Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

Avira warning on webpage - F/P or not?

I was visiting a webpage that had some information about an old Usenet conspiracy theory started by spammers called the Lumber Cartel when Avira Antivir popped up a warning about HTML/Rce.Gen [Virus] in my cache.

The site is hxxp://bobcathoh.50megs.com/tinLC/
On one visit, I told Avira to ignore its finding and took a look at the source code. I didn't see anything jump out as being suspicious, like an iframe, nor did I allow any scripts to run on the page with NoScript.

I have since cleared out the cache, but was wondering if there really was something malicious on the page or if it was a F/P?
I know you used to be able to go to Linkscanner and it would check the page out for you for any exploits, but since AVG took over, they've converted it into an application that runs on the PC, and I have found that while running it, if I leave it idle, I lose all connectivity in my browser until I restart, so I no longer use it. I would like to find another page that does what the old Linkscanner did.
--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

see link below on comments from people on that site as far back as 2004 when they got pop-ups etc...
start reading with the post...

On Sat, 24 Jul 2004 20:57:14 GMT, "Ved Llun"
>Hmm, got a pop-up after viewing the site, which I promptly added to my "block
>always" list. Not nice.
50megs.com: Ads: (global: /ad/) iframe:

http://www.itags.org/mail-spam/322613/
--
Gladiator Security Forum
http://www.gladiator-antivirus.com/



Rogue Wolf
Ate Your Homework, And Framed The Dog

join:2003-08-12
Troy, NY

reply to Doctor Four
50megs.com is a free hosting site. I find it more than likely that your alert was triggered by a malformed ad in their rotation. It's definitely one of the more popular attack vectors these days.
--
[Beeth] Progress (n.): The process through which the Internet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.



Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:17

reply to Doctor Four
Using »www.unmaskparasites.com/

The report says:
»www.UnmaskParasites.com/security···m/tinLC/

quote:
This page seems to be
8 suspicious inline scripts found.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?


Rogue Wolf
Ate Your Homework, And Framed The Dog

join:2003-08-12
Troy, NY

said by Doctor Olds:

Using »www.unmaskparasites.com/

The report says:
»www.UnmaskParasites.com/security···m/tinLC/
quote:
This page seems to be
8 suspicious inline scripts found.
Looking at those scripts... jeez.

Question is, where in the page did they come from? Is the site bad or was this something external?
--
[Beeth] Progress (n.): The process through which the Internet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX

reply to Doctor Olds
Good thing I didn't allow any scripts on that site.


redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to Doctor Four
i went to the webpage but i didn't see anything, there, that looked suspicious..

"linkscanner" said the webpage was clean..

i think it is a false-positive, but i don't know, for sure.. when "antivir" flagged whatever it was that it was flagging, i quarantined it and submitted it to avira, as a "possible false-positive".. i will see what they say about it..



Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:17

said by redwolfe_98:

i went to the webpage but i didn't see anything, there, that looked suspicious..

"linkscanner" said the webpage was clean..
Does "linkscanner" look at any "local scripts" on the page?
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?

redwolfe_98
Premium
join:2001-06-11
kudos:1

1 edit

reply to Doctor Four
doctor olds, i don't know how good, or bad, "linkscanner" is at flagging webpages that contain malicious content, but the last time that i used it, to test a webpage ("caravancamping.cz" ), it seemed to do good, flagging a malicious "iframe", there..

the reason that i tried checking out "caravancamping.cz" was because someone questioned if "caravancamping.cz" really was malicious, even though avira's "antivir", and "avast", and "mcafee", all were flagging it..

regarding the "bobcathoh.50megs.com/tinLC/" webpage, "avira" said that the quarantined file that i submitted was a "false-positive".. (i quarantined the "file", whatever it was that avira was flagging at the "bobcathoh.50megs.com/tinLC/" webpage, and submitted it to "avira", as a possible false-positive)..

p.s. i am not an "expert" and i don't know anything about analyzing the content of webpages.. i think it is possible that there is some malicious content at the "bobcathoh.50megs.com/tinLC/" webpage, through the URL's that are being used for ads, there..



