Why is AVG blocking legitimate sites?

AVG is a “free” antivirus software package that has become fairly popular lately. The b5media tech team has been asked many times in the last 24 hours about why AVG is blocking legitimate sites. There is a FAQ on AVG’s site about this, but it is incomplete and, in my opinion, inaccurate*. People are asking the questions in the AVG forum, but responses have just been long paragraphs explaining how they’ve asked the question in the wrong forum and links to the FAQ. I’ll attempt to better address the question here.

The FAQ says:

There are several possibilities for how a clean and legitimate website may become infected:

  • Website was exploited by some hacktoolkit which searches for vulnerable websites, and automatically infects them.
  • Infection was inserted on the machine that is used to create/upload websites, which means that the author’s/administrator’s computer is infected.
  • An attacker gained direct access to the website administration thanks to a weak or stolen access password.

We recommend contacting the administrator of such a website.

This may have largely been true 5 years ago, but it isn’t now. Yes, breaches in security happen and always will. However, the most common vector for malware to get onto today’s sites is through ads. These ads never even pass through the webserver you are visiting**.

The FAQ would be accurate if they added:

  • The website is currently displaying an ad/image hosted on a site that AVG has deemed dangerous.

The unprinted bullet point is:

  • We mess up. We are humans. We are not perfect and neither are the tools we use. Sometimes we will say a site is infected when it isn’t. Sometimes we will say something is malware that really is, but it is so commonplace that blocking it would make so many sites unusable that we will have to back down. When this happens, we will try to “fix” the issue as quickly as possible.

This ad vector is something that all websites are fighting right now. It’s difficult because servers can be spotless and tight, but tools like AVG and the Google toolbar will see one of these ads (that we have nothing to do with) and will list that site as infected. If a bad ad happens to be served when Google scans for infection, the site is completely dropped from the Google index. NOT GOOD. Then the admin has to go and figure out which ad is bad and, from that, which ad manager let something through that they should have blocked.***

So, what is the current issue? Well, on October 14, 2009 AVG reclassified an ad/cookie used on a large majority of websites out there as dangerous. That’s why AVG is blocking familiar sites such as http://nytimes.com, http://imageshack.us, http://yahoo.co.uk, http://babelfish.yahoo.com and http://problogger.com, as well as other b5media entities like http://everyjoe.com, http://splendicity.com and http://blisstree.com.

Everything seems to point to ads.YieldManager.com as what is being blocked. Yieldmanager.com has an Alexa rating of 198. Think what you want of Alexa, 198 means they are BIG. You probably know the name, as they have been on most sites you’ve visited for years. YieldManager is run by Right Media, which, since 2007, has been controlled by Yahoo. This is why the IP addresses that come up in the AVG LinkScanner alerts all point to Yahoo.

In short, AVG will either change this decision or lose market share. It won’t take long for them to make up their mind.

UPDATE: Around 9am the forum included a post stating “UPDATE…. It’s now been ascertained that it was actually a false positive. Please update the AVG on your system.”

Forum users report that AVG has changed their statement from:

Let us inform you that this is not a false detection. Our LinkScanner
technology detects a real threat, which is Geo-IP and also browser
specific targeted, therefore it is detected only at www.yahoo.co.uk
(IP: ) in Mozilla Firefox web browser only.

Over to:

Unfortunately, the previous AVG Link scanner database might have
detected the mentioned web page as threat. However, after thorough
analysis we can confirm that it was a false alarm. We have released a
new Link scanner update that removes the false positive detection on
this web page. Please update your AVG and check if you are able to
open the web page properly.

As you can also see from that thread, some people received an update this morning but are still having problems on popular sites. My only suggestion is that you update AVG a few more times and hope that they allow you to surf your favorite sites.


* Yes, I’ve submitted feedback about this.

** The way most ads work is that a webpage includes instructions for your computer to say “Hey, you big sexy ad server, give me an ad to display.” when the page is loaded. At that point, the big sexy ad server says “Very well then. Go to ads.example.com and get the ad.”. Your computer then visits ads.example.com, which can return any number of different ads. Some will be perfectly nice ads. Some may be nasty infectious ads. Others will work on one browser and throw errors on another. The site has no control over this. Really, neither does the big, sexy ad server (though it should run its own periodic checks), since the ad that appears at ads.example.com was probably legit when the ad was purchased. The ads that appear are only as reliably legit as the checks in place at that third party ad server.
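Because the page itself never serves the ad, the practical first step for an admin chasing one of these alerts is to inventory which outside hosts the page tells the browser to fetch from, and compare that list against whatever the scanner is flagging. The script below is an added example, not part of the original post or any AVG tool; it runs over a small constructed page rather than a live site, and the blocked-host list is a hypothetical input you would fill in from the alert you received.

```python
# Added example: list the third-party hosts a page pulls content from,
# then check them against a hypothetical blocked-host list.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch from another host.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),
}

class ResourceCollector(HTMLParser):
    """Collect every URL that triggers a fetch when the page loads."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for wanted in FETCH_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)

def third_party_hosts(html, site_host):
    """Return the set of external hostnames the page embeds content from."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        if url.startswith("//"):      # protocol-relative URLs name a host too
            url = "http:" + url
        host = urlsplit(url).hostname  # None for same-site relative paths
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts

def flagged_hosts(hosts, blocked):
    """Hosts that match a blocked domain exactly or as a subdomain."""
    return {h for h in hosts
            if h in blocked or any(h.endswith("." + b) for b in blocked)}

# Constructed sample page; the ad tags and paths are made up for this example.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png">
<script src="http://ads.example.com/tag.js"></script>
<iframe src="//ads.yieldmanager.com/imp?z=1"></iframe>
<script src="https://www.example.org/site.js"></script>
</body></html>"""

if __name__ == "__main__":
    found = third_party_hosts(SAMPLE_HTML, "www.example.org")
    print(sorted(found))
    print(sorted(flagged_hosts(found, {"yieldmanager.com"})))
```

Running it against a saved copy of your own page shows every host the browser will contact on load; the flagged set is what to hand to the ad manager when asking which tag let the bad creative through.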

*** That said, it is kinda interesting to look at all the sites out there listed as infected. For example go here to see an infected site and then bounce up from there into any of the 3 networks that site is hosted on. That will lead you to thousands of other infected listings.
