Editer l'article Suivre ce blog Administration + Créer mon blog
24 mars 2013 7 24 /03 /mars /2013 17:17

While searching for virtualization back-up solutions for ESXi, I came accros the following website:




But the proxy server that filters internet browsing, where I am at the moment, yelled a warning and blocked the page:


(Yes, the is a Squid proxy server powered, and antivirus engine is ClamAV).


As you can see, Clam says "PUA.Script.Packed-1.


Now, let's try VirusTotal for this same URL:




Well... nothing found! even Clam...


URL Scanner Result
ADMINUSLabs Clean site
AlienVault Clean site
Antiy-AVL Clean site
Avira Clean site
BitDefender Clean site
C-SIRT Clean site
CLEAN MX Clean site
Comodo Site Inspector Clean site
Dr.Web Clean site
ESET Clean site
Fortinet Unrated site
Google Safebrowsing Clean site
K7AntiVirus Clean site
Malc0de Database Clean site
Malekal Clean site
MalwareDomainList Clean site
MalwarePatrol Clean site
Minotaur Clean site
Netcraft Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
Quttera Clean site
SCUMWARE.org Clean site
SecureBrain Unrated site
Sophos Unrated site
SpyEyeTracker Clean site
Sucuri SiteCheck Clean site
URLQuery Unrated site
VX Vault Clean site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Yandex Safebrowsing Clean site
ZDB Zeus Clean site
ZeusTracker Clean site
zvelo Clean site



And no, don't tell me it's because it's a PUA, and therefore it's not reported in the main view...!  The "additional information" tab says:


Websense ThreatSeeker URL category
Quttera domain information
See Quttera report
Sucuri SiteCheck domain information
Full threat report
Webutation domain information
 Verdict..................: unsure Adult content............: no Safety score.............: 70 

Take a look at the full Webutation review.

URL after redirects
Network location to IP address resolution
Response code
Response headers
 via: HTTP/1.1 GWA
x-powered-by: PHP/5.3.10-1ubuntu3.6
x-google-cache-control: remote-fetch
vary: Accept-Encoding
server: Apache/2.2.22
link: <http://wp.me/p2SbCr-cs>; rel=shortlink
date: Sun, 24 Mar 2013 16:15:36 GMT
content-type: text/html; charset=UTF-8
x-pingback: http://joealdeguer.com/xmlrpc.php
Response content SHA-256
Google trends for the term joealdeguer:

See full report
Alexa daily reach
Estimated percentage of global internet users who visit joealdeguer.com:



Here, OK the URL by itself is not categorized as "malicious", but at least one AV engine (Clam) should trigger a warning on VT, if it really matches the AV regular behavior.


In a nutshell, you may want to try VirusTotal for URL scan, but even if it does not give you any result, I do suggest you to manually download the content targetted by the URL, and then upload it to VirusTotal, to double check.



Small update:


if you download the webpage, save it as " web archive" in IE, and upload that to VT, here are the results:


Yes, there you see that Clam does detect a PUA (additional information tab).

Partager cet article