URL:Phishing false-positive?

Hi, my Free Avast Antivirus has recently started to block some subdomains of our Salesforce.com production org as URL:Phishing. The following URLs are being blocked:

- https://salesoptimizer--c.na84.content.force.com // Content subdomain

At the same time, the main https://salesoptimizer.my.salesforce.com site URL does not have this problem.

I tried to scan the https://salesoptimizer--c.na84.visual.force.com URL using the virustotal.com - no viruses detected:
https://www.virustotal.com/gui/url/29c4e27ebb953c1af69bad4583452f69fdd4110093d650b775b414817a93ba83/detection

What should I do? I wouldn’t like to keep the URL exception for this site (what if a real virus/phishing hides there one day).

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Thanks for guiding me on this! Done.

You’re welcome.

Has been given the clean bill of health here: https://checkphish.ai/insights/url/1594728051165/8450c7d0a1781248ec8ca843a75aaf64ce455850a5691301a0bb25a2d9821e55#
Redirecting to -https://salesoptimizersupport.force.com/login
With blockers ReferenceError: loader is not defined
/jslibrary/LoginHint208.js:23

CSP: Evaluated CSP as seen by a browser supporting CSP Version 3

check: upgrade-insecure-requests

error: script-src [missing]
script-src directive is missing.
error: object-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?

On source: Javascript 11 (external 5, inline 6)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes

INLINE: if (self == top) {document.documentElement.style.visibility = 'visible';} else {
249 bytes

INLINE: var SFDCSessionVars={"server":"https://login.salesforce.com/login/sessionser
588 bytes

-salesoptimizersupport.force.com/jslibrary/SfdcSessionBase208.js
-salesoptimizersupport.force.com/jslibrary/LoginHint208.js
INLINE: LoginHint.hideLoginForm();
26 bytes

INLINE: LoginHint.getSavedIdentities(false);
36 bytes

-salesoptimizersupport.force.com/jslibrary/baselogin.js
-salesoptimizersupport.force.com/marketing/survey/survey1/1384
-salesoptimizersupport.force.com/marketing/survey/survey4/1384
INLINE: function handleLogin(){document.login.un.value=document.login.username.value;doc
262 bytes

ONCLICK: /* a#edit.fr small.onclick = */ LoginHint.showEdit();
53 bytes

ONCLICK: /* button#hint_save_edit.button primary fiftyfifty right.onclick = */ LoginHint.
95 bytes

ONCLICK: /* button#hint_back_edit.button secondary fiftyfifty.onclick = */ LoginHint.show
90 bytes

ONCLICK: /* a#clear_link.clearlink.onclick = */ LoginHint.clearExistingIdentity();
73 bytes

ONCLICK: /* button#mydomainContinue.button primary fiftyfifty right.onclick = */ DomainSw
104 bytes

ONCLICK: /* button#hint_back_domain.button secondary fiftyfifty.onclick = */ DomainSwitch
140 bytes

ONCLICK: /* a#use_new_identity.onclick = */ LoginHint.useNewIdentity();
62 bytes

CSS 5 (external 1, inline 4)
salesoptimizersupport.force.com/css/sfdc_210.css
INJECTED

INLINE: html{visibility: hidden;}a{color:#0070d2;}body{background-color:#FFFFFF;}#conten
459 bytes INJECTED

INLINE: html { visibility: hidden; }
30 bytes INJECTED

INLINE: @media print {#ghostery-purple-box {display:none !important}}
61 bytes INJECTED

INLINE: :root #content > #center > .dose > .dosesingle, :root #content > #right > .dose
170 bytes INJECTED

Wait for a final verdict from an avast team member, as they are the only ones to come and unblock,
for now I do not see that particular page being blocked by avast’s. Also Zen Mate blocks zero.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
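The two CSP findings in the report above (missing script-src, missing object-src) can be reproduced with a small check. This is an added example, not part of the thread and not the scanner's or Salesforce's code; the policy strings are constructed samples, the first one shaped like the reported policy (only upgrade-insecure-requests), and the function names are hypothetical.

```javascript
// Added example. Policy strings are constructed samples, not captured headers.

// Parse a Content-Security-Policy value into a Map: directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list governing a fetch directive, honouring the default-src fallback.
// null means nothing in the policy restricts that resource type.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// An empty list or the single keyword 'none' blocks every source.
const blocksAll = (list) =>
  list.length === 0 || (list.length === 1 && list[0].toLowerCase() === "'none'");

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = effectiveSources(policy, 'script-src');
  const hasNonceOrHash = (list) => list.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  if (script === null) {
    findings.push('script-src missing: scripts may load from any source');
  } else if (script.some((s) => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash(script)) {
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  }
  const object = effectiveSources(policy, 'object-src');
  if (object === null) {
    findings.push('object-src missing: plugin content is unrestricted');
  } else if (!blocksAll(object)) {
    findings.push("object-src is not 'none'");
  }
  return findings;
}

const REPORTED_SHAPE = 'upgrade-insecure-requests';
const HARDENED = "default-src 'self'; script-src 'self' 'nonce-EXAMPLE'; object-src 'none'; upgrade-insecure-requests";
console.log(auditCsp(REPORTED_SHAPE), auditCsp(HARDENED));
```

A policy with only `default-src 'self'` passes the script-src check through the fallback but is still flagged for object-src, since plugins would be allowed from the same origin.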

Redirecting to the login site is insecure as it may produce access to internal files,
like for instance baselogin.js, survey4 etc., both with code meant for internal use only.

/* * This code is for Internal Salesforce use only, and subject to change without notice. * Customers shouldn't reference this file in any web pages. */
Also with links to -: htxps://jeddrexler.com/ This is known as excessive info proliferation and one should hide it from accidental access.

polonus

Hi polonus,

Thank you for looking into it and providing recommendations on fixing some parts. Unfortunately I am not the owner of those sites (even the support site), and most of the site HTML is rendered by Salesforce internally - so I can not adjust anything there. In any case, thank you for the feedback on this.

I have just received a response from Avast support, they marked it as safe, and it is not detected by Avast any more.

Thanks for your help!

Best regards,
Andrew