This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Re: False positive mal/HTMLgen-a

As the top Google hit for "Mal/HTMLGen-A" I thought I'd chime in here.  Sophos users are reporting that they're getting this Mal/HTMLGen-A error for my site:

http://rogerborg.dnsd.me

Which I use solely as a repository for handy images that I link to in other web forums.  Thusly for "rogerborg.dnsd.me/hipster-hulk.jpg", which sums up my feelings about now.

hipster-hulk.jpg

There's also a trivial (single <img>) index.html page, and a robots.txt that denies all.

This is all that the Sophos threat library has to say about this issue:

"Mal/HTMLGen-A is the threat name associated with web pages that have been classified as malicious by SophosLabs.

Web pages blocked by Sophos products as Mal/HTMLGen-A are likely to be used in an infection chain used to infect users with malware"

So it doesn't imply or even suggest any actual infection, it just means that Sophos doesn't much like the look of this site.  Is it because the domain is hosted on a dynamic IP?  The index.html is too simple?  There's a deny robots.txt?  I don't know, and I and the end usesr have no way of knowing.  Telling them that it's infected is deceitful, unhelpful, and alarming.

Poor show, chaps.  Poor show.

:36863


This thread was automatically locked due to age.
Parents
  • Hi Rogerborg,

    First, some history, for the benefit of the rest of the community ...

    1. You added a post (above) to the existing mal/HTMLGen-A thread.
    2. During standard moderation work, I looked at it, and I was immediately given a malware warning.
    3. I asked SophosLabs to take a look, but in the interests of being safe rather than sorry, moved the post with the (apparently) offending links to the SophosTalk quarantine area.
    4. SophosLabs have rescanned your site, and recategorised it as free of threats.
    5. I've put your post back. Unfortuanetly, due to the way the forums platform works, I can't put it back in as a reply, but only as a new thread.

    So, getting down to the real business of this post, it's time for me to apologise for the annoyance and confusion caused. I move content (apart from where it's just in the wrong place) very rarely, as it's not my content. Getting a warning on my screen about mal/HTMLGen-A was sufficient to set the alarm bells going.

    It does occasionally happen that a site has been categorised as showing the presence of malware, but that circumstances change. We at Sophos are always happy to investigate situations like this. So, if you think your site falls into this category, please let us know in this community, or contact Sophos Support direct.

    Apologies again to Rogerborg.

    Best regards,

    spike

    :36923
Reply
  • Hi Rogerborg,

    First, some history, for the benefit of the rest of the community ...

    1. You added a post (above) to the existing mal/HTMLGen-A thread.
    2. During standard moderation work, I looked at it, and I was immediately given a malware warning.
    3. I asked SophosLabs to take a look, but in the interests of being safe rather than sorry, moved the post with the (apparently) offending links to the SophosTalk quarantine area.
    4. SophosLabs have rescanned your site, and recategorised it as free of threats.
    5. I've put your post back. Unfortuanetly, due to the way the forums platform works, I can't put it back in as a reply, but only as a new thread.

    So, getting down to the real business of this post, it's time for me to apologise for the annoyance and confusion caused. I move content (apart from where it's just in the wrong place) very rarely, as it's not my content. Getting a warning on my screen about mal/HTMLGen-A was sufficient to set the alarm bells going.

    It does occasionally happen that a site has been categorised as showing the presence of malware, but that circumstances change. We at Sophos are always happy to investigate situations like this. So, if you think your site falls into this category, please let us know in this community, or contact Sophos Support direct.

    Apologies again to Rogerborg.

    Best regards,

    spike

    :36923
Children
No Data