Possible false positive on zscaler

Hi,

Possible false positive on zscaler : hxxp://research.zscaler.com/

See picture for detection.

Hello nmb,

Here is the VT result for the index.html: http://www.virustotal.com/file-scan/report.html?id=1e195754b2ad171dc70cf3bb98143452327c784d1501f2a56cbc5ea6d1ca539a-1303112833

URLVoid and IPVoid report that the corresponding IP and web address are clean.

You can also send the FP report to avast! from here: http://www.avast.com/contact-form.php?loadStyles

Hi Murali,

How are you doing?

Again, please disable the URL link, and according to robtex.com here's the information that I got:

research.zscaler.com has one IP number (74.125.113.121), via cname to ghs.google.com, but the reverse is vw-in-f121.1e100.net. Japanesewriters.com, cambodiaadoptionconnection.com, asp-pro.com, flowbridge.com, mail.axpr.net and at least 200 other hosts point to the same IP. Ccscourts.org and dippinflavors.com use this as a mail server under another name.

Zscaler.com is a domain controlled by six name servers at dnsmadeeasy.com. Some of them are on the same IP network. The primary name server is ns10.dnsmadeeasy.com. Incoming mail for zscaler.com is handled by seven mail servers at got.net. Some of them are on the same IP network. zscaler.com has one IP number (72.249.144.174).

More information: research.zscaler.com is hosted on a server in United States. It is not listed in any blacklists.

And according to URLVoid, the web link is clean. Source: hxxp://www.urlvoid.com/

Also from VirusTotal it is clean, as we may see at: hxxp://www.virustotal.com/url-scan/report.html?id=e3b7722f08c896f54ef986c91dc4098f-1287710458

But according to Anubis Web Scanner, the link looks suspicious: hxxp://anubis.iseclab.org/?action=result&task_id=11f4cf119964563b4e142f2fb2a45fb66&format=html

cheers,

Hi Yanto, I’m fine, thank you. How are you?

It is most probably an FP, because zscaler might have posted their analysis of scripts etc. on their website, which is triggering avast :slight_smile:

Hi Murali,

I think so, similar to yodaosan's analysis, and I asked you to submit it to AVAST Software.
Because some websites contain suspicious script which is in passive mode, but avast always detects it as a harmful and suspicious website.

cheers,

I got the same results:

Anubis:
http://anubis.iseclab.org/?action=result&task_id=10231f0337a5ac0e429f0cb66511bc084&call=first
http://anubis.iseclab.org/?action=result&task_id=10231f0337a5ac0e429f0cb66511bc084&format=html

Unmask Parasites:
http://www.unmaskparasites.com/security-report/

@Yanto

Yes, I have reported to avast by contact form.

Not a detection on the page as being infected as such, but a detection on the code that they have posted in plain text…

Page.gif is what it looks like on the page, and script is how it exists in the source…

As usual…pics are better…

EDIT: This “script” is what the JS:ScriptDC-inf alert is on…there may be more, depending on how they have escaped the code…and avast detection…

Sucuri also say infected - Details: http://sucuri.net/malware/entry/MW:IFRAME:HD5

Thanks Scott, for confirming this:

Avast also detects this link:

Again, because it is posted as plain text on the webpage.

Do any of you guys have a solution for a lad like me who reads such posts online?
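The distinction Scott and murali are drawing above, a signature hit on code that is merely shown to the reader as text versus code the browser would actually run, can be made explicitly by parsing the markup rather than matching on raw bytes. The following Python is an added example and is not code from this thread, from avast or from zscaler; the two sample pages are constructed, `example.invalid` is a placeholder host, and the marker list is an illustrative assumption, not any vendor's signature.

```python
"""Classify script-like content in an HTML page as executable or merely displayed.

Added example (not from the forum thread). A scanner that matches on raw bytes
sees "<script>" whether it is live markup or HTML-escaped text inside a <pre>
block of a research write-up. Walking the parsed document separates the cases.
"""
from html.parser import HTMLParser

# Elements whose content or src the browser would actually load/run (assumption for this example).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Elements whose content is rendered as literal text for the reader.
DISPLAY_TAGS = {"pre", "code", "textarea"}
# Illustrative markers only; a real engine would carry its own signatures.
SUSPICIOUS_MARKERS = ("<script", "<iframe", "document.write", "unescape(")


class ScriptClassifier(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: "&lt;script&gt;" in page text reaches handle_data as "<script>",
        # so displayed code looks exactly like live code at this layer; tag context tells them apart.
        super().__init__(convert_charrefs=True)
        self.executable = []   # markup the browser would run
        self.displayed = []    # code shown to the reader as text
        self._active_depth = 0
        self._display_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self._active_depth += 1
            src = dict(attrs).get("src")
            self.executable.append(f"<{tag}> src={src!r}")
        elif tag in DISPLAY_TAGS:
            self._display_depth += 1

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and self._active_depth:
            self._active_depth -= 1
        elif tag in DISPLAY_TAGS and self._display_depth:
            self._display_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._active_depth:
            # Inline body of a live <script>; attach it to the element recorded at start tag.
            self.executable[-1] += f" inline={text[:40]!r}"
            return
        if self._display_depth or any(m in text.lower() for m in SUSPICIOUS_MARKERS):
            self.displayed.append(text[:80])


def classify(html: str) -> dict:
    """Return {'executable': [...], 'displayed': [...]} for one HTML document."""
    parser = ScriptClassifier()
    parser.feed(html)
    parser.close()
    return {"executable": parser.executable, "displayed": parser.displayed}


# Constructed sample 1: a research write-up quoting an injection as escaped text.
WRITEUP = """<html><body>
<h1>Analysis of an injected iframe</h1>
<p>The compromised page contained:</p>
<pre>&lt;iframe src="http://example.invalid/in.php" width=1 height=1&gt;&lt;/iframe&gt;
&lt;script&gt;document.write(unescape('%3Cscript%3E'))&lt;/script&gt;</pre>
<script src="/analytics.js"></script>
</body></html>"""

# Constructed sample 2: the same markup live in the page (what a real infection looks like).
INFECTED = """<html><body>
<p>Welcome</p>
<iframe src="http://example.invalid/in.php" width=1 height=1></iframe>
<script>document.write(unescape('%3Cscript%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("write-up", WRITEUP), ("infected", INFECTED)):
        result = classify(page)
        print(f"{name}: {len(result['executable'])} executable, {len(result['displayed'])} displayed")
        for item in result["executable"]:
            print("  RUNS:", item)
        for item in result["displayed"]:
            print("  SHOWN:", item)
```

Run against the write-up sample, the only executable element is the site's own analytics script, while the quoted iframe and script land in the displayed bucket; against the infected sample, both land in the executable bucket and nothing is merely displayed. A byte-matching rule reports both pages the same way, which is exactly the false positive discussed in this thread.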

Hi murali,

The problems stem from this external reference: (even though it is a norton secured site)
http://www.google.com/safebrowsing/diagnostic?site=ribbs.usps.gov
found suspicious here: http://www.urlvoid.com/scan/ribbs.usps.gov (on 2 accounts)

polonus