Security threat on Askwoody

Topic

New Reply

Just thought to report this to be on the safe side, hopefully I’m on the proper forum for this.

Today I began receiving threat warnings from Kaspersky Internet Security when visiting askwoody. This did not happen before and everything was fine yesterday. It appears the warning is sent every time I access askwoody.com by typing the URL directly or through a link, but not when I browse through the site’s pages. As far as I can tell, an object embedded somewhere on the site is triggering the following warning from KIS:

Event: Access denied
User: ****
User type: Active user
Application name: firefox.exe
Application path: C:\Program Files (x86)\Mozilla Firefox
Component: Web Anti-Virus
Result description: Blocked
Type: Threat of data loss
Name: https://app.box.com/public/static/hzuah4febg4wivrem6a788p4148v0lnm.jpg
Precision: Exactly
Threat level: High
Object type: Web page
Object name: hzuah4febg4wivrem6a788p4148v0lnm.jpg
Object path: https://app.box.com/public/static
Reason: Cloud Protection

Is it just me? Or a “false positive” from KIS?

BTW, I’m on Windows 10 20H2 Home updated with December patches, running Firefox 95.0.2 (latest version) and KIS version 21.3.10.391 (g) with latest antivirus definitions.

Reply | Quote

Replies

Berserker79 wrote:

Is it just me? Or a “false positive” from KIS?

I use Kaspersky 21.3.10.391 (G) and Chrome and never got any warnings.
No warnings using Firefox 91.4.1esr.

The alert is for E Pericoloso Sporgersi’s avatar jpg.

Just visited one of his posts at:

https://www.askwoody.com/forums/topic/avast-free-tries-to-increase-foothold/

No alert.

1 user thanked author for this post.

Berserker79

Reply | Quote

Thanks Alex, that’s helpful to know. I’m no longer receiving that warning from KIS at the moment, but I’ve got a feeling it might be a false positive from KIS and nothing to worry about. After reading your reply I ran an online scan in VirusTotal of the “suspicious” URL flagged by KIS and the report came back with a “1 [out of 93] security vendor flagged this URL as malicious” and that one vendor is Kaspersky.

According to the info in the VirusTotal report, Kaspersky flags the URL as “Phishing“, but the other 92 security vendors report it “Clean“. The details in the report state the following:

Categories
Forcepoint ThreatSeeker personal network storage and backup
Sophos personal network storage
BitDefender business

The report details contain some additional data that maybe can be useful if anyone needs to look further into this.

EDIT: I do receive the warning again after the link to the post with E Pericoloso Sporgersi’s avatar jpg was included in your post above. Odd, but no reason to worry. Thanks again for your reply.

Reply | Quote

Susan here:  I edited the title because it was causing the forum format to break.  I’ve scanned the site and don’t see anything?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Susan Bradley wrote:

Susan here: I edited the title because it was causing the forum format to break. I’ve scanned the site and don’t see anything?

Thanks for taking the time to check this out Susan. The URL which seems to be the cause of the problem according to Kaspersky is this one: https://app.box.c*m/public/static/hzuah4febg4wivrem6a788p4148v0lnm.jpg (I put an asterisk in there myself just to be on the safe side)

According to Alex above “The alert is for E Pericoloso Sporgersi’s avatar jpg.“: maybe he can share additional input on how he came to that conclusion.

Also, maybe you can run a scan of that URL on VirusTotal and see if the details of the report there make any sense to you.

Reply | Quote

Berserker79 wrote:

According to Alex above “The alert is for E Pericoloso Sporgersi’s avatar jpg.“: maybe he can share additional input on how he came to that conclusion.

Clarification : it is not the jpg file that has been flagged its the app.box.com.. URL/site that has been flagged by your KIS (but not on my KAV)
Kaspersky is not on the list of A/Vs checked by virustotal.

Reply | Quote

[Bob99]

Kaspersky is not on the list of A/Vs checked by virustotal.

Then why is it listed at the top of the list in the following URL?:

https://www.virustotal.com/gui/url/004b379e21019f1dadfd8b10869953b42f93ff536dff29994e8f35c58f1b41cc/detection

Granted, the name does say Kaspersky, but does not elaborate as to which product/engine is used in the detection scheme.

Additional info that I found while digging to see just how far this “detection” goes. As @Alex5723 points out just above, the detection is positive for the SITE, but only to the https://app.box.com/public/static level and no higher. In other words, going to just the app.box.com/public site results in no positive results, and there are no positive results for the plain site of app.box.com. It’s only when you go to that particular sub-directory of /static, or beyond that sub-directory to the exact .jpg file mentioned in other quotes above that Kaspersky gives the positive result in the list.

Since there’s a positive result just for a plain sub-directory on the app.box.com site, it would be nice to know exactly what Kaspersky doesn’t like about that individual sub-directory!

Could there have been some phishing material in the not too distant past that Kaspersky traced back to that particular sub-directory, but that isn’t there now, that caused them to flag the entire sub-directory as malicious?

@Berserker79 –

Since @Alex5723 uses Chrome and has reportedly not experienced issues as you have using FF, try loading the AskWoody site in Edge or another chromium-based browser to see if it triggers the aforementioned issue with Kaspersky. BTW, I also use FF95.0.2 and have noticed that FF has blocked third party cookies from the app.box.com site and from the (possibly related) dl3.boxcloud.com site.

