My client’s site was infected back at the beginning of December. I cleaned it up right away, and now have it cleared. Everywhere pretty much is reporting it as cleaned, except for Avast and one site that does not disclose why they say the site is infected (so could be getting their info from Avast). I cannot find anywhere to submit a url for re-scanning. Any help would be greatly appreciated.
Edit: here is the virustotal.com scan for the site:
-Michael
Submit a ticket:
https://support.avast.com/
VirusTotal doesn’t scan websites, it only checks blacklists.
http://www.urlvoid.com/scan/bariawilliamson.com/
http://zulu.zscaler.com/submission/show/49cf73742b4f77c67c064d32ba305f65-1422039148
http://urlquery.net/report.php?id=1422039359679
http://urlquery.net/report.php?id=1422039371986
http://quttera.com/detailed_report/bariawilliamson.com
Everywhere pretty much is reporting it as cleaned, except for AvastURL:mal means URL or IP is blacklisted for whatever reason, and there can be many, it does not have to be infected
IP history https://www.virustotal.com/en/ip-address/64.64.2.36/information/
several domains on same IP and many are blacklisted
I understand that, and what I am saying is that I have had the domain removed from almost all of the blacklists. I also understand that there are other domains on that IP with the same issue but I am not as concerned about them right now. If you look under the “Latest detected files that were downloaded from this IP address” section of that link you posted, you can see that the last time anything was actually detected on the server was 12/9/2014. I just need Avast, and any other services that are using stale data, to recognize that now.
@Eddy - thank you for the url for support. However, I am not an Avast client (I run Linux), so I am not sure that is the correct place. There needs to be another option on there, eg. Paid, Free, Trial, and Businesses we are saying are infected but aren’t. If it asks me for a license key I won’t be able to provide one.
Update: I submitted it as a Sales question, so I did not need to provide a key. I know it’s the wrong department, but so are all of the others since that is not what that form is intended for.
-Michael
https://www.avast.com/contact-form.php?subject=VIRUS-FILE
Change to “report false virus alert on a website”
Oh, perfect, thank you.
-Michael
However site is benign from the malware point of view (still avast! WebShield blocks as URL-Mal for the browser executable)
there are still some recommendations to be followed up either by the webmaster or the hosting party.
I report them here, all data received via third party cold reconnaissance scanning.
See: http://www.dnsinspect.com/bariawilliamson.com/1422055522
WARNING: Name servers software versions are exposed:
64.64.2.36: “9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2”
64.64.2.37: “9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2”
Exposing name server’s versions may be risky,
when a new vulnerability is found your name servers may be automatically exploited by script kiddies until you patch the system.
Security header status: https://www.uploady.com/#!/download/b~Ex118WJ6y/wAf5ATdXswfEX4F_
Take these issues up with the server hoster of the website.
You could also mail virus@avast.com and link to this thread, so an avast team member could find reasons to unblock.
I am not an avast team member, just a support forum enthusiast with relevant knowledge and experience on website security,
Stay safe and secure both online and online,
polonus (volunteer website security analyst and website error hunter)
Hi,
It was indeed blocked because of infection with Torrent Locker (more info at http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf).
I am now unblocking the URL.
Regarding contacting us (viruslab), at support.avast.com, do not choose “submit a ticket” but select “avast viruslab” instead. This is the best way.
Sending emails is usually faster, but does not warrant a response from us, as most of the emails are treated automatically. There is also much bigger chance of discarding the email as spam.
Same issue with a different client (mjilonline.org). The above instructions no longer apply, since in the past year the form has changed and there is no longer a dropdown. I again sent it to sales with a request for them to forward it to the correct team.
I cannot be the only person who needs to file these requests… isn’t there some way that you guys can keep an online form available that is relatively easy to find for these kinds of requests? Honestly, in this day and age I would think this kind of thing could even be automated, where all we are requesting is a re-scanning of the url, and if nothing is detected the listing is expired. If it gets re-listed within x amount of time, then flag it for manual inspection. Wouldn’t that be easier?
-Michael
avast is (currently) not blocking that domain.
I can open it without any problem.
Eddy, thanks. I noticed after I posted this that none of the other blacklists are showing anything either, so now I am guessing it was something within the content of the hacked site, and not the domain itself, that was triggering the block. I appreciate you checking for me.
On that note, is there a web interface to check a link against Avast’s blocklist?
-Michael
On that note, is there a web interface to check a link against Avast's blocklist?No, there is no such thing. Only avast staff can check if avast is blocking a domain and/or IP and for what reason. You can however check things using the online scanners I have listed at my website (http://www.ache.nl)
A thing to keep in mind is that lately a huge amount of websites are infected because they are using a old JQUERY library.
You can use http://retire.insecurity.today/# to check if a website is vulnerable.