Overzealous website blocking re "MacOS:KeRanger-C [Trj]"

Hi, apologies if this is not the correct place for this type of post.
I was wondering if anyone knows why any reference to keRanger online is causing the whole page to be blocked by avast. I originally had the problem at bleepingcomputer, but all subsequent searches had the same result, with the page being blocked with the message "MacOS:KeRanger-C [Trj] threat was blocked". Thinking it would be just that site, I whitelisted it, but then realised every attempt to read about keRanger had the same result.

basic info: win 10 x64
chrome browser
avast free
example url: [excluding www.] bleepingcomputer.com/news/security/information-about-the-keranger-os-x-ransomware-and-how-to-remove-it-/

Anyway, just thought I would see if anyone else noticed this. First time avast has given me any kind of frustrations, but it's easily forgivable.

Peace out

-edit- forgot to even snigger at the fact it’s a mac threat :wink:

Because the malicious code is posted / displayed in that forum post and avast sees it.

@ chris.hughes683
Can you break the link so it isn’t active and avoid accidental exposure to a suspect page? Place a - directly in front of your link (-http, etc.) and/or change http://www to hXXp://wXw

Pondus is correct in a way, that code examples of the malware often get picked up as the real thing as there is no delimiting. So not really overzealous as it is hard to determine intent, an example or the real thing.

Generally it is best you use images for code examples, which in this case they have used images up to a point. But there is a download link to the KeRanger Removal Tool Download, a zip file and that too may be scanned. There is also a list of targeted file types and some Tor server locations and these could also trigger an alert (though, I would have thought that would give a different malware name).

Sorry, I just quickly changed the link before reading your advice fully. And thank you for the replies. I was just taken aback by having never had the webshield pick anything up before, then 4-5 times in quick succession. I did check the integrity of the site, 'cause you never know what sneaky server penetrating malware injecting meanies are up to. I really appreciate you breaking it down for me, and it makes perfect sense now, as my further searches did include snippets, primarily the cert that was used in keRanger. Now I’m wondering why this hasn’t happened to me before. I’ve been doing lots of reading recently about the various disk locking malware.

Thanks again, Peace.

You’re welcome.

It isn’t too common an occurrence getting an alert like this, especially from a site seeking to help users remove malware, as they usually take precautions and post code examples as images rather than text.