JLevinworth

@embarqhsd.net

redwolfe_98, FWIW out of curiosity, I just scanned "caravancamping.cz" at "Linkscanner" and it came back with:
"Congratulations! LinkScanner Online did not find any exploits."

UnmaskParasites said:
"2 suspicious inline scripts found.
Moreover, Google currently lists this page as suspicious*"
»www.unmaskparasites.com/security···mping.cz

Google says:

quote:
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 13 pages we tested on the site over the past 90 days, 5 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-02-07, and the last time suspicious content was found on this site was on 2010-02-07.

Malicious software includes 31 scripting exploit(s), 4 trojan(s), 3 backdoor(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 12 domain(s), including eksalon.ru/, mefa.ws/, apomith.com/.

5 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including bedioger.com/, tobeyew.com/, hindger.com/.

»www.google.com/safebrowsing/diag···mping.cz

-Jim
2010-02-08 12:26:49

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to redwolfe_98
Was that an Avira webscanner detection or Guard detection? I went there yesterday after reading this thread. I went on both XP, with Avira personal version 8, and on Win 7 with Avira Suite 10 build 20 beta version. Avira free doesn't have a webscanner and I don't have the webscanner installed for the Suite ver 10 beta I am testing. I poked around that site and got no alerts but I use the Proxomitron and see no ads.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


redwolfe_98
Premium
join:2001-06-11
kudos:1

3 edits

mele, when i went to the "bobcathoh.50megs.com/tinLC/" webpage, just now, it was flagged by both antivir's "webguard" and by its "avguard".. here is what the logs show:

this is from the webguard log:

2/8/2010,19:20:28 [DETERMINE] Malware found.
URL: bobcathoh.50megs.com/tinLC/
Contains recognition pattern of the HTML/Rce.Gen HTML script virus

this is from antivir's "avguard"-log:

2/8/2010,19:24:34 [WARNING] Contains recognition pattern of the HTML/Rce.Gen HTML script virus!
C:\Documents and Settings\redwolfe_98\Local Settings\Application Data\Mozilla\Firefox\Profiles\20be3f05.default\Cache\BBAD82F7d01



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

1 edit

reply to Doctor Four
Well I think the page is safe.. and in this case it is a false positive

HTML/Rce.Gen is a catch-all heuristics nomenclature that serves its purpose to give the user a heads up..but most of the time it has generated false positives..Avira has modified it many times in the past because of this..but it is better to be safe than sorry.

Recently...
MVPS HOSTS file is claimed to be infected with HTML/Rce.Gen

»www.bleepingcomputer.com/forums/···086.html

Avira says that HTML/Rce.Gen is classified as the following.....

Description:
One major goal of malware authors is to execute code on the victims computer. This Remote Code Execution can be achieved by using security holes in the web browser. The AHeAD HTML Heuristics detects the attempt to execute code and alerts it as HTML/Rce.Gen.


Whenever I go to the Wall Street Journal website (using links given at bigcharts.com), my antivirus gives me two warnings of a threat named HTML/Rce.Gen.

What could that be?

»boards.fool.com/Message.asp?mid=···rt=whole

back in 2008, Avira Antivir Personal 8.1.0.367 had a change log where they..

Changelog:
Fixed: False positives
HEUR/Malware
HEUR/HTML.Malware
HTML/Spoofing.Gen
HTML/ADODB.Exploit.Gen
HTML/Zones.Gen
HTML/Rce.Gen
HTML/Silly.Gen
HTML/Infected.WebPage.Gen

same here..

Posted on Sunday, November 22 2009 @ 23:33:58 CET by Thomas De Maesschalck

There was an engine update today.

The version number of the new engine is AV8/9 8.02.01.70 / AV7 7.09.01.70.

