Trojan warning -- false positive?

Starting with the update I got this morning, I’m getting a Trojan warning on the Delphiforums chat board when I try to respond to a note using a WYSIWYG editor. I’m 99.9% sure this is a false positive as I’ve been on this board for 17 years with no hint of any malicious activity.

I would also like to know how to shut off the automatic blocking of this site since I run a forum on there and really need to be able to post notes.

Thanks.

Edit to add that the infection shown is JS:ScriptIP-inf [Trj]

Hi blackcat77, welcome to the forum :slight_smile:

Do you have the specific alert for the site?

There are exclusions for the webshield, however I think it would be a good idea for someone to check the detection beforehand…just in case :wink:

You can find the link that avast! alerts on, in the webshield report file. Or you could post an image of the alert.

If posting the link, please could you disable the link, change http to hXXp, to prevent others potentially becoming infected :slight_smile:

"99.9% sure this is a false positive as I've been on this board for 17 years with no hint of any malicious activity"
so it is absolutely bulletproof........and therefore no way it can be hacked.....;D......never say never.... ;)

The infection is JS:ScriptIP-inf[Trj]

The problem is that I don’t get the warning from just visiting the site, I get the warning when I try to respond to a note using a WYSIWYG editor which is exclusive to people who pay for extra features on the site, and of course that makes it hard to check for everyone else.

Here is the (modified) link to one of the posts that the program trips on, but the error appears when I try to reply to any message:

hxxp://forums.delphiforums.com/1stamendment/messages?msg=74259.1&mode=advanced&u=5529

Thanks for the welcome and of course I’m not saying that it’s IMPOSSIBLE for the site to be hacked but I have a good degree of confidence. There have been many posts since I was on last night and nobody has mentioned any issues.

Well, from what you say, this looks to be something that would be hard to pin down considering you need to be a paid user…this may be one for the developers…

I can’t see what is causing the alert myself, or even trigger the alert (understandably, considering the circumstances…)

If you still want the exclusion, you can add it to the list in the ‘Expert settings’ of the web shield section

The link you posted, is that the link that appears on the avast popup saying where it found the JS:script?

Can you post a screenshot of it? There is a pin in the top right corner; click it and you pin it to the screen.

Here is the popup:

Something not entirely unrelated: why are you using Firefox 3.6 beta 5? The latest Firefox version is 3.6.6 and isn’t a beta build; this has closed some security vulnerabilities (it could prevent exploits infecting your system). So I would suggest that you get the latest version of Firefox.

It is 3.6.6 – it’s just in the old folder

I also can’t get the exclusion to work. I’ve typed in everything that shows in the popup and it still blocks the page.

Other forum members are reporting that their virus scanners aren’t detecting any problems.

OK, I’m BRAND NEW here and came to ask about this same problem and the same forums. I am also a co/mod at Delphi forums and the same thing is happening to me, and another member emailed me at my home email because she also could not post to the board. This problem is only happening when we want to post or reply back to someone; we can browse and read the board all we want, we just cannot post. The warning pops up and then it terminates the connection. I asked the other member what virus program she was running and she emailed back that she is also running AVAST.

I almost want to say that it might be a false notification but dang, if it’s not I don’t want to open myself up to it. No one else has emailed me, but they for sure cannot post a message about it on the board, and no one that is running avast can post to the techs at Delphi because of it either. I did get to their help section and post directly to tech, but who knows when/if they will ever get back. They are mostly volunteers with a few real paid employees. They usually help pretty fast if you can post to the members forum.
Was anybody able to get there and post or see what was going on?

Thanks for posting, Jockey – I was starting to think that it was just me… ???

No, it is not just you, Cat. I am going to ask our other mod to post and see if any other AVAST users on our forum are having this problem, and they will email her back; at least we will have a confirmation of sorts.

I’m a delphi member as well and am having the same exact problem as blackcat.

Exactly what are you entering into the exclusion list?

You could have some problems as the path would change with posting in different threads etc.

So if you are going to put an exclusion, it would be best to minimise the range that it covers…

Can you see what is common in the links that cause an alert? Whilst you could just add the whole site, it is better for a more specific (as is reasonably possible) exclusion.

Entering http://forums.delphiforums.com/* could do it, although that is quite a wide spectrum to exclude, if you see what I mean.

I am leaning towards the possibility that this is probably a false detection…

It would be a good idea to send an email to virus(@)avast.com with the subject false positive, and the information in the email.

Not more than an hour ago I sent a report to AVAST like you asked; we’ll see. I am also leaning towards a false positive but don’t want to jump there quite yet.

Since Brushjockey sent in a report, I will wait to see the response that message gets.

Also, another poster on delphi has emailed me and said he is having the problem as well on delphi, when replying to posts, and he is an avast user as well.

I don’t speak geek so I can only say the problem is there and delphi members who use other virus programs are not having this problem. Which has all been stated by others here but I’m simply reiterating.

I have been having the same problem (same JS script) all day at a different site: www.national.review

The problem has been fixed, I think; I don’t know by whom. Try updating your AVAST now and let it install and see if you can post to Delphi; the other site, national news, I don’t know about. It might not hurt to try though. I was successful just a few minutes ago. Good luck everyone! :slight_smile: