matt8
May 1, 2026, 6:33am
1
Issue abstract:
Website: https://moldaw.org/
I have already submitted two false positive form submissions, one a week ago and the other a little more than 48 hours ago. And the issue remains.
I need help to escalate this to get this resolved. We have countless visitors to our website that are being blocked.
bjm
May 1, 2026, 10:09am
3
matt8:
My website has a false positive block when using Norton products. This likely stems from an infection that we had several months ago, but that was resolved quickly, and the website is clean now.https://moldaw.org/
Hello @matt8 https://moldaw.org/
0cf50325e534/2026-05-01T10:06:20.530Z
e0dbfd3468ca/2026-05-01T10:24:18.286Z
0cf50325e534/2026-05-01T10:06:20.530Z
e0dbfd3468ca/2026-05-01T10:24:18.286Z
=============================================
fwiw ~ as per ChatGPT
The Safe Web portal shows the domain as Safe , which reflects its overall reputation.
However, during live testing, Norton 360 (Safe Web engine) and Web Shield reported HTML:Script-inf [Susp] , which is a heuristic detection triggered by page content during real-time scanning.
This type of detection usually points to a script (either on the site or loaded from a third-party source) that matches suspicious patterns—such as obfuscation or unusual behavior—but it is not a confirmed malware classification.
It may be worth reviewing:
recently added JavaScript
third-party scripts (ads, analytics, widgets)
any obfuscated or dynamically loaded code
as these are common causes of this type of heuristic alert.
If needed, the site can be submitted to Norton for re-evaluation after review, especially if you believe this is a false positive.
Norton Safe Web portal → Safe
Norton 360 Safe Web engine → HTML:Script-inf [Susp]
Norton Private Browser Web Shield → HTML:Script-inf [Susp] (Content scanning)
While the Safe Web portal reports the domain as Safe, repeated testing shows that both Norton 360 (Safe Web engine) and Web Shield consistently detect HTML:Script-inf [Susp] during real-time scanning.
This indicates that a script loaded by the page is consistently triggering heuristic detection. Although this is not a confirmed malware classification, the repeatability suggests it is not a transient or one-off event and may warrant review of site or third-party scripts.
While the Safe Web portal reports the domain as Safe, live testing shows consistent detection of HTML:Script-inf [Susp] by Norton 360 and Web Shield during content scanning.
Since this detection is repeatable and content-based, it suggests there may still be a script (possibly first- or third-party) that matches suspicious patterns, even if the site’s overall reputation has not been downgraded.
The Safe Web portal reflects site reputation, while Norton products can block based on real-time content analysis.
If users are being blocked with detections such as HTML:Script-inf [Susp], that indicates something in the page content is triggering heuristic detection.
At that point, the site owner would need to review site or third-party scripts, or work directly with Norton Support for a detailed assessment.
The detection appears to be associated with a minified JavaScript file from a WordPress plugin (Gravity Forms). These types of scripts can sometimes trigger heuristic detections like HTML:Script-inf [Susp], especially during content scanning, even when they are legitimate.
WordPress plugin minified JS + heuristic detection = common trigger scenario
The favicon (.png) reference in the screenshot is likely just part of the page resources being loaded. The detection itself is more consistent with script content (e.g., JavaScript files), which aligns with the HTML:Script-inf [Susp] classification.
============================================
Norton 360 Safe Web engine and Norton Private Browser Web Shield appear aligned in real-time detection, and recent updates have improved consistency with the Safe Web portal and extension through shared reputation data. However, real-time content and heuristic-based detections can still differ from portal classifications.
AI sourced content may make mistakes
bjm
May 1, 2026, 11:42am
4
Submission Portal: Norton Submission Portal . This system is used for tracking false positive reports.Site Ownership: Ensure you have officially “claimed” your website within the Safe Web portal . Verified owners generally have access to a dashboard where they can see the status of their site and any pending disputes without relying solely on email notifications.48 hours: Community suggests waiting 48 business hours. If the status of your site has not changed on the Safe Web public lookup after this time, it likely means the dispute is still in the queue or was not processed.Norton Support: If you haven’t received an email or a status change after 48 hours, contact official Norton Support directly. Explicitly tell the agent: “I have already submitted a site dispute via the Safe Web portal more than 48 hours ago and have received no email notification or status update.” This often prompts support to escalate the ticket manually.
bjm
May 1, 2026, 11:50am
5
https://sitecheck.sucuri.net
=============================================
https://www.virustotal.com/
============================================
https://www.abuseipdb.com/moldaw.org to IP address 141.193.213.11.
