Hi Codydog,
We are looking into this.
Thanks,
Shane.
A few times this week, NIS blocked articles at Bloomberg.
Risk name: HTTP Fake Scan webpage
Attacker URL: trusted-scanner.com/2009//1/en/freescan.php?id=77075611&user=756
Destination address: trusted-scanner.com(84.16.252.138,80)
Traffic description: TCP, Port 51684
Is this a false positive?
Thanks
Codydog,
Thanks for your post. We attempted to reproduce this and were unable to. If you have some specific links that this occurs on, please PM me. Also, if you can note what ads may be on the page, that could help.
This is most likely a malicious advertisement on their site, otherwise known as a ‘malvertisement.’ I am working on a new blog post that will go into this topic in more depth. A malvertisement is a local ad on the site or a Google advertisement that then redirects to a malicious application or misleading application such as a fake AV scanner or fake codec. Malvertisements are also very hard to track down since it could be one ad out of 10,000 that rotate through on the site. Here is a quick analysis of your trigger.
- This is not a false positive. The signature that triggered did so because something was going to that URL that you listed as the attacker URL, which is known to host fake AV scanner software.
- If you use Firefox and NoScript, you can see Bloomberg.com has Google ads and links to other third-party sites, which is content that they don’t control.
- Google ads have previously been used to redirect to malicious sites or sites containing misleading applications.
- DSL Reports has a couple of posts where folks have similarly seen malvertisement on Bloomberg’s site.
Thanks,
Shane and John: Thanks for stopping by.
This week, I was one of the users hit by the "HTTP Fake Scan webpage" warning on a good page. (My affected page is at a legitimate help forum at VirtualDr.) In my case, it was/is apparently related to an interaction between Ad Muncher and NIS 2009. Shane mentioned the other day that a fix for this issue is on its way by Thursday or so. (Hopefully the fix is still on schedule.)
My question is, were there changes made to the IDS part of NIS within the last week or so that caused more of these "HTTP Fake Scan webpage" hits? I know that in my case, the page at VirtualDr had no issues until the last few days.
**EDIT**
I just updated my NIS 2009 and sometime within the last hour, the Ad Muncher / Intrusion Detection fix was made available as part of that update. I'm happy to report that it's fixed! NIS works fine at both my troublesome VirtualDr page and the page at Wilders! Thanks Norton team!
Codydog wrote: A few times this week, NIS blocked articles at Bloomberg.
[ ... ]
Is this a false positive?
Thanks
It might speed up help if you could give a few URLs that lead to this reaction?