is blocked due to obfuscated redirection:
top['l'+'oc'+'a'+'t'+'i'+'on'] = location;
Remove this code (or at least the obfuscation!) and Avast will stop complaining

Thank you. I am not the owner of the website, I am the CIO of an organization whose employees must use the website.

I am guessing that this refers to the website’s ability to allow a viewer to specify a location. This is a generic feature of most New York State websites. However, Avast does not pop-up a warning when I visit other New York State websites that have this feature.
And in fact, it does not actually work, on this or any other New York State website. If you choose that option you can enter a location and press an “update” button which does not do anything.

Further, if I click a link on the problematic page to go somewhere else, and then use the Firefox "bacK’ button to return to the page, I do not get an Avast pop-up. If this is really worth warning people about, shouldn’t it warn me every time?

Contrary to what others have said here, it appears you are flagging the site because the code does something that can be misused, not because the site actually contains a real threat. I request that you stop doing that.

Thanks.

Eddy · 2017-01-11T15:54:16.000Z

Ofcourse the back button does not trigger a alert as it is the webshield that detects it and the back button makes a browser load a local cache file.

I don’t think avast will stop doing that.
If they would they will put the users at more risk then is needed.

Tell the owner of the site to fix the issues that have been reported here.
That is the real solution.

HonzaZ · 2017-01-11T15:57:21.000Z

KDibble post:13:

HonzaZ post:12:
This is blocked due to obfuscated redirection:
top['l'+'oc'+'a'+'t'+'i'+'on'] = location;
Remove this code (or at least the obfuscation!) and Avast will stop complaining
I am guessing that this refers to the website’s ability to allow a viewer to specify a location.

No, the code I mentioned is for redirecting users to another location (URL). It means it can redirect you to an arbitrary website. Redirecting users is fine per se, obfuscated redirection is something usually done by “the bad guys”, and will be blocked.

KDibble · 2017-01-11T18:57:43.000Z

Just a few minutes ago I received an email purportedly from Avast that contained an attachment which Avast deleted as malicious.

This has happened to me twice, both times in connection with the ticket I mentioned in this thread. The first time was on October 21, 2016, right after I filed the ticket. This time it happened a bit more than 24 hours after I sent update replies to the Avast “Help is on its way” and “Tell us how we did” emails that were generated for this ticket.

Both messages had the subject line: Re: Hi! You have a new message from the team.( Ticket ID: [#557683] )

This is the correct ticket number.

Both messages had from and reply-to addresses: Avast Customer Care customer.care@avast.com

This raises the distinct possibility that something or someone is monitoring Avast email and attacking senders.

I have Avast set to delete, not quarantine, suspect attachments so I can’t provide the file. I can give you the full headers for the suspect emails, but I tried to post them here once and the post didn’t go through–perhaps a length limitation?

Modified to attach a text file containing headers and body text for the infected email.

Pondus · 2017-01-11T19:21:10.000Z

Just a few minutes ago I received an email purportedly from Avast that contained an attachment which Avast deleted as malicious.

Did avast give a malware name?

Eddy · 2017-01-11T19:26:30.000Z

According to the headers : X-Attachment: \mai183A.tmp Virus: JS:Redirector-BLW [Trj] Deleted

Pondus · 2017-01-11T19:34:51.000Z

Eddy post:18:

According to the headers : X-Attachment: \mai183A.tmp Virus: JS:Redirector-BLW [Trj] Deleted

same as here > https://forum.avast.com/index.php?topic=195198.msg1358764#msg1358764

did somone from avast put a code sample in the attachment?

HonzaZ · 2017-01-12T08:41:21.000Z

Can confirm, they did put the code (to be deleted from the domain) into the ticket body, which then triggers the detection.

Announcements