2 Replies Latest reply on Jul 2, 2014 11:28 AM by Hayton

    False Positives

    malcom802

      Whenever I visit carrollprimarycare.com using Internet Explorer I get tons of false positives. I work for a large company and we are getting hammered with false positives from users going to this site. Moving away from IE is not an option. Blocking access to the site is not an option.

      DAT: 7486.0000 - JS/Redirector.bz

      Some examples of what McAfee finds:

      carrollprimarycare_com[1].htm\00001e1d.js,

      occupational-medicine[1].htm\00001e57.js

        • 1. Re: False Positives
          Peter M

          Moved to Corporate User Assistance for hopefully better handling.

          • 2. Re: False Positives
            Hayton

            SiteAdvisor blocks this site with a Yellow warning page, confirmed by TrustedSource (which gives no explanation). TrustedSource shows it has been Yellow-rated for some weeks.


            A Sucuri scan of the site reports that it has within it code detected as SEO spam, so perhaps you should pass on those findings to the website owners and ask them to check the site and make any necessary changes. Be aware that the Sucuri detection, while made only a few minutes ago, may not be the reason for SiteAdvisor blocking the site, and may indeed be a false positive (but see below).


            http://sitecheck.sucuri.net/results/carrollprimarycare.com


            carrollprimaryhealthcare Sucuri scan.PNG

            Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
            t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();


            A scan of the home page only by another site check program supposedly detected a Trojan. This too may be a false positive.

            http://app.webinspector.com/public/reports/22888884

            carrollprimarycare AVG scan.PNG


            This VirusTotal report shows four detection engines out of 53 rate the site as malicious. One of the detections was made by C-SIRT but their threat identifier is not shown.


            One or more of these detections may reflect an old site infection which has been cleaned up. This site reports a Trojan detection on the site five months ago, but the detection was only noted for the IP address not the site itself - so the IP address may still be recorded in some places as having an infected website.

            carrollprimarycare Scumware listed.PNG


            Message was edited by: Hayton on 02/07/14 17:28:57 IST
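As an added example (not code from the thread, McAfee or Sucuri), a small Python triage helper that checks saved copies of the pages, such as the cached .htm files McAfee named, for the MW:SPAM:SEO JavaScript fragment Sucuri reported, so an admin can tell an injected page from a clean one before deciding whether the AV hits are false positives. The marker patterns come from the quoted fragment; the sample pages and any file paths are constructed.

```python
import re
from pathlib import Path

# Marker patterns taken from the Sucuri MW:SPAM:SEO fragment quoted above.
# Hypothetical triage helper, not a McAfee or Sucuri tool.
SEO_SPAM_MARKERS = (
    re.compile(r"document\.write\('<'\+x\[0\]\+' '\+x\[4\]\+'>\.'\+x\[2\]"),
    re.compile(r"\bdnnViewState\(\);"),
)
# Inline <script> blocks, case-insensitive, spanning newlines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def find_seo_spam(html):
    """Return one record per inline <script> block that matches any marker."""
    hits = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        matched = [m.pattern for m in SEO_SPAM_MARKERS if m.search(body)]
        if matched:
            hits.append({"script_index": index, "markers": len(matched),
                         "snippet": body.strip()[:80]})
    return hits


def scan_files(paths):
    """Scan saved pages (e.g. browser cache copies) and map path -> findings."""
    report = {}
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        hits = find_seo_spam(text)
        if hits:
            report[str(p)] = hits
    return report


# Constructed samples: a benign page and one carrying the quoted fragment.
CLEAN_PAGE = "<html><script>var ok = 1;</script></html>"
INJECTED_PAGE = (
    "<html><script>console.log('site');</script>"
    "<script>function dnnViewState(){var a,x=[],l=5;t='';}}x[l-a]=z;}"
    "document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}"
    "dnnViewState();</script></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_seo_spam(page))
```

A single marker is worth a look; both markers in the same script block is a strong sign the page carries the injection Sucuri described.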