False Positive: Site Blocked - HTML:Script-inf

Avast is blocking our website wxw.vagamundos.pt, claiming that it is infected with HTML:Script-inf[Susp].

We believe it is a false positive because our website is monitored 24/7 by Sucuri (premium account) and all the reports say that it is clean of malware.
We also checked for viruses on several websites and all of them show that the site is not infected/blacklisted:

https://www.virustotal.com/gui/url/9cc4af13183fbbff4724da3174298b7d27eea4d8e4cf76c69ef37c400ea84c2c?nocache=1
https://labs.sucuri.net/blacklist/info/?domain=vagamundos.pt
https://www.siteadvisor.com/sitereport.html?url=vagamundos.pt
https://yandex.com/safety/?url=vagamundos.pt&l10n=en
https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fwww.vagamundos.pt%2F

We already filed a report yesterday at https://www.avast.com/false-positive-file-form.php but we got no feedback.

Since we work in the tourism sector, weekends are usually very busy, and many readers of our site are reporting that they cannot access our website, which is hurting our brand image and company profit.

Can someone here help us check this false positive issue and help us get the site unblocked?
Thank you so much for your time.

Unmask/Sucuri. https://unmask.sucuri.net/security-report/?page=www.vagamundos.pt

Thanks for your help. The Suspicious Inline Script is from WP Rocket plugin, a very popular plugin:
class RocketLazyLoadScripts{constructor(){this.v="1.2.3",this.triggerEvents=["keydown","mousedown","mousemove","touchmove…

We have Sucuri premium monitoring the site and I ran another scan and it keeps showing no issues, even on the server side (screenshot attached). Therefore it seems a false positive to me.

I just tried running the test again and it is showing no issue now:
https://unmask.sucuri.net/security-report/?page=vagamundos.pt

Still, the website kicks up a 404 error and cannot be scanned:
hxtp://vagamundos.pt/.git/HEAD
This is being flagged at Sucuri's.
Read:
https://serverfault.com/questions/128069/how-do-i-prevent-apache-from-serving-the-git-direc

polonus
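The fix polonus points to, as an added example that is not from this thread or from the Sucuri/WP Rocket projects: an Apache configuration that refuses to serve any `.git` directory (and the files inside it) anywhere under the document root, answering with 404 so a scanner or attacker cannot tell an exposed repository from a path that does not exist. It assumes Apache 2.4 syntax (`Require`) and that you can edit the server or virtual-host configuration; the `.htaccess` variant is for shared hosting where only the document root is writable, and the hostname in the check is a placeholder.

```apache
# --- Server / virtual-host configuration (Apache 2.4+) ---
# Match ".git" as a path component at any depth: /.git/HEAD, /blog/.git/config, ...
# mod_alias RedirectMatch with a 404 status makes the repo indistinguishable from
# a missing path (a plain "Require all denied" would answer 403 and still confirm
# that the directory exists).
RedirectMatch 404 "(^|/)\.git(/|$)"

# Belt and braces: even if some Alias or rewrite bypasses the URL match,
# refuse access at the filesystem level too.
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>

# --- .htaccess variant (shared hosting; needs AllowOverride FileInfo for mod_alias) ---
# Put this in the document root's .htaccess instead of the block above:
# RedirectMatch 404 "(^|/)\.git(/|$)"
```

Verify from outside after reloading Apache: `curl -sI https://www.example.com/.git/HEAD` and `curl -sI https://www.example.com/.git/config` should both return `HTTP/1.1 404`, and `https://www.example.com/.git/objects/` as well. The configuration only hides the directory; the durable fix is to deploy the site without the `.git` directory in the web root (e.g. export/checkout into a separate path) since an exposed `.git` lets anyone reconstruct the full source, including any credentials ever committed.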

Thanks a lot for your help. I read the info you sent me and, from what I understand, the only page that Sucuri can't read in the SiteCheck page is the .git/HEAD (it shouldn't even try to read it in the first place). Like I mentioned, I have Sucuri Pro monitoring my site and I have no errors scanning the site or warnings at all.

Anyway, I'm going to follow your tip and try to prevent Apache from serving the .git directory. Hopefully it works.
Once again thank you for your help.

Just to give some feedback: the Avast team already confirmed that it was a false positive and cleared the reputation in their database, and therefore the site is not blacklisted anymore. I really appreciate the efforts of the ones who tried to help. Thank you guys!

I'm having the same issue with our website www.reno.solar. Can someone help please?

First, there is little detail to work with; a screenshot of the Avast alert, with the Details option selected, would also help.

Please modify your link (as I have in the quoted text) or just post the domain name leaving the www out completely, so it isn't active, to prevent accidental exposure.

There are lots of links above where you can investigate and see what else may be found.
There is also a link in the first post to report a suspected FP.

  • Attaching Images to your post - When you click the Reply button, it opens a text window for you to post your comment (reply or post).
    Click the Preview button; that shows what you have input and expands it to include 'Attachments and other options'. Click that and it further expands; here you can attach images, etc. at the bottom of your post.
    See my attached image, click to expand.

The site is no longer being blocked by Avast.

polonus

Avast blocks access to the site's Sukututkijan sanasto pages. How can I bypass the block?
https://www.juuret.org/sanasto

Malware detected https://sitecheck.sucuri.net/results/www.juuret.org

This page includes a JavaScript/iframe from hxxps://js.localstorage.tk/s.js?qr=888 that is blacklisted by Sucuri Labs, see hxxps://labs.sucuri.net/?blacklist=js.localstorage.tk

https://www.virustotal.com/gui/url/d7ddbcb38657da97fc3089d8973255648355e529691a2fcfcc564cecf55afe1c?nocache=1

Cleanse the live link, like with hxtp:// or -http://

See the 16 malicious files given here: https://quttera.com/detailed_report/www.juuret.org

Infested with M.BL.Domain.gen. Also see: https://sitecheck.sucuri.net/results/www.juuret.org

Belonging to compromised website categories.

polonus

I'm having the same issue trying to access zbj.com.
It works on my cell phone, but Avast blocks it on my laptop:
Blacklisted HTML:Script-inf [Susp]
Please see the attached screenshots.

New location to report either a False Positive and or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

@Pondus
I suggest that the new FP FN reporting page should be added to the information and guidance located in your post here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Quttera also flags it as Detected Malicious Files:
File name: /fw/1928094.html
Threat name: M.BL.Domain.gen
File type: HTML
Reason: Detected reference to malicious blacklisted domain -homesitetask.zbjimg dot com (the file contains a reference to a blacklisted domain, -homesitetask.zbjimg dot com, which is known to be malicious)
Details: Detected reference to blacklisted domain
Threat dump: [[homesitetask.zbjimg dot com]]
Threat MD5: D17ED955D52B07C816EEFBFDA6A60017
File MD5: 58619576420A044529D3D1B08D0DCF8B
Line: Available via API only.

Also consider: https://www.virustotal.com/gui/url/af592aa3aa8984375bb8e3518c32e5a20c65cfc0eac2b1604435349872c5bbce

Wait for a final verdict from Avast, as with generic finds there is always the possibility of an FP.

Redirections:
HTTP Status Code: 404
Content Size: 30
Content Type: application/json
IP Address: 27.221.82.41
Country: CN
Web Server: JSP3/2.0.14

polonus

Why is it flagged? M.BL.Domain.gen is likely a part of a GraphQL schema, specifically a part of a generated schema from a .NET Core project using the Microsoft.EntityFrameworkCore package.

When you run dotnet ef dbcontext scaffold to generate a DbContext and its related entities, it can generate a GraphQL schema using the Microsoft.EntityFrameworkCore.Tools package. The generated schema will include types like M.BL.Domain.gen, which represent the entities and relationships in your database.

In an API response, these types would typically be returned as JSON data, so yes, M.BL.Domain.gen could appear in an application/json response. For instance, the M.BL.Domain.gen type would correspond to the user entity in the GraphQL schema. The actual JSON payload would depend on the specific schema and the queries executed against the database.

polonus

Not my post, I can't modify it; that post is from Pondus.

Yes, the FP/FN info post was by @Pondus. I have modified my post above in the hope @Pondus may see it and do the edit.

EDIT: Actually the "new reporting page" posted by @DavidR is the "selector" page that sits above the separate FP and FN pages that @Pondus posted. Both are valid and can be used, so not a big deal.