False Positive or Real Problem?

dougjp · 2015-10-02T20:11:01.000Z

At this site, unfortunately you have to be a subscriber to download the newsletter, so it won’t be easily possible to check. All previous months’ pdf newsletters downloaded fine. Screen shot of the error message is below.

http://www.paintingezine.com/

I have corresponded with the site, they have another complaint which coincidentally is from an Avast AV user, no other complaints from others.

http://home.powergate.ca/~dougjp/Paintingezine.jpg

jeffersonsant · 2015-10-02T20:35:35.000Z

how private link only you have access
PDF they are not malicious contain link to sites external
I have not received any alerts.

redirects

< script type='text/javascript' src=hxxp://stats.wp.com/e-201540.js' async defer> < / script >

Blacklist

https://www.virustotal.com/en/url/0a3e4ef5625e1ca6dd4ba54c16cfd77d4dbf66a4a25e3354c8b55256320667c3/analysis/1443817639/

https://urlquery.net/report.php?id=1443817584436

polonus · 2015-10-02T22:35:01.000Z

See IP badness history and detections: https://www.virustotal.com/nl/ip-address/192.0.76.3/information/
See the alert for malware here: https://urlquery.net/report.php?id=1443817584436 info in ochre.

polonus

dougjp · 2015-10-02T22:41:44.000Z

I’m “struggling to keep up” in terms of understanding. However I’ll try by saying those links both of you provided seem to conclude there is no problem with the site or the file, and Avast incorrectly identified the download. Ie; its a false positive and shortly an updated virus definition will solve Avast’s problem.

Is this correct, yes/no?

polonus · 2015-10-02T23:16:51.000Z

Seems a larger campain, see these scan results: https://urlquery.net/report.php?id=1443826150664
For the malware flagged by Fortinet’s → https://www.virustotal.com/nl/url/9541793536572b449d19fe297bd9dbd737b48deff438fe24204189530ee23289/analysis/
but here no results: https://www.virustotal.com/nl/file/01a2603f5878905ffb8eb7a8c8ea5323a56c559405b608b2b07736bb1d8cc137/analysis/1440856103/ DrWeb gives as clean - others flag anomalies → http://www.domxssscanner.com/scan?url=http%3A%2F%2Fstats.wp.com%2Fe-201540.js → WordPress Theme
The theme has been found by examining the path /wp-content/themes/ theme name / h4
Linked javascript: -https://s1.wp.com/home.logged-out/js/modernizr.js?v=2
See: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fs1.wp.com%2Fhome.logged-out%2Fjs%2Fmodernizr.js%3Fv%3D2
as given clean here: https://www.reasoncoresecurity.com/modernizr.js-e151eacb7cf103f5487611c66ebbb18e259e2f88.aspx
seems OK: http://toolbar.netcraft.com/site_report?url=https://s1.wp.com

As these were Fortinet’s Web Filter Web Traffic Detections the last word should come from Avast Team whether these are genuine detections or anomalies that can be classified as false positive? So let us wait for the fiinal word from Avast Team.

The anomaly I get flagged with a Javascript check on : s1.wp.com/home.logged-out/js/modernizr.js?v=2= Suspicious code

ect|textarea|object|iframe|option|optgroup)$/i,f=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|spam|strong|table|tbod

Could be Adware and spy call option chain malcode…

polonus (volunteer website security analyst and website error-hunter)

HonzaZ · 2015-10-04T06:18:57.000Z

dougjp,
without the file, we cannot do much. The detection name is a generic name for a PDF, in which a link to a blocked URL is. Can you send the file to virus@avast.com or submit a ticket via support.avast.com? If you do, post the info here or shoot me a PM and I will look into it.
Thanks!
Honza

system · 2015-10-04T08:03:39.000Z

HonzaZ post:6:

dougjp,
without the file, we cannot do much. The detection name is a generic name for a PDF, in which a link to a blocked URL is. Can you send the file to virus@avast.com or submit a ticket via support.avast.com? If you do, post the info here or shoot me a PM and I will look into it.
Thanks!
Honza

hххp://paintingezine.com/?wpdmdl=3606 —>> PaintingEzine_October2015.pdf (22.3 Mb ( 23350138 bytes ))

https://www.virustotal.com/ru/file/8af57a8ea59523c2f6c5d4adda21939f31f0ea36b2b89cb17c32a8ebe9f4b731/analysis/1443945457/

HonzaZ · 2015-10-04T08:17:14.000Z

Oops, I thought he said private, so I didn’t even test it :-).
In this case, Avast complains about seeing a clickable link to “gmil.com”, which we block. I suppose this is a typo, isn’t it? If you remove/correct it, Avast will stop complaining.

dougjp · 2015-10-04T12:36:31.000Z

Thanks so much for that! Now that I have this specific information I’m getting in touch with the site. Being a small subscription type ezine, my bet is its a typo in an e-mail link and not intentional use of gmil.com. My wife just went to the site and successfully downloaded past months’ issues but not the latest one, which seems to confirm this.

Announcements