This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Re: False positive mal/HTMLgen-a

As the top Google hit for "Mal/HTMLGen-A" I thought I'd chime in here.  Sophos users are reporting that they're getting this Mal/HTMLGen-A error for my site:

http://rogerborg.dnsd.me

Which I use solely as a repository for handy images that I link to in other web forums.  Thusly for "rogerborg.dnsd.me/hipster-hulk.jpg", which sums up my feelings about now.

hipster-hulk.jpg

There's also a trivial (single <img>) index.html page, and a robots.txt that denies all.

This is all that the Sophos threat library has to say about this issue:

"Mal/HTMLGen-A is the threat name associated with web pages that have been classified as malicious by SophosLabs.

Web pages blocked by Sophos products as Mal/HTMLGen-A are likely to be used in an infection chain used to infect users with malware"

So it doesn't imply or even suggest any actual infection, it just means that Sophos doesn't much like the look of this site.  Is it because the domain is hosted on a dynamic IP?  The index.html is too simple?  There's a deny robots.txt?  I don't know, and I and the end usesr have no way of knowing.  Telling them that it's infected is deceitful, unhelpful, and alarming.

Poor show, chaps.  Poor show.

:36863


This thread was automatically locked due to age.
  • Hi Rogerborg,

    First, some history, for the benefit of the rest of the community ...

    1. You added a post (above) to the existing mal/HTMLGen-A thread.
    2. During standard moderation work, I looked at it, and I was immediately given a malware warning.
    3. I asked SophosLabs to take a look, but in the interests of being safe rather than sorry, moved the post with the (apparently) offending links to the SophosTalk quarantine area.
    4. SophosLabs have rescanned your site, and recategorised it as free of threats.
    5. I've put your post back. Unfortuanetly, due to the way the forums platform works, I can't put it back in as a reply, but only as a new thread.

    So, getting down to the real business of this post, it's time for me to apologise for the annoyance and confusion caused. I move content (apart from where it's just in the wrong place) very rarely, as it's not my content. Getting a warning on my screen about mal/HTMLGen-A was sufficient to set the alarm bells going.

    It does occasionally happen that a site has been categorised as showing the presence of malware, but that circumstances change. We at Sophos are always happy to investigate situations like this. So, if you think your site falls into this category, please let us know in this community, or contact Sophos Support direct.

    Apologies again to Rogerborg.

    Best regards,

    spike

    :36923
  • Hello,

    My website : http://www.jobseeker.gr reported as containing malware by virustotal.com (1/53) :

    Sophos URL description
    URL subjected to threat Mal/HTMLGen-A.

    Sophos domain informationThe URL host was subjected to threat Mal/HTMLGen-A.

    I have been already contact sophos support for false positive reporting at least twice without an information.

    Please re-investigate and inform me about http://www.jobseeker.gr

    Best Regards,

    Panagiotis

    :47729
  • Hi. I have the same issue.

    cleverhosting.com.ua

    where is a virus? help me to find... i see nothing in code... 

    :48194
  • I have the same problem on http://lab.fs.uni-lj.si/matematika/new/

    Sophos also gives a warning when I want to download any pdf: http://lab.fs.uni-lj.si/matematika/datoteke/m1/izpiti/060214.pdf 

    Only Wordpress with a few standard plugnis is installed.

    :49096
  • my site sophos block too!

    velobest.ru

    Virustotal say: 

    Sophos URL description

    URL subjected to threat Mal/HTMLGen-A.

    But its Clear!

    :49392
  • Funny story:

    Remember good old 'File Manager' (winfile.exe) from Windows 3.1, 95 and NT4 days?

    Up until a few years ago, upon a brand new install of Windows XP, with the 32 bit File Manager installed into the Windows directory, and then an install of the-then current version of Sophos, it would immediately detect and declare and quarantine File Manager as being a Mal/Gen-A virus. I used to laugh that Sophos detected a Microsoft written product as being viral. ...and then I just had to stop all Sophos's services. Was a right royal pain.

    But after sending report upon report and request upon request to Sophos, they finally fixed their signature code for File Manager.

    :49396
  • Hi,

    I just got a static IP address of the provider for the application I host on the web. As soon as I released the application on this address, users who use Sophos as we began to occur with this problem.

    High Risk Website Blocked

         Location: 77.78.197.50
         Access has been blocked as the threat Mal / HTMLGen-A has been found on this website.
         Return to the page you were previously viewing.

    Is there anything I can do?

    Thanks

    :49892
  • Hi,

    I'm being blocked from accessing genesis.domains.com by Sophos.  I put in a request for reassessment a couple of weeks ago but have heard nothing.  I'm trying to reactivate an old domain but am unable to do so because the site is blocked.  I contacted the registrar by phone and according to them, it must be a false positive because there is no malware on the site.  As I'm trying to reactivate the domain for business purposes, being unable to do so is of course causing us mucho dinero.

    Any answer to the problem would be much appreciated.

    :52711
  • Hi Sandy,

    Thanks for responding.  I didn't speak to anyone at Sophos but rather to someone at the domain registrar.  The website that I'm trying to access that is being blocked is genesisdomains.com.  I wonder if it is possible that it is being confused with another website.

    Thanks,

    Stormy

    :52757
  • Hi Sandy,

    Thanks for the response.  

    Yes I previously put in two requests for reassessment after reading the article and by using the form at the link you provided.  Since you don't acknowledge requests, how would I know if the reassessment has taken place?  Also, is it possible that this site genesisdomains.com is being confused with genesisdomain.com (without the "s" at the end) as I suspect that the second site is bogus.

    I purchase a domain from this particular registrar a few years ago and now I want to transfer it to another registrar to launch our new webiste.  To do that, I need to be able to access genesisdomains.com to put through the request.  Is there anyway you can suggest to fix this problem?

    thanks,

    Stormy

    :52799