Re: False positive mal/HTMLgen-a

As the top Google hit for "Mal/HTMLGen-A" I thought I'd chime in here.  Sophos users are reporting that they're getting this Mal/HTMLGen-A error for my site:

http://rogerborg.dnsd.me

Which I use solely as a repository for handy images that I link to in other web forums.  Thusly for "rogerborg.dnsd.me/hipster-hulk.jpg", which sums up my feelings about now.

hipster-hulk.jpg

There's also a trivial (single <img>) index.html page, and a robots.txt that denies all.

This is all that the Sophos threat library has to say about this issue:

"Mal/HTMLGen-A is the threat name associated with web pages that have been classified as malicious by SophosLabs.

Web pages blocked by Sophos products as Mal/HTMLGen-A are likely to be used in an infection chain used to infect users with malware"

So it doesn't imply or even suggest any actual infection, it just means that Sophos doesn't much like the look of this site.  Is it because the domain is hosted on a dynamic IP?  The index.html is too simple?  There's a deny robots.txt?  I don't know, and I and the end users have no way of knowing.  Telling them that it's infected is deceitful, unhelpful, and alarming.

Poor show, chaps.  Poor show.

  • Hi Rogerborg,

    First, some history, for the benefit of the rest of the community ...

    1. You added a post (above) to the existing mal/HTMLGen-A thread.
    2. During standard moderation work, I looked at it, and I was immediately given a malware warning.
    3. I asked SophosLabs to take a look, but in the interests of being safe rather than sorry, moved the post with the (apparently) offending links to the SophosTalk quarantine area.
    4. SophosLabs have rescanned your site, and recategorised it as free of threats.
    5. I've put your post back. Unfortunately, due to the way the forums platform works, I can't put it back in as a reply, but only as a new thread.

    So, getting down to the real business of this post, it's time for me to apologise for the annoyance and confusion caused. I move content (apart from where it's just in the wrong place) very rarely, as it's not my content. Getting a warning on my screen about mal/HTMLGen-A was sufficient to set the alarm bells going.

    It does occasionally happen that a site has been categorised as showing the presence of malware, but that circumstances change. We at Sophos are always happy to investigate situations like this. So, if you think your site falls into this category, please let us know in this community, or contact Sophos Support direct.

    Apologies again to Rogerborg.

    Best regards,

    spike

  • Hello,

    My website, http://www.jobseeker.gr, is reported as containing malware by virustotal.com (1/53):

    Sophos URL description
    URL subjected to threat Mal/HTMLGen-A.

    Sophos domain information
    The URL host was subjected to threat Mal/HTMLGen-A.

    I have already contacted Sophos support for false positive reporting at least twice without any information.

    Please re-investigate and inform me about http://www.jobseeker.gr

    Best Regards,

    Panagiotis

  • Hi. I have the same issue.

    cleverhosting.com.ua

    Where is the virus? Help me find it... I see nothing in the code...

  • I have the same problem on http://lab.fs.uni-lj.si/matematika/new/

    Sophos also gives a warning when I want to download any pdf: http://lab.fs.uni-lj.si/matematika/datoteke/m1/izpiti/060214.pdf 

    Only WordPress with a few standard plugins is installed.

  • Sophos blocks my site too!

    velobest.ru

    VirusTotal says:

    Sophos URL description

    URL subjected to threat Mal/HTMLGen-A.

    But it's clear!

  • Funny story:

    Remember good old 'File Manager' (winfile.exe) from Windows 3.1, 95 and NT4 days?

    Up until a few years ago, upon a brand new install of Windows XP, with the 32 bit File Manager installed into the Windows directory, and then an install of the-then current version of Sophos, it would immediately detect and declare and quarantine File Manager as being a Mal/Gen-A virus. I used to laugh that Sophos detected a Microsoft written product as being viral. ...and then I just had to stop all Sophos's services. Was a right royal pain.

    But after sending report upon report and request upon request to Sophos, they finally fixed their signature code for File Manager.

  • Hi,

    I just got a static IP address from the provider for the application I host on the web. As soon as I released the application on this address, users who use Sophos, as we do, began to encounter this problem.

    High Risk Website Blocked

         Location: 77.78.197.50
         Access has been blocked as the threat Mal / HTMLGen-A has been found on this website.
         Return to the page you were previously viewing.

    Is there anything I can do?

    Thanks

  • Hi,

    I'm being blocked from accessing genesis.domains.com by Sophos.  I put in a request for reassessment a couple of weeks ago but have heard nothing.  I'm trying to reactivate an old domain but am unable to do so because the site is blocked.  I contacted the registrar by phone and according to them, it must be a false positive because there is no malware on the site.  As I'm trying to reactivate the domain for business purposes, being unable to do so is of course causing us mucho dinero.

    Any answer to the problem would be much appreciated.

  • Hi Sandy,

    Thanks for responding.  I didn't speak to anyone at Sophos but rather to someone at the domain registrar.  The website that I'm trying to access that is being blocked is genesisdomains.com.  I wonder if it is possible that it is being confused with another website.

    Thanks,

    Stormy

  • Hi Sandy,

    Thanks for the response.  

    Yes I previously put in two requests for reassessment after reading the article and by using the form at the link you provided.  Since you don't acknowledge requests, how would I know if the reassessment has taken place?  Also, is it possible that this site genesisdomains.com is being confused with genesisdomain.com (without the "s" at the end) as I suspect that the second site is bogus.

    I purchased a domain from this particular registrar a few years ago and now I want to transfer it to another registrar to launch our new website.  To do that, I need to be able to access genesisdomains.com to put through the request.  Is there any way you can suggest to fix this problem?

    thanks,

    Stormy

  • I just got these mal/htmlgen-a errors:

    20141105 231035 Blocked web request to "gstatic.uptodown.net/img/logo.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 231036 Blocked web request to "img.uptodown.net/icons/android-x86.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 231038 Blocked web request to "gstatic.uptodown.net/v9/btn_pizza_v8.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 233805 Blocked web request to "img.uptodown.net/icons/virtualbox-3-1-4.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 233806 Blocked web request to "gstatic.uptodown.net/img/logo.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 233826 Blocked web request to "img.uptodown.net/icons/virtualbox-3-1-4.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 233826 Blocked web request to "gstatic.uptodown.net/blog/facebook.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 233940 Blocked web request to "img.uptodown.net/icons/virtualbox-3-1-4.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
    20141105 233940 Blocked web request to "gstatic.uptodown.net/blog/rss.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.

    I assume it is a false positive from http://blog.en.uptodown.com/virtualize-android-x86-virtualbox/

    Thanks,

    Michael

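To make sense of block entries like the ones Michael posted, it helps to parse them and aggregate by host and by the site the threat name is actually attached to. The following parser is an added example, not code from the thread or from Sophos; it assumes the exact line layout quoted above and uses a naive "last two labels" rule to derive the site from a hostname.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: three of the log lines quoted in the post, with the
# (domain)\(user) placeholders left as they appear there.
SAMPLE_LOG = """\
20141105 231035 Blocked web request to "gstatic.uptodown.net/img/logo.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
20141105 231036 Blocked web request to "img.uptodown.net/icons/android-x86.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
20141105 233805 Blocked web request to "img.uptodown.net/icons/virtualbox-3-1-4.png" (linked from "blog.en.uptodown.com/virtualize-android-x86-virtualbox") for user (domain)\\(user). 'Mal/HTMLGen-A' has been found at this website, reference ID 91105722.
"""

# One regex for the whole line; any line that does not match is skipped rather than guessed at.
LINE_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) Blocked web request to "(?P<url>[^"]+)"'
    r' \(linked from "(?P<referrer>[^"]+)"\) for user (?P<user>\S+)\.'
    r" '(?P<threat>[^']+)' has been found at this website, reference ID (?P<ref>\d+)\.$"
)

def registrable_domain(host):
    # Assumption: last two labels are the site (fine for .net/.com, wrong for e.g. .co.uk).
    return ".".join(host.split(".")[-2:])

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["host"] = urlsplit("//" + d["url"]).hostname   # URLs in the log carry no scheme
    d["site"] = registrable_domain(d["host"])
    return d

def summarise(text):
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {
        "events": len(events),
        "threats": sorted({e["threat"] for e in events}),
        "reference_ids": sorted({e["ref"] for e in events}),
        "by_site": Counter(e["site"] for e in events),   # site-level view: what the block is about
        "by_host": Counter(e["host"] for e in events),   # per-host view: which CDN hosts were hit
        "referrers": sorted({e["referrer"] for e in events}),
    }

if __name__ == "__main__":
    for k, v in summarise(SAMPLE_LOG).items():
        print(k, dict(v) if isinstance(v, Counter) else v)
```

Seeing every event share one threat name, one reference ID and one site while the blocked URLs differ is what distinguishes a site-level categorisation from a detection on a specific file.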
  • I am also getting these messages in windows Event Viewer:

    File "C:\Windows\Temp\5296df35-1dce-4155-b4b5-098df578374b\tmp00005151\tmp00033c21" belongs to virus/spyware 'Mal/Behav-320'.

    Unfortunately your virus scanner is too fast so I cannot grab a copy of the file. This seems to happen intermittently, the last time being Friday 11/7/2014. I assume this too is a false positive. As I have run the Sophos Virus Removal Tool twice, third time right now, and so far nothing has been found.

    Thanks,

    Michael

  • Hello Michael,

    I can't say whether it was an FP or not; at present the images mentioned in your previous post can be accessed.

    Mal/Behav-230 is a generic detection. What makes you think this is a false positive? If the scanner has successfully dealt with it then there'll be nothing SVRT could detect as it uses the same detection data. If it has been cleaned up (removed) by the scanner you'll find a corresponding message in the AV log. With appropriate cleanup settings it is possible to obtain a sample and submit it to Labs (details can be found following the link on the analysis' Summary page).

    Christian

  • Sorry but I gave you the link to the web site, URL, so you can get the images and check them just as easily as I can.

  • Hello Michael,

    I have to admit that I have goofed with the Mal/HTMLGen-A, had Web Protection off on the test machine ... sorry. Indeed the site is blocked. Anyway, Mal/HTMLGen-A is about the site (in this case the TLD uptodown.net) and doesn't mean, as noted in the Detailed Analysis, that a particular URL (like gstatic.uptodown.net/img/logo.png) would deliver a threat. Now, I'm not Sophos - you could submit the mentioned Reassessment Request but if the item which is the cause for the block is still present it won't help at all. Note that uptodown.net is hosted at many locations and one of the hosts could be compromised while the others are clean. In the end the site's owner would have to step in.

    I don't think though I deserved the somewhat contemptuous reply as my post mainly referred to the Mal/Behav-230 detection - on which you gave no feedback.

    Christian
