False Positive Report for my domain although cleaned and verified

Hi Avast Team,

I am reporting a false positive for the domain: scientology49 (DOT) fr

The site was previously compromised (HTML:Script-inf) but it has been fully cleaned and updated to the latest PrestaShop.

Current Status:

  • Google / Bitdefender / ESET / Sophos / Microsoft / Fortinet: ALL CLEAN.

VirusTotal score is currently 12/97 because major engines are already clearing the domain. You can check the report on VirusTotal for scientology49 (DOT) fr

Could you please re-evaluate the domain reputation and remove the block?

Thank you.

Best regards, Michel

First, I’m an Avast user and not an Avast Team member.

There are other sites that can also check a site link.

New location to report both a False Positive and/or a False Negative (for File or URL)

Hi David,

Thanks for your help and links.

I’ve already submitted a False Positive report using the new location you mention several days ago, without response nor change re the false positive. That’s why I’m looking for help here.

I also clicked several times on the False Positive button in Avast itself and filled in the indicated link www.avast[DOT]com/report-false-positive#pc to no avail.

Michel

The other links are to see if they find any weakness that could be exploited.

Unfortunately the lack of a response and it still being present, is that the check may have been run automatically rather than manually.

I don’t know if you have been using the Avast Alert window to report a possible false positive, which I have just done. However they wouldn’t know me from Adam rather than an Avast Forum regular.

So you could also submit it using the link I gave previously as that allows you to input more information.

Hi David,

I really appreciate you taking time to help me.

Yes, I did use the Avast Alert Window to report a false positive, many times indeed:

And I know for a fact that Avast does react on reputation only and not on site analysis because I cloned my site onto another domain name and Avast does not signal any threat on that domain.

According to Gemini:

"What is Avast basing its block on? Avast does not scan your site every time a user clicks. It uses a hybrid system called CyberCapture and WebRep. Its judgment relies on three main pillars:

  • Signature History (HTML:Script-inf): Avast has recorded that scientology49.fr previously hosted a malicious script. Even though the script has been removed, the “Infected Domain” entry remains in their Cloud database until a Time-to-Live (TTL) counter expires or a human validation clears it.

  • SSL Certificate Metadata: Occasionally, if the SSL certificate was issued or active during the infection, Avast flags the certificate’s digital fingerprint as suspicious.

  • Lack of ‘Healthy’ Traffic (Trust Score): Avast assigns a trust score to domains. A hacked site’s score drops to zero. To recover, it requires either time or for the domain to be “cleared” by other authorities. The fact that Microsoft and Bitdefender are now ‘Clean’ is your strongest argument, as Avast monitors the decisions of its competitors.

Why is Avast the hardest to unblock? Avast is particularly tenacious because it is highly protective of its free-tier users. Unlike Microsoft, which often unblocks as soon as a scan comes back clean, Avast frequently requires proof of cleanup or manual intervention from one of their technicians."

I used again the link you mention to input more information:

Thanks again for your help David.

Michel

I fear that Gemini isn’t entirely correct, and Google’s AI is similar using the same search string.

What is Avast Basing its block on

But what else can be done? As an Avast user there isn’t a great deal more I can do.

I will try to attract some attention to this in another area of the forum.

Hi David,

Great news: CRDF Labs has just officially whitelisted my domain (Ref #20260117543786) after manual review. They have confirmed the site is now clean.

Summary of the current status:

  • CRDF Labs: CLEAN (Manual review completed).

  • Infrastructure: DNSSEC active and verified.

  • CMS: Fully restored from clean backup and upgraded to 1.7.8.11.

  • Threat: ClickFix/ClearFake confirmed as eradicated.

Since the primary blacklist has been cleared, can the Avast Team finalize the process on your side? Many thanks for your help

I tried to connect and got an alert, which I reported as a possible false positive. Which you can do and possibly better with the manual link for reporting a possible false positive given earlier.

Interestingly after closing the alert windows, part of the site was displayed at which point Firefox was reporting a secure connection error/failure. I have no idea if this might be related to the Web Shield or not.

Hi David,

I have completed the final security hardening of the domain. Here is the definitive status of the infrastructure:

  • Official Whitelisting: CRDF Labs has officially removed the domain from their database (Ref #20260117543786) after manual verification.

  • Security Protocol (HSTS): I have enabled HSTS with a 12-month max-age, including subdomains, to ensure permanent encrypted connections.

  • TLS Configuration: I am now enforcing TLS 1.2 as the minimum version, with TLS 1.3 enabled. The site achieved a 100% score on Internet.nl in TLS 1.3 mode, and I’ve maintained a 98% score in the current balanced mode to ensure maximum compatibility with the greatest number.

  • Infrastructure: DNSSEC, IPv6, and RPKI are all fully active and verified.

  • Integrity: The PrestaShop installation has been upgraded to 1.7.8.11 and verified clean.

The PR_CONNECT_RESET_ERROR you previously encountered should be resolved by these standardized TLS settings.

I transmitted all this data via the indicated form in the hope it will at last escalate to the Avast Lab for the final whitelist synchronization.

Thank you for your invaluable help during this process!

Michel
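
Added example, not part of the original thread and not code from any poster or from Avast: a Python check that a `Strict-Transport-Security` header value meets the policy described in the post above (12-month max-age, subdomains included), parsed according to RFC 6797. The function names, the reading of "12-month" as 31536000 seconds, and the sample header values are assumptions made for the illustration.

```python
import re

# Assumption: "12-month max-age" is read as 365 days in seconds.
TWELVE_MONTHS = 365 * 24 * 3600


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797, 6.1) into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives, e.g. a trailing ';', are permitted
        name, sep, raw = part.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if sep and len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]  # a directive value may be a quoted-string
        if name in directives:
            # RFC 6797: a directive must not appear more than once
            raise ValueError(f"directive repeated: {name}")
        directives[name] = raw if sep else None
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives


def check_policy(value, min_age=TWELVE_MONTHS):
    """Return a list of findings; an empty list means the policy is met."""
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if int(d["max-age"]) < min_age:
        findings.append(f"max-age {d['max-age']} is below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains is not set")
    return findings


# Constructed sample values, not captured from the site in the thread.
SAMPLES = ("max-age=31536000; includeSubDomains",
           'max-age="15768000"',
           "includeSubDomains")
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", check_policy(s) or "OK")
```

The header value to test can be copied from the response headers shown in a browser's developer tools for the site being checked.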

Obviously, as an Avast user I’m limited in what I can do; I have bumped it again in another restricted area of the Community forum.

Hi David, Hi Avast Team,

I am writing this final update to report a critical anomaly in Avast’s filtering system regarding scientology49[.]fr.

As of today, the consensus in the cybersecurity industry has shifted decisively:

  • VirusTotal: The domain is now marked as CLEAN by 91 out of 94 security vendors.

  • Industry Leaders: Forcepoint, alphaMountain, Emsisoft, and Dr.Web have all manually reviewed and whitelisted the site in the last 48 hours.

  • Technical Excellence: The site scores 98% on Internet.nl and implements HSTS with a 12-month max-age including subdomains.

  • Legacy Issue: Avast is now among the last 3% of vendors worldwide still blocking this domain based on a resolved incident from November 2025.

At this stage, maintaining the block is no longer a security measure but a technical malfunction of Avast’s reputation database. This is causing unjustified prejudice to a site that follows the highest security standards (DNSSEC, RPKI, HSTS).

Could a staff member please perform a manual override? The community and automated tools have clearly spoken: the site is safe.

I have bumped it yet again.

However I have just visited the site and it worked without an Avast Alert for me.

Looks like I will have to go back to where I bumped it and flag my post for deletion.

Hi David,

Thank you for the update. It’s great news that it’s working on your end.

However, despite updating my Avast definitions and flushing my DNS, I am still getting the HTML:Script-inf [Susp] alert on my local machine (Screenshot attached).

On VirusTotal, we are now down to 2/94 (only Lionic and MalwareURL remaining). Since the central database seems clear, could this be a synchronization delay with specific regional servers or the Web Shield’s heuristic engine?

I would appreciate it if you could mention to the team that while the ‘bump’ worked for some, the local block is still affecting users in my region.

Michel

I can’t explain the differences, I’m in the UK and I’m using Firefox as my default browser. You could check it with a different browser.

I’m not sure there are any regional differences.

Hello @utilisateur3483,

Thank you for reporting this.

We’ve also made a change in our database. Please update the Avast virus database, restart your device and see if the detection persists.

@DavidR, thank you very much for your help here!

2 Likes

Hi MJay and DavidR,

I am delighted to confirm that the issue is now fully resolved on my end.

After updating the Avast virus database and restarting, the website is accessible without any alerts.

Thank you MJay for your manual intervention in the database, and a huge thanks to DavidR for your continuous support and for ‘bumping’ the case multiple times. This confirms that our security hardening (HSTS, DNSSEC, 98% Internet.nl score) is now correctly recognized by Avast.

Great teamwork. This thread can now be closed.

2 Likes

Very pleased to hear this.