(Solved) Is this a false positive or not?

Hi, of late I am asking questions on security aspects. I am enclosing the scan result of the Avast Smart Scan, which gives this result. I want to know whether it is a false alarm or false positive. Would any expert give advice? I am also enclosing the lines of text in my HNS scan log.

Hi, in continuation, I enclose the relevant portion of the scan from the HNS scan log.

https://forum.avast.com/index.php?topic=210078.msg1427508#msg1427508

Hi, did you check the txt file I enclosed? I have checked with all other scans, with no vulnerability existed results. So, I ask. As the product belongs to Avast, I could get the confirmation only with Avast.

Hello jraju,

To confirm this, type the following at the command line:

nslookup vk.com
nslookup yandex.ru

In the output of these commands you will see
Name:
Addresses: <some_addresses>
If the addresses of both commands are the same, then your DNS is hijacked. As HonzaZ says in the other topic, this may be caused by many reasons.

This could be caused by many reasons - your ISP might redirect you, your device (either end-device, such as laptop, PC, mobile; or router) might be infected, your DNS server might be infected, etc.

Libor

Hi, the nslookup command in elevated status gives the following address:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>nslookup vk.com
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name: vk.com
Address:

C:\Windows\system32>nslookup yandex.ru
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name: yandex.ru
Address:
The addresses are the same and are the secured address of the ISP. I just deleted them for the sake of security. But how are these said to be DNS hijacked? I also tried google.com, which fetches the actual pages of google.com. Please say something more on this. How to overcome it?
I want a response like this, which gives an idea of the existing problem.
I just changed to Google DNS. Even though the DNS hijack problem goes, there is unknown access of some foreign site's server accessing the Google DNS. The site is sometimes shown in third party.
Please, expecting answers to this.
Suppose a domain and a subdomain have the same ISP; then why should we not assume such a thing here?
But I do not know how the IP of the ISP is shown as the addresses. I checked the addresses shown in the command prompt by nslookup and then searched for them on whose ip.com. Merely pasting the IP in the address bar does not fetch any result.

Hi, previously experts and sometimes staff or the moderators would visit this forum's posts and give a reply, as they know the intricacies involved in a query or bug. Of late, I have not seen such replies. Also, the support ticket format could not be used to submit

You have had a reply from an Avast Team member in this topic.

Hopefully libor_b will be able to get back to the topic.

I just wonder if it might have gotten more of a response in the viruses and worms sub-forums.

Hi, thanks for the information. I hope that Libor will come to my rescue. I think that Avast has included so many sites in its HNS scan and only two are said to be hijacked domains. I still expect a kind of solution to the problem.
Avast gives the solution of switching to Google DNS to remedy the DNS hijack problem. But choosing Google as DNS has also posed to me a strange problem of unknown DNS servers accessing my router or my network. So, I changed back to the DHCP server, that is, my ISP’s server, resulting in the HNS DNS hijack alert popping up after each scan.
If some domains and subdomains have the exact same IP address (is it possible?), then the nslookup command would have shown the same addresses. I do not know more about this. I hope Libor will tell me about this. But how the addresses are shown as my ISP's server for the foreign domains is still not understood by me.
I also wish to point out that those IP servers belong to the ISP, but those were not the configured DNS automatically obtained in the router.

Hi, I am enclosing herewith the unknown server not configured in the router. Would Libor listen to me?

Be patient, it’s weekend… :wink:

Hello jraju,

If the IP addresses are the same, then our scan indeed reports DNS hijacked domains. It doesn’t matter which two domains conflict. It also often happens that these domains are redirected by ISPs (as is probably your case) and then you can safely ignore this issue. But our scanner is not lying to you and your DNS is hijacked (by your ISP), so this is not false positive, but probably harmless DNS hijack.

Libor
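The comparison Libor describes in his two replies, as an added example that is not part of the thread and is not Avast's scanner code: it parses saved nslookup output for two unrelated domains and reports whether the answer addresses are identical. The sample outputs are constructed and use documentation-range IPs, and the function names are hypothetical.

```python
import ipaddress

# Constructed nslookup output; the answer IPs are documentation-range addresses.
SAMPLE_VK = """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    vk.com
Addresses:  203.0.113.10
          203.0.113.11
"""
SAMPLE_YANDEX = """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    yandex.ru
Addresses:  203.0.113.11
          203.0.113.10
"""
SAMPLE_OTHER = """Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    example.org
Address:  198.51.100.7
"""

def answer_addresses(nslookup_output):
    """Return the set of answer IPs, skipping the resolver's own Server/Address block."""
    addrs, in_answer = set(), False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True   # lines before "Name:" describe the DNS server itself
            continue
        if not in_answer:
            continue
        for token in line.replace("Addresses:", "").replace("Address:", "").split():
            try:
                addrs.add(str(ipaddress.ip_address(token)))  # accepts IPv4 and IPv6
            except ValueError:
                pass           # aliases and other non-address text
    return addrs

def same_answer(out_a, out_b):
    """True when both lookups returned the identical, non-empty set of addresses."""
    a, b = answer_addresses(out_a), answer_addresses(out_b)
    return bool(a) and a == b
```

An empty answer on either side (for example, output with the addresses deleted before posting) returns False, meaning the comparison is inconclusive rather than clean.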

Hi, Libor,

If I switch to the Google DNS server, then what is the role of the unknown server? I could understand my ISP server, as provider of internet, and Google DNS, as configured, could access. But why is the third DNS server accessing my router, which I have not configured in my router?
Could you explain that behaviour? It is a server from Malaysia. How to find the role of that server? Is it that the server may have been allowed by Google DNS for some internet activity? The irony of the problem is that the query to Google Public DNS has so far not been replied to.

Users are concerned about the security tips. I hope that I receive a reply for this also.

Anyhow, as it is not a false positive, I changed to OpenDNS in the router. Anyhow, please explain if I select the public DNS and it allows some third-party DNS servers access at times.

Hi, Libor, I was expecting your reply.
But is it possible that, if those domains' IPs are shown as a non-authoritative answer, then it could be a false positive?

so this is not false positive, but probably harmless DNS hijack.
Fine. I confirmed with the ISP that those are blocked sites. I have been using Avast for more than 10 years.
Now, how to make Avast not display these red-letter words on a scan by Avast? I mean, how could I handle these false positive sites so that they are not scanned by Avast and I do not get this alert for these two sites alone?
The scan is included in the Smart Scan. How to configure it, please? I will try in the meanwhile from your tutorial. Can I expect a reply from Libor or some experts?

Avast GUI → Settings → Smart-Scan → Disable HNS/WiFi Scan there

Hi, to make it clear, I want the scan. But how to exclude those sites from the scan? If Avast finds some other sites, other than these two, I will check and include those in exceptions if found in the Avast Smart Scan and will give the Avast solution in case it is not a false positive. I tried simply giving exceptions on the scan but am still getting those alerts of DNS hijack and those two hijacked domains. I want the scan to be there. Once it is known that it is a false positive, then I want to configure it in such a way that they scan, but exclude those sites. Otherwise, it will prompt at all times. I hope you understand this.
Is there any specific way of making an exclusion of https sites?

If you scan several times a day then I guess it is a problem …

If you scan once a month it is not a problem.

Hi, Pondus,
I usually scan once a week. But can I include the sites in exceptions in the scan, so that I do not get that red alert? May an https site be included in an exception in a scan?

In short, there are no exclusions for this type of scan. Either you run it or you don’t. That’s it.