chiron494
Former Member
Message 1 of 13

False Positive

Hello, McAfee is falsely detecting a legitimate antimalware product as dangerous. It can be found here:

http://www.crystalsecurity.uk.to/download.html

Can McAfee please remove this detection?

Thanks.

1 Solution

Accepted Solutions
Peacekeeper
Message 12 of 13

Re: False Positive

Good, so all OK now? If so, mark as answered please.

12 Replies
chiron494
Former Member
Message 2 of 13

Re: False Positive

Also, I would like to point out that the site is currently being blocked. This is a false positive as well.

Can you please look into that as well?

Thanks.

Hayton
Reliable Contributor
Message 3 of 13

Re: False Positive

According to the discussion on WildersSecurity the download is or has been blocked by a number of AV vendors. When I attempted to download the zip file using Chrome it flashed up a warning saying "This file appears to be malicious". That warning was nothing to do with SiteAdvisor, which isn't currently operational in my main Chrome browser. I was intending to upload the file to VirusTotal to get a picture of how many vendors detect the file as suspicious, but until that warning is withdrawn by Google I am reluctant to proceed further. I was unable to test the file against Microsoft's SmartScreen Filter because, as you note, the site is indeed blocked by Site Advisor as a high-risk site and the blocking page in IE did not give me an option to proceed to the site.

Phishing and malware detection - Google Chrome Help.png

If you want the file to be checked by McAfee and (if found to be free of malware) classified as safe, then you need to submit to the McAfee Labs. The page at

http://www.mcafee.com/us/mcafee-labs/resources/how-to-submit-sample.aspx

tells you how to do that, although those instructions were written for users who discover a suspect file on their system.

As for the site itself, SiteAdvisor is blocking it because Trusted Source has flagged it as malicious -

http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=www.crystalsecurity.uk.to

The problem appears to be that this site is a subdomain of "uk.to" and other subdomains are also flagged as High Risk. This could be a case of assumed or actual cross-contamination, but seems more likely to be because the entire "uk.to" domain has that rating. Your site inherits the rating of the domain. In WOT the domain "uk.to" has an Amber (Unsatisfactory) rating although your subdomain's rating is Good. Google Safe Browsing says the domain (meaning some or all of the subdomains) has hosted malware recently - 26 Trojans and 16 exploits - and your site appears to have hosted 2 exploits. The results are none too clear, as you can see for yourself. This is something you will have to take up with Google. See

http://www.google.com/safebrowsing/diagnostic?site=uk.to,

http://www.google.com/safebrowsing/diagnostic?site=crystalsecurity.uk.to

For what it's worth Sucuri says your site is currently clean, although blacklisted by SiteAdvisor -

http://sitecheck.sucuri.net/scanner/?scan=www.crystalsecurity.uk.to

IPVoid says your IP address is Clean (http://www.ipvoid.com/scan/31.170.163.239/)

See also http://www.urlvoid.com/scan/crystalsecurity.uk.to

AVG gives a lot more useful detail. It says that the main domain (uk.to) is currently safe but ...

No current active threats appear on this domain. However, during the last 30 days potentially active threats did appear on a subdomain.

http://www.avgthreatlabs.com/sitereports/domain/crystalsecurity.uk.to/#analytics

AVG Threat Labs - Safety Ratings - Web Site Reports.png

And yes, I see that you've already approached AVG to ask them to rate your site as safe. Well, your site may be okay but you're mixed in with a lot of other sites which aren't. So there's your problem in a nutshell. You've gone for free hosting with freedns, aka afraid.org ("a really cool service"?) and acquired a subdomain from Chris at uk.to - well, that's your choice. I hope you did your homework on both of those outfits first - I suppose you know that ".to" is Tonga, and that that top-level domain does not support DNSSEC?

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in CERT records in the DNS.

This is one of those issues that will have to be investigated and decided by the SiteAdvisor and/or TrustedSource team. You'll need to contact one or both of them: details of how to do so are in a couple of documents in the SiteAdvisor section (where this will shortly be moved). See

https://community.mcafee.com/message/68874#68874 and

https://community.mcafee.com/message/66185#66185

Hayton
Reliable Contributor
Message 4 of 13

Re: False Positive

This thread has been moved to SiteAdvisor, because the SiteAdvisor team monitor posts in this section.

