My website was blocked wrongly

Hey guys,

First and foremost, I run a start up advertising company and I know false positives must happen all the time with companies like ours.

Second: Advertisers all over the world use my technology to plugin to their website and make money with their web traffic. It would seem that one of my publishers, so the people who use my technology, got reported by Avast. Avast saw my script code in their webpage, and reported it as a virus/malware. Now, all of our scripts are being targeted across the planet even though our company has done absolutely nothing wrong!

I filled out the contact.php form and got an email back that was extremely cryptic and didn’t hold a lot of information. When I responded, it’s been several days and I’ve still received no response. I have hundreds of people trying to contact me every single day asking why our tools and technology are arbitrarily and wrongly being blocked by Avast, but it would seem that there is just no response. I called into the call center and I was told very condescendingly I would have to use email support, and that there was no one I can talk to regarding this issue. Meanwhile, email support is ignoring me.

I’m not so upset at this false positive, I’m more upset at how Avast handled it. They were so quick to dismiss my issue and blame me for what someone else’s website did. It was very poorly handled, in my opinion, and I don’t know where to turn except here at this point.

Hello,

Thank you for contacting AVAST Software company with your concerns.

Detection is correct in our opinion – Clickjacking FB scams, so called “offers”.

If you need further assistance, don’t hesitate to contact me again.

Miroslav Jenšík
Technical Support Engineer
AVAST Software a.s.

Ticket Details


Ticket ID: RYF-933-51722
Department: Viruses and Malware
Type: Issue
Status: On Hold
Priority: Normal

Support Center: https://support.avast.com/index.php?

Don’t hesitate to contact you again? I did. 3 times. No response, still.

Here is my ticket ID. We are a virtual currency platform that small-content web owners use to monetize for things they otherwise wouldn’t be able to monetize for. I need help resolving this, as it is very frustrating to be blocked by Avast.

Thank you.

John

How can we comment when we do not have the url that is flagged by avast!. Give it broken like with hxtp or wxw.

polonus

hi polonus, it was in my signature.

Sorry for any inconvenience.

WOT: https://www.mywot.com/en/scorecard/cpagrip.com

suspicious. http://quttera.com/detailed_report/cpagrip.com

Urlvoid http://www.urlvoid.com/scan/cpagrip.com/

hey guys, we’ve been accused of malware on our site. this is simply not the case and no response from avast. Suspicious? according to who?

Hey,

I have no idea how those companies get their reputation metrics together, but our website is not suspicious nor are we responsible for malware or viruses as Avast alleges. They are telling people that our site and our site’s tools are malware. This is factually incorrect. In addition, they are actually taking issues with the websites using our advertising, not our site. There is a huge difference here. What’s suspicious? I’ll clear anything up if you have anything tangible.

Can this forum help? I assure you, we’ve spread absolutely NO malware and this is a completely bogus accusation.

It’s borderline crazy. You’re posting a bunch of websites I’ve never heard of that have bad reviews of an entire company, spreading accusations and lies based on nothing. Let’s get our stories straight here, please - those websites don’t really measure anything except for how much your competition have reported you to their engines for bad SEO and press.

Suspicious? according to who?
according to quttera ...click the link above and see

quttera, the website you said makes us suspicious – doesn’t even report us as suspicious! Actually, our report on that site is quite good!

Also according to quttera, we have 1 potentially suspicious file on our site. it doesn’t say which one, or anything about it, or any detailed information at all. Actually, we’re not even blacklisted from them. What’s suspicious here? Sorry, I’m still trying to figure it out.

to reiterate, quttera, the website you said makes us suspicious – doesn’t even report us as suspicious! Actually, our report on that site is quite good!

don't shoot the messenger, I only give you the info I find online

VirusTotal
https://www.virustotal.com/en/url/704dc144cf64d34f6a90c0702624262ba71acc624d0883bdb9137901c50e6b87/analysis/1392320683/

I’m not shooting the messenger, I’m shooting the messenger’s interpretation of the message. You said it makes us suspicious, I’m saying it really doesn’t. It’s a quite clean report.

Additionally, how can I work to get this resolved outside of you posting links and telling me we’re suspicious, and then when I click to read the website, the report is mostly clean outside of a few false positive reports?

I'm not shooting the messenger, I'm shooting the messenger's interpretation of the message. You said it makes us suspicious, I'm saying it really doesn't. It's a quite clean report.
in the middle of the screen here it says Potentially Suspicious files: 1 http://quttera.com/detailed_report/cpagrip.com

I don't work for avast, report it to avast lab here http://www.avast.com/contact-form.php

I did report it to avast. It’s been two weeks and no one has responded. The call center says I have to use the contact form, and no one from the contact form is responding.

The reality is that by rolling out new domains it would be extremely simple for me to circumvent Avast. I am choosing to try and work it out with you guys and clarify any misunderstandings, but it seems impossible to get anyone to comment on it from the company.

Do companies usually just send strongly worded legal letters? Is avast just arbitrarily bullying smaller organizations? What’s the deal here?

i have PMd one in avast … maybe you have a reply here tomorrow

Thank you Pondus, I appreciate the effort you’ve made to help me get a comment on this and work towards solving whatever issues might be the case.

There is a redirect here: https://www.mywot.com/en/scorecard/lokhlp.com?utm_source=addon&utm_content=warn-viewsc
spam and scam & Co. → lokhlp dot com,108.162.196.194,fred.ns.cloudflare dot com,Multiple IPs,
See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fcpagrip.com%2F&useragent=Fetch+useragent&accept_encoding=
and http://jsunpack.jeek.org/?report=7107824adf62f6d9e499fef3e8bc705183c6399c
Read here: https://www.facebook.com/CloudFlare/posts/10200359693128793
I did not expect that it refers to code in your site .cloudflare
Could this be the risk flagged?
Hope you get an answer on your FP report…
0-0-0-iFrame see: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Flokhlp.com&useragent=Fetch+useragent&accept_encoding=
and look under Source, please!

polonus

Hi,

There appears to be some inaccurate information given in the links mentioned. Sorry for the misassumptions.

It is natural for sites of this nature to be blacklisted by the WOT community. Not many like advertisements.

Read above. Also: If you check directly from c-sirt.org, it returns false for the url.

This returns the same results as from WOT.

John is right. This is not malicious. The “suspicious” code has been a known method for years that effectively redirects the user to another page after a certain interval via html instead of relying on JavaScript.

As a reminder, please do not fully rely on automated scanning…

Polonus, the site may be using iframes, but this one would be fully visible. Margin width/height is not the same as “regular” width/height. The body and iframe element are center of attention to the user.

As for the original post, you were given the answer of:

Detection is correct in our opinion -- Clickjacking FB scams, so called "offers".

Please read this: https://www.owasp.org/index.php/Clickjacking

If these methods of advertising are indeed used, then there is a very low chance that it will be unblocked. If not, reply here and say why you think the findings were false.

Regards,
~!Donovan
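
Editorial example added to this thread, not code from any poster or from Avast: a small triage script for the two constructs discussed in the post above, an HTML meta-refresh redirect and iframes, which treats `marginwidth`/`marginheight` as irrelevant to visibility and flags only zero-sized or CSS-hidden frames. The sample page, the `example.test` URLs and the names `FrameTriage` and `triage` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from the site discussed in this thread).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://example.test/next">
</head><body>
<iframe src="http://example.test/offer" width="100%" height="600"
        marginwidth="0" marginheight="0" frameborder="0"></iframe>
<iframe src="http://example.test/like" width="0" height="0"></iframe>
<iframe src="http://example.test/btn" style="opacity:0; position:absolute"></iframe>
</body></html>"""

# Inline CSS declarations that make a frame invisible while it stays clickable/loaded.
HIDING_CSS = re.compile(
    r"(?<![\w-])(?:opacity\s*:\s*0(?:\.0+)?|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?)\s*(?:;|$)", re.I)
# content="<seconds>; url=<target>" as used by <meta http-equiv="refresh">.
META_RE = re.compile(
    r"\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]*))?", re.I)


class FrameTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_RE.match(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", int(m.group(1)), m.group(2) or ""))
        elif tag == "iframe":
            # marginwidth/marginheight set the margin inside the frame, not its
            # rendered size, so they are deliberately not part of this check.
            zero = any(re.fullmatch(r"0+(?:px)?", a.get(d, "").strip())
                       for d in ("width", "height"))
            hidden = zero or bool(HIDING_CSS.search(a.get("style", ""))) or "hidden" in a
            self.findings.append(("iframe-hidden" if hidden else "iframe-visible", a.get("src", "")))


def triage(html):
    p = FrameTriage()
    p.feed(html)
    p.close()
    return p.findings
```

The script only reads inline attributes and inline styles; frames hidden through external stylesheets or script need a rendered-page check.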

Looks like Avast unblocked us, thanks guys we got it all sorted out. No official comment from them, but my users have returned to the site and things seem to be functioning correctly. Thank you Donovan for a rational, well-reasoned response to some of the excessively harsh responses posted.

Cheers!