Help removing false-positive url (cld.pt)

Hello,

Everything from hxxps://cld.pt/dl/* is being blocked by Avast as “URL:Mal”.
I have tried to use the application false positive form, and also the website contact form, but after almost two weeks it is still being blocked.

To give some context, cld.pt belongs to Portugal Telecom’s MEO Cloud (meocloud.pt) which is a personal cloud storage provider.
The cld.pt domain is used to serve shared user generated files, and as such, some shared files might be virus/malware, but we are continuously checking the public shared files, taking down the malicious ones.

We have mechanisms to detect malware hosted at our cloud service, actively and automatically monitoring sites such as cleanmx and virustotal in order to identify threats and immediately remove them. Once identified we store the file hash to prevent new copies of the file from being publicly shared.

Also, we have a CSIRT team that monitors multiple sites and takes care of any reports of malware. We would be vastly grateful if you could report any malware findings at that domain to csirt@telecom.pt instead of marking the cld.pt domain as malicious. If we get the reports we remove them immediately.

Despite that, we are not against marking URLs as malicious, we are just concerned about marking the whole domain or large paths as malicious because of a very specific path. Block the specific path instead please, or you are affecting all of our clients, including those who pay us for the service.

We are available for any questions.

EDIT: Example url: https://meocloud.pt/link/b2152ed1-ad03-44a9-a297-5fa223cc0a35/0928ce16f67311e2adc122000a1f9ace_7.jpg/

Blacklisted by Yandex
https://www.virustotal.com/nb/url/24c4355084d0b0a08df4d9c129082826b4db6943b1d6f18f1d59522c6749c6ad/analysis/1447861463/

Sucuri: https://sitecheck.sucuri.net/results/cld.pt/dl

avast team is notified :wink:

I get a 404 on MEO Cloud for that site. Could not resolve domain www.cld.pt…
So you have to take that up with your hosting party.
IP badness history: https://www.virustotal.com/nl/ip-address/213.13.26.152/information/
Last seen to be launching Win32:Banker-MGE [Trj] malware as an executable.
See: http://www.dnsinspect.com/cld.pt/1447861888

polonus

url:mal means that there is an IP block.

avast is not the only one blocking it.

McAfee, Spamhaus and many others are having it on their blacklist.
http://multirbl.valli.org/lookup/213.13.26.153.html
http://urlquery.net/report.php?id=1447861848544

Hi,
I unblocked the domain yesterday evening (CET). Do you still get the warnings?

Thanks, but I still receive the warning (http://cl.ly/image/2w0y2x0M3H2L), but not for all links.

cld.pt currently has three IP addresses:

> dig @8.8.8.8 cld.pt A +short
213.13.26.154
213.13.26.152
213.13.26.153

Maybe one of the IP Addresses is also blocked?

Nope, the IPs aren’t blocked.
Can you try disabling/enabling shields or restarting your computer? Sometimes the cache is not flushed often enough…

That was it. It is all fine now.

Thanks for your help. :slight_smile:

My pleasure :wink: