Network Shield keeps blocking a good website.

Hi,
I have a toolbar on my computer for Firefox which AVAST says is bad.
I have had to disable the Network Shield as I’m getting continuous alerts.
This toolbar is from Nectar.com and is a legit toolbar it is used as a search engine and with it you collect points. These points are credited to your account with them and you use them to buy things in shops etc.

How can I stop the alerts for this toolbar and where do I report it as a false positive? It’s not like a virsu where it is blocked in the Vault and you can report it from there.

Thanks

If you can post a screenshot of (only) the avast alert window or post the full text from the alert window, change any URL from http to hXXp to prevent accidental exposure to a suspect site.

The toolbar in itself may be legit, that doesn’t meant that any sites it may be linked to aren’t infected/malicious, that is why we need more info.

Hi and thanks for the reply.

Here is the link from the log file. I have cleaned it up a bit as there is personal information in it like account number etc …

24.10.2012 16:21:06 Network Shield: blocked access to malicious site hXXp://toolbarservice.freecause.com/2.6/?action=rewards_xul&toolid=61465&userid=XXXXXXXXX&username=XXXXXXXXXXX&time=1351088466&hash=4078b38746862f336ed994c8050ce67e&username=XXXXXXXXXXX&session_key=jkhl2345kj2345kj23jsdfgk45&session_id=1 [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4316 ) ]

Virustotal link scanner says it’s also clean as well. This has worked to day up until the latest update of AVAST

Avast isn’t the only one thinking this site is at least suspect WOT has it as poor reputation, image1.

However, I didn’t get an alert on the main domain, but visiting the toolbarservice sub domain results in two alerts by avast (image2&3), on image2 there is a redirection to hXXp://toolbarservice.freecause.com/2.6/.

This scan has two detections, http://www.urlvoid.com/scan/toolbarservice.freecause.com/, the one from WOT plus this one, http://www.avgthreatlabs.com/sitereports/domain/toolbarservice.freecause.com/

Nothing found here though, sitecheck.sucuri.net/results/toolbarservice.freecause.com/.

You can ask for it to be analysed/reviewed:

  • There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

  • If you are reporting an FP, then you get another input field open (image4), click Browse button and navigate to the file or enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn’t hurt.

I have contacted both Nectar and Avast about this. So for now thanks for the help. I’ll post back what is said by both when they reply.
Thanks once again.

Thanks, i have the same problem with avast blocking freecause, also have the nectar toolbar.

Yep, same with me, with the Nectar freecause toolbar. Opening ‘More Details…’ on the alert opens up in Chrome for some reason and as I have the Toolbar operational there I had a similar warning. I’ve had to disable the toolbar on Firefox and Chrome for now.

It was OK earlier today. I shut the computer down and now back to find this a while ago. Pleased someone else found it and not just me :slight_smile:

I’ve just looked on Nectar on Facebook and someone there has the problem. The person tried to remove the toolbar and reinstall it but now it doesn’t appear in the Extensions.

This was the malware found there (now being closed since 2012-04-10 21:53:53) known as “unknown_html_RFI_php”
htxp://toolbarservice.freecause.com/2.6/?action=version_xml&toolid=100783&userid=&username=&key=&mode=1&v=Bucksbee%20Loyalty%20Plugin%20%2D%20InstallMonetizer%201%2E650
See: http://www.threatexpert.com/report.aspx?md5=08ca3457be9e45259c0767322ecdf8b4
site has conditional redirects (vulnerable to PHP/5.3.15-1~dotdeb.0 bugs)

polonus

Same problem here with the Nectar Toolbar. It only started this afternoon and that was before I updated to the latest Avast free. After updating, I still have the same problem. I will report it as a false positive.

You’re welcome, hopefully now any issues have been removed/resolved at the site avast can review the block.

I seem to have started something here, haven’t I?

Anyway, can somebody tell me how to stop the alerts from popping up for this problem. I don’t want to turn the Network Shield off so I’ve turned off the sound as I’m fed-up of hearing (ahhhhhhh dare I write it ? I can’t stand even writing it ahhhhhhhh)
“DING DING DING Threat has been detected”

Thank you.

The Network Shield has no user configurable settings, so no excluded URLs option. I certainly wouldn’t disable the network shield for any short term gain as it provides a valuable level of protection. It is now up to avast to follow up on your reporting it.

You can try to pause or stop the toolbar as a temporary measure or add the toolbarservice.freecause.com/ or 174.37.58.233 IP address to your firewall to block access to it, but avast may still get in there before the firewall.

@ drac3, rob24, Mender,

Please see http://forum.avast.com/index.php?topic=107658.msg854389;topicseen See reply # 3 & 4 there. You can get the help you need if you start your own topic. We do not mind the extra work.


Thousands of web sites get infected every minute of every day.

Turning off the Network Shield is a definite No-No !


HI,
Thanks for the replies. I had never any intention of turning off the Network Shield.
I have, this morning, received this reply from Nectar about this problem which I’ve pasted below.
Now I’m going to reply to them saying that also AVG has found viruses in two subdomain pages. I’ll keep you posted.
Ah PS I also left a message about this on Facebook Nectar page as well!!! There are people reporting the problem there as well (as already posted in this thread)

Thank you for contacting FreeCause Support.

Freecause Toolbars are simple plug-ins that provide ready access to the features and functions you use online every day. They are free of spyware, adware, and malware.

Despite the fact that our software is safe, some security software will flag Freecause software as untrusted software. We were able to identify the problem and our team is contacting Avast.

We suggest adding freecause.com as trusted site for your antivirus software at this time.

We will inform you when the problem is resolved.

Best Regards,
FreeCause Support

Just a quick update.

Anybody noticed that there are NO “DING DING DING Warning Threat Has Been Detected” ?

I guess somebody must have fixed it. (I just turned on the sound) ;D

The site has a long ongoing history of launching malware from 2011-11-02 15:09:2 to 012-10-19 21:57:26
unknown_html_RFI_php malware and unknown_html_google_malware has been present there, longest time of malware activity 510 hours,
latest malware activity episodes 1 to 0.1 hrs. Website must be vulnerable to remote file injection attacks and needs hardening against this.
At the moment I get a Unable to properly scan your site. Site returning error (40x): HTTP/1.1 400 Bad Request
Your configuaration is lax adn there are issues…
Search for STOR, APPEND give in & ggf. to check on the IPs 174.37.58.238 174.37.58.237 DNS type A…

polonus

I’m not getting an alert on the toolbarservice.freecause.com sub-domain and it still redirects to the toolbarservice.freecause.com/2.6/ directory, but I get a blank page and no page source. So perhaps they have taken down this /2.6/ directory data, but avast is no longer alerting on the sub-domain as before.

I have re-enabled the Toolbar on Firefox and Chrome and there is no longer any Malware detection warnings. So not sure what has happened but I’m glad it has!