Readers advising AV blocking my website

Hi

A lot of my readers are advising that AVAST is blocking my website at www.cytguides.com/IQuitMyJobSale

I have checked my site numerous times with urlquery http://urlquery.net/report.php?id=183808
and also zulu.zscaler.com - http://zulu.zscaler.com/submission/show/5faf42730321874b63ea39d2067dbadd-1347892066

I check the results and can’t understand why it is suspicious

Anybody help out?

This page seems to have 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.cytguides.com/IQuitMyJobSale

and on the urlquery link there is detection from Suricata /w Emerging Threats filter

URLVoid
http://www.urlvoid.com/scan/cytguides.com/ BrowserDefender says - Threat found Browser exploit
https://www.virustotal.com/url/a641874859b4204a33b17cb8579de779703fe34861626de6adec682a1b1ffb68/analysis/1347893439/

I can’t see anything obvious.

There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for: * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

  • If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (Network Shield), etc. A link to this topic also wouldn’t hurt.

Thanks

Scumware was reporting an old virus from February 2012 which had been cleaned. Have written to them. Also written to AV.

Thanks for your help

Steve

Unmaskparasites alerts on this script:

Https: is encrypted and cannot be scanned, therefore suspicious?

@ Kwartet!
When giving script examples it is best to use an image as the last thing we would want is avast at some point alerting on a script example. Whilst you have used the XX to break links, that may not stop avast considering such script as an insert/exploit, etc.

Whilst there is no alert at this time, it is just safe practice when posting script examples.

DavidR, you are an annoyance.

If avast considered my posting deserving an alert, it would have done so before it would be published, no? And it would have stopped it. Long live avast!

@Kwartet

As David says, this has happened quite a few times: users have posted copy and paste of script here … and later when surfing the forum avast gives an alarm,
so to avoid that … take a screenshot of the script …

Thanks Pondus,

Do you mean avast does not clean this forum from [links to] malicious scripts? Rhetorical question: what would you do, if you were a respected antivirus company?

Best regards,

PS. Sorry Steven Aitchison, it’s getting quite tangential to your question.

Yes, it has happened that the mods must remove script posted by users because it is detected … and they often have to edit clickable infected links here

but why post it like that when we know how to avoid it :)

It isn’t about the links as I mentioned in my post (you modified them); it is about the posting of the complete script including tags which at some point could be considered suspect causing avast to alert in the forums.

This is the way script could be presented (take an image from the webpage that has the code and take out identifiable data), see attached.
I have a malicious script detection in Google Chrome that certainly would alert to looking up part of the code with Google, even the %3E%3C/script%3 bit will be enough to get an XSS alert (there is no payload so that is nonsense, but you better have it alerted in case code is malicious. Users put all code onto pastebin, and going there I would have the browser additionally sandboxed and have script blockers active, so nothing could escape the VM.)
See: -http://packetstorm.wowhacker.com/papers/attack/understanding-xss.txt (flagged by WOT)
Once bitten by malcode, the security aware becomes twice shy. Breaking possible suspicious links is one, rendering scripts harmless is another rule.
So have the code in Malzilla (the malware browser for the security savvy) and then capture an image (use for instance capture in Click & Clean),
also see the site you gave flagged here: http://urlquery.net/report.php?id=183808

polonus
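
The two rules from the last post (break suspicious links, render scripts harmless) can be checked mechanically before a text post is submitted. The Python sketch below is an added example, not code from the thread or from avast: the function names, the `[script` bracket convention and the sample draft are assumptions. It also decodes percent-encoding first, since an encoded fragment such as `%3E%3C/script%3` is enough to trigger an alert, and it does not guarantee that a given scanner stays quiet on the output.

```python
import re
from urllib.parse import unquote

URL_RE = re.compile(r"\bhttp(s?)://([^\s/<>\"']+)", re.IGNORECASE)
TAG_RE = re.compile(r"<\s*(/?)\s*(script|iframe|object|embed)\b", re.IGNORECASE)


def fully_decode(text, max_rounds=3):
    """Undo nested percent-encoding so %3Cscript%3E is seen as <script>."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def findings(text):
    """List what a scanner could react to in a draft post."""
    decoded = fully_decode(text)
    found = []
    if URL_RE.search(decoded):
        found.append("live-link")
    if TAG_RE.search(decoded):
        found.append("script-markup")
    return found


def defang(text):
    """Return a text-only rendering: broken links and inert tag openers."""
    text = fully_decode(text)
    text = URL_RE.sub(
        lambda m: "hxxp" + m.group(1).lower() + "://" + m.group(2).replace(".", "[.]"),
        text,
    )
    # "<script" -> "[script", "</script" -> "[/script": no longer parsed as a tag
    return TAG_RE.sub(lambda m: "[" + m.group(1) + m.group(2).lower(), text)


# Constructed sample draft (not taken from the thread); example.test is a reserved name
DRAFT = 'See http://www.example.test/a.js and %3Cscript src="https://cdn.example.test/x.js"%3E%3C/script%3E'

if __name__ == "__main__":
    print(findings(DRAFT))          # what the raw draft contains
    print(defang(DRAFT))            # what would be posted instead
    print(findings(defang(DRAFT)))  # re-check the defanged text
```
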