One final note: Per the Page Info utility built into Firefox, the allegedly “offending” image/.jpg is actually the image at the bottom of all of E Pericoloso Sporgersi’s posts, NOT the avatar image listed above the name. In other words, the image is actually the signature, not the avatar portraying a senior, distinguished individual.

• This reply was modified 3 years, 5 months ago by Bob99.

1 user thanked author for this post.

Berserker79

Reply | Quote

Bob99 wrote:

Since Alex5723 uses Chrome and has reportedly not experienced issues as you have using FF, try loading the AskWoody site in Edge or another chromium-based browser to see if it triggers the aforementioned issue with Kaspersky. BTW, I also use FF95.0.2 and have noticed that FF has blocked third party cookies from the app.box.com site and from the (possibly related) dl3.boxcloud.com site.

Thanks for your reply @Bob99 – I loaded this thread in (Chr)Edge and it triggered the same warning in KIS, except that the offending URL has changed to the following (below I replaced the “com” domain with some *** just to be on the safe side):

https://dl3.boxcloud.***/d/1/a1!CMi-sbG0z9EkLPL_5YWU5XsEDkgkeJAX8PpcdG0Le-ew7CmVxYLeNoSAWS11RvgexTo_IDefDrkUBZxhUHavSzpzgLkHLmAafRncnkSyM6AGPFo3n9B1ud_RJ6sdy9UacaohCEDEv5LrH89UlyHo9tylwPnRiOiQpO4n7fOB8nEEhrWpLrdDEhECrLE-D3SOGoy0DuTIlnPlIDKEBu6I0sWWWanWcZd-IkcBp5plR77BBTXoiBvMRPPHA21Mtr_C7pQnyxCkRKW-0PkglKoZvdtiYg7xw9cwF2kDkjvK8orH9mEi-DfbktcsiYrtAB0TetEqzXjT0FVBBepmZLIYmVPnSzTwPIIQk1es7JMF0PFlJmT3g7YLSCdJzt1Idnzq2XaKfZrgHMmoyQ5nvuqfXuyu5t0carBF8jLUqeClb2Mg6Dii8I9eQk7C9SAmNaguZxb6QlgP6ykr7su8hUMDUPQ-AG_q1e7yePEV0GQSsk03GW-kaT9SmbSul8-Uw3WOTq7Pnlfo97snXWCAGPLUuhUksHwmZQpRP9yrd4fXeEfWvd5UuQGCl_a0ZVRf8u3coxWPJdf3dDVjE0oxh3QZ1I1mh_xkDaYrLLjYuqJICGageh738iRAaQeitreX02-ztLQPRanq7nEZyTtSCd8YRa0u6XxuRb0P_K_rEeWqwl3b1pgugHYSQQBT0eZ47CgOg79PQ-rpi2oe0Xx6X1zjWSh4qp72Cv7xe6Q5r9cLJN_1MM40vdAwvgFg6xwgPqZU-69FWiHvb04c2fnVi98XZetY7TiIsSVHilX_CcX_4YeR7RpifJwLMDwAMoVYJU4mJ3ITLXQMXGRJlK4RnZBkLRs70DsYBliAPmFoLXelp6heDcZ1b11rhqRTAiilSNt7_N8nSu_8GVtDCOj0PJcEFTWVnk0GkFlveq87s3nhlf3UlYb4CaO-bzNwwEUyd0prhTTlU-mvNKlewDAXcSOK6DpbdlFipUlItdkl6Xq7WT9GgcJC_5ouY5NP0ByKEb8ORaqptkuu6L_IZ87q5tHXzVzteh1ybpDzi8oGErZJ9k5gXPYDWlywCIA6B-E4YEWXAgH8V8lUQ9XsYRabGwasnVcPt2S1yVBJWzg3hftmf9X7Y9U_Dzo8HxvcLfouuaVS8jB5GkDt3biMCm-w_ZlbcK0cFX1Dq01HeioR4Vxg86M_YgfFU9-0MXE0w5gaZkrqXcXO4jyfHgDRfFyWyhcL7xtfwpS_VltvI_dCttu8hHGrlXKjuDsTbTzqPHDhbA7olN-Bld_1kZegV3UP1zp34oi0uOOTAUMbVaJUmPo1Bzf1nnEZPT8VOZyVWNyw4fhUCtTRow_wCWuASBMeXxYK4lj4U4jyITVl9VrgxzJTxoFuiw5yBIe2nAZiX8_dHv9pn5xyBKFzZWtVoh5dpQ../download

Interestingly, when submitted to VirusTotal the above URL is reported to be “clean” by all security vendors, Kaspersky included, but the URL pointing to the jpg file is still flagged as “phishing” by Kaspersky when scanned on VirusTotal.

I don’t have another Chromium-based browser installed on my system atm, but I can install one if you think it might be helpful to check this out in a further browser. I’ve got a feeling this issue is related to KIS rather than to the browser I’m using, but it’s odd that Alex using a different Kaspersky product has no problem.

Reply | Quote

Bob99 wrote:

Then why is it listed at the top of the list in the following URL?:

My bad. I missed that

Reply | Quote