This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Re: False positive mal/HTMLgen-a

As the top Google hit for "Mal/HTMLGen-A" I thought I'd chime in here.  Sophos users are reporting that they're getting this Mal/HTMLGen-A error for my site:

http://rogerborg.dnsd.me

Which I use solely as a repository for handy images that I link to in other web forums.  Thusly for "rogerborg.dnsd.me/hipster-hulk.jpg", which sums up my feelings about now.

hipster-hulk.jpg

There's also a trivial (single <img>) index.html page, and a robots.txt that denies all.

This is all that the Sophos threat library has to say about this issue:

"Mal/HTMLGen-A is the threat name associated with web pages that have been classified as malicious by SophosLabs.

Web pages blocked by Sophos products as Mal/HTMLGen-A are likely to be used in an infection chain used to infect users with malware"

So it doesn't imply or even suggest any actual infection, it just means that Sophos doesn't much like the look of this site.  Is it because the domain is hosted on a dynamic IP?  The index.html is too simple?  There's a deny robots.txt?  I don't know, and I and the end usesr have no way of knowing.  Telling them that it's infected is deceitful, unhelpful, and alarming.

Poor show, chaps.  Poor show.

:36863


This thread was automatically locked due to age.
Parents
  • Hello Michael,

    I have to admit that I have goofed with the Mal/HTMLGen-A, had Web Protection off on the test machine ... sorry. Indeed the site is blocked. Anyway, Mal/HTMLGen-A is about the site (in this case the TLD uptodown.net) and doesn't mean, as noted in the Detailed Analysis, that a particular URL (like gstatic.uptodown.net/img/logo.png) would deliver a threat. Now, I'm not Sophos - you could submit the mentioned Reassessment Request but if the item which is the cause for the block is still present it won't help at all. Note that uptodown.net is hosted at many locations and one of the hosts could be compromised while the others are clean. In the end the site's owner would have to step in.        

    I don't think though I deserved the somewhat contemptuous reply as my post mainly referred to the Mal/Behav-230 detection - on which you gave no feedback.

    Christian

    :54693
Reply
  • Hello Michael,

    I have to admit that I have goofed with the Mal/HTMLGen-A, had Web Protection off on the test machine ... sorry. Indeed the site is blocked. Anyway, Mal/HTMLGen-A is about the site (in this case the TLD uptodown.net) and doesn't mean, as noted in the Detailed Analysis, that a particular URL (like gstatic.uptodown.net/img/logo.png) would deliver a threat. Now, I'm not Sophos - you could submit the mentioned Reassessment Request but if the item which is the cause for the block is still present it won't help at all. Note that uptodown.net is hosted at many locations and one of the hosts could be compromised while the others are clean. In the end the site's owner would have to step in.        

    I don't think though I deserved the somewhat contemptuous reply as my post mainly referred to the Mal/Behav-230 detection - on which you gave no feedback.

    Christian

    :54693
Children
No Data