Help with Blocked URL for URL:Mal2

Hello!

I use SugarSync as my cloud service. They have a feature for public URLs to files. When you go to the URL it takes you to a page that usually says something like “Angela has shared a file with you click the button below to download the file.” Recently, clicking on public links to my own files (actually all URLs that begin with sugarsync.com/pf/) leads to the page being blocked and the following message from Avast:

“Avast Web Shield has blocked a harmful webpage or file.
Object: https://www.sugarsync.com/pf/
Infection URL:Mal2
Process: C:.…\chrome.exe”

This message sounds like it blocked a virus before infecting my machine. Just to be safe I ran a full scan with Avast, Malwarebytes, and Spy-Bot (with all proper updates and whatnot). All three said my system, including the files that were in public links, is clean. So, I contacted SugarSync to resolve the issue as this scenario sounds like their webpage where the download link usually appears is infected. They are swearing that they have no issues on their end: “After checking with our engineering department. We currently don’t have any virus on our site. It could be that anti-virus does not recognize the site. If you have scan the documents they don’t have virus. Then you should be able to public link.”

So, is this a false positive as SugarSync suggests or do I need to go back to them and get them to work on it more? Other than the image above I don’t have any information on what is happening and I am not sure how to persuade SugarSync that there is an issue. Is there a log or something within Avast that I am missing that would provide more details?

Any advice on what to do would be much appreciated. As it is, I am stuck between trusting Avast and not being able to use a service that I rely on regularly, or trusting SugarSync and bypassing Avast and potentially getting the virus. :frowning:

If you want to try and replicate the issue here is a public link to a text file I made that just contains the text: “This is just a test document to share with SugarSync tech support.”
https://www.sugarsync.com/pf/D9990207_06909892_796749

Thanks!
-Angela

URL:mal means blacklisted URL or IP

Blacklisted here
https://www.virustotal.com/en/url/d2ab2a2f6e703147b594317b2aa577ccaaac0c08e7dd834d60ca8869fc5774e6/analysis/1446055577/

Dr.Web info:
known infection source

IP History: https://www.virustotal.com/en/ip-address/74.201.86.21/information/ click MORE button under list(s) for more info

Thank you! This all makes so much more sense now! I searched the web for so long and could not find this information. I am so grateful for your quick response!

Hi,
Yes, sugarsync.com was indeed blocked. Most likely because we spotted a malicious file there - which is after all understandable for a file sharing domain.
I unblocked the domain now :wink:
Honza

Hi, I am having the exact same issue with the website lovetoner.com. I manage it, and from what I can tell there is no malicious content or viruses, yet I still get the URL:Mal2 when I try to go to the site. How can I resolve this? I believe that at some point there may have been, but it would have been a long time ago and has been resolved long ago.

Thanks!

URL:Mal = IP and/or Domain is blacklisted.
It doesn’t mean by default that there is malicious activity on the site.

Browser difference:
http://www.web-malware-removal.com/website-malware-virus-scanner/

Vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable:
https://www.ssllabs.com/ssltest/analyze.html?d=lovetoner.com

Blacklisted:
http://multirbl.valli.org/lookup/184.154.178.189.html

If you believe the block should be lifted, submit a ticket to Avast:
https://support.avast.com

I have just now unblocked lovetoner.com ;).