URL-MAL False Positive?

I tried to download from mediafire.com
and avast suddenly popped up saying the URL is infected with URL-MAL

the address hxxp://www.mediafire.com/?ul3qbc3kxb72b0c

Avast Pop Up
hxxp://205.196.122.12/n5xaakcla6tg/ul3qbc3kxb720c/Claymore CHAPTER 107 EN.zip
URL:Mal
Action:Blocked

But the strange thing is, after I refreshed in my browser
the link worked fine, no avast pop-up anymore.
So, false positive?

thanks

edit1: I just noticed that after the refresh it uses a different server to dl,
so hxxp://205.196.122.12 is still detected as URL:MAL
received 0/6 in virustotal
http://www.virustotal.com/url-scan/report.html?id=32020e1344d9e58224b4f1cb9a5c2ab7-1287325273

The link hxxp://205.196.122.12 is not listed at hpHost, and it is dead http://downforeveryoneorjustme.com/http://205.196.122.12 …so why the alarm?

Scanned the file from mediafire and it looks clean (had to split it into two zip files to scan)
http://virscan.org/report/cf8b2f531105c6452cd4c37c3063ad22.html
http://virscan.org/report/173148199e2ef942b9eb546db23ca6f2.html

Don't know if it's dead or not (since avast blocks it before I can download), but strangely mediafire still uses that server for hosting a file. Today, while I downloaded a different file from mediafire, I got the same pop-up URL-MAL
but with different IPs

205.196.122.19
205.196.122.20

I tried a traceroute and the result is

205.196.122.20 is from United States(US) in region North America

TraceRoute to 205.196.122.20 [domain.not.configured]
Hop (ms) (ms) (ms) IP Address Host name
1 15 30 32 72.249.0.65 -
2 6 10 12 206.123.64.81 -
3 6 17 29 8.9.232.73 xe-5-3-0.edge3.dallas1.level3.net
4 14 28 26 4.69.145.114 ae-71-70.ebr1.dallas1.level3.net
5 13 17 20 4.69.137.137 ae-1-13.bar1.houston1.level3.net
6 16 29 40 4.78.14.34 linkright-l.bar1.houston1.level3.net
7 12 13 13 205.196.122.20 domain.not.configured

Trace complete

IP whois shows it's owned by Linkright LLC.

Can any of the devs tell me why it is listed as a malicious URL?

Edit1: after disabling the avast shield the link works and I can download it: hxxp://www.mediafire.com/?4290jz76bc686r8, and it shows the download link is at hxxp://205.196.122.19/ybs8xjjsnusg/4290jz76bc686r8/59.cbr
Extracted the cbr (cbr is rar) and scanned it with avast, which revealed no virus whatsoever, prolly since it was only a jpg.

http://downforeveryoneorjustme.com/http://205.196.122.19 result says it's down; perhaps there’s some protection that renders it inaccessible to some ppl/countries.

So I do say it's definitely a false positive; hope it gets removed by avast, 'cause surfing the net while my AV is disabled is not a good thing :)

Hello,
It’s a false positive. It will be fixed in the next VPS.
Best regards
Jan Sirmer

I have the same problem with mediafire too…

Well, it's good that it will be resolved in the next update… more power, avast!

At last

Big thank you :)

avast still detects 205.196.122.20 as a malicious URL

Hello,
It will be fixed in the next VPS.
A little mistake has happened.
Sorry

I think someone un-fixed it, I’m getting the same false positive, from hxxp://205.196.122.24/zbbgjguaueyg/evzh0fcmizcb6do/NetHackPortable_3.4.3_Development_Test_2.paf.exe , the original url is hxxp://www.mediafire.com/?evzh0fcmizcb6do.

By the way, just in case someone gets funny ideas because of the name, it’s a portableapps.com-compliant copy of NetHack.

Update: I fed the actual download URL (the 205.196.122.24/*) to virustotal, which reports a clean site, and I also fed it the actual “installer” as well (results here); the only scanner that had an issue was TrendMicro, probably because it’s using NSIS’s UPX/LZMA compression.

Update: modified URLs per the following post by technician DavidR. Personally, I don’t feel they're necessary, as they have already been verified clean, but, meh, you’re the boss.

Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites/files, thanks.
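The link-breaking convention requested above (http to hXXp, www to wXw), as an added example that is not part of the original thread: a small Python helper that defangs every link in a post and reports any that would still be auto-linked. The function names and the sample text are constructed for illustration.

```python
import re

# http:// or https:// in any letter case, starting at a word boundary.
_SCHEME = re.compile(r"\bhttp(s?)://", re.IGNORECASE)
# "www." at the start of a host name; forum software often auto-links
# these even when no scheme is written.
_WWW = re.compile(r"(?<![\w.-])www\.", re.IGNORECASE)
# Any token that is still a clickable link under either rule.
_LIVE = re.compile(r"(?:\bhttps?://|(?<![\w.-])www\.)\S+", re.IGNORECASE)


def defang(text: str) -> str:
    """Break every link in text: http -> hXXp, https -> hXXps, www -> wXw."""
    text = _SCHEME.sub(lambda m: "hXXp" + m.group(1).lower() + "://", text)
    return _WWW.sub("wXw.", text)


def live_links(text: str) -> list[str]:
    """Return the links in text that a browser or forum would still make clickable."""
    return _LIVE.findall(text)


# Constructed sample post (reserved example domain and documentation IP range).
SAMPLE_POST = (
    "Download: http://www.example.test/?abc123 "
    "mirror HTTPS://203.0.113.7/dir/file.zip or www.example.test"
)

if __name__ == "__main__":
    print("before:", live_links(SAMPLE_POST))
    safe = defang(SAMPLE_POST)
    print("after: ", safe)
    print("still live:", live_links(safe))
```

Running `defang` twice gives the same result as running it once, so it is safe to apply to posts that are already partly defanged.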

Done.

Thank you.

No, thank YOU for YOUR assistance in this matter; it seems the latest updates within a few hours after your post un-blacklisted the URLs.

No problem, but the Virus Labs team are the ones that gave the prompt response; I’m just an avast user like yourself.