Issues with zedo.com

Viruses and worms
1

Avast Endpoint Protection 8.x with SOA current version.

We are getting a lot of Web Shield hits on URLs containing “zedo.com” these days. My impression is that zedo.com is a legitimate, if annoying, purveyor of web advertising. Have they suddenly been hacked or is this a false positive?

Thanks for any help.

2

IP history https://www.virustotal.com/en/ip-address/64.41.197.44/information/

multiple domains on same IP and many are blacklisted http://www.urlvoid.com/ip/64.41.197.44

[b]IP ADDRESS: 64.41.197.44[/b]

We have found in our database of already analyzed websites that there are 7 websites hosted in the same web server with IP address 64.41.197.44 and IP hostname g.zedo.com. Remember that it is not good to have too many websites located in the same web server because if a website gets infected by malware, it can easily affect the online reputation of the IP address and also of all the other websites.

so seems like a IP block

if you think it is wrong, report it here https://support.avast.com/ > avast virus lab

3

Thank you.

I don’t have any way of knowing if it’s a false positive.

I would suggest that, perhaps, causing avast! to pop up a “blocked” message every time one of the many IP addresses that feed information to a particular web PAGE is considered hazardous may not be the right thing to do.

This will inevitably cause users to freak out when visiting legitimate websites.

If I click the “more information” link on the “blocked” message popup, all I get is an Avast web page that contains the exact same content as the popup window, plus a lot of advertising for Avast products. This is not helpful.

Why can’t Avast instead provide some useful additional details on the “more information” web page? Some actual more information? Such as “This happened because some IP address that is feeding this web page was blocked, and that may or may not have anything to do with the actual content being displayed on the page. Proceed with caution, especially if you want to click on any links displayed on the page.”

In fact, Avast does a pretty good job of completely blocking really bad URLs, so if the user clicked on one of the links fed from the blocked IP address, and that link was actually bad, instead of just associated with a blocked IP address, the result would be a complete block of the chosen URL. In that case, why frighten users unnecessarily about the source of the text of these link expressions?

Just my two cents…