false positive - [solved]

Hello!
Avast sends my domain https://dte.twp.cl to the blacklist and I can’t find a reason.

I would like to know the reason, so I can correct it and get off the list. I have sent all the information to the form https://www.avast.com/report-false-positive#pc but I cannot get it removed from the blacklist.

Please help.

scan:

https://urlscan.io/result/6b883b74-f645-4f1d-bcf1-1557a17be62c/
https://check.getsafeonline.org/check/dte.twp.cl?inputUrl=dte.twp.cl
https://www.ssltrust.com.au/ssl-tools/website-security-check?domain=dte.twp.cl&ssl=true
https://www.virustotal.com/gui/url/e587c57a6cbcaf6fbcdc047f5a73a94ad67c31e3b532a65518452107f60630e9?nocache=1
https://transparencyreport.google.com/safe-browsing/search?url=dte.twp.cl
https://transparencyreport.google.com/safe-browsing/search?url=twp.cl
https://unmask.sucuri.net/security-report/?page=dte.twp.cl
https://quttera.com/detailed_report/dte.twp.cl
codes:
c47ad7327228/2024-07-17T17:08:11.060Z
1c1dd596f76a/2024-07-24T19:56:47.248Z

Suspicious links were found:

What about hxtps://region1.google-analytics.com/g/collect?v=2? &tid=G-T915SD7BNP%3Em=45je47o0v9119105494za200&_p=1721857051493&gcd=13l3l3l2l1&npa=1&dma_cps=syphamo&dma=1&tag_exp=0&cid=1402193343.1721857052&ul=en-us&sr=800x600&frm=0&pscdl=noapi&_s=1&sid=1721857051&sct=1&seg=0&dl=https%3A%2F%2Fdte.twp.cl%2F&dt=XML%20a%20PDF%20-%20Archivos%20DTE%20del%20SII%20Chile&en=page_view&_fv=1&_nsi=1&_ss=1&_ee=1&tfd=1401 It could be a legit Google tracker.

blocked https://www.clarity.ms/s/0.7.41/clarity.js because of clarity dot ms. uMatrix blocks for me.

This script: htxps://dte.twp.cl/polyfills-LZBJRJJE.js Third-party script injection: Although the script is hosted on a trusted CDN, there’s still a risk of malicious actors injecting malicious code into the polyfill script. This could happen if an attacker compromises the CDN or uses a vulnerable version of the script.
Execution context: Since the script is intended to be executed in a web page context, there’s a risk of it being used to exploit vulnerabilities in the hosting page or other scripts.
Bypassing browser restrictions: Some polyfills may potentially bypass browser restrictions or security features, such as the Content Security Policy (CSP) or Same-Origin Policy. However, in this case, the script appears to be designed for browser compatibility and doesn’t seem to intentionally bypass security controls.

But again, as said many times before, wait for a final verdict by avast’s

polonus

I would like to know the reason, so I can correct it and get off the list. I have sent all the information to the form https://www.avast.com/report-false-positive#pc but I cannot get it removed from the blacklist.
When did you report it, today?

I thank you very much for responding.

  1. Regarding the Google tracker, this is what Google Analytics tells me to add to the website.

  2. Regarding Clarity: it is the Microsoft script, it is totally legitimate, I am attaching a screenshot of that.

  3. Regarding polyfills, I am going to review how I can replace it from Angular. (I am not using a CDN; it is from the same server when packaging the app.)

Again, thank you for responding with that security analysis!

In the last week, *It’s been 9 days since the first report I made.

It is quite frustrating, because they could give you a tracking number, to have evidence of the submissions that have been made through the form.

I have continued checking with other tools and they do not detect a problem.

https://radar.cloudflare.com/scan/c214fd90-0693-4c0e-ad9f-e0af18102fec/security
https://safeweb.norton.com/report?url=https:%2F%2Fdte.twp.cl

I’m worried because I do this and my clients are affected.

Many thanks to the Avast team who removed us from the blacklist!

Thanks for the confirmation.

Yesterday they deleted my site and today it appears again, blocked, please help.
Again the false positive form.

Please help me understand what is happening.

https://dte.twp.cl

With VT, there is only the CRDF Threat Centre that flags; Isitphish gives 90.9% legitimacy and 9.1% phishing.

Here it is getting all green: https://quttera.com/detailed_report/dte.twp.cl

Polyfill Script: Regarding the polyfill script from htxps://dte.twp.cl/polyfills-LZBJRJJE.js, it’s crucial to verify its source.
As with any script, there’s a risk if the CDN is compromised or if a vulnerable version is being used.
If you have control over the CDN or the script, make sure it’s up-to-date and verify its integrity.

Again, wait for a final verdict from the Avast team.

polonus

Thanks for replying again.

You are indeed right, my deployment process does not delete that file, that is why it kept appearing.

I updated the versions of zone.js and Angular (due to the polyfills bug),
and the URL of the previous version, htxps://dte.twp.cl/polyfills-LZBJRJJE.js, is no longer there.

I sent the false positive request to https://threatcenter.crdf.fr/false_positive.html
and the problem no longer appears.

I see that it has been fixed in Avast and in CRDF.

https://www.virustotal.com/gui/url/e587c57a6cbcaf6fbcdc047f5a73a94ad67c31e3b532a65518452107f60630e9?nocache=1
https://www.urlvoid.com/scan/dte.twp.cl/

Thanks a lot bro.
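Two points in this thread can be turned into a repeatable check: polonus's advice to verify the integrity of the polyfill bundle, and francisco129's finding that the deployment never deleted the old polyfills-LZBJRJJE.js, so a stale bundle kept being served and flagged. The script below is an added example, not code from the forum or from the site owner; it computes the Subresource Integrity (SRI) digest of each bundle the build produced and then audits what the web server is serving against that build manifest, reporting files that match, files whose bytes differ, stale files the current build never produced, and built files that are missing. All file names and contents are constructed sample data; in real use you would read the build output directory and fetch the served files.

```python
import base64
import hashlib

# Constructed sample data (not the real files from dte.twp.cl): the bytes of
# the bundles the build produced, keyed by the hashed filename Angular emitted.
BUILD_OUTPUT = {
    "polyfills-NEWBUILD.js": b"/* polyfills bundle from the current build */\n",
    "main-NEWBUILD.js": b"/* main bundle from the current build */\n",
}

# Constructed sample of what the web server is actually serving after a
# deployment that copied the new files but never deleted the old ones.
SERVED_FILES = {
    "polyfills-NEWBUILD.js": b"/* polyfills bundle from the current build */\n",
    "main-NEWBUILD.js": b"/* main bundle from the current build */\n",
    "polyfills-LZBJRJJE.js": b"/* stale polyfills bundle from an older build */\n",
}


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return the SRI value for `data`, e.g. 'sha384-<base64 digest>'.

    Browsers only accept sha256, sha384 and sha512 in the integrity attribute.
    """
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_manifest(build_output: dict) -> dict:
    """Map each built filename to the SRI digest the <script> tag should carry."""
    return {name: sri_digest(data) for name, data in build_output.items()}


def audit_served_files(manifest: dict, served: dict) -> dict:
    """Compare what the server serves with what the build produced.

    Returns a dict of lists:
      'ok'       - served file whose bytes match the build
      'modified' - served file present in the build but with different bytes
      'stale'    - served file the current build never produced
      'missing'  - built file that is not being served at all
    """
    result = {"ok": [], "modified": [], "stale": [], "missing": []}
    for name, data in served.items():
        if name not in manifest:
            result["stale"].append(name)
        elif sri_digest(data) == manifest[name]:
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    for name in manifest:
        if name not in served:
            result["missing"].append(name)
    return result


if __name__ == "__main__":
    manifest = build_manifest(BUILD_OUTPUT)
    # The integrity attribute lets the browser refuse a bundle whose bytes
    # no longer match what was built, whether served from a CDN or locally.
    for name, digest in manifest.items():
        print(f'<script src="{name}" integrity="{digest}" crossorigin="anonymous"></script>')
    report = audit_served_files(manifest, SERVED_FILES)
    for kind, names in report.items():
        print(f"{kind}: {names}")
```

Anything listed under `stale` is a leftover from a previous deployment and should be removed from the server; anything under `modified` means the served bytes differ from the build and warrants investigation before the site is resubmitted to a false-positive form.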

Hi francisco129,

You are welcome, good that this is out of the way now.
As they say, all is well that ends well.

polonus