NIS2009 is a bit overprotective, it completely blocks an entire forum section at Wilders Security!



denniz wrote:

I'm a regular visitor of Wilders Security forums. Yesterday I noticed that NIS2009 completely blocked access to an entire forum section on Wilders Security. The section "malware problems & news" is now completely without access and I find that really annoying, because NIS2009 doesn't allow me to exclude that specific forum. It only allows me to exclude the whole threat, but that means ALL webpages aren't scanned for that specific threat anymore.

 

At first I posted my problem in another forum section that I have access to at Wilders Security, here:

http://www.wilderssecurity.com/showthread.php?t=221996  

 

And one of the forum administrators there gave me a very clear and useful answer. In short NIS2009 seems to be a bit overprotective, because it found some link in some plain text copy/pasted log that someone posted in that specific forum section.

 

If someone from Symantec could read my problem at the Wilders Security thread http://www.wilderssecurity.com/showthread.php?t=221996 , and perhaps post a solution here?

Message Edited by denniz on 10-05-2008 03:06 PM

Does it come up as a Phishing Web Site? 

 

What notice do you get, e.g. from "I.E. could not display this Page"; Norton Phishing Protection has Blocked the Web Page?

It doesn't get displayed as a phishing website, IE7 just gives me a blank page with an error that the webpage couldn't be displayed. Norton only gives me a small pop-up with the message "A recent attempt to attack your computer was blocked".

 

Message Edited by Allen_K on 10-05-2008 12:14 PM

The Wilders Security administrator had the following to say:

 


> Actually, that is quite common, though usually it occurs much more frequently on forums that do malware cleaning.
>
> The NIS alert is a fairly weak type of URL based signature detection. These are alerted when some known bad website is contained as a URL on a webpage. It doesn't mean that the page contains malware, just that there is a link to a known bad website on the webpage noted.
>
> Well, what types of things get posted on malware/spyware cleaning websites and forums? Answer: logs showing PC configurations and hijack-this listings from infected PCs, that's what. Contained in those logs are often the links to startup entries and browser pages contained on the infected PCs.
>
> Even though Wilders Security stopped taking HijackThis Logs about 4 years ago, our "malware problems & news" forum section still receives posts by people asking about the infections and detections they are getting alerted to on their PCs.
>
> What NIS is telling you is that, at that moment in time, one of the posts on the first page of the "malware problems & news" forum section contained a link in a log which pointed to some URL that Norton has flagged as a known bad website which provides a "fake scan" application.
>
> http://www.symantec.com/avcenter/att...gs/s23005.html
>
> Most likely, one of the posts in the malware section lists the link to one of those "Anti-Virus 200X" pages that we all know is a fake malware scanner that actually infects people's PCs. That's the problem with letting people post infection summaries... the bad links are included in those summaries.
>
> Wilders Security maybe gets one post like this every 2-3 weeks. A large active spyware cleaning forum, the size of say Geeks To Go or CastleCops, gets several of those links in a log posted each day.
>
> In my opinion, the jury is still out as to whether alerting on such links is a good thing or a bad thing. The Symantec page says there is no false positive associated with that detection... Well, does alerting on an anti-spyware scan log entry really make that detection a true positive? If so, people better stop posting HijackThis Logs on spyware cleaning forums which contain the URLs they are infected from, or they will all be flagged as purveyors of spyware.


 


> Well, it is but it isn't the end of the world either. These types of alerts were originally meant as simple warnings and the ability to ignore them was usually provided. I don't have NIS here, so, I don't know if that "Stop notifying me" button is also an ignore feature - meaning once you tell it to stop notifying you, whether it'll let you view the webpage without alerting or blocking it. If that's the case, then it's probably fine. If it will never let you see the webpage, then yes, that's definitely not a good thing since an innocent webpage would be blocked and you can't ever get to it.
>
> These types of alerts are not uncommon though. Avast, ESET and one or two other anti-viruses with web filter/web scanners built-in have been alerting on a particular HijackThis Log thread in our "adware, spyware & hijack cleaning" section for over 4 years now... (Edit: Found a note that McAfee used to alert that page as "Exploit-MhtRedir.gen".)
>
> This is the thread (be aware, you may get a webscanner alert if you click on this link):
>
> http://www.wilderssecurity.com/archi...p/t-37349.html
>
> I only have avast installed here currently, so, that's the only AV I can test at the moment. It still alerts on that HijackThis Log because of one of the contents of the results in the HijackThis Log. ESET may still alert on it, but, someone running it will have to confirm. A couple other "web scanner" AVs may still alert on it as well.
>
> It's an easy click in avast! to tell it to ignore the alert and let you see the webpage. Whether the detection is a bad thing or not, as I said, is still out for judgment, as long as the user understands what that type of alert really means and doesn't just assume the forum page is trying to infect them.
>
> I've had that thread above reported maybe 60 or 70 times over the last 4 years, but, I always refuse to remove it (the thread that is) because it serves as a good example of when a detection is not necessarily a proof that something is malicious. There are a few public threads on the forum discussing that alert, but, I don't have the links to them at present. I only bothered noting the link to the "supposedly infected" forum page not the discussion pages people have posted asking about it.


Message Edited by denniz on 10-05-2008 03:36 PM
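
The false positive the administrator describes, as an added illustration that is not part of the thread and is not Norton's implementation: a signature that matches a listed URL anywhere in the page body, compared with a scanner that records whether the URL is auto-loaded, clickable, or only quoted as text. The blocklist entry, the sample pages and the block/warn/allow policy are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed blocklist entry; .invalid is a reserved, non-resolving TLD.
BLOCKLIST = {"fake-scan.example.invalid"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Constructed sample pages: a forum post quoting a log line, and a page that loads the bad site.
FORUM_PAGE = '<div class="post"><pre>Start Page = http://fake-scan.example.invalid/scan.html</pre></div>'
LANDING_PAGE = '<body><iframe src="http://cdn.fake-scan.example.invalid/scan.html"></iframe></body>'

def is_listed(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def naive_match(html):
    """Raw-content signature: fires on a listed URL anywhere in the response body."""
    return any(is_listed(u) for u in URL_RE.findall(html))

class ContextScanner(HTMLParser):
    """Record where each listed URL occurs: auto-loaded, clickable link, or plain text."""
    LOADING = {("script", "src"), ("iframe", "src"), ("frame", "src"),
               ("embed", "src"), ("object", "data"), ("img", "src")}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = {"loaded": [], "link": [], "text": []}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or not is_listed(value):
                continue
            if (tag, name) in self.LOADING:
                self.hits["loaded"].append(value)
            elif (tag, name) == ("a", "href"):
                self.hits["link"].append(value)

    def handle_data(self, data):
        self.hits["text"] += [u for u in URL_RE.findall(data) if is_listed(u)]

def verdict(html):
    """Assumed policy: block only what the browser would fetch without a click."""
    s = ContextScanner()
    s.feed(html)
    s.close()
    if s.hits["loaded"]:
        return "block"
    return "warn" if s.hits["link"] else "allow"
```

Both sample pages trip `naive_match`, while `verdict` blocks only the page that embeds the listed site and lets the quoted log line through.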

Any updates about my problem?

I have no problems at all with that site.

My problem isn't with the whole forum, but just a specific forum section.

 

This problem is really annoying me now!

 

 

Hi Denniz,

 

I have forwarded this thread over to the Intrusion Prevention team. They will look into it today.

 

Best,

 

Shane.

Thx Shane! :smileyhappy:

 

I checked the problematic thread at Wilders Security just now, and it seems the Intrusion Prevention team has fixed the problem! :smileyhappy: 

 

Noo, the problem came back! :smileysad:

 

How can this be? It's blocked again!  :smileymad:

 

The following website is also blocked with the same threat error while it shouldn't be: http://www.iobit.com/

 

 


denniz wrote:

Thx Shane! :smileyhappy:

 

I checked the problematic thread at Wilders Security just now, and it seems the Intrusion Prevention team has fixed the problem! :smileyhappy: 

 


 

Message Edited by denniz on 10-08-2008 09:10 PM

I would suggest disabling the feature blocking the site because even if there is malware, it will be detected and removed when executed.

I would also like to suggest that Norton rewrite the URL scanning feature, since it is fairly weak. It blocks sites with logfiles of infected processes/files/registry entries, however, it may just be a log file, and not a rogue program claiming that there is malware on your computer. Norton should leave detection and removal of malware through websites to the virus engine, not through web filtering if it is problematic, as in this case.

I have no problem with that website.  You should try it again to see if it’s been fixed.  Or, perhaps, you were clicking on a link on that site?

I don't have a problem with the whole site, but just with a specific section... also not so long ago the below mentioned sites worked just fine with NIS2009. It's a recent problem, so something must be wrong with the signature definitions.

 

Only the following section is blocked: http://www.wilderssecurity.com/forumdisplay.php?f=38 (malware problems & news subforum)

 

Also the http://www.iobit.com/ (Advanced WindowsCare Personal) website is blocked in the same way with the same detection.

 

They are both blocked the moment I click on the above mentioned links, I didn't click on any other links on those sites, only the above mentioned links. NIS2009 doesn't even give me the chance to click on any other links on those sites, because they are blocked instantly the moment I try to visit them.  

 

To sum it up:

 

1 - It's not a phishing detection.

2 - It's a HTTP Fake Scan Webpage detection, detected by the Intrusion Prevention Module.

3 - IE7 just displays a "This page cannot be displayed" error.

4 - I have Advanced Heuristic Protection on Automatic mode.

5 - SONAR is activated.

6 - Browser Protection is activated.  

7 - Pulse Updates + Automatic LiveUpdate is activated.  

8 - Norton Firewall is enabled in Automatic mode.  

9 - I don't have Norton Safe Web installed. 

 

I'm not going to disable ANY protection in Norton that I have currently enabled, those webpages should just work without disabling stuff! :smileymad:

 

I'm running Windows Vista Ultimate SP1 32-bit Dutch with IE7.

Message Edited by denniz on 10-09-2008 06:12 PM

I have the same problem!

 

If you are confident that the attacking web site or part is not an intruder, you can exclude it from detecting.

 

When you receive the pop up of this block (you can also check this in history), you can see the name of the blocked item. Then open Norton product> In the internet pane, click Settings> under Intrusion Detection, click configure next to intrusion exclusions> find out the entry you need to unblock> click Ok.

I know about those exclusion options. The only problem is that you can’t exclude specific websites. If I remove the entry for detecting “HTTP Fake Scan Webpage”, that means ALL websites I visit aren’t monitored for that specific threat anymore. I see no reason to exclude an entire threat that affects all webpages I visit, only because 2 websites are giving me problems. Symantec should just fix the problem.

I click on those links and the pages come right up? Are you using Firefox or IE?

Using both Explorer and Firefox I have the same problem as Denniz. I’ve found this problem also on other sites surfing the web.

1 Like

Are you using the Safe Surf plugin? Remember it's beta. I use it and no problems. What happens when you click on denniz links?

3 Likes