FP for a website, is it safe or what?

some of our users have a legitimate reason to go to http://stonco.com/ and http://www.stoncolighting.com

the site looks legit, but avast constantly blocks them with this:
avast! [PC7]: File “http://www.stoncolighting.com/” is infected by “HTML:Script-inf” virus.
“Resident protection (Web Shield)” task used Version of current VPS file is 100517-0, 05/17/2010

should i globally whitelist the url in our server, or is this really a false positive?

is the site dangerous or what?

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=stonco.com

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.stoncolighting.com

Diagnostic page for stonco.com
http://www.google.com/safebrowsing/diagnostic?site=http%3A//win.stonco.com/win.htm
Malicious software includes 2 scripting exploit(s), 2 worm(s). Successful infection resulted in an average of 8 new process(es) on the target machine

avast isn’t alone in this as in trying to connect to check it out, firefox’s safe browsing alert pops up saying this is an attack site. This is the same for both sites.

So it looks like this site might well have been hacked.

http://www.google.com/safebrowsing/diagnostic?site=http://stonco.com/

What is the current listing status for stonco.com?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-05-15, and the last time suspicious content was found on this site was on 2010-05-15.

Malicious software includes 2 scripting exploit(s), 2 worm(s). Successful infection resulted in an average of 8 new process(es) on the target machine.

Malicious software is hosted on 4 domain(s), including kh76t.3322.org/, love2012.info/, caipiaoyuce.info/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including tlinee.com.cn/.

This site was hosted on 1 network(s) including AS7018 (ATT).

http://www.google.com/safebrowsing/diagnostic?site=http://www.stoncolighting.com/

What is the current listing status for stoncolighting.com?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 10 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-05-16, and the last time suspicious content was found on this site was on 2010-05-16.

Malicious software includes 4 scripting exploit(s), 2 worm(s). Successful infection resulted in an average of 5 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including bioeye.3322.org/, kh76t.3322.org/, love2012.info/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including tlinee.com.cn/.

This site was hosted on 1 network(s) including AS7018 (ATT).

that’s what you call an FP ??? ;D

wow - thanks for that… my sheep called it a FP so i did too :slight_smile:

now i’m going to contact their webmaster and razz him a little - maybe they don’t mean to be harmful

hum…guys, what’s up, I don’t get any alert from the web or network shield on these two sites ??? (js off but still…)

same here, no avast warning… ???..fixed already ?

I tried in the sandbox with IE, then Firefox and js allowed >>> nothing. Wondering where the OP got the alert from ???

i get 300 of these per day from various users who have a legitimate need to go to that site… from their resident protection, with today’s updated pattern file:

avast! [PC7]: File “http://www.stoncolighting.com/” is infected by “HTML:Script-inf” virus.
“Resident protection (Web Shield)” task used Version of current VPS file is 100517-0, 05/17/2010

they come to me by email, as defined in our server settings

could you ask one of your users for a screenshot of the alert?

i’ll do it right now - now i’m curious too

Google chrome doesn’t even allow the website to load enough for avast to check it.

Whilst avast no longer alerts, google safe browsing will take longer to remove this from its lists and as a consequence firefox which also uses this list will continue to block based on the listing. So they are going to have to contact google to have the listing revoked/reviewed.

Since google chrome also uses the google safe browsing list it will still block the site until the listing is revoked.

yeah I went beyond the Google alerts in Chrome to check Avast behavior (both Chrome and Mozilla are using the same Google malware blocking tool, it’s the same database) … No blocking from Google in Firefox though ??? and again Avast sends nothing.

edit: this said I’m a bit surprised because the two sites belong to the “Philips” group…they may have been hacked, but they’re in no case malware “providers” ;D …or the sites are fake which I doubt.

yep, same here. Just need to get it off of google’s list now I guess.

I edited my last post >>> Google alerts strangely just in Chrome and not in Firefox. Thought that was referring to the exact same Google database in both browsers.

still waiting on the users’ screenshots - i wasn’t able to reproduce it on another avast machine, so it’s got to be a specific link they’re going to (?)

i did send a nice little email over to their tech department and their VP of marketing, maybe they’ll be motivated to check it out themselves

i’ve seen this in the past with shared hosting - some real malware sites on the same server as a legitimate site

yeah there must be one page on the site that’s infected…maybe the catalog downloads I don’t know…

oh hey i got a reply from one of the users

“we have been told by Crescent that they are having problems with their website… but i’ll try the screenshot anyway”

hmm… it’s a shame that such a big company is having these issues… i guess stonco/crescent/philips are all the same entity in a way.