Why are Yandex blacklisted sites missed by a lot of URL scanners?

Example: http://maldb.com/parkthermal.com/#blacklists & http://evuln.com/tools/malware-scanner/parkthermal.com/
See: https://www.virustotal.com/nl/url/0a2e1b4c4e762312b19f941a5143850f1713755f245b615e506c0ce2782e8cb1/analysis/

Missed here: http://soswebscan.jobandproject.com/beta_scan.php
and here: http://app.webinspector.com/public/reports/19436454
Not given here: http://scanurl.net/?u=+http%3A%2F%2Fparkthermal.com&uesb=Check+This+URL#results

Sucuri also mentions all Yandex blacklisting! http://sitecheck.sucuri.net/results/parkthermal.com/
malware on same IP: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=216.145.96.%
and according to this scan the malware still flagged as maldb and evuln is DEAD.
Check: http://jsunpack.jeek.org/?report=ccb83a18d1f239c635d375b48135ed68b3c6c99f

So the question is: is Yandex blacklisting running after the facts?

External links are blocked like: htxp://info.flagcounter.com/j3am
or not found: htxp://www.wpi.edu/academics/research/chte/

polonus

DrWeb does not have it on their blocklist, Google Safebrowsing does not block nor does the avast! shield protection!

Another one also flagged by Bitdefender’s TrafficLight → http://evuln.com/tools/malware-scanner/oduvanchiki.by/
http://yandex.ru/infected?l10n=en&url=http://oduvanchiki.by/
Site also likely compromised: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Foduvanchiki.by%2F
See: http://jsunpack.jeek.org/?report=c7ef0faebe1319c8f2618103562584c90a85d500
oduvanchiki dot by/rhinoslider-1.05.min.js benign
[nothing detected] (script) oduvanchiki dot by/rhinoslider-1.05.min.js
status: (referer=oduvanchiki dot by/)saved 17603 bytes db251574c212874297c802743de9e1d651301128
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function $.extend
error: undefined variable $
suspicious:
Javascript check:
Suspicious

ps:" : “http:”) + “//mc.yandex.ru/metrika/watch.js”; if (w.opera == “[object opera]”) { d.addeventlistener(“domcontentloaded”, f); } else { f(); } })(document, … (N.B. urlopen error no host given - note by me, polonus)

polonus

IP for oduvanchiki.by (178.159.242.67) is on 6 blacklists http://whatismyipaddress.com/blacklist-check

and this URL uses the same IP http://urlquery.net/report.php?id=4065835

Hi Pondus,

That is very strange then, Pondus, because avast! will let me go to the site without any alert - not the slightest bleep there, not a moo, see: http://urlquery.net/report.php?id=8802188
Maybe that site was being excluded from the IP ban. But I see no avast! IP ban or whatsoever.
The site I gave is the only one alive, the remainder is either dead or closed: http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=178.159.242.67
So avast does not alert on that IP either :)
Can you copy me, Pondus, for that situation?

polonus

Hello guys,

Looks to me like Yandex’s results are outdated and both sites are clean. If the site is clean when Yandex checks it again, it will be removed from the blacklist. Some info about Yandex antivirus technology can be found here: http://company.yandex.com/technologies/antivirus_technology.xml

Hi Andrey.pro,

Still keep considering their findings, just like DrWeb’s url check reports and what is on their malsite list.
We need some good scanners from within the Russian theater.
Moreover I have found that DrWeb’s detection often is complementary to avast!'s and v.v.
So I value a lot what these coders from St.Petersburg do,

polonus

Hi polonus,

Dr.Web has a good detection rate and technical support service; they can also decrypt files encrypted by ransomware for their users (using bruteforce, of course ;D).

Apart from the Dr. Web URL scanner, I know only 2 Russian scanners:
http://2ip.ru/site-virus-scaner/ (site in Russian)
http://www.antivirus-alarm.ru/ (site in Russian)

This http://2ip.ru/site-virus-scaner/ has some extras in addition to other scanners.
It checks for detected viruses.
It checks the Google Safebrowsing blacklist.
It checks the Yandex blacklist.
It checks the CMS used, but in quite a different way than Sucuri, for instance.
It reports on hosting site.
About the site.
DNS-settings.
Site on the same IP.
All domains of a single owner.
There is an IP Spam database.

polonus