I'm wondering if there's any way to determine why AVG has flagged our website, hyphenet.com, for having active exploits?
I've already submitted the URL for being improperly flagged, but I have yet to hear a response, although I see on the AVG threat labs, it was updated to say that exploits were recently found within the last few days. It keeps saying our site is a ransomware site when it is NOT.
Now, I have run our website through other online scanners: virustotal.com, Sucuri's SiteCheck, and Wepawet -- AVG is the ONLY thing detecting a threat.
If a threat is legitimately being detected, I want to know where it is being found so it can be removed. We are a VAR and we often blog about the latest security threats and provide tips on how to steer clear of malware, so the last thing we want is for users to have their machines infected if our site has really been compromised, or even scared into thinking it may become infected.
Please look into this and let me know what's going on because we not only have a reputation to uphold, but we do not want to put our website visitors at risk.
I browsed the hyphenet.com website briefly but was unable to induce any detection. Have you followed BIG AL 43's advice?
If there is a particular page detected, please provide us with the exact URL, but replace the http prefix with hxxp (so the link won't be clickable in the forum) to make sure nobody visits it occasionally in case it is indeed infected.
Yes, I checked out the links provided by BIG AL43:
- I already submitted a false report before posting in the forums, but never got any type of response.
- I reviewed the JS on our site, made sure the last modified dates coincided with times I've actually updated the website and even re-loaded it from backups JUST in case.
I do not have AVG installed on my machine, I use a completely different antivirus vendor -- and I've never detected anything on our website, which I visit on a daily basis.
I became aware of the infection because I stumbled across another forum where an AVG user posted that they'd received a notification warning. Now, I find it odd that AVG alerted them that our site was a ransomware site because this individual was attempting to read a blog post about the Reveton ransomware that's currently going around. See the post here: hxxp://www.hyphenet.com/blog/2012/05/31/fbi-warns-users-not-to-fall-for-reveton-ransomware-scam/
I'm not sure if that had anything to do with it, but I thought that was very odd that our site was specifically labeled as a ransomware site!
That's when I went to check avgthreatlabs.com and found that you guys were saying there were active exploits and warning users to surf with caution.
Again, I have scanned our site with numerous site scanners, reviewed code -- everything. Never saw anything indicating an infection. I just wanted to make sure that this really was a false positive on AVG's end. If it is, I would like that the AVGthreatlabs.com website be updated to reflect this.
I regret to inform you that we were unable to access the above-mentioned page -> Error 354 (net::ERR_CONTENT_LENGTH_MISMATCH): The server unexpectedly closed the connection.
Based on the described behavior, it seems that the detection has been removed. Although the virus database appears to be updated on the first testing system, the LinkScanner database may have been outdated at the moment, therefore the page was detected... but that's mere speculation at the moment.
We have passed this issue to our web threats analysts to provide us with more information. We'll post more in this thread as soon as possible.
We can confirm this was a false alarm (triggered by the blog entry containing some HTML code the LinkScanner signature was designed to detect).
An AVG update removing this detection is being distributed.
I'll rename this forum thread to make the message more visible.