Community Gallery website - malicious code?

I agree with @Butternut.
I’ve had Avast on my Mac for over a year and I do web research as part of my job all day long. I don’t get this alert all over the place, rarely does anything.
@thang indicated a .js file is causing this but what one? What product put this file on the site?

I’ve gone through quite a number of the sites on the gallery and no others get an alert.

[quote=“lynnnight, post:1, topic:4389, full:true”]
My Avast software found malicious code when I clicked on the link of the Accurate Building Inspections website in the Community Gallery. I’m not that savvy with virus software so not sure why this happened but thought I’d report it since I’ve not seen it before. http://rapidweavercommunity.com/gallery/accurate-building-inspections Maybe someone can tell me why the site/code was flagged?

The message:
Infection detected!


The requested URL contains malicious code that can damage your computer. If you want to access the URL anyway, turn off the Avast web shield and try it again.
Infection type: URL:Mal
[/quote]

Given that Avast is warning you about a .ico file (which is the favicon for any site), and the Javascript it’s flagging is either built by Stacks, or a minimised piece of Javascript that we know not to be malicious, I’d suggest this is a pretty silly false positive. If you feel you need this level of protection, I’m not going to dissuade you from using it. But all modern browsers have built-in (and ever-updating) blacklists of sites that may cause malware problems, and in my experience I’ve never needed Avast or any other piece of anti-virus.

—N

The trouble, though, @Nikf, is not with the RW community, or even Mac users, but the large numbers of Windows users who may feel they need such software and may not visit innocent sites as a result. If my site were receiving a false positive, I’d make very strong representations to Avast.

Perhaps we should run Avast, just to discover what misinformation they are disseminating.

We’ll take a look, but honestly - if they’re flagging perfectly innocuous Javascript as “potentially” dangerous, I’m surprised anyone can actually browse the web with any such software enabled :wink:

—N

There are two products mentioned in this post. The one first brought up by @lynnnight is Avast.
https://www.avast.com/en-us/mac
old PCMag review:

Avast is a mainstream Windows antivirus and anti-malware developer that gets 4.5 stars from PC-Mag and, according to their website, has 230 million users. They offer a free Mac version, mainly for anti-malware; I have been using this product for over a year. Never have had it go off with a warning before. It has caught Windows viruses on files given to me (Windows users) in email attachments and on flash drives a few times, only to find out later that the Windows user had let their antivirus subscription expire. Since I often exchange files with Windows users (even though the virus would not cause harm to a Mac), I don’t want to spread them to other users.

I no longer have a Windows machine but they offer a free trial of their windows product if someone would like to download and see if the alert goes off.

The second product was Avira. Never heard of that one; it looks more to be an online scam that tries to scare people into buying their product. That’s the one people are saying goes off on Javascript at realmac.com etc.

I have hit a lot of Rapidweaver sites (my own, Gallery, sample sites) with Avast running and never had the alert on any other site.

Avira is a well known Anti Virus program. As there are very few viruses about, all of the Anti Virus companies make Anti Spyware software which is usually bundled in with the main protection product.

However, all security software can get it wrong from time to time, so it would be a good thing for someone from Realmac to send a message to any security companies that flag up RW sites, to explain that what is being flagged up as a threat, is not a threat. Such a message coming from Realmac should have more influence.

Looking at this further… stacks js file and the code flagged is something to do with italic header styles… Weird.

Can anyone who has the Avast detection please test this site I uploaded this week: http://www.thesamueljames.com

Cheers for your ears.

I had no problem with your site, @bitbumpy. The http://www.buildingreport.net/ site mentioned above remains the only one that has ever triggered a warning from Avast on my computer.

1 Like

Any ideas on this @nikf…? My client is starting to ask questions…

I have published to a different server to see if any problems there http://www.grumbles.com.au/sandbox/abi
The site appears but the warning still shows. (Site at http://www.buildingreport.net does not show at all)

Cheers for your ears…

There’s nothing we can do about the code from a Stacks page… especially as there’s nothing wrong with the code. This is a false positive on the part of whichever service you’re seeing the error with. If the code were malicious, Google would flag it as such and the safe browsing list would show an error. A little client education might be necessary…

—Nik

1 Like

Thanks. It’s not the client that needs the educating… it’s his potential clients that can’t get through to the site because of some dodgy, free service…
It’s just weird that it only happens on this site.

Perhaps @isaiah has some input…??

Cheers anyway.

OK, here’s my 2¢:

What causes this:
A malware detection agent thinks your site contains malware. In my opinion, it doesn’t seem it. So my opinion is this is a bug in the malware detection software. Malware detection uses MD5 checksums to find malware – checksums have collisions (the same math-result comes from two different inputs) – that happened here. It’s a false positive.

Whose bug is this:
If it is indeed a false positive, and it sure seems like it is, then it is 100% the malware detection software’s bug.

Could you be wrong:
Yes. There is a very small chance that this really is some type of malware that’s really trying hard to look like the nice foundation JS also on the page. That seems very remote. I’m almost 100% certain this is just a false positive.

What can change the report?
You should definitely send an email to the malware detection software company. They’re often very proactive and fast about fixing these things (lest they be held liable for defamation).

Can we work around it?
In the meantime is there something we can do to work around this bug?

  • you could try to excise out this bit of Javascript from the page (delete the stack). It’s coming from one of the stacks on the page – I’m guessing a foundation stack – but I’m not 100% sure. It’s definitely not code from Stacks itself – it’s from some content that’s on the page. It might take some trial and error to find the right bit.

  • when you do find the bit of JS you could ask very very very nicely for the developer to make an innocuous change to their JS. This will likely make the code different enough to avoid the checksum collision. I’ve had to do this myself when Blocks was detected as a virus many years ago. but be sure to ask nicely – this developer is literally making changes to avoid someone else’s bug – no developer likes doing that. :wink:

  • you might be able to fool the software by hand-editing the JS file too. though possible, I’d probably recommend against it as it’s more likely just to break things.

Isaiah

2 Likes
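
One way to check the remote possibility raised under "Could you be wrong" above is to compare the JavaScript in the local export with a copy of the site downloaded from the server. This is an added example, not code from the thread or from any product mentioned in it; the function names, directory layout and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_scripts(root):
    """Map each .js file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.js"))
        if p.is_file()
    }


def compare_export_to_deployed(export_dir, deployed_dir):
    """Report scripts that differ between the local export and the server copy."""
    local, remote = hash_scripts(export_dir), hash_scripts(deployed_dir)
    return {
        "modified": sorted(f for f in local.keys() & remote.keys() if local[f] != remote[f]),
        "only_on_server": sorted(remote.keys() - local.keys()),
        "missing_on_server": sorted(local.keys() - remote.keys()),
    }


def build_sample(root, files):
    """Write constructed sample files (relative path -> text) under root."""
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    # Constructed sample data: file names and contents are placeholders.
    export = {"files/stacks_page.js": "var a=1;", "files/theme.js": "var t=2;"}
    server = dict(export)
    server["files/theme.js"] = "var t=2;/* appended */"
    server["files/extra.js"] = "var x=3;"
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_sample(a, export)
        build_sample(b, server)
        for kind, names in compare_export_to_deployed(a, b).items():
            print(f"{kind}: {names or 'none'}")
```

An empty report means the server is serving the same .js files that were exported, so the flag concerns the code as published rather than something added afterwards. Scripts written inline in the HTML are not covered by this check.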

Thanks for your informative and thoughtful response @isaiah. I found it very interesting.

Ok! :+1:t2:

I hate the Internet.

Cheers for your ears.