Solved

Shield (webpage)


Userlevel 5
Badge +22
I read in the forums that "Web Shield" has been replaced by "Webroot Filtering Extension", but my installation refers to "Web Shield" and "SecureAnywhere Shields" when talking about what I would like help with; again.
 
Two questions were asked of support.
If a link can be provided that answers my question please provide it rather than wasting your time. However, generic responses will not help.
  1. How can I tell what the “malicious links and/or payloads” are?
  2. Is the following domain actually dangerous or is it a false report? I’m guessing if their website is malicious then their product (which is downloaded and installed) is even more dangerous.
The answer to both was "We do not have access to the information on what is wrong with the website, however if we are giving it a low score and warning you about the website that means something is wrong with the site like it may have adware, ads, pop-ups, *or* may contain a malicious link which can cause issues" (emphasis mine).
 
The webpage is:
http://www.cryoutcreations.eu/wp_super_faq/c2-how-do-i-use-a-different-font-than-the-ones-that-are-available-with-mantra
 
Cryout Creations publishes a WordPress theme named Tempera that our church is using. I am having an issue and would like to look at their FAQs to see if they answer my questions. However, the Google Search came up with the following:
Webroot URL classification
Category: Computer and Internet Info
Confidence: 72
Category: Business and Economy
Confidence: 93
Score: 39 
 
Before the Google Search was found the webpage started to be accessed through a link from a safe page.  Webroot stopped me stating:
This website has been reported as unsafe
http://www.cryoutcreations.eu/wp_super_faq/c2-how-do-i-use-a-...

We recommend that you don't continue to this website because it is reported to contain the following threats:
Suspicious threat:
This is a suspicious site. There is a higher than average probability that you will be exposed to malicious links or payloads.

How can I determine if this page contains an advertisement or pop-up, as Webroot support stated, or is actually a malicious site?
 
It is my belief that if their support pages are malicious then the theme they provide (downloaded, installed, and used on every page of the website) would also be malicious. However, reporting is not always correct, yet I can find no link stating what was found by Webroot to flag it as a dangerous site.
Best answer by Shran 24 June 2014, 21:49
19 replies

Userlevel 7
@ can you take a look at the ticket? Doesn't Support generally know the reason for a classification and have the ability to request a change?
 
I am on tablet, but it looks like the site is flagged due to 'popularity' issues and not any known infections.
Userlevel 7
Hi ExpertNovice,
 
While I don't have all the answers, I hope I can help with some.
 
You can look up why the Webroot filtering extension is blocking a website by going to http://www.brightcloud.com/tools/url-ip-lookup.php . Just enter the address, type in the CAPTCHA, and it will give you the reasons for its rating.
 
Looking at the report for the website you gave, it appears to have a "suspicious" rating not because "hard-positives" (actual confirmed malware) were detected, but because the website is fairly new and does not have that many visitors.
 


The reason why a page might get a "suspicious" rating for being new and not having many visitors is because oftentimes malicious websites are "here today, gone tomorrow".
 
EDIT: Sorry David, I did not see your reply until the page reloaded when I posted mine.
 
Hope this helps,
 
Shran
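To make the distinction in this answer concrete (no confirmed detections, yet a low score driven by site age and low popularity), here is a small constructed reputation scorer. It is an added example written for this thread, not BrightCloud's or Webroot's actual scoring algorithm; the thresholds, penalties, band names and the sample sites are all assumptions chosen for illustration.

```python
"""Constructed URL reputation scorer (illustrative only).

Models the idea from the answer above: a site with zero confirmed
("hard-positive") detections can still land in a "suspicious" band purely
because the domain is new and rarely visited, whereas any confirmed
detection drops it straight to the bottom band. Weights and bands are
made up for this example and are NOT BrightCloud's real scale.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SiteEvidence:
    domain: str
    hard_positives: int    # confirmed malware/phishing detections
    domain_age_days: int   # age of the domain registration
    monthly_visits: int    # rough popularity measure


@dataclass
class Verdict:
    score: int
    band: str
    reasons: List[str]


# Constructed score bands, highest first (loosely mirrors a 5-step shield colour scale).
BANDS: List[Tuple[int, str]] = [
    (80, "trustworthy"),
    (60, "low risk"),
    (40, "moderate risk"),
    (20, "suspicious"),
    (0, "high risk"),
]


def band_for(score: int) -> str:
    """Map a 0-100 score onto the first band whose floor it reaches."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "high risk"


def score_site(ev: SiteEvidence) -> Verdict:
    """Combine the evidence into a score plus human-readable reasons.

    The reasons list is the part the original poster was missing: it tells
    you *why* a site scored low, so age/popularity can be told apart from
    real detections.
    """
    score = 100
    reasons: List[str] = []

    # Confirmed detections dominate everything else: cap the score near zero.
    if ev.hard_positives > 0:
        score = min(score, 10)
        reasons.append(f"{ev.hard_positives} confirmed detection(s) on the site")

    # Newly registered domains are penalised ("here today, gone tomorrow").
    if ev.domain_age_days < 90:
        score -= 35
        reasons.append(f"domain is only {ev.domain_age_days} days old")
    elif ev.domain_age_days < 365:
        score -= 15
        reasons.append(f"domain is under a year old ({ev.domain_age_days} days)")

    # Low popularity means the site is less proven, not that it is known bad.
    if ev.monthly_visits < 1_000:
        score -= 30
        reasons.append(f"low popularity: about {ev.monthly_visits} visits/month")
    elif ev.monthly_visits < 100_000:
        score -= 10
        reasons.append(f"moderate popularity: about {ev.monthly_visits} visits/month")

    score = max(0, score)
    return Verdict(score, band_for(score), reasons)


# Constructed sample sites (not real measurements of any domain).
NEW_CLEAN_SITE = SiteEvidence("new-faq.example", hard_positives=0,
                              domain_age_days=60, monthly_visits=500)
ESTABLISHED_SITE = SiteEvidence("big-search.example", hard_positives=0,
                                domain_age_days=5000, monthly_visits=10**9)
INFECTED_SITE = SiteEvidence("compromised.example", hard_positives=2,
                             domain_age_days=5000, monthly_visits=10**6)


if __name__ == "__main__":
    for site in (NEW_CLEAN_SITE, ESTABLISHED_SITE, INFECTED_SITE):
        v = score_site(site)
        print(f"{site.domain}: score {v.score} ({v.band})")
        for r in v.reasons:
            print(f"  - {r}")
```

Running it shows the new, rarely visited site ending up in the "suspicious" band with only age and popularity listed as reasons, while the site with confirmed detections is "high risk" regardless of how old or popular it is. That reasons list is what a URL lookup page such as the BrightCloud one linked above gives you, and it is the thing to check before deciding whether a warning is a false positive.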
Userlevel 7
Shran, 
 
No apologies, that is quite perfect! You gave the imagery for what I was describing....that is exactly what I was looking at when making my reply. :-)
 
TEAMWORK!
Userlevel 7
Badge +56
I looked up the ticket and didn't find any more info than you've already posted.  From the Brightcloud analysis it looks like this site is actually free of malware and pop-ups, and the score is based on newness as others have mentioned.  Here's the link in case you need to manually lookup any URLs:
 
http://www.brightcloud.com/tools/url-ip-lookup.php
Userlevel 7
Thank you David and Nic!
Userlevel 7
Hi ExpertNovice
 
In case you were not aware of it, you can also seek to affect the site's reputation with BrightCloud by submitting a URL Reputation Change Request for the site if you are familiar with it and believe that it is being 'downplayed'. And it all helps to improve the accuracy of the Shield.
 
How it functions is self explanatory...but let us know if you have any further questions.
 
Regards
 
 
 
Baldrick
Userlevel 5
Badge +22
DavidP,
 
Thanks for responding.
 
Questions (designed to help me learn and understand) will follow.
Support's response was quoted but here it is again but with their question added.  Emphasis mine.
 
We do not have access to the information on what is wrong with the website, however if we are giving it a low score and warning you about the website that means something is wrong with the site like it may have adware, ads, pop-ups or may contain a malicious link which can cause issues. Is this your website or just a site you like to use?
 
Question:
1. If Webroot support isn't the proper group to determine if a website is malicious or even knows why, then who should we contact? (Note: I don't visit websites with a rating below the top rating. Dark green with white checkmark.) However, if a website is important to my work then it must be determined if it is falsely being flagged.
 
2. How did you determine "the site [might be] flagged due to 'popularity' issues and not any known infections"? All I see is the following.
Webroot URL classification
Category: Computer and Internet Info
Confidence: 72
Category: Business and Economy
Confidence: 93
Score: 39
 
A score of 39 has the second lowest rating possible.  As for popularity, I visit sites that are arguably more popular than the FAQ page of Cryout Creations.  Websites such as Wimp.com, Google, Microsoft, Vimeo, YouTube, etc. and have never seen their pages flagged as malicious.
 
For the record, I trust Webroot over Google but just found this (note the last visit was on May 1, nearly two months ago):
 
Safe Browsing Diagnostic page for cryoutcreations.eu
What is the current listing status for cryoutcreations.eu?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 10 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-05-01, and suspicious content was never found on this site within the past 90 days. This site was hosted on 1 network(s) including AS16265 (FIBERRING).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, cryoutcreations.eu did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
Userlevel 7
Question #1: Support will often do it, but see Baldrick's reply for the official reclassification request link. :-)
 
Question #2: Simple..... no known infections and the only item flagged was age and popularity.... see Shran's reply above with the graphics.
Userlevel 7
We get the low popularity and age by visiting the BrightCloud URL lookup page. When we say popularity issues, we don't mean it has high popularity; the site has low popularity, not high popularity like the other sites you mentioned, meaning it is less proven than the other sites. From the information you are giving, it looks like you are looking at the Web Shield icon in the search results. If you check the website on BrightCloud (Webroot's website checker/filter), it gives you more details. The screenshot I posted earlier and the information David gave both come directly from the page lookup on BrightCloud. The link to get more details on a rating is here: http://www.brightcloud.com/tools/url-ip-lookup.php. It very well may be that BrightCloud's web crawler didn't discover the site until recently, which is why it shows as potentially suspicious. It shows no hard-positives, which makes me think it probably just recently discovered the website. I may be wrong, but I think the reason support asked if it was your website or a website you visit is because if it was your personal website, then they would have to work with you differently to verify the website and give it a higher rating than if you were a visitor using the website. I would definitely follow Baldrick's advice and submit a reputation change request. The threat team usually looks at it pretty quickly and changes the automatic rating if it is a clean site.
Hope this helps,
Shran
Userlevel 7
Badge +56
And our system isn't perfect, so we might just have gotten the reputation wrong in this case.  That's where the feedback comes in that Shran linked to.
Userlevel 7
@ wrote:
And our system isn't perfect, so we might just have gotten the reputation wrong in this case.  That's where the feedback comes in that Shran linked to.
Well Nic, given that this Shield is still in relative infancy compared to the rest of WSA...it is very likely that you could be right here.
 
But I do agree with ExpertNovice's point that the information given when one hovers over the check marks does leave things to be desired, informationally speaking, and personally I would like to see the option to get a little more detail...but I am sure that in the fullness of time the feature will prove itself to be best in class...like most other things WSA. ;)
 
Regards
 
 
Baldrick 
Userlevel 7
Badge +56
Yeah, there's a lot of resources being put towards this, so we'll definitely see improvements as we go.
Userlevel 7
Badge +35
I had a look at this one, and have determined it to be a False Positive. I have submitted a change request to have the warning removed. These requests can take up to 24-48 hours to complete. Since the request was sent internally it should get expedited though.
 
The site was flagged as suspicious due to the age and popularity as others have mentioned. 
 
Thanks,
 
-Fan
Userlevel 7
Thanks DanP!  You, like everyone else at Webroot, ROCK!
Userlevel 5
Badge +22
WOW!  All y’all have always given great support but today, everyone went well beyond excellent support.
 
Shran_GoSpursGo, Other than the web crawler, does BrightCloud find webpages as a Webroot user accesses a site or during a web search where the shield "grades" the site?
(You are forgiven for your support of the wrong team… :P :D)
Seriously, your answer was the perfect answer for my personality type! It was complete, taught me, and allows me to find future answers on my own. Please forgive me for not knowing about the URL/IP lookup webpage. I must not have researched enough (on my own) to learn about it.
 
DavidP, Doh! I should have realized, based on your quoting of the word "popularity", that you meant lack thereof. It makes perfect sense after reading the explanation of why it is a factor. Your comment to DanP and everyone else was spot on.
 
Baldrick, Thanks.  I would submit the request (after testing) but see DanP already took action.
 
Nic, Yeah, no protection can ever be perfect and (using a broad term) false positives are a fact of life.
 
DanP, Thanks!  Oh, howdy… again.
 
 
To paraphrase DavidP, y'all ROCK!
 
Godspeed,
Jim
 
Userlevel 7
OUCH.  Personally, I think I failed. 
 
Thank you for your feedback... I need to phrase things better when it comes to explaining "site popularity" as in a lack thereof. I am VERY sorry for not explaining it more clearly!!
 
I always learn more every day, and today's learning comes from you: how to phrase it better to avoid confusion.
 
Thanks 🙂
Userlevel 7
Thank you for the compliment Jim!
I may be wrong, but I believe that BrightCloud does at least queue a site for review/inspection when a user visits it. One of the threat researchers such as @Rakanisheu, @DanP, or @ the product manager would be the source for a more definitive answer regarding that, as I am not an expert. I do know that the Filtering extension analyzes pages in real time for phishing, so it would make sense that it probably does submit the URL to BrightCloud for reputation/analysis purposes.
Userlevel 5
Badge +22
DavidP,
 
No, you did not fail. We can all agree that communication is harder than most people think and typically requires a frame of reference for clarity. For example, everyone thinks they know the definition of "people". Well, there are at least four opinions when the frame of reference is the U.S. Constitution. The most extreme, as argued before the Supreme Court by two administrations over the past 20 years, is "certain government employees."
 
Besides, I have read technical manuals and understood the significance of quoted words, so it should have been understood (had I thought) when it was read. For me, the most important thing is that this lingering question is now understood.
 
Thank you so much
 
 
Userlevel 7
@ wrote:
Yeah, there's a lot of resources being put towards this, so we'll definitely see improvements as we go.
What I really like about all of this is what Nic stated...sounds super excellent and cool...can hardly wait for the improvements to be released. :D

 
Cheers, Nic