Further to what I wrote above, there was an interesting question about afraid.org last year on webhostingtalk.com -

http://www.webhostingtalk.com/showthread.php?t=1017861

But it seems that your web hosting may be with someone else. I have locations for your server of US, France, and (if I remember right) Germany. Your Name Servers are still ns1..ns4.afraid.org, so the connection still holds. See http://www.webhostingtalk.com/showthread.php?t=1127276

According to utrace your ISP is "Aurimas Rapalis trading as II Hosting Media". His contact details show him in Lithuania, from where he operates as a small-scale ISP. The site hostprince.com (with which he was involved) is currently flagged by SiteAdvisor for "Spam URLs". (See

http://www.webhostingtalk.com/archive/index.php/t-599085.html for his links with hostprince).

Aurimas Rapalis trading as II Hosting Media ISP, IP Address Usage in World.png

http://www.whoisthisip.com/isp-Aurimas+Rapalis+trading+as+II+Hosting+Media.php

There are 4096 allocated IPs shown in that table, and according to SiteVet 12 of them are currently blacklisted. The IPs include sites involved with spam, phishing, 'badware' and malicious URLs. This could be one of the reasons why TrustedSource is flagging your site.

Message was edited by: Hayton on 24/09/12 07:01:49 IST
chiron494
Former Member
Message 5 of 13

Re: False Positive

I happen to know for a fact that this software is clean. I have been reporting it to multiple antivirus vendors on VirusTotal through my article here:

http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-ven...

By the way, the site is not mine. Neither is the product.

Many have already removed their detection. The problem with the software is that it's a relatively new antimalware vendor, and is thus mainly unrecognized. The problem being that an antivirus tends to do things which can easily be viewed as very suspicious. That's all that the false positives are about.

That's why I reported it here as well. It was only when I posted the link to the site in my first post, and then tried to visit it, that I noticed that it's blacklisted by McAfee. Thus, my second post was merely an afterthought.

Trust me, the software is not malicious.

Please let me know if you have any further questions.

Thanks.

Hayton
Reliable Contributor
Message 6 of 13

Re: False Positive

The software may be completely okay and the download risk-free, but if it's being flagged as suspect you'll need to submit it to McAfee Labs so they can give it the all-clear. Same goes for the site: submit a request for re-rating and they'll re-test the site. And it's not just McAfee which is bad-rating the site and/or the download. The one to watch is Microsoft's Smart Filter system, because anyone using IE will see any warning. I don't know if SmartFilter blocks it because in IE I can't get to the site to do the download - SiteAdvisor blocks access.

The problem is, as I said, that the domain seems to have other subdomains which are Red-rated. If they're on the same server then the site's IP address will come up on a list of bad addresses. It's probably something the site owner can't do much about. It's up to the ISP and domain hosting service to weed out any sites engaged in malicious activity.  Perhaps the hosting provider is a bit slow in following up complaints, although other reports I've seen suggest they used to be pretty quick to remove malware sites.

chiron494
Former Member
Message 7 of 13

Re: False Positive

Actually, the newest version they have released is no longer detected by any vendors.

By the way, doesn't the fact I posted this question here mean that McAfee will look into whether the site should still be blacklisted? Isn't this where I should post problems such as that?

Peacekeeper
Message 8 of 13

Re: False Positive

https://community.mcafee.com/message/66185#66185

Contact SiteAdvisor and ask for a review.

Hayton
Reliable Contributor
Message 9 of 13

Re: False Positive

chiron494 wrote:

Actually, the newest version they have released is no longer detected by any vendors.

By the way, doesn't the fact I posted this question here mean that McAfee will look into whether the site should still be blacklisted? Isn't this where I should post problems such as that?

I'd still like to see what the Labs have to say about the version that was being detected.

No, posting here doesn't mean anyone from McAfee will see your post. In SiteAdvisor you stand a better chance of getting noticed because the SA team do monitor posts - in the SiteAdvisor section only. This forum was supposed (when it started) to be a peer-to-peer discussion area with a little light-touch moderation. If you want to contact SiteAdvisor or another part of McAfee this isn't really the place to do it.

chiron494
Former Member
Message 10 of 13

Re: False Positive

Thank you.

I have reported it to them. Let's see what they say.
