Norton claiming SMF allows "drive-by downloads"

Started by MensaMod, January 04, 2018, 11:19:06 PM

MensaMod

This may be an FYI or it may be an issue. A user just pinged me that her new level of Norton (22.11.2.7) doesn't want to let her log on to our SMF because it thinks we allow drive-by downloads (link to their error page). She's on Win10 (current) and using Chrome. She can get in with no problems with the Edge browser. I'm seeing no complaints from McAfee.

We're still on SMF 2.0.12, PHP 5.3 (just getting ready to go 2.0.15 and PHP 5.6, but not quite there yet).  Our only mods are

  • Stop Spammer 2.3.9
  • addon_OS_Browser_httpBL 1.1
  • httpBL 2.5.1
  • Inline Hover Spoiler 1.5
and we don't tinker with the code.

She's got her work-around and we're posting the warning on our landing page, but is there anything we can/should do about this?

Thanks.

SaltedWeb

So is this just affecting one member with that program? If so, I would guess the new Norton might have a firewall blocking it; it seems your site may be on some list they have. I had that happen once: I bought a used domain and it was listed.
I have some pretty tight security on my PC but can still see it, so I would guess it's on a list Norton buys or manages? I can't see SMF doing it; if they can work around it, then it means their IP is not blocked, just Norton's is? Unless I read this wrong.
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

HDB

I use Sucuri WAF on my forum. They offer a free sitecheck tool on their website and I ran your website and it shows you are blacklisted. They check your website against 10 Blacklists and in the results from Sucuri it confirms that you are blacklisted by Norton Safe Web (as you know) but you are clean for the other 9 blacklists that they checked.

https://sitecheck.sucuri.net/results/agm2m.org

shawnb61

Just for some clarity here...  Maybe I'm missing something... 

Norton is not highlighting a problem with the SMF software, or the SMF site. 

Norton thinks there is a problem with your forum's site, agm2m.org.  For some reason, it thinks you allow sneaky/malicious downloads from your site. 

If you disagree, you need to follow the links provided & deal with Norton directly to get them to stop saying there is an issue with your site. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

SaltedWeb

Quote from: HDB on January 05, 2018, 12:23:37 AM
I use Sucuri WAF on my forum. They offer a free sitecheck tool on their website and I ran your website and it shows you are blacklisted. They check your website against 10 Blacklists and in the results from Sucuri it confirms that you are blacklisted by Norton Safe Web (as you know) but you are clean for the other 9 blacklists that they checked.

https://sitecheck.sucuri.net/results/agm2m.org

That's interesting; good tool as well.
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Aleksi "Lex" Kilpinen

It could be some problem you used to have and don't have anymore, or it could be you were reported as unsafe by someone,
or sometimes those scans and blacklists just make mistakes. We've all seen those at one point or another, where an internet security software goes haywire. ;)

This would be the best course of action, after making sure your site really doesn't have any extra code, or malicious ads.

Quote from: shawnb61 on January 05, 2018, 12:43:14 AM
If you disagree, you need to follow the links provided & deal with Norton directly to get them to stop saying there is an issue with your site. 
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

SaltedWeb

I have seen mass mailers trigger these lists long ago, when that was the norm for communicating. I had a site blacklisted because, even though people sign up for newsletters, they can simply report them as spam, and when enough people do that as opposed to just changing their settings, you have this. It's not as common as it used to be for that kind of stuff; nowadays the content can often trigger reports.
Things are becoming more complicated as power users of large corporate social media are dictating what is hate speech, harmful or dangerous. Long-running groups, YouTube, and many others are shut down due to small word usage. It seems that if any group is running a socially or politically opposed group, meaning they have other sides against what they are representing, it can get reported and is then held to whatever standard that company decides. I could go on, as it's something I have studied extensively over the years, and I have seen many groups appearing "normal" have issues. Not knowing what Norton is using to trigger this, and that it is not on other lists, makes one think it was more specific, possibly, in your case.
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Sir Osis of Liver

When Norton Utilities first came out (for DOS), it was the berries, then Peter Norton got rich selling it to Symantec, and Norton products have been crap ever since. :P
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

shawnb61

The OP needs to know what to do next.  What he needs to do is follow the links to reach out to Norton to get his site cleared.  Drilling down on the links provided above, Norton thinks that:
Quote: This signature detects a request to specific domains which characteristically has been known to host malicious exploits and executable files.
So Norton believes there are links of some form on your site to malicious sites.  You need to get to the bottom of that, and either fix those links, or otherwise somehow get Norton to remove you from their list. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
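
One way to start on "getting to the bottom of that" is to list every off-site host a forum page references and which of those load without a click. This is an added example, not part of any post in this thread; the `forum.example` URL, the other host names and the sample HTML are constructed placeholders.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_ATTRS = {"src", "href", "action", "data", "poster"}  # attributes that carry a URL
# Tags whose URLs are fetched on page load, without the visitor clicking.
AUTO_LOAD = {"script", "iframe", "img", "embed", "object", "link", "source"}

# Constructed sample page; every host name here is a placeholder.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/Themes/default/css/index.css">
<script src="//cdn.example.net/lib.js"></script></head><body>
<a href="index.php?action=login">Login</a>
<a href="http://links.example.org/page">link posted by a member</a>
<img src="https://img.example.org/sig.png">
<iframe src="https://ads.example.com/frame.html"></iframe>
<a href="mailto:admin@forum.example">contact</a>
</body></html>"""

class ExternalRefs(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlparse(page_url).hostname
        self.hosts = defaultdict(set)  # host -> {(tag, attr, auto_loaded)}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = urlparse(urljoin(self.page_url, value.strip()))
            if url.scheme not in ("http", "https") or not url.hostname:
                continue  # skips mailto:, javascript:, data: and the like
            host = url.hostname.lower()
            if host == self.own_host or host.endswith("." + self.own_host):
                continue  # same site or one of its subdomains
            self.hosts[host].add((tag, name, tag in AUTO_LOAD))

def external_hosts(html, page_url):
    parser = ExternalRefs(page_url)
    parser.feed(html)
    parser.close()
    return dict(parser.hosts)
def auto_loaded_hosts(html, page_url):
    refs = external_hosts(html, page_url)
    return sorted(h for h, r in refs.items() if any(auto for _, _, auto in r))

if __name__ == "__main__":
    print(auto_loaded_hosts(SAMPLE_HTML, "https://forum.example/index.php"))
```

Run it over saved copies of the board index, a few topic pages and the theme templates; any host in the output that the admins do not recognise is where to look first.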

MensaMod

Thanks, folks.  I've made a note of that tool and will follow the appeal process.  (I didn't really think that SMF's code was at fault, and we use it for messaging between friends so I doubt we've got nasty links in there.)


Steve

Marking solved then. If you have any other questions regarding this topic, by all means, mark this unsolved and let us know. :)
DO NOT pm me for support!

snadge

Quote from: SaltedWeb on January 05, 2018, 01:15:58 AM
Quote from: HDB on January 05, 2018, 12:23:37 AM
I use Sucuri WAF on my forum. They offer a free sitecheck tool on their website and I ran your website and it shows you are blacklisted. They check your website against 10 Blacklists and in the results from Sucuri it confirms that you are blacklisted by Norton Safe Web (as you know) but you are clean for the other 9 blacklists that they checked.

https://sitecheck.sucuri.net/results/agm2m.org

That's interesting; good tool as well.

maybe - but also false positives happen on it - flagged mine as

Site Potentially Harmful. Immediate Action is Required.

why?  because it has no ratings at all on McAfee Site Advisor

and it's the same for this guy's site:

https://safeweb.norton.com/report/show?url=agm2m.org


SaltedWeb

That may be true, but if Norton is the one screening this, false positive or not, it would be a Norton or reporting issue, not an SMF issue.
This was posted in SMF support and has zero to do with SMF.
If anyone gets blacklisted, they have to take it up with the reporting services, and it was noted that some reports can show a domain blacklisted and some not. But the content is what triggers the response to be listed, and that has zero to do with SMF.
If this was triggered by Norton or anyone else, contacting them should be the first action. Still not sure why this is in 2.0 SMF support, as some may think SMF has something to do with Norton triggering the listing, and it simply can't.
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

MensaMod

Triggered by Norton because who knows why.  I followed their instructions, put their 129-byte crypto file in my Web root, told them I'd done that and 2 days later they said they're happy.  I agree, it's not an SMF issue.

SaltedWeb

Glad you got it fixed, perhaps though your experience may help others in the future that might run into this.
Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.