The following changes have been done:
- Fixed: False positives
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
HTML/Crypted.Gen
HTML/Spoofing.Gen
HTML/Downloader.Gen
HTML/Rce.Gen
HTML/Feebs.Gen

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

1 edit

reply to redwolfe_98
What browser are you using? I went there again just now on Opera 1010 with Proxo filtering and I clicked on a bunch of stuff. Avira guard did not peep (this is Guard for beta 10 but the virus definitions are the same for all versions of Avira).

One thing I clicked on there was the certificate of membership and Proxo showed a javascript prompt. Either Proxo or Opera blocked it because there was no place to enter my name.

Edit: Maybe I am not getting an alert because I don't have all extended threat categories checked in Avira config?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to Doctor Four
Tettnang, 8 June, 2006 – Avira has equipped its current June release of central AntiVir products with new, optimised heuristics: AHeAD (Advanced Heuristic Analysis and Detection). Decisive for this innovation was the ever increasing speed with which viruses and malware can spread, change and adapt. Statistical recognition processes of virus signatures are often no longer sufficient to ensure the security of a system. Avira has therefore added the newest heuristic virus recognition processes to its AntiVir product range.

The new AntiVir heuristics AHeAD from Avira recognises unknown malware proactively, in other words before a special virus signature is created against the parasite and a virus protection update then sent. To achieve this, Avira uses new, innovative structure analyses: On the basis of the composition of a file, the sequence of significant code sequences or based on particular behaviour patterns, the heuristics can determine with a very high probability whether it is dealing with a harmful or virulent file. If the alarm is raised, the virus protection software offers the choice of taking the potentially virally infected file into quarantine or deleting it from the computer.

But if that’s not enough: The AntiVir heuristics AHeAD also has the ability to proactively check manipulated HTML files for gateways. This process effectively prevents hackers from possibly making use of exploits in browsers.

“The first tests carried out from independent test institutes dealing with real operations have shown that with the new heuristics increased the proactive detection rate of our virus software,” says Gernot Hacker, security expert and acting managing director of Avira. “Proactive security is no longer a catchword with the new AntiVir heuristics, but a reality.”

This is also backed up, for example, by the excellent test results of AV-Comparatives.org, published on 1st June: AntiVir has proved to have the best proactive recognition rate at the rapid virus scan speed of 7.57 MB/second.

»www.avira.com/en/security_news/a···ion.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to Mele20
mele, i have my heuristics set to "high".. maybe that is the difference?

or it could be that your "proxomitron" was blocking out whatever it was that antivir was flagging?

i am using the "firefox" browser with the "adblock plus" and "noscript" addons..


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

said by redwolfe_98:

mele, i have my heuristics set to "high".. maybe that is the difference?
I should have thought of that! That probably is it because I keep heuristics at "medium".
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to redwolfe_98

Heuristics set to "high" will do it every time

Aflax is a JavaScript library that enables developers to utilize nearly all of the features of the Adobe Flash platform from JavaScript

AFLAX is available under Mozilla Public License Version
»ajax.phpmagazine.net/2005/11/afl···r_m.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

I set Avira 10 beta temporarily to High Heuristics on Win 7 and went there again and clicked on a number of things there. Maybe I missed clicking on whatever causes Avira's alert but even on High Heuristics I got no Guard alert. It could be though because of Proxo blocking or sanitizing some script there.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

1 edit

said by Mele20:

I set Avira 10 beta temporarily to High Heuristics on Win 7 and went there again and clicked on a number of things there. Maybe I missed clicking on whatever causes Avira's alert but even on High Heuristics I got no Guard alert. It could be though because of Proxo blocking or sanitizing some script there.
same thing mentioned in the last response in this thread about proxo and that site..

Quote :
"Nothing here. But then again Proxomitron is your friend.
rbg
A little gravity never hurt no one."

»www.itags.org/mail-spam/322613/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/
