[Fixed] Sophos Anti-Virus says my site is malicious

[Clark]

I changed a bit of JavaScript code last night and this morning I had feedback from users claiming that Sophos had blocked my site, claiming it contained Troj/JSDldr-F.

URL: http://bitcoin.clarkmoody.com/

Is anyone else having the site blocked for them? Please let us know your OS version, browser version, and antivirus software.

Would any other Sophos users care to submit false positive reports? http://www.sophos.com/en-us/support/knowledgebase/17327.aspx

Edit 2:
Sophos seems to have had a problem with the way I was inlining my JavaScript into the main page (for speed). Taking the JS out into include files caused no malware triggers whatsoever.

The problem appears to be resolved. The site never contained malware, and I maintained control of my servers and source the entire time.


Edit:

Using jotti.org reveals this:

[1715552638]

1715552638

[1715552638]

1715552638

[farlack]

Erm you're probably not seeing many posts because of the fact you're saying your site might be giving trojans..

Are you using free hosting? Anti viruses flag some hosts themself, so if your host is flagged for providing a lot of sites with viruses, they flag you too. I had the same issue with mcaffee a few years ago using a free host.

[rme]

Some antivirus scan files/websites with heuristic algorithms.
Your website is a false positive 

[btbrae]

I'm in the UK and I left your page running overnight and woke up to the warning message, that your site has been responsible for distributing malicious software. I use Opera & Avast!

And yeah sorry, I usually close it down when I'm afk.

[Clark]

I'm in the UK and I left your page running overnight and woke up to the warning message, that your site has been responsible for distributing malicious software. I use Opera & Avast!

And yeah sorry, I usually close it down when I'm afk.

Yandex is partnered with Sophos (which caused the malware flag), and Opera uses the Yandex blacklist for its page screening. Go figure.

[Clark]

I just got off the phone with Sophos, and they're 'sending it to their lab' for analysis...

[ErebusBat]

I just got off the phone with Sophos, and they're 'sending it to their lab' for analysis...

Hope fully some of the techs are bitcoin fans

[Clark]

Well I took out the embedded JavaScript and re-scanned the file with that online scanner, and it passed Sophos. Hopefully they will update their Yandex blacklist so Opera users will continue to use the site.

Can any Sophos users confirm that the site passes?

[tpantlik]

https://www.virustotal.com/cs/url/f6cfaa9ebfbf8935b09e6a9a7bc37c7e853cd0a2858a424a0ea524b8d66c35a9/analysis/1365243245/

Yandex still say it is malware site.

[Herodes]

False positive, I guess they don't care much ? Perhaps somebody should sue their ass! 

[Clark]

A couple people told me over email that the site it no longer triggering alerts on Sophos. Yandex will hopefully update its blacklist soon.

[Herodes]

A couple people told me over email that the site it no longer triggering alerts on Sophos. Yandex will hopefully update its blacklist soon.

That's good. More interestingly it would be to find out what triggered it ? What kind of code triggered it. I would think you don't have any malware on your site in the first place..

[hiltonizer]

Sophos was blocking it for me the other day, haven't tried again on those machines. Both vanilla Win 7 Pro x64 systems.

Checkpoint IPS is blocking something to, the CSS I think, but not the whole site.

[Michael_S]

I still have a warning from Yandex with Opera 12.02 on Ubuntu 8.04, right at this moment.