blacklisted by antivirus?

We thought we had a virus, because our users kept having problems getting onto the site and their virus software kept blocking our site.

We had a full scan done of the server and a further 4 independent scans with various antivirus packages, and none of them turned up anything. We also had a full malware scan at our end which came up clean. It appears that for some reason Avast antivirus has decided to blacklist our site, as it has with many others such as banks and organisations.

Anyone else had this problem and know what to do about it?

Nathan

Quote · 18 Feb 2012

I narrowed it down a little, this is what's driving Avast nuts:

http://yoursite.com/m/aqb_broadcaster/action_check_message/

Not that this is a solution, but removing that module should fix your problem in the short term. It will be up to the mod author to figure out and fix whatever behavior is triggering Avast.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 18 Feb 2012

Thanks mscott,

I think many people will have this module. I will contact Anton and let him know. Perhaps an update is required. I will also try switching the message off tomorrow and seeing if it still happens.

Thanks again for your great help.

Nathan

Quote · 18 Feb 2012

I am using Avast and always get a warning about your site and never visited it :(

It shows some URL:Mal infection on whatever address you visit. Sometimes even robots.txt.

If it helps :)

so much to do....
Quote · 19 Feb 2012

We've tried to find the problem but faced another problem - we can't reproduce the original problem. :)

With the latest Avast we are unable to reproduce the problem either on our test Dolphin instances or on Nathan's site.

Here are some screens:

Avast and databases version:

Avast activity monitor:

Firebug Console monitor:

I.e. our Avast for some reason doesn't block anything. It has no problems with the m/aqb_broadcaster/action_check_message/ URL or with Nathan's site, although we have set Avast's level of panic to the highest possible level.

P.S. Nathan, should I cut off your site's address from the screens, or is that not a secret?

Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV
Quote · 20 Feb 2012

Soooo, does anyone have an idea how we can reproduce the problem? Or what makes your Avasts different from the latest, default-configured Avast (the only setting that was changed is the Sensitivity of the Web Shield, from Normal to High)?

Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV
Quote · 20 Feb 2012

I have the same version but I still get this warning.

http://screenshotuploader.com/s/01/qeAfhN8q4

so much to do....
Quote · 20 Feb 2012

 

> I have the same version but I still get this warning.
>
> http://screenshotuploader.com/s/01/qeAfhN8q4

Could you please show us a screenshot of the warning itself? And any info regarding that warning, if Avast is able to show any details regarding it.

Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV
Quote · 20 Feb 2012

No problem Anton... fine to show the address.... It is strange that it cannot be reproduced.

Quote · 20 Feb 2012

Anton,

I'm at work but I'll be home in 3 hours and I can post some screen shots for you.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 20 Feb 2012

Here is a screenshot of the warning I get when I try to visit

http://screenshotuploader.com/s/01/vew1umTET

And this is what I get about the robots.txt file

http://screenshotuploader.com/s/01/F3wXzNQlm

Please try to remove the robots.txt file from the server. It's just a try, it will not harm.

so much to do....
Quote · 20 Feb 2012

We did some research by googling the phrase "avast infection mal", and we think that the problem is purely in Avast itself. There are a lot of people who reported the same problem even when they were 100% sure that the URLs it blocked were clean. There are even a few funny cases when Avast was blocking itself from downloading its own updates. ))
Here is a possible explanation: http://forum.avast.com/index.php?topic=93599.msg745237#msg745237

Taking into account that robots.txt is just a text file and m/aqb_broadcaster/action_check_message/ outputs a JSON object, which is just text too, we believe that Avast is blocking these URLs not because of content, but because of some other parameters (IP? URL path? Moon phase?).
So we recommend contacting Avast's support and asking them why some Avast instances are blocking some of these URLs. We don't see any other possible way of solving that problem, because we just do not see any logic in Avast's behavior.

Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV
Quote · 20 Feb 2012

Thanks Anton, we will gather what information we can and contact Avast. If anyone has any other information or ideas please let us know.

Thanks,

Nathan 

Quote · 20 Feb 2012

Anton,

The specific shield that is being triggered is the "network shield".. is it possible that Avast thinks the messenger is trying to access other computers on the network? Also was the computer you were trying to replicate the problem on networked?

Anywho, here's my screen shots as promised..

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 20 Feb 2012

 

> Anton,
>
> The specific shield that is being triggered is the "network shield".. is it possible that Avast thinks the messenger is trying to access other computers on the network? Also was the computer you were trying to replicate the problem on networked?
>
> Anywho, here's my screen shots as promised..

Ok, thanks for the screens.

Well, broadcaster simply makes an AJAX request to /m/aqb_broadcaster/action_check_message/ to check for a new message. I have no idea what can be treated as harmful here.

Could you please try to access

http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/

directly? Will Avast panic in that case too, or does it panic only during an AJAX request to that URL?

And yes, my PC with Avast is on a network behind a router. It is very strange that my Avast still stays silent on all of the URLs of globaldancenetwork.com:

http://globaldancenetwork.com/

http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/

http://globaldancenetwork.com/faq.php

None of these is triggering my Avast. The only explanation I have is that Avast has some standalone module which remembers sites which were ever noticed as malicious, and during any further attempts to access such sites it warns about that even if the malicious code was removed already. Nathan, has your site ever been infected?

Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV
Quote · 20 Feb 2012

It doesn't matter what page I visit, I just can visit this domain or even try accessing through its IP but get the same result. This is really a mystery. The one thing that is common in every alert is robots.txt. Avast doesn't like this file I guess :)

so much to do....
Quote · 20 Feb 2012

Hey, I have one question. Do you have flashcoms chat on your website?

so much to do....
Quote · 20 Feb 2012

Yes, when I access it directly Avast blocks it. It really is very odd.

I think you might be on to something about Avast storing the site in its database due to past infections.. look at this:

http://forum.avast.com/index.php?topic=90964.0

> Could you please try to access
>
> http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/
>
> directly? Will Avast panic in that case too or it gets into panic only during an AJAX request to that URL?

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 20 Feb 2012
A shot in the dark but, I would ask your users what URL they are typing in and see if it has something to do with www vs non-www and see if there's a pattern.

I see you are using a 302 redirect for www to non-www, this could be throwing a false positive as I have seen this in the past. Look to make sure you have this set up correctly and use a 301 redirect if you are not now.

Not sure if this is contributing to the issue, but if not set up properly in .htaccess or other, it could throw a false positive, false cloak, redirect errors, loop. Which I guess could cause an anti-virus to store the site as suspicious.
Quote · 20 Feb 2012
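The redirect conditions named in the post above (a temporary 302 used for www to non-www, redirect loops) can be checked mechanically. The sketch below is an added example, not part of the thread and not anyone's production code: the hostnames and responses are constructed, and `audit_redirects`, `sample_fetch` and `bare_host` are hypothetical names. Swap `sample_fetch` for a function that issues a HEAD request without following redirects to run it against a real site.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}

# Constructed responses (url -> (status, Location)); not captured from any real site.
SAMPLE = {
    "http://www.example.test/": (302, "http://example.test/"),
    "http://example.test/": (200, None),
    "http://loop.example.test/a": (301, "/b"),
    "http://loop.example.test/b": (301, "/a"),
}

def sample_fetch(url):
    """Hypothetical stand-in for a HEAD request that does not follow redirects."""
    return SAMPLE[url]

def bare_host(url):
    """Hostname with a leading 'www.' removed, so www and non-www compare equal."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def audit_redirects(start_url, fetch=sample_fetch, max_hops=10):
    """Follow the chain hop by hop; return (final_url, list of findings)."""
    findings, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            findings.append(f"loop: {url} visited twice")
            return url, findings
        seen.add(url)
        status, location = fetch(url)
        if status not in REDIRECT:
            return url, findings
        if not location:
            findings.append(f"{status} without Location at {url}")
            return url, findings
        target = urljoin(url, location)  # resolves relative Location values
        if bare_host(url) != bare_host(target):
            findings.append(f"cross-site redirect: {url} -> {target}")
        elif urlsplit(url).hostname != urlsplit(target).hostname and status not in PERMANENT:
            findings.append(f"temporary {status} used for www canonicalisation at {url}")
        url = target
    findings.append(f"gave up after {max_hops} hops")
    return url, findings

if __name__ == "__main__":
    for start in ("http://www.example.test/", "http://loop.example.test/a"):
        print(start, audit_redirects(start))
```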

Also antivirus NOD32 is blocking your site. I am attaching an image if you can help ..


Templates and Modules for Dolphin 7.3 http://www.boonex.com/market/posts/Giovanni_m
Quote · 20 Feb 2012

 

> Yes, when I access it directly Avast blocks it. It really is very odd.
>
> I think you might be on to something about Avast storing the site in its database due to past infections.. look at this:
>
> http://forum.avast.com/index.php?topic=90964.0
>
> > Could you please try to access
> >
> > http://globaldancenetwork.com/m/aqb_broadcaster/action_check_message/
> >
> > directly? Will Avast panic in that case too or it gets into panic only during an AJAX request to that URL?

Ok, looks like it doesn't like the domain name itself and not the content. As a last verification, could you please access the URL http://dolphin70.aqbsoft.com/m/aqb_broadcaster/action_check_message/ and tell us Avast's reaction? If Avast is silent, then that would mean that it has nothing to do with Broadcaster and it blocks URLs of globaldancenetwork.com.

Best Regards AntonLV - http://www.boonex.com/market/posts/AntonLV
Quote · 21 Feb 2012

@AntonLV I can visit your site. No problem at all.

Also for his site. It doesn't even let the browser connect. Just type and get the error. Avast is adding it to some kind of blacklist I think.

so much to do....
Quote · 21 Feb 2012
 
 