Old Reports: The most recent abuse report for this IP address is from 1 week ago . It is possible that this IP is no longer involved in abusive activities.
bjm
May 1, 2026, 12:41pm
6
https://moldaw.org/
a0fb249647a9/2026-05-01T12:40:12.338Z
25b191bc8735/2026-05-01T12:40:13.465Z
4ad46df45211/2026-05-01T12:40:13.510Z
bd068f960b82/2026-05-01T12:40:13.554Z
88642d185208/2026-05-01T12:40:13.599Z
39d816492af0/2026-05-01T12:40:13.645Z
c9e11f07ee13/2026-05-01T12:40:13.689Z
0f8ae02b72ee/2026-05-01T12:40:13.739Z
ea6ee771ca41/2026-05-01T12:40:13.794Z
2f21195dfa50/2026-05-01T12:40:13.952Z
=============================================
fwiw ~ as per ChatGPT
AI sourced content may make mistakes
bjm
May 1, 2026, 12:56pm
7
https://moldaw.org/
b9fb050fcaf0/2026-05-01T12:55:20.195Z
=============================================
fwiw ~ as per ChatGPT
Detection appears related to script content loaded from site plugins (e.g., Gravity Forms / security plugins), which may trigger heuristic detection during content scanning.
AI sourced content may make mistakes
matt8
May 1, 2026, 7:28pm
8
@bjm
Here is the exact same website on our dev server:https://moldaw-website-dev.on-forge.com/
Interestingly, this instance of the website does not get blocked by Norton.
And the same path that gets the warning here:https://safeweb.norton.com/report/show?url=https:%2F%2Fmoldaw.org%2Fwp-content%2Fthemes%2Fmoldaw%2Fjs%2Fdist%2Fapp.js
Does not get the warning on the dev instance:https://safeweb.norton.com/report?url=https:%2F%2Fmoldaw-website-dev.on-forge.com%2Fwp-content%2Fthemes%2Fmoldaw%2Fjs%2Fdist%2Fapp.js
The only difference between these two sites is the hosting environment. The one that is problematic is hosted through WP Engine. The dev site is hosted through DigitalOcean.
Other than that, everything is the same between the two.
If the issue was heuristic-driven, wouldn’t we expect to see Norton software flag both versions?
bjm
May 1, 2026, 7:55pm
9
Hello @matt8
Differences in hosting environments can affect how scripts are delivered and executed (e.g., caching, compression, optimization layers), which can influence real-time heuristic detection even when the underlying code is the same.
AI sourced content may make mistakes
============================================
https://moldaw-website-dev.on-forge.com/
e46eb1703424/2026-05-01T20:09:31.587Z
e46eb1703424/2026-05-01T20:09:31.587Z
5b4129bcc1b7/2026-05-01T20:09:35.134Z
5c4fb865d17f/2026-05-01T20:09:35.310Z
da3484f199ce/2026-05-01T20:09:35.365Z
=============================================
The Safe Web portal reports the domain as Safe, but Norton 360 is blocking a specific resource URL during page load (URL:Blacklist). So the site itself isn’t fully blocked, but certain content on it is being flagged.
I tested the dev site directly, and while it loads, Norton 360 does generate a “Threat Secured” alert during page load. So it’s not a full block, but there is still a content-level detection occurring.
The Safe Web report evaluates each URL independently, so the production script may show a warning while the same path on a dev domain does not. However, when tested with Norton 360, both environments trigger detections during page load, indicating the issue is related to runtime behavior rather than just URL reputation.
AI sourced content may make mistakes
bjm
May 1, 2026, 8:32pm
10
https://moldaw.org/wp-content/themes/moldaw/js/dist/app.js
https://moldaw-website-dev.on-forge.com/wp-content/themes/moldaw/js/dist/app.js
I’ll need an HTML page address that loads and executes the script in context vs raw script.
bjm
May 2, 2026, 7:04pm
11
https://moldaw.org
https://moldaw.org
f9c0635e8496/2026-05-02T19:07:01.283Z
e888ed9622b2/2026-05-02T19:07:02.131Z
=============================================
https://moldaw-website-dev.on-forge.com/
https://moldaw-website-dev.on-forge.com/
8a97c098c033/2026-05-02T19:02:39.055Z
1e40d13fb2b6/2026-05-02T19:02:42.476Z
210420f10826/2026-05-02T19:02:42.511Z
cb93ad4c0ca0/2026-05-02T19:02:42.529Z
34edec7bdb18/2026-05-02T19:02:42.564Z
=============================================
https://moldaw.org/wp-content/uploads/2026/02/JD-lcs-footer-scaled.png
d02acda22907/2026-05-02T19:23:49.698Z
as always–your mileage may vary
matt8
May 4, 2026, 5:30pm
12
@bjm Norton responded to my escalation support case and confirmed that they reviewed it and removed the false positive block. Everything is all set now. Thanks for your help!
bjm
May 4, 2026, 5:35pm
13
Hello @matt8 https://moldaw.org
.
https://moldaw-website-dev.on-forge.com/
