FP - Web shield - malwaremustdie.blogspot.com

There is a FP with the Avast Web Shield: it thinks that the malwaremustdie.blogspot.com feed is malware.

URL: http://malwaremustdie.blogspot.com/feeds/posts/default?alt=rss

I have manually confirmed that this site is not serving any malware, so please look into the issue and thanks in advance!

and what does avast say?
a screenshot would help…

Since this is a blog/forum about malware, my guess is that avast sees something that is posted in the forum,
maybe a code sample on display?

Avast says it's URL:Mal, so maybe Avast's own blacklisting system is doing this. I've set up an exception from within Avast, but it didn't help.

https://www.virustotal.com/sl/file/b3228324c91772777a7eda16e302f0e0e40086904526151d351d6f73ee3f7bee/analysis/1362233019/

At first sight this seems a good, valid detection.
But it might be a FP after all, because the link that is detected was broken in an unconventional way on that blog web page…
Analyze the code on that blog site at line 1044 and we see → injected JavaScript from hXXp://anie50sdark.rr.nu/nl.php?p=d
The address is broken like h00p, and possibly the avast! shield does not detect that the link is broken in this unfamiliar way!
Why was it flagged?
Re: Fake AV redirect → http://pastebin.com/3Q8tEXjp
This Trojan Horse is detected by avast! Web Shield as HTML:RedirBA-inf[Trj]
This is flagged and should be analyzed whether it is a FP.
When found to be a false positive, in the latest avast AV version one can directly report a FP from within the pop-up message.
Site given clean here: http://urlquery.net/report.php?id=1212663
and here: http://evuln.com/tools/malware-scanner/http%3A%2F%2Fmalwaremustdie.blogspot.com/

polonus

I believe it's still a FP, despite what the 5 AVs say. The malwaremustdie blog does not contain real malware, only the text/hexdump, and that too neutralised by masking most of the malicious code in it with *'s and other characters.

If the avast team still intends to keep the site blacklisted, maybe it should make the site whitelist effective for the avast malicious-site blacklist too. At present the whitelist prevents the avast engine from detecting, but the whitelist does not supersede avast's blacklists.

As for polonus's comment, I would like to point out that the detection is URL:Mal, so reporting of a FP isn't possible. Pastebin is whitelisted.

Hi access2godzilla,

Agree with you there. Report a false positive from within the web shield pop-up then. The avast team coders are known to react soon to credible FPs, sometimes even with an upcoming update. If links to malware are broken like hxxp or h00p, or even like -http or by spacing, the shields should recognize these as broken links and not as live links to malcode. Or it should even be the policy to alert on broken links (better safe than sorry), because it does not take rocket science to launch a live link from a broken one. These decisions rest with the avast coders.
The same goes for parts of malicious code without payload being given in security blogs and malcode write-ups. There a solution is not that easy, because part of that code should always be alerted on (some malcode is as small as 20 kB in size). That is why here in our forums we tend to give code in the form of an image, as that image cannot hurt anyone, can easily be recognized for what it is, and is not flagged by anti-malware scanning. So it is a question of fine-tuning detection, or of deciding this on a per-link basis…

polonus
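The distinction polonus draws above, between a live link and one that has been deliberately broken (hxxp, h00p, a leading dash), is something a scanner can actually test for. The following is an added example, not code from the thread, from avast or from the blog: a small Python classifier that finds URL-like tokens in text, reports which breaking convention each one uses, and reconstructs the working URL so a reviewer can see what the write-up was quoting. The "[:]//" and "[.]" forms are assumed here as further common conventions; the sample text is constructed, the hXXp line being the one quoted in this thread.

```python
import re

# Conventions used to "break" a link in a write-up. hxxp, h00p and a leading
# "-" are the forms named in this thread; "[:]//" and "[.]" are further
# common conventions and are an assumption of this example.
URL_TOKEN = re.compile(
    r'(?<![\w/])'                            # not glued to a preceding word or path
    r'(?P<lead>-?)'                          # "-http" style dash
    r'(?P<scheme>h[a-z0-9]{2}p(?P<tls>s?))'  # http, https, hxxp, h00p, ...
    r'(?P<sep>://|\[:\]//)'                  # "://" or the bracketed "[:]//"
    r'(?P<rest>[^\s<>"\']+)',                # host and path up to whitespace/markup
    re.I,
)
BRACKET_DOT = re.compile(r'\[\.\]|\(\.\)')


def classify_url(token):
    """Classify one URL-like token.

    Returns None if the token is not URL-like, otherwise a tuple
    (status, refanged, reasons): status is "live" or "defanged", refanged is
    the working http(s) URL the token stands for, and reasons lists the
    breaking conventions that were found (empty for a live link).
    """
    m = URL_TOKEN.match(token)
    if not m:
        return None
    reasons = []
    if m.group('lead'):
        reasons.append('leading dash')
    if m.group('scheme').lower() not in ('http', 'https'):
        reasons.append('scheme ' + m.group('scheme'))
    if m.group('sep') != '://':
        reasons.append('bracketed colon')
    rest = m.group('rest')
    if BRACKET_DOT.search(rest):
        reasons.append('bracketed dot')
    refanged = ('https' if m.group('tls') else 'http') + '://' + BRACKET_DOT.sub('.', rest)
    return ('defanged' if reasons else 'live', refanged, reasons)


def scan_text(text):
    """Find every URL-like token in text and classify each one, in order."""
    return [classify_url(m.group(0)) for m in URL_TOKEN.finditer(text)]


# Constructed sample: the hXXp line is the one quoted in this thread, the
# other links are made up for the example.
SAMPLE_TEXT = """
injected Javascript from hXXp://anie50sdark.rr.nu/nl.php?p=d
compare a real link https://example.net/live
and other broken forms: -http://example.net/x and h00ps://bad[.]example/nl.php
"""

if __name__ == '__main__':
    for status, url, reasons in scan_text(SAMPLE_TEXT):
        print(f'{status:8} {url}  {", ".join(reasons)}')
```

A shield that wants the "better safe than sorry" policy polonus mentions would alert on the refanged URL regardless of status; one that wants to avoid this kind of FP would only alert when status is "live".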

Hi all,

I also agree that this is a false positive. The malicious code is wrapped inside of the pre tag, so naturally it would've been detected. However, the HTML characters for the script tag are not present in the script, thus the malicious code would not be executed. There is no direct DOM manipulation as far as I'm aware of.
Also See: http://www.w3.org/TR/html5/grouping-content.html#the-pre-element

~!Donovan
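Donovan's point above, that a script tag written with escaped angle brackets inside a pre element is text rather than an element the browser would run, can be checked with a parser instead of by eye. The following is an added example, not code from the thread, from avast or from the blog: Python's html.parser unescapes &lt; to "<" before handing text to handle_data(), so a quoted tag shows up there and never as a start tag. The two sample documents are constructed; the hxxp link is the one quoted earlier in this thread, the other URL is made up.

```python
from html.parser import HTMLParser


class ScriptAudit(HTMLParser):
    """Tell executable <script> elements apart from script tags that are only text.

    HTMLParser unescapes character references (convert_charrefs=True by
    default), so text an author wrote as &lt;script&gt; arrives in
    handle_data() as "<script" but never triggers handle_starttag(): that is
    exactly the difference between a live script and a write-up quoting one.
    """

    def __init__(self):
        super().__init__()
        self.live_scripts = 0        # real <script> elements the browser would run
        self.quoted_script_text = 0  # "<script" occurrences that are only text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.live_scripts += 1
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        # Text inside a real script element is code, not a quoted tag.
        if not self._in_script:
            self.quoted_script_text += data.lower().count('<script')


def audit_html(document):
    """Return (live_scripts, quoted_script_text) for one HTML document."""
    parser = ScriptAudit()
    parser.feed(document)
    parser.close()
    return parser.live_scripts, parser.quoted_script_text


# Constructed samples. WRITEUP quotes the injected tag the way a blog post
# would (inside <pre>, with the angle brackets escaped); LIVE is what an
# actually infected page would contain.
WRITEUP = ('<p>Injected code:</p>\n'
           '<pre>&lt;script src="hxxp://anie50sdark.rr.nu/nl.php?p=d"&gt;&lt;/script&gt;</pre>')
LIVE = ('<p>Injected code:</p>\n'
        '<pre><script src="http://example.net/nl.php"></script></pre>')

if __name__ == '__main__':
    for name, doc in (('write-up', WRITEUP), ('live page', LIVE)):
        live, quoted = audit_html(doc)
        print(f'{name}: {live} executable script element(s), {quoted} quoted as text')
```

A signature that matches on the raw bytes of the page sees the same "script src=" string in both documents; only a parser that honours the escaping separates the write-up from the infected page.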

Thanks, !Donovan, for checking this for us,

polonus

Quttera scan flags 1 potentially suspicious file
http://www.quttera.com/detailed_report/malwaremustdie.blogspot.com
alexgorbatchev dot com/pub/sh/current/scripts/shCore.js
Severity:
Potentially Suspicious
Reason:
Detected potentially suspicious content.
Details:
Detected potentially suspicious initialization of function pointer to JavaScript method write: __tmpvar734929188 = write;
see threat dump (bad trim implementation)
The location line in the header above has redirected the request to: htx://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shCore.js
packed code for the SyntaxHighlighter code… https://bitbucket.org/alexg/syntaxhighlighter/src/b7578b438a6951b64e9108423babd6a0a5db3dc1/scripts/XRegExp.js?at=default

polonus

Can anyone please tell me how to tell the avast guys it's a FP? I have emailed them but received no replies, nor does avast stop reporting URL:Mal.

Polonus, the detection is on avast’s side (that’s why the name is like URL:Mal and not HTML:Script-inf or similar), and wherever the detection is on avast’s side, a FP can’t be reported from the UI.

I have also whitelisted the domain(s) in avast, but it isn’t helping.

You can report it here: http://www.avast.com/contact-form.php. Change the subject to suit your case.
You may add a link to this topic in case they reply…

Going to the first mentioned URL, I still get an avast! Web Shield detection for object http://…/default?alt=rss!{gzip}
Infection: BV:Dropper-L[Drp] in the browser executable…
This is a trojan script detection (enough of the original script, without being malicious, being exposed to set off the alert).

polonus