How to tell why web shield shows URL:Mal for particular site

There is a resource site, mbzponton.org, that “Web Shield” always blocks and reports as a low severity threat categorized as “URL:Mal” in file favicon.ico.

How do we identify what that threat actually is?

Something akin to tracking cookies or some other minor issue I’d exclude from being flagged, or could it be a possible infection vector?
I need to access this site and am loath to disable the shield for an hour or whatever but I do occasionally need data off that site.
How can we tell if web shield is raising a false positive “URL:Mal” or if the issue is severe or innocuous or not?
Thanks all.

URL:Mal = Blacklisted URL or IP

How to report >> https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Pondus is right, and what has been blocked is that IP, that you may share with a domain for launching ransomware.
There is also some FP involved, IP has been giving issues as far back as 2009: https://forums.malwarebytes.com/topic/117170-6429151221/

Your site has been flagged by 6 vendors because of: MB_Tool_Kits.pdf → https://www.virustotal.com/#/file/89da8318c7b311878d8c5e69716b2916eb7219f024899c5a58c0ee62b77ca9f0/detection
Avast detects this as PDF:UrlMal-inf [Trj]

Steer away from that host, or make sure the pdf is above board, and then ask for a domain exclusion from an avast team member, as the website as such seems OK.

Remember we are just volunteers with relevant knowledge here, but only avast team members unblock or maintain detection.

polonus (volunteer website security analyst and website error-hunter)

This also used to be an old tactic to have the favicon.ico file redirect to a 3rd party malicious/suspicious site (commonly for a drive by attack). Or if you don’t have favicon.ico file hackers can craft a 404 file that does redirect to a malicious/suspicious site. So it certainly needs investigation.
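
The favicon redirect and crafted-404 checks described in the post above, as an added example (not part of the original thread): it inspects one /favicon.ico response that was captured without following redirects. The function names, the example.org / example.net hosts and the sample responses are all constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Magic bytes of image formats legitimately served as a favicon.
ICON_MAGIC = (b"\x00\x00\x01\x00", b"\x89PNG\r\n\x1a\n", b"GIF8")
# Client-side redirect markers that have no place in an icon or a plain error page.
BODY_REDIRECT = re.compile(
    rb"http-equiv\s*=\s*[\"']?refresh|location(?:\.href)?\s*=|location\.replace\s*\(",
    re.IGNORECASE)

def same_site(a, b):
    """Treat example.org and www.example.org as the same site."""
    return a.lower().removeprefix("www.") == b.lower().removeprefix("www.")

def check_favicon(site_host, status, headers, body):
    """Return findings for one un-followed /favicon.ico response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    is_icon = body.startswith(ICON_MAGIC)
    if 300 <= status < 400:
        # A relative Location has no hostname and stays on the same site.
        target = urlsplit(hdrs.get("location", "")).hostname
        if target and not same_site(target, site_host):
            findings.append(f"HTTP {status} redirect to third-party host {target}")
    elif status == 200 and not is_icon:
        findings.append("HTTP 200 body is not ICO/PNG/GIF data")
    if not is_icon and BODY_REDIRECT.search(body):
        findings.append(f"HTTP {status} body contains a client-side redirect")
    return findings

# Constructed sample responses: (status, headers, body).
SAMPLES = {
    "clean": (200, {"Content-Type": "image/x-icon"}, b"\x00\x00\x01\x00\x01\x00\x10\x10"),
    "offsite_302": (302, {"Location": "http://redirect.example.net/landing"}, b""),
    "crafted_404": (404, {"Content-Type": "text/html"},
                    b'<html><meta http-equiv="refresh" '
                    b'content="0;url=http://redirect.example.net/"></html>'),
    "plain_404": (404, {"Content-Type": "text/html"}, b"<h1>Not Found</h1>"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, check_favicon("example.org", *resp) or "no findings")
```
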

Thanks for pointing that out, DavidR.

Additionally the pdf file involved has 1 javascript block flagged - The packer is F-Prot appended.
Using this append option F-PROT Antivirus will only detect a fraction of infected files. So be careful here also.

Re: https://www.virustotal.com/#/file/89da8318c7b311878d8c5e69716b2916eb7219f024899c5a58c0ee62b77ca9f0/details

pol

Hi,
mbzponton[.]org was blocked ~2 years ago. I am unblocking it now.