onbox

what is this?


Judging by the fact that VirusTotal only report one company who think there's a problem there, it's presumably a 'false positive'.   See:

https://www.virustotal.com/en-gb/url/b61a23ae629f4eaa45c9f5b79db66d52ed8e09679e5eda7f3f18395b619f1582/analysis/

That being so, the standard thing to do is mention it on the False Positives part of this forum so the right people at Emsisoft can adjust their rules.   Meantime if you need access you can create a Surf Protection rule of your own that overrides the Emsisoft one.


@GT500 Ah... so checking on VirusTotal I should have done a domain search rather than a URL one?

> Emsisoft blocked totally the Host and the URL

That's what surf protection does.  It stops you from visiting a website if there's a reason to doubt the SITE is safe.    If SP had to have a list of every file that's known to be bad (or at some point in the past has been bad) on every bad website, SP's rules list would be vast.  And it still wouldn't protect you from servers which serve files not explicitly named in a URL, but requested via arguments etc in the righthand part of a URL (ie stuff after the sitename).  If you go ahead and choose to visit a site that might be iffy, you then have to depend on other parts of EAM to protect you from files you may actually download.

 

19 hours ago, JeremyNicoll said:

> Ah... so checking on VirusTotal I should have done a domain search rather than a URL one?

In this case I don't think VirusTotal would have shown us detecting it if you did the URL scan, but if you did a search for the domain then you'd get to see a list of scanned files at that domain (among other things):
https://www.virustotal.com/#/domain/img1.wsimg.com

 

15 hours ago, Da Phu said:

> How come VT doesn't list Emsisoft blacklisted?

VirusTotal doesn't always show us detecting a malicious URL, even when it's in our database and EAM detects it. Our malware analysts have noticed this as well, however we're not sure why it happens.


I want to open this one back up. I have my site www.mcfarlandit.ca and Emsisoft is flagging it on several computers for IMG1.WSIMG.COM.

I can set it to not block it, but it might be problematic if they don't select it. It blocks all images and doesn't load anything properly. I can either whitelist the whole site or just IMG1.WSIMG.COM to allow it to work again.

 

Any updates on this ?


WHAT is Godaddy?  Or more to the point, what part of your site's content is coming from whichever server that's being flagged?     Why are you referring to content that isn't on your own server?

If you expect anyone to solve your problem I think you'll need to explain the details a bit more.

 


You seriously don't know what GoDaddy is? It's a website/domain provider. Google will help you with that...

Anyone using the site builders for their service, any images that are added to the site, are from img1.wsimg.com which is their image servers. The fact that it's a false positive for Emsisoft will need to be addressed, which I'll submit to them in the other forum.


So what you're really saying is that references on your website to images hosted by Godaddy's IMG1.WSIMG.COM are being flagged because (other?) content hosted by that server has - perhaps correctly - been flagged by someone else. It's not a false positive, if IMG1.WSIMG.COM really has been serving (other people's?) content that contains malware. The solution would lie not with Emsisoft relaxing their flagging of a troublesome host, but with Godaddy removing the dubious content held on their server. Has that been done, do you know?

 


I wouldn't know. Fairly large organisation. I'm assuming they have their own virus detection software on that server. It may have been flagged at one point and then just kept it as a malware directory. This will affect a lot of people if it's not rectified.


Seriously... this is one of the drawbacks of any form of shared hosting.  Apart from Godaddy's images (whatever part of your site has their images) even if you had hand-coded your site from scratch and kept all the files it needed - CSS, html, scripts, images... on your own site rather than somewhere else, on a shared hosting your site would be on the same server (and thus ip address) as many other sites.  If just one of those has been serving malicious files, it's the ip address of the server, not the name of any of the sites hosted there, that gets blocked, and everyone then has a problem.  Shared hosting is (relatively) cheap for a reason.


> I wouldn't know.

Well, you start by complaining to Godaddy.  Tell them that flagging of (presumably, other people's content) on their server is causing you a problem.


Also... Godaddy (like many other domain and web hosts) provide a wide range of services - someone might just register a domain with them, or also host DNS there, and/or host a site they wrote (from scratch) on either a shared or virtual (or perhaps even real) server of theirs, or host a site you didn't write from scratch (or at least with a full understanding of what comes from where) with them... and probably other options too. There was NOTHING in the way you initially described your problem that would tell anyone else which of these was the case. No-one else is psychic. You need to explain any problem you have (in future, here or anywhere else) well enough for other people to have an unambiguous grasp of what your setup is.

A common issue when writing a website is that one might wish to include, say, javascript libraries, or Google fonts or something. The easy way is to place on one's webpages a URL that points to the current public location of those resource files on someone else's server. Perhaps that also means that if there's a bug in those files (eg a JS library) then when it's fixed your site will automatically see the fixed code. But (apart from the risk that your code depends on some perhaps buggy feature in that library) there's an extra problem - you have no control at all over what might happen to the files on those remote servers. It's better to copy the resource files your site has been tested with, to your server and only use the local copies. Yes, they might in due course be out of date... but then you try a new set out and test your site with those. And yes, if lots of sites a user visits all load a specific library from a common server, that code will be in their browser cache and not need to be refetched for any site after the first fetch, but now that most of us no longer use a dial-up connection, that hardly matters compared with the certainty you have as a site author that the code someone is running is the precise code that you offered to them.

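Added example (not part of the original thread, and not Emsisoft's code): a small Python audit that lists the third-party hosts a page loads sub-resources from and marks any that sit on a host-level blocklist, which is the situation discussed above where one blocked image host breaks every image that references it. The page URL, the HTML and the exact-hostname matching rule are constructed assumptions; only the hostname img1.wsimg.com comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that usually reference a fetched sub-resource.
FETCH_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href")}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of the sub-resources a page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in FETCH_ATTRS:
                # urljoin resolves relative and protocol-relative (//host/..) refs
                self.urls.append(urljoin(self.page_url, value.strip()))


def audit(page_url, html, blocked_hosts):
    """Return {host: {"count": n, "blocked": bool}} for third-party hosts."""
    own_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    report = {}
    for url in collector.urls:
        host = urlsplit(url).hostname  # lower-cased; None for data: URLs
        if host is None or host == own_host:
            continue
        # Assumed rule: a host-level block matches on hostname alone,
        # whatever the path or query string is.
        entry = report.setdefault(host, {"count": 0, "blocked": host in blocked_hosts})
        entry["count"] += 1
    return report


# Constructed sample page; only the blocked hostname comes from the thread.
SAMPLE_URL = "https://www.example.test/index.html"
SAMPLE_HTML = """<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.net/lib/widget.js"></script>
<img src="//img1.wsimg.com/constructed/logo.png">
<img src="https://IMG1.WSIMG.COM/constructed/banner.jpg?v=2">
<img src="images/local.png">"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML, {"img1.wsimg.com"}))
```

Every host in the report is a dependency the site owner does not control; hosts marked blocked are the ones whose resources a host-level filter would refuse regardless of which file is requested.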
1 hour ago, McFarlandIT said:

> I want to open this one back up. I have my site www.mcfarlandit.ca and Emsisoft is flagging it on several computers for IMG1.WSIMG.COM.
>
> I can set it to not block it, but it might be problematic if they don't select it. It blocks all images and doesn't load anything properly. I can either whitelist the whole site or just IMG1.WSIMG.COM to allow it to work again.
>
> Any updates on this ?

If GoDaddy will remove the malicious content from the server that subdomain resolves to, then we'll be happy to delist it.

If they need URL's, then they can start with this one:

URL: https://www.virustotal.com/#/url/b8e2072a6304564aefd426a49f6726c7d940774cdae84a5dc6ab10e2e49284b9/detection
File: https://www.virustotal.com/#/file/6b244c4faed3779a12f19df55d821df2ab1070b934dc522c811dd745b299b29c/detection

They can also do a search on VirusTotal for the subdomain, and see all sorts of interesting things, although note that the above is the reason why the subdomain is blocked:
https://www.virustotal.com/#/domain/img1.wsimg.com


 tbh, i think this is more a pitfall of convicting an entire domain/subdomain vs specific path than anything else. i've run into enough weird FPs in shared envs (multiple platforms, AWS/S3/cloudfront, backblaze b2,  numerous other providers) that i don't even bother submitting them anymore.
