Simple Machines Community Forum

SMF Support => SMF 2.0.x Support => Topic started by: MensaMod on January 04, 2018, 11:19:06 PM

Title: Norton claiming SMF allows "drive-by downloads"
Post by: MensaMod on January 04, 2018, 11:19:06 PM
This may be an FYI or it may be an issue.  A user just pinged me that her new level of Norton (22.11.2.7) doesn't want to let her log on to our SMF because it thinks we allow drive-by downloads (link to their error page (https://safeweb.norton.com/report/show?url=http%3A%2F%2Fagm2m.org%2Findex.php&product=NIS&version=22.11.2.7&lang=0901&source=toolbar)).  She's on Win10 (current) and using Chrome.  She can get in with no problems with the Edge browser.  I'm seeing no complaints from McAfee.

We're still on SMF 2.0.12, PHP 5.3 (just getting ready to go 2.0.15 and PHP 5.6, but not quite there yet).  Our only mods are and we don't tinker with the code.

She's got her work-around and we're posting the warning on our landing page, but is there anything we can/should do about this?

Thanks.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: SaltedWeb on January 04, 2018, 11:26:45 PM
So is this just affecting one member with that program? If so, I would guess the new Norton might have a firewall blocking it; it seems your site may be on some list they have.  I had that happen once: bought a used domain and it was listed.
I have some pretty tight security on my PC but still can see it, so would guess it's on a list Norton buys or manages? Can't see SMF doing it; if they can work around it, then that means their IP is not blocked, just Norton's is? Unless I read this wrong.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: HDB on January 05, 2018, 12:23:37 AM
I use Sucuri WAF on my forum. They offer a free sitecheck tool on their website and I ran your website and it shows you are blacklisted. They check your website against 10 Blacklists and in the results from Sucuri it confirms that you are blacklisted by Norton Safe Web (as you know) but you are clean for the other 9 blacklists that they checked.

https://sitecheck.sucuri.net/results/agm2m.org
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: shawnb61 on January 05, 2018, 12:43:14 AM
Just for some clarity here...  Maybe I'm missing something... 

Norton is not highlighting a problem with the SMF software, or the SMF site. 

Norton thinks there is a problem with your forum's site, agm2m.org.  For some reason, it thinks you allow sneaky/malicious downloads from your site. 

If you disagree, you need to follow the links provided & deal with Norton directly to get them to stop saying there is an issue with your site. 
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: SaltedWeb on January 05, 2018, 01:15:58 AM
Quote
I use Sucuri WAF on my forum. They offer a free sitecheck tool on their website and I ran your website and it shows you are blacklisted. They check your website against 10 Blacklists and in the results from Sucuri it confirms that you are blacklisted by Norton Safe Web (as you know) but you are clean for the other 9 blacklists that they checked.

https://sitecheck.sucuri.net/results/agm2m.org

That's interesting, good tool as well.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: Aleksi "Lex" Kilpinen on January 05, 2018, 01:27:41 AM
It could be some problem you used to have and don't have anymore, or it could be you were reported as unsafe by someone, or sometimes those scans and blacklists just make mistakes. We've all seen those at one point or another, where an internet security software goes haywire. ;)

This would be the best course of action, after making sure your site really doesn't have any extra code, or malicious ads.

Quote
If you disagree, you need to follow the links provided & deal with Norton directly to get them to stop saying there is an issue with your site.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: SaltedWeb on January 05, 2018, 11:22:24 AM
I have seen mass mailers trigger these lists long ago, when that was a norm to communicate. I had a site blacklisted because even though people sign up for newsletters, they can simply report it as spam, and enough people do it as opposed to just changing their settings, and you have this. It's not as common as it used to be for that kinda stuff; nowadays the content often can trigger reports.
Things are becoming more complicated as power users of large corporate social media are dictating what is hate speech, harmful or dangerous. Long running groups, YouTube, and many others are shut down due to small word usage. Seems if any group is running a socially or politically opposed group, meaning they have other sides against what they are representing, it can get reported and then is held to whatever standard that company decides.  I could go on as it's something I have studied extensively over the years and seen many groups appearing "normal" have issues. Without knowing what Norton is using to trigger this, and that it is not on other lists, makes one think it was more specific possibly in your case.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: Sir Osis of Liver on January 05, 2018, 11:39:58 AM
When Norton Utilities first came out (for DOS), it was the berries, then Peter Norton got rich selling it to Symantec, and Norton products have been crap ever since. :P
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: shawnb61 on January 05, 2018, 12:13:45 PM
The OP needs to know what to do next.  What he needs to do is follow the links to reach out to Norton to get his site cleared.  Drilling down on the links provided above, Norton thinks that:
Quote
This signature detects a request to specific domains which characteristically has been known to host malicious exploits and executable files.
So Norton believes there are links of some form on your site to malicious sites.  You need to get to the bottom of that, and either fix those links, or otherwise somehow get Norton to remove you from their list. 
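One way to check which off-site hosts a forum page actually references, the audit the replies above recommend before appealing the listing. This is an added example, not part of the thread or of SMF; it parses a page's HTML and groups external hosts, listing first those that load active content (script, iframe, embed, object). The sample page and every host name in it are constructed placeholders.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch or run third-party content
# automatically; plain <a href> links only matter when a visitor clicks them.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"a": "href", "img": "src", "link": "href", "form": "action"}


class ExternalRefs(HTMLParser):
    """Collect off-site hosts referenced by one page, grouped by host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).hostname
        self.refs = defaultdict(set)  # host -> {(tag, "active" | "passive")}

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, value.strip())).hostname
        if host and host != self.own_host:
            self.refs[host].add((tag, "active" if tag in ACTIVE else "passive"))


def audit(page_url, html):
    """Return (host, sorted tags, loads_active_content) rows, active first."""
    parser = ExternalRefs(page_url)
    parser.feed(html)
    rows = [(h, sorted(t for t, _ in r), any(k == "active" for _, k in r))
            for h, r in parser.refs.items()]
    return sorted(rows, key=lambda row: (not row[2], row[0]))


# Constructed sample page; every host below is a placeholder.
SAMPLE = """
<html><head><script src="//cdn.example.net/jquery.js"></script>
<link rel="stylesheet" href="/Themes/default/css/index.css"></head>
<body><a href="index.php?action=login">Login</a>
<a href="http://friend-site.example/photos">photos</a>
<iframe src="http://ads.example.org/banner"></iframe>
<img src="http://friend-site.example/a.jpg"></body></html>
"""

if __name__ == "__main__":
    for host, tags, active in audit("http://forum.example/index.php", SAMPLE):
        print(f"{'ACTIVE ' if active else 'passive'} {host:22} {','.join(tags)}")
```

Run it over the saved HTML of the board index and a few topic pages; any host in the output that the admins do not recognise is the place to start looking.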
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: MensaMod on January 05, 2018, 01:05:31 PM
Thanks, folks.  I've made a note of that tool and will follow the appeal process.  (I didn't really think that SMF's code was at fault, and we use it for messaging between friends so I doubt we've got nasty links in there.)

Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: Steve on January 05, 2018, 08:13:28 PM
Marking solved then. If you have any other questions regarding this topic, by all means, mark this unsolved and let us know. :)
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: snadge on January 06, 2018, 05:24:54 PM
Quote
I use Sucuri WAF on my forum. They offer a free sitecheck tool on their website and I ran your website and it shows you are blacklisted. They check your website against 10 Blacklists and in the results from Sucuri it confirms that you are blacklisted by Norton Safe Web (as you know) but you are clean for the other 9 blacklists that they checked.

https://sitecheck.sucuri.net/results/agm2m.org

That's interesting, good tool as well.

maybe - but also false positives happen on it - flagged mine as

Site Potentially Harmful. Immediate Action is Required.

why?  because it has no ratings at all on McAfee Site Advisor

and it's the same for this guy's site:

https://safeweb.norton.com/report/show?url=agm2m.org

(https://i.imgur.com/c9E4Rpd.jpg)
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: SaltedWeb on January 06, 2018, 05:38:09 PM
That may be true, but if Norton is the one screening this, false positive or not, it would be a Norton or reporting issue, not an SMF issue.
This was posted in SMF support and has zero to do with SMF.
If anyone gets blacklisted they have to take it up with the reporting services, and it was noted some reports can show a domain blacklisted and some not. But the content is what triggers the response to be listed and has zero to do with SMF.
If this was triggered by Norton or anyone else, contacting them first should be the first action. Still not sure why this is in 2.0 SMF support, as some may think SMF has something to do with Norton triggering the list, and it simply can't.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: MensaMod on January 10, 2018, 04:36:50 PM
Triggered by Norton because who knows why.  I followed their instructions, put their 129-byte crypto file in my Web root, told them I'd done that and 2 days later they said they're happy.  I agree, it's not an SMF issue.
Title: Re: Norton claiming SMF allows "drive-by downloads"
Post by: SaltedWeb on January 10, 2018, 06:01:58 PM
Glad you got it fixed, perhaps though your experience may help others in the future that might run into this.