(Solved) Is this false positive? or not

Asyn · 2017-10-25T05:59:52.000Z

→ https://forum.avast.com/index.php?topic=210078.msg1427508#msg1427508

jraju · 2017-10-25T06:03:40.000Z

Hi, did you check the txt file I enclose. I have checked with all other scans with no vulnerability existed results. So, i ask . As the product belongs to avast, i could get the confirmation only with avast

libor_b · 2017-10-25T11:08:30.000Z

Hello jraju,

to confirm this, type following to command line:

nslookup vk.com
nslookup yandex.ru

in output of these commands you will see
Name:
Addresses: <some_addresses>
if addresses of both commands are the same, then your DNS is hijacked. As HonzaZ says in the other topic, this may be caused by many reasons.

This could be caused by many reasons - your ISP might redirect you, your device (either end-device, such as laptop, PC, mobile; or router) might be infected, your DNS server might be infected, etc.

Libor

jraju · 2017-10-26T05:39:02.000Z

Hi, nsloop command on elevated status, gives the following address
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>nslookup vk.com
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name: vk.com
Address:

C:\Windows\system32>nslookup yandex.ru
Server: UnKnown
Address: 192.168.1.1

Non-authoritative answer:
Name: yandex.ru
Address:
The addresses are the same and secured address of the ISP. I just deleted for the sake of security. But how these are said to be dns hijacked. I also tried google.com, which fetches the actual pages of google.com. Please say something more on this. how to overcome ?
I want response like this, which is giving the idea of existing problem.
I just changed to google dns. Even though dns hijack problem goes, there is unknown access of some foreign sites server accessing the google dns.The site is sometime shown in third party.
pl expecing answers to this
If suppose, a domain and sub domain is having the same ISP, then, why we should not assume such a thing here?
But i do not know, how the Ip of the ISP is shown as addresses, is not known.I checked the addresses shown in the command prompt, nslook up and then searched it for whose ip.com. Mere pasting the ip at address bar, does not fetch any result

jraju · 2017-10-27T10:50:06.000Z

Hi, Previously experts and some times staff or the moderators would visit this fourm posts and give the reply, as they know the intricacies involved in a query or bug. Oflate, i have not seen such replies . Also, the support ticket format could not be used to submit

DavidR · 2017-10-27T12:37:51.000Z

You have had a reply from an Avast Team member in this topic.

Hopefully libor_b will be able to get back to the topic.

I just wonder if it might have gotten more of a response in the viruses and worms sub-forums.

jraju · 2017-10-28T07:12:15.000Z

Hi, Thanks for the information. Hope that Libor would come to my rescue. I think that avast has included so many sites in its hns scan and only two are said to be domains hijacked. I still expect a kind of solution to the problem.
The avast gives solution to switch to google dns to get remedy from dns hijak problem. But choosing dns as google has also posed to me a strange problem of unknown dns servers accessing my router or my network. so, i changed back to dhcp server, that is my ISP’s server resulting in poping of hns dns hijack alert after each scan.
If some domains and sub domains have the exact ip address, ( is it possible ), then the same ip of nslookup command would have shown the same addresses. I do not know more about this. I hope Libor would tell me about this. But how the addresses are shown as My Isp"s server for the foreign domains still not understood by me.
i also wish to point out that those ip servers belong to the ISP, but those were not configured dns automatically obtained in the router.

jraju · 2017-10-28T07:34:26.000Z

Hi, I am enclosing herewith the unknown server not configured in the router. Would libor listen to me

Asyn · 2017-10-28T08:23:02.000Z

jraju post:10:

Would libor listen to me

Be patient, it’s weekend…

libor_b · 2017-10-30T13:09:31.000Z

Hello jraju,

if the IP addresses are the same, then our scan indeed reports DNS hijacked domains. It doesn’t matter which two domains conflict. It also often happens that these domains are redirected by ISP’s (as is probably your case) and then you can safely ignore this issue. But our scanner is not lying to you and your DNS is hijacked (by your ISP), so this is not false positive, but probably harmless DNS hijack.

Libor

jraju · 2017-10-30T13:41:38.000Z

Hi, Libor,

                if i switch to googld dns server, then what is the role of unknown server. i could understand my isp server, as provider of internet, and google dns as configured could access. But why the third dns server accessing my router, which i have not configured in my router .
                   Could you explain that behaviour . It is a server from malaysia. how to find the role of that server. Is that the server may have been allowed by google dns for some internet activity. The irony of the problem is that query to google dns public has so far not replied .

Users are concerned about the security tips . Hope that i receive reply for this also

                 Anyhow, as it is not false positive, i changed to open dns in router .anyhow, please explain if i select the public dns and it allows some third party dns servers access at times .

jraju · 2017-11-03T01:02:42.000Z

Hi, libor, I was expecting your reply.
But is that possible that those domains ip if shown as non authorittative answer, then could it not be false positive.

jraju · 2017-11-04T08:28:39.000Z

so this is not false positive, but probably harmless DNS hijack.
Fine. I confirmed with the ISP, that those are blocked sites. I am using avast for more than 10 years.
Now, how to make avast not displaying these red letter words, on scan by avast. I mean, how i could handle this false positive sites, not to be scanned by avast so that i did not get this alert for these two sites alone.
The scan is included in the smart scan. How to configure. please. I will try in the mean while from your tutorial. can i expect a reply from libor or some experts

Asyn · 2017-11-04T08:51:09.000Z

jraju post:15:

The scan is included in the smart scan. How to configure. please.

Avast GUI → Settings → Smart-Scan → Disable HNS/WiFi Scan there

jraju · 2017-11-04T12:06:57.000Z

Hi, To make it clear, i want the scan. But how to exclude those sites from the scan. If avast finds some other sites, other than these two , i will check and include those in exception if found in avast smart scan and will give avast solution in case it is not false positive. I tried simply , by giving exceptions on scan but still getting those alerts of dns hijack and those hijacked two domains. I want the scan to be there. Once it is known that it is false positive then i want to configure in such a way that they scan, but exclude those sites. Otherwise, it will prompt at all the times. I hope you understand this.
Is there any specific way of making exclusion of https sites.

Pondus · 2017-11-04T12:11:49.000Z

If you scan several times a day then i guess it is a problem …

If you scan once a month it is not a problem

jraju · 2017-11-04T14:08:36.000Z

Hi, Pondus,
I usually scan once a week. But can i include the sites in exceptions in scan, so that i do not get that red alert? IMay https site be included in exception in a scan?

Asyn · 2017-11-04T15:03:22.000Z

jraju post:17:

Hi, To make it clear, i want the scan. But how to exclude those sites from the scan.

In short, there are no exclusions for this type of scan. Either you run it or you don’t. That’s it.

jraju · 2017-11-04T15:21:03.000Z

Hi, Asyn believe it not. I just added the url in general settings in the excllusion lilsts. now those sites are not red alerted . I think it is working. But let us see in the next week, whether it is alerting again.
By running smart scan once in a week, i am having a feeling that i am protected by avast in all the threats from all sides. If it shows any dns hijack, i will probe and then apply the solutions by avast.
It is not that much safe nowadays that router is the main attack , and i bookmark for alerts on router checks and am receiving daily about 10 new type of alerts and solutions.
I have changed the admin pw, but avast prompts weak password. Probing it further, i saw a user pw column. So, i changed the pw for user also.
Thanks for all the suggestions in this regard from experts and staff. If i do not know about nslookup, it may not be possible to find the exact cause of the alert.Once again thanks all

Asyn · 2017-11-04T15:36:58.000Z

You’re welcome.

Announcements