Hello,
I have been visiting a website weekly for years with no problems. Beginning last week I started getting an intrusion warning which says "Malicious Toolkit Website 14" whenever I visit the site and the page won't load. I know for certain that the site is clean, my machine is clean and all software is up to date. The funny thing is, if I open NIS>Advanced>Network Protection and disable "Intrusion Prevention" for just long enough to load the page in question, the site will load and display just fine until I restart the browser. The site in question is theburningplatform.com
The problem affects Firefox and IE both. I'm running Win7Home. Any ideas? The following is a cut and paste from the NIS Security History window that pops up when I click view details on the attack warning.
Thanks!
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
8/3/2013 2:16:37 PM,High,An intrusion attempt bywas blocked.,Blocked,No Action Required,Web Attack: Malicious Toolkit Website 14,No Action Required,No Action Required,(173.236.137.36, 80)", 50761)",173.236.137.36 (173.236.137.36),"TCP, www-http"
Network traffic from matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.
[edit: Please do not link to potentially malicious websites per the Participation Guidelines and Terms of Service.]
Hi IndenturedServa
I just tried the web site on IE9 using the Norton tool bar search box and although the website has the Norton safe web icon I got what you are getting, website blocked. Can you contact the website through email or the phone or text to let them know they are infected?
ATB
intesec
The site in question is clean. I personally know the people who own it. The site has been checked and re-checked six ways from Sunday. I've been disabling the Network Intrusion portion of NIS for a week just long enough to get the page loaded then I re-enable the intrusion protection. After that, every page on the site loads just fine. We are certain this is a false positive but I have no idea how to fix it.
I still don't understand how disabling a portion of NIS designed to protect my computer from other devices on my home network (not the web) allows the site to load without further problems.
Hi IndenturedServa
If you could let Norton know about the problem file or files and where to find them, they can assess it for being a false positive, please use the link below.
https://submit.symantec.com/false_positive
ATB
intesec
I'm sorry to say, but the site does appear to be infected with malware. Please see the results below;
http://sitecheck.sucuri.net/results/www.theburningplatform.com
Thanks intesec. I just submitted a report. I'm not sure what files are involved........simply visiting the url triggers the warning.
IndenturedServa wrote:
The site in question is clean.
Wrong - the site is not clean.
The site is hosting malware. I, too, have checked it with Sucuri and it was found to be infected. In situations like this, where a security program is alerting to threats, it always amazes me that a user will state "I know for certain that the site is clean" (without actually checking the site) and then proceed to disable the security software. It sort of defeats the purpose of using a security program in the first place.
IndenturedServa wrote:
The site in question is clean.
No, it's not; check Sucuri. I just ran the URL through there and got a malware flag.
IndenturedServa wrote:
I still don't understand how disabling a portion of NIS designed to protect my computer from other devices on my home network (not the web) allows the site to load without further problems.
IPS scans internet traffic, as well as local network traffic. It uses attack signatures to identify patterns in the traffic that match known attacks. Because IPS is looking for vulnerability exploits, rather than specific malware, false positives are rare. An IPS block is triggered by the traffic that is detected, not the website's reputation. Turning off IPS allows the website to load because you have disabled the component that can recognize the packets associated with this particular toolkit attack.
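The distinction drawn above, signature matching on the traffic versus a reputation rating of the host, is illustrated by the following added example. It is not code from the thread or from Norton: the signatures, the hostname, the reputation table and the two page bodies are all constructed, and the detection logic is a deliberately simple regex matcher standing in for a real IPS engine. The same host is rated "Safe" in both runs; only the response payload differs, so only the payload that matches a signature is blocked, and switching the inspector off lets that same payload through.

```python
"""Toy model of a signature-based IPS alongside a reputation lookup.

Constructed example: signatures, hostnames and page bodies are made up and
are not Norton's. It shows why a host with a clean reputation rating can
still be blocked when one particular response matches an attack signature.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signatures: generic indicators of injected page content. A real
# IPS matches these against the bytes on the wire, regardless of the host.
SIGNATURES = {
    "Web Attack: Hidden Iframe Injection (constructed)":
        re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
    "Web Attack: Obfuscated Script Loader (constructed)":
        re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
}

# Constructed reputation table, in the spirit of a site-rating service that
# refreshes periodically: the rating describes the last crawl, not this response.
REPUTATION = {"www.example-blog.test": "Safe"}


@dataclass
class Verdict:
    reputation: str          # what the rating service says about the host
    ips_alert: Optional[str]  # signature name matched on the traffic, if any
    blocked: bool            # IPS blocks on the alert, never on reputation


def ips_inspect(body: str) -> Optional[str]:
    """Return the name of the first signature the payload matches, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(body):
            return name
    return None


def evaluate(host: str, body: str, ips_enabled: bool = True) -> Verdict:
    """Combine the reputation lookup with (optional) traffic inspection."""
    rep = REPUTATION.get(host, "Unrated")
    alert = ips_inspect(body) if ips_enabled else None
    return Verdict(reputation=rep, ips_alert=alert, blocked=alert is not None)


# Constructed page bodies: the same page before and after an injected iframe,
# standing in for a site whose content changed between two visits.
CLEAN_PAGE = "<html><body><h1>Weekly post</h1><p>Nothing unusual.</p></body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://redirector.test/x" width=0 height=0></iframe></body>',
)

if __name__ == "__main__":
    host = "www.example-blog.test"
    for label, body in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        v = evaluate(host, body)
        print(f"{label:8} reputation={v.reputation} alert={v.ips_alert} blocked={v.blocked}")
    # With the inspector disabled the identical injected response passes.
    print("ips off ", evaluate(host, INJECTED_PAGE, ips_enabled=False))
```

Running it prints a "Safe" reputation for every row, a block only for the injected body, and no block once `ips_enabled` is False, which is exactly the behaviour the post describes: the reputation never changed, the traffic did.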
I have three computers at home...two identical Pavilion dm4 laptops and an older PC. I'm running the latest version of NIS on all three machines (license covers 3 computers) connected to the same network but only one of the machines is experiencing this problem. I used three computers at work last night to access the site and received no warnings and experienced no problems. Work computers are on a corporate network spanning three continents with a dedicated IT dept.
The machine at home experiencing the problem runs like a top. This is the machine I momentarily disable the Intrusion Prevention on to load the site in question. There is no evidence of infection on it despite running multiple scans with the installed NIS v24.0.4.40. Interestingly, Norton Safe Web reports the site as clean.
About half of the regular visitors (running Norton) to the site in question inexplicably stopped receiving Malicious Toolkit warnings when visiting the site yesterday afternoon. Makes no sense at all.
What is it that makes Sucuri the be all and end all in determining if a site is infected? There are two dozen other sites that claim to check URLs for malicious content and the dozen or so that I have tried report the site as clean including Norton Safe Web.
I appreciate your responses and I'm not trying to argue that anyone is wrong here but something just does not add up.
IndenturedServa wrote:
About half of the regular visitors (running Norton) to the site in question inexplicably stopped receiving Malicious Toolkit warnings when visiting the site yesterday afternoon. Makes no sense at all.
If others were getting the warning from Norton, and then suddenly stopped receiving the problem, it shows that it was not just your machine.
The reason for the stopping of the messages could be either an update from Norton for a false positive on that site, or the site was infected and has been fixed now.
IndenturedServa wrote:
What is it that makes Sucuri the be all and end all in determining if a site is infected? There are two dozen other sites that claim to check URLs for malicious content and the dozen or so that I have tried report the site as clean including Norton Safe Web.
Sucuri scans the site in real time and reports any issues that it finds, such as JavaScript that is known to be malicious. Norton Safe Web bases its ratings on periodic testing of websites. You are comparing apples and oranges - Safe Web and Sucuri provide different data in different ways and the findings of each need to be interpreted differently.
There are many explanations why a malicious exploit might no longer appear on a site - including the fact that some exploits, in order to avoid detection, will not launch more than once to the same site visitor, or may only attack randomly.
I submitted the URL to false positive as suggested and was basically told that my NIS is operating as expected for the activity detected there. Whatever activity they detected must have been fairly benign as they included instructions on how to set up an exclusion to stop the alert/blocking activity. I doubt they would have suggested that if the activity was malicious. The message from Symantec seemed ambiguous about it.
Anyway, before I could set up the exclusion, NIS quit blocking the site and issuing alerts on its own. Sucuri is still reporting malware. I've run full scans with NIS and Power Eraser and continue to come up clean. The site owner hired a professional firm to test and monitor the site for a period of time and has been assured that there is no threat to visitors. I find it odd that my other two computers never alerted me to any issues or blocked the site.
I appreciate the comments and assistance.
IndenturedServa wrote:
I submitted the URL to false positive as suggested and was basically told that my NIS is operating as expected for the activity detected there. Whatever activity they detected must have been fairly benign as they included instructions on how to set up an exclusion to stop the alert/blocking activity. I doubt they would have suggested that if the activity was malicious. The message from Symantec seemed ambiguous about it.
Anyway, before I could set up the exclusion, NIS quit blocking the site and issuing alerts on its own. Sucuri is still reporting malware. I've run full scans with NIS and Power Eraser and continue to come up clean. The site owner hired a professional firm to test and monitor the site for a period of time and has been assured that there is no threat to visitors. I find it odd that my other two computers never alerted me to any issues or blocked the site.
I appreciate the comments and assistance.
Norton may have stopped reporting an issue due to an update to the definitions. The other systems may not have detected the issue due to the timing of the LiveUpdates on each machine. They will not necessarily all run at the same time.
The issue could have been a change to some part of the web page or server software that security software had not seen before, or it may have exhibited some suspicious activity that triggered alerts. After further testing, the activity has been determined to be benign.