Please remove my company's website from your blacklist

Hello,

www.taxwaresystems.com is my company’s website and you seem to be blacklisting it for no reason, which is hurting my business. Virustotal.com Summary
Our site shows up here with no viruses so I do not know why you are blacklisting it. Please remove it from your blacklist.

Thank You

Norton alerts on 3 threats in the following locations:

hxxp://www.taxwaresystems.com/ftp/Updates/2015/WinFIDUC/WinFiduc.exe
hxxp://www.taxwaresystems.com/ftp/Updates/2015/WinPtnr/WinPtnr.exe
hxxp://www.taxwaresystems.com/ftp/Updates/2015/WinPtnr/WinFiduc.exe

JQuery to be retired: http://retire.insecurity.today/#!/scan/77ddb55eb009ab4a2d26ef2e1e858582612c0dd6a9ebc50a4331e2d516586fcb

Check the webserver headers: https://securityheaders.io/?q=https%3A%2F%2Fwww.taxwaresystems.com%2FLogin.aspx%3FReturnUrl%3D%252f
GUIDE FOR ABOVE: https://scotthelme.co.uk/hardening-your-http-response-headers/#server

VirusTotal does not scan websites

Norton alerts on 3 threats in the following locations:

hxxp://www.taxwaresystems.com/ftp/Updates/2015/WinFIDUC/WinFiduc.exe
hxxp://www.taxwaresystems.com/ftp/Updates/2015/WinPtnr/WinPtnr.exe
hxxp://www.taxwaresystems.com/ftp/Updates/2015/WinPtnr/WinFiduc.exe

https://virustotal.com/en/url/850d5227e24b820e83b0bf42c8510a19d81a220a93bec1ed77809f7140ed4daa/analysis/1462903637/
https://virustotal.com/en/file/08ccb46ab81f05af83c3744782dd507980f073056fe18a9f8a36704098ab4c23/analysis/1461273504/

https://virustotal.com/en/url/d88ba285fa52b970fac930084cc344f474df83ed5835f9f874accbef27a87419/analysis/1462903660/
https://virustotal.com/en/file/f04071e243b1d9e9028cbabfaebf603a57ced073ca3e3f8b4ac5f3d56fc419b5/analysis/1462903664/

https://virustotal.com/en/url/1e799cc44f85f1ce71ce6161bee66e7370b7240f88434f978f81aac9a7ac75c5/analysis/1462903681/
https://virustotal.com/en/file/c9cec5779d0907c75a5b893c551abb91d57d4cc51c3e8635ed6d4bb9297b768e/analysis/1462903685/

The files that are being marked as viruses are false positives. Is there a way to remedy this?

Contact the av vendors that are flagging the files.

Have already submitted a FP case with F-Secure
So all those using the Bitdefender engine should then remove detection if/when confirmed FP

Meaning all vendors that give these detection names use the Bitdefender engine
Gen:Trojan.Heur.@J0au8@clad
Gen:Trojan.Heur.PT.@J0abOFRkgd
Gen:Trojan.Heur.@J0au4w5SSl

Alright thanks. We are in the middle of doing this with the biggest AV providers but we update our program often. Is this the sort of thing that we have to do for every update?

Is this the sort of thing that we have to do for every update?
Check your file(s) at virustotal.com / metadefender.com

What Do I Do If an Engine Detects My Safe File as a Threat?
https://www.opswat.com/blog/what-do-i-do-if-engine-detects-my-safe-file-threat

Howdy Matt from Taxware,

Hope your present heuristic detection issues may disappear as FP. Take the following info into consideration, please.
Especially for the website analysis part, for which I present relevant knowledge paired to experience.

It would be helpful and save you a lot of trouble if the file(s) came digitally signed, as they are not now;
this is especially so with encrypted and compressed data, and
this is not helpful: detects

Detects VirtualBox using ACPI tricks
process: {u'process_name': u'winfiduc.exe', u'process_id': 1592}
signs: [{u'type': u'api', u'value': {u'category': u'registry', u'status': True, u'return': u'0x00000000', u'timestamp': u'2016-04-13 01:06:02,246', u'thread_id': u'452', u'repeated': 0, u'api': u'RegOpenKeyExA', u'arguments': [{u'name': u'Handle', u'value': u'0x00000084'}, {u'name': u'Registry', u'value': u'0x80000002'}, {u'name': u'SubKey', u'value': u'HARDWARE\\ACPI\\DSDT\\VBOX__'}], u'id': 12295}}]

Detects the presence of Wine emulator

process: None
signs: [{u'type': u'registry', u'value': u'HKEY_CURRENT_USER\\Software\\Wine'}]

http://www.isthisfilesafe.com/sha1/96B3153463BCCDB7F436C0EE504BDC6671044F2F_details.aspx
Just see the threat results and what they kick up here: https://www.google.nl/search?q=309A5C9D4D102964EAC1C1EA2338774A&oq=309A5C9D4D102964EAC1C1EA2338774A&aqs=chrome..69i57&sourceid=chrome&ie=UTF-8

There is quite some detection for it: https://www.virustotal.com/en/file/8978906210d352b4b9b4a4d94c565dc5da2d4d3e94f161a2f5baa5929b03b777/analysis/

Also the checking for the most updated version came flagged by some AV: Only 1 of the AV scans reported anything malicious in it, 360 Security, which has apparently had many false positives before. However, this <MACHINE_DNS_SERVER>:53 thing appears in many malicious scans on VirusTotal.

Again my main point here is that digitally signing would prevent many an FP from appearing.

Where the website is concerned you have a vulnerable jQuery library detected:
-http://www.taxwaresystems.com
Detected libraries:
jquery - 1.11.0 : (active) -http://www.taxwaresystems.com/wpscripts/jquery.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

Errors and warnings here:
405 - HTTP verb used to access this page is not allowed.
The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

Clickjacking Warning: Result
It doesn’t look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

In wpscripts/jquery.event.move.js there is a code error: error: undefined variable jQuery
error: undefined variable jQuery.event
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var jQuery.event = 1;
error: line:1: …^

Always remember that jQuery is a sink; your SRI A-Status saved you there! → https://sritest.io/#report/45f0cb81-3fb4-4d57-8a0b-4c25c3807b30 8) But set up your event-driven responses on page elements correctly!

polonus (volunteer website security analyst and website error-hunter)
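The two response-header findings above (platform-fingerprint headers sent, no anti-framing header) are easy to check mechanically. The following audit is an added example, not code from the thread or from any of the scanners linked in it; the header sets it runs against are constructed from the values quoted above, and the "hardened" set is an assumed target state, not the site's actual configuration.

```python
"""Audit an HTTP response header set for the two problems the scan above
reported: platform-fingerprint headers and a missing clickjacking defence."""
from typing import Dict, List

# Headers that only reveal the web platform and should not be sent.
FINGERPRINT_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
VALID_XFO = ("DENY", "SAMEORIGIN")


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the fingerprinting headers found and the anti-framing controls missing.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    leaks = [h for h in FINGERPRINT_HEADERS if h.lower() in lower]

    missing = []
    xfo = lower.get("x-frame-options", "").upper()
    csp = lower.get("content-security-policy", "")
    # Either a valid X-Frame-Options value or a CSP frame-ancestors directive
    # tells the browser who may frame the page; without both, clickjacking is possible.
    if xfo not in VALID_XFO and "frame-ancestors" not in csp:
        missing.append("X-Frame-Options (or CSP frame-ancestors)")
    return {"leaks": leaks, "missing": missing}


# Constructed sample: the headers reported for the site in the thread, with
# a typical Content-Type added so it looks like a real response.
OBSERVED = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Microsoft-IIS/8.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
}

# Constructed sample of the same response after hardening (assumed target state):
# the three fingerprint headers dropped, framing restricted to the site's own origin.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs))
```

On the observed set the audit reports all three fingerprint headers and the missing framing control; on the hardened set it reports nothing.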

Thanks a bunch. This is very useful. We had looked at code signing before but wasn’t sure if this would be something that helps or not. We will also be taking a look at our programs and website to try and correct these issues. Everyone here has been so helpful.

Seems you have the right spirit to mitigate these hiccups and vulnerabilities.
So it also would be helpful if an Avast team member came to report here as well;
I will just PM him. Always better to hear the final word from them,
as we here are volunteers with expertise,
but they are the only ones that do the real unblocking of sites and clearing of misdetections.

polonus

Hi,
I want to give you a second chance, so I am adding the file to our cleanset and removing the block on your domain.
However, take note of what others said earlier, or your files and domain will be blocked in no time, especially:

  • add digital signature to your files
  • stop checking if the file is run in a VM - this is a huge red flag!!

This is the reply from F-Secure

=========================================================
Thank you for your submission.

The files you submitted were found to be suspicious. Current detections will remain.

I work with Matt. Thank you for the help and advice. We are working to implement it.

Polonus, in your reply #9 it appears you give information or results in code blocks from one of our application files. The part that mentioned detecting VirtualBox and WINE Emulator. What did you run or use to see those results? I would like to be able to duplicate it as we test to see if we can remove what may have caused them.

HonzaZ, thank you for replying and removing the block. Why is checking for a VM such a red flag? Just a general answer here is fine, although I may also like to discuss via email or some other method to get details. I don’t think it will be a problem to change, but I would like to find out a little more about it and maybe let you know what is causing that. It isn’t something core to how our application needs to run or work. I believe it is something that is part of what we use to protect the application from being decompiled, etc. It seems there would be legitimate reasons to check for a VM or emulator, especially for license violation (not something we try in that app) or code protection efforts.

Thank you all!

Why is checking for a VM such a red flag?
http://www.symantec.com/connect/blogs/does-malware-still-detect-virtual-machines
https://securityintelligence.com/virtual-machines-malware-authors-being-watched/

and I guess that is why F-Secure did not remove detection

Why is checking for a VM such a red flag?
It is used by the vast majority of the worst type of malware (cryptolock et al) to ensure that they are not being run on a honeypot system

Hence anything checking for a VM is immediately suspect

Hi Scott B,

I stick to “third party cold reconnaissance scanning” as the most optimal and most secure way of getting reliable information.
What I mentioned there can be found here as a normal malware analysis scan that everyone could run online: https://malwr.com/analysis/MGFlZjdiYjhiYTc0NDkwZGI5MDk0ZmFkNjA0MDlmODU/
Knowing what to look for and combining results is all there is to it.
Often with protection measures they come wrongly combined and are not always compatible and/but sometimes rendering less security.
Just imagine a couple of bloodhounds in front of the porch to secure the premises starting to fight amongst each other rather than securing the place. Also using tools that cybercriminals and blackhats use can be detrimental.

Avast Team Member, HonzaZ may fill you in with some more info on the remainder of your questions.
We already would have a lot less to worry about when everybody fully updated and patched, retired vulnerable or left-over code (and zipped that for later reference), refrained from inline scripting, kept all data neatly centralised and followed the rules of best practice.
Alas, as a proctor at a Higher Educational Institute for IT Studies I see in the curriculum that security is not a first priority: you have to master javascript yourself online in your first year, second year to work through jQuery, not discriminating between vulnerable and non-vulnerable etc. Security header implementation minimal, end2end encryption coming in slowly but not always securely configured,
SRI hashes not always optimal etc. etc.

It is our mission here to make website coding somewhat more secure and to educate towards that end, and to comment on Avast detections and missed detections to further better Avast detection. Good that Avast is so generous to offer us all a platform here.

polonus (volunteer website security analyst and website error-hunter)