We thought we had a virus, because our users kept having problems getting onto the site and their virus software kept blocking our site.
We had a full scan done of the server and a further 4 independent scans with various antivirus packages, and none of them turned up anything. We also had a full malware scan at our end which came up clean. It appears that for some reason Avast antivirus has decided to blacklist our site, as it has with many others such as banks and organisations.
Anyone else had this problem and know what to do about it?
Nathan
|
I narrowed it down a little, this is what's driving Avast nuts:
http://yoursite.com/m/aqb_broadcaster/action_check_message/
Not that this is a solution, but removing that module should fix your problem in the short term. It will be up to the mod author to figure out and fix whatever behavior is triggering Avast.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
thanks mscott,
I think many people will have this module. I will contact Anton and let him know. Perhaps an update is required. I will also try switching the message off tomorrow and seeing if it still happens.
Thanks again for your great help.
Nathan
|
I am using Avast and always get a warning about your site and never visited it :(
It shows some URL:Mal infection on whatever address you visit. Sometimes even robots.txt.
if it helps :)
so much to do.... |
We've tried to find the problem but faced another problem - we can't reproduce the original problem. :)
With the latest Avast we are unable to reproduce the problem either on our test Dolphin instances or on Nathan's site.
Here are some screens (all images are clickable):
Avast and databases version:
Avast activity monitor:
Firebug Console monitor:
I.e. our Avast for some reason doesn't block anything. It has no problems with the m/aqb_broadcaster/action_check_message/ URL or with Nathan's site, although we have set Avast's level of panic to the highest possible level.
P.S. Nathan, should I cut off your site's address from the screens, or is that not a secret?
Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV |
Soooo, does anyone have an idea how we can reproduce the problem? Or what makes your Avasts different from the latest Avast configured by default (the only setting that was changed is the Sensitivity of the Web Shield, from Normal to High)?
Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV |
I have the same version but still i get this warning.
http://screenshotuploader.com/s/01/qeAfhN8q4
so much to do.... |
Could you please show us a screenshot of the warning itself? And any info regarding that warning, if Avast is able to show any details regarding it.
Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV |
No problem Anton... fine to show the address.... It is strange how it cannot be reproduced. |
Anton,
I'm at work but I'll be home in 3 hours and I can post some screen shots for you.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
here is a screenshot of the warning i get when try to visit
http://screenshotuploader.com/s/01/vew1umTET
and this is what i get about robots.txt file
http://screenshotuploader.com/s/01/F3wXzNQlm
Please try to remove the robots.txt file from the server. It's just a try, it will not harm.
so much to do.... |
We did some research by googling the phrase "avast infection mal", and we think that the problem is purely in Avast itself. There are a lot of people who reported the same problem even when they were 100% sure that the URLs it blocked were clean. There are even a few funny cases when Avast was blocking itself from downloading its own updates. )) Here is a possible explanation: http://forum.avast.com/index.php?topic=93599.msg745237#msg745237
Taking into account that robots.txt is just a text file and m/aqb_broadcaster/action_check_message/ outputs a JSON object, which is just text too, we believe that Avast is blocking these URLs not because of content, but because of some other parameters (IP? URL path? Moon phase?). So we recommend contacting Avast's support and asking them why some Avast instances are blocking some of these URLs. We don't see any other possible way of solving that problem, because we just do not see any logic in Avast's behavior.
Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV |
Thanks Anton, we will gather what information we can and contact Avast. If anyone has any other information or ideas please let us know,
Thanks,
Nathan
|
Anton,
The specific shield that is being triggered is the "network shield".. is it possible that Avast thinks the messenger is trying to access other computers on the network? Also was the computer you were trying to replicate the problem on networked?
Anywho, here's my screen shots as promised..
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Ok, thanks for the screens.
Well, broadcaster simply makes an AJAX request to /m/aqb_broadcaster/action_check_message/ to check for a new message. I have no idea what can be treated as harmful here.
Could you please try to access
http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/
directly? Will Avast panic in that case too, or does it panic only during an AJAX request to that URL?
And yes, my PC with Avast is on the network behind a router. It is very strange that my Avast still keeps silent on all the URLs of globaldancenetwork.com:
http://globaldancenetwork.com/
http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/
http://globaldancenetwork.com/faq.php
None of these is triggering my Avast. The only explanation I have is that Avast has some standalone module which remembers sites that were ever noticed as malicious, and during any further attempts to access such sites it warns about that even if the malicious code was removed already. Nathan, has your site ever been infected?
Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV |
It doesn't matter what page I visit, I just can visit this domain or even try accessing through its IP but got the same result. This is really a mystery. The one thing that is common in every alert is robots.txt. Avast doesn't like this file I guess :)
so much to do.... |
Hey, I have one question. Do you have flashcoms chat in your website?
so much to do.... |
Yes, when I access it directly Avast blocks it. It really is very odd.
I think you might be on to something about Avast storing the site in its database due to past infections.. look at this:
http://forum.avast.com/index.php?topic=90964.0
Could you please try to access
http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/
directly? Will Avast panic in that case too, or does it panic only during an AJAX request to that URL?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
A shot in the dark, but I would ask your users what URL they are typing in and see if it has something to do with www vs non-www and see if there's a pattern.
I see you are using a 302 redirect for www to non-www; this could be throwing a false positive, as I have seen this in the past. Look to make sure you have this set up correctly and use a 301 redirect if you are not now.
Not sure if this is contributing to the issue, but if not set up properly in .htaccess or other, it could throw a false positive, false cloak, redirect errors, loop. Which I guess could cause an anti-virus to store the site as suspicious |
Also the NOD32 antivirus is blocking your site. I am attaching an image, if you can help..
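The redirect conditions named in the post above (a temporary redirect used for www to non-www, and loops) can be checked mechanically. This is an added example, not part of the thread or of Dolphin; the hosts and the `SAMPLE` response table are constructed, and `audit_redirects` and `bare_host` are hypothetical names.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample: (status, Location header) per URL, standing in for live
# HEAD requests so the audit runs offline. The hosts are placeholders.
SAMPLE = {
    "http://www.example.org/": (302, "http://example.org/"),
    "http://example.org/": (200, None),
    "http://www.loop.example/": (301, "http://loop.example/"),
    "http://loop.example/": (301, "http://www.loop.example/"),
}

def bare_host(url):
    """Hostname with a leading 'www.' removed, for same-site comparison."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit_redirects(start, lookup=SAMPLE.get, max_hops=10):
    """Follow the redirect chain from `start`; return (hops, findings)."""
    hops, findings, seen, url = [], [], set(), start
    while len(hops) < max_hops:
        if url in seen:
            findings.append(f"redirect loop back to {url}")
            break
        seen.add(url)
        status, location = lookup(url) or (None, None)
        hops.append((url, status))
        if status not in (301, 302, 303, 307, 308):
            break  # final response (or unknown URL): chain ends here
        if not location:
            findings.append(f"{status} without Location at {url}")
            break
        target = urljoin(url, location)  # Location may be relative
        same_site = bare_host(url) == bare_host(target)
        host_changed = urlsplit(url).hostname != urlsplit(target).hostname
        if same_site and host_changed and status in (302, 303, 307):
            findings.append(
                f"temporary {status} used for www/non-www "
                f"canonicalisation at {url}; use 301")
        url = target
    else:
        findings.append(f"gave up after {max_hops} hops")
    return hops, findings

if __name__ == "__main__":
    for start in ("http://www.example.org/", "http://www.loop.example/"):
        print(start, audit_redirects(start))
```

To audit a live site, pass a `lookup` callable that issues a HEAD request and returns the status code and `Location` header for the given URL.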
Templates and Modules for Dolphin 7.3 http://www.boonex.com/market/posts/Giovanni_m |
Ok, looks like it doesn't like the domain name itself and not the content. As a last verification, could you please access the URL http://dolphin70.aqbsoft.com/m/aqb_broadcaster/action_check_message/ and tell us Avast's reaction? If Avast is silent, then that would mean that it has nothing to do with Broadcaster and it blocks URLs of globaldancenetwork.com.
Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV |
@AntonLV i can visit your site. No problem at all.
Also for his site. It doesn't even let the browser connect. just type and get the error. Avast is adding it in some kind of blacklist i think.
so much to do.... |