MAL URL K9filter.exe

Hi all,

Over the last two days this has shown up with the MAL:URL red warning box.

ht tp://sp.cwfservice.net/1/N/K99AZE3E25/K9-00006/0/GET/HTTP/bluecoat.com/80/?cb

It looks to be related to the K9 web content controls service, which I do have running on my machine. One thing I found is that if I disable my LAN port and then re-enable it, it will always cause the warning to reappear once connected to the Internet; it'll flash the warning up maybe up to 3 times.

I have a feeling this is a false positive, but could anyone check to be sure?

Also worth noting: the Windows version is quite a clean install without a lot installed on it.

If anyone can check this that would be appreciated.

Thanks

Mike

Content filtering (probably of pr0n nature) → see: http://b.averysmallbird.com/entries/bluecoat-and-syria-indicators-and-culpability
(link article author = Collin David Anderson)
I get this returned from a file viewer →

Content returned by request for: htxp://sp.cwfservice.net/1/N/K99AZE3E25/K9-00006/0/GET/HTTP/bluecoat.com/80/?cb

Consider: http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Fsp.cwfservice.net%2F1%2FN%2FK99AZE3E25%2FK9-00006%2F0%2FGET%2FHTTP%2Fbluecoat.com%2F80%2F%3Fcb&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxSource=on&cbxBlacklist=on
<Result>
<Code>04008000</Code>
<DomC>26</DomC>
</Result>

Trying to GET the address, avast NetworkShield blocks an object as URL:Mal.
Bluecoat malnet alert… read: http://www.bluecoat.com/security/dashboard (infolink from BlueCoat Systems)

polonus

Thanks Polonus,

I have read through that info.

Bluecoat is related to pr0n filtering; I believe it's part of the K9 free service which is on my PC.

It's all gone over my head somewhat. I have been to K9's site and it seems they suggest excluding K9filter.exe in Avast, but I'm not sure if that's the best thing to do.

I'll run some full scans to see if anything is found, but if nothing is, what would you suggest I do?

Hi tonco,

As both K9 and the avast network filter block access, this is fully OK; you did not encounter anything from these server IPs:
8.21.4.203
8.28.16.201
8.28.16.203
199.19.249.201
199.19.249.203
103.246.38.201
103.246.38.203
8.21.4.201
IP does not appear to have a PTR record
201.dc5.es.bluecoat.com → 11004 [11004] Valid name, no data record (check DNS setup)
Read here from bluecoat’s knowledge base: https://kb.bluecoat.com/index?page=content&id=KB3071&actp=LIST
Did a look-up here: http://www.magic-net.info/dns-and-ip-tools.dnslookup?ptr=8.28.16.201&do=PTR+record+lookup

polonus

Thanks again,

Am I right in thinking those IP addresses you listed are all ones used by K9/Bluecoat services and therefore ok?

Also would you say excluding K9 in Avast is the right thing to do, as this warning will probably continue to show up.

Thanks

Tonco

I see nothing wrong with excluding these services. Network Shield was only acting on something that the K9 filter wanted to protect you from. I myself sometimes get an avast alert when some code (without payload) is being scanned by some third-party scanner (jsunpack/fileviewer etc.) and avast has detected enough of the code (without payload) to alert and block. This sometimes also happens on blog sites where malware researchers give parts of live malcode in an analysis. That is OK; I am accustomed to that behavior of the avast shields and consider it proof that the shields are functioning as they should. A malcode filter extension would do the same for an XSS pattern found in a search query, as it could be used maliciously. Do you grasp what I try to explain to you?

polonus

Yup I think I have a better understanding of it now.

I really appreciate the help you have given me on this.

Thanks again Polonus

Tonco

None of the above helps me. I have had the same problem for a few days, likely since the last update of Avast's AV engine.

The root of the given URL (entered with wildcards as “http://sp.cwfservice.net/*”) and Blue Coat’s K9 filter application (entered relative as “k9filter.exe” and absolute as “C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe”) are white-listed in the “Exclude” section of the Web Shields.

This white-listing should solve the problem, but it does not: avast continues to pop up a URL:MAL warning every time my wife or I log in to our local account on the same PC (Win XP HE SP3). Likely, as said by tonco, it occurs when the network connection is established. Spuriously this warning also occurs in the middle of a session, I presume when the ADSL router revives the idle Internet link.

Formally I should not worry, since a site is blocked for my safety, but since it is part of an exclude list avast should not pop up this warning at all, unless there is another problem of which I'm not aware.

Help appreciated.

Dutch

This is being triggered by that URL request:

=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://ajax.googleapis.com/ajax/services/search/web?v=1.0&key=ABQIAAAADQJp_C6OaW6hvHOMrOnyTRSJ36dQUZSEtUNltVpyNDSTnR8ihRSMP6upCTiKY-Eecqqq5JsdgenlYg&q=<Result>+<Code>04008000<%2FCode>+<DomC>26<%2FDomC>+<%2FResult>

resolving to these googlebot spoofed results:

polonus
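The triggered rule above is a three-token match on the percent-encoded request line, so it fires on the on-the-wire form of the URL, where a browser encodes `<` and `>` as %3C and %3E. The following is an added example, not code from the thread or from avast or Blue Coat, that re-implements that matching logic in Python and runs it over constructed sample URLs, including the K9 status URL and the search-query URL quoted in the thread (API key replaced by a placeholder), to show which request actually trips the rule.

```python
from urllib.parse import quote

# The three percent-encoded tokens the rule matches; matching is
# case-insensitive because %2f and %2F encode the same character.
RULE_TOKENS = ("%3C", "%2F", "%3E")
RULE_MSG = ("Suspicious looking GET request containing %3C, %3E, and %2F. "
            "Suspiciously HTML-like.")

# Constructed samples. The K9 status URL is the one from the thread;
# the search URL is the thread's one with the API key replaced by a placeholder.
K9_STATUS_URL = ("http://sp.cwfservice.net/1/N/K99AZE3E25/K9-00006/0/GET/HTTP/"
                 "bluecoat.com/80/?cb")
SEARCH_URL = ("http://ajax.googleapis.com/ajax/services/search/web?v=1.0"
              "&key=PLACEHOLDER_API_KEY"
              "&q=<Result>+<Code>04008000<%2FCode>+<DomC>26<%2FDomC>+<%2FResult>")
BENIGN_REDIRECT_URL = "http://example.com/login?next=%2Fhome"  # constructed


def wire_form(url: str) -> str:
    """Percent-encode the characters a browser encodes before sending the
    request, keeping URL delimiters and already-encoded %XX sequences intact."""
    return quote(url, safe=":/?&=+#%")


def rule_matches(url: str) -> bool:
    """True when the on-the-wire request line contains all three rule tokens,
    i.e. when the URL would trigger the 'Suspiciously HTML-like' alert."""
    wire = wire_form(url).upper()
    return all(token in wire for token in RULE_TOKENS)


def evaluate(urls: dict) -> dict:
    """Map each labelled URL to whether the rule would alert on it."""
    return {label: rule_matches(url) for label, url in urls.items()}


if __name__ == "__main__":
    samples = {
        "K9 status request": K9_STATUS_URL,
        "search query containing the K9 XML": SEARCH_URL,
        "benign encoded redirect": BENIGN_REDIRECT_URL,
    }
    for label, hit in evaluate(samples).items():
        print(f"{label}: {'ALERT: ' + RULE_MSG if hit else 'no alert'}")
```

The K9 status request itself carries none of the tokens; what fires the rule is pasting the XML response into a search query, which the browser encodes into %3C/%2F/%3E on the wire.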

I got this problem too. Avast Network Shield blocks K9filter.exe from accessing http://sp.cwfservice.net/1/N/K945CAB38D/K9-0006/0/GET/HTTP/bluecoat.com/80/?cb=140/

So, it slows down my internet connection and even disables HTTP connections. How do I ignore it, and why does avast suddenly block it?

I get no avast alert getting to that link, only I see 00001000 there…
received data:
HTTP/1.1 200 Ok
Cache-control: max-age=3600
Content-type: text/html
Date: Wed, 02 Jan 2013 21:46:17 GMT
Connection: close
Last-Modified: Wed, 02 Jan 2013 21:46:17 GMT
Content-length: 61

and through GET
HTTP/1.1 402 Payment Required
Cache-control: max-age=3600
Content-type: text/html
Date: Wed, 02 Jan 2013 21:46:58 GMT
Connection: close
Last-Modified: Wed, 02 Jan 2013 21:46:58 GMT
Content-length: 44

00001000

polonus

I'm having this issue too; nothing worked for me.

Very strange, but avast always blocks it. Here I attach the screenshot.