While searching for virtualization back-up solutions for ESXi, I came accros the following website:
http://joealdeguer.com/backing-up-and-restoring-esxi-virtual-machines/index.php
But the proxy server that filters internet browsing, where I am at the moment, yelled a warning and blocked the page:
(Yes, the is a Squid proxy server powered, and antivirus engine is ClamAV).
As you can see, Clam says "PUA.Script.Packed-1.
Now, let's try VirusTotal for this same URL:
https://www.virustotal.com/en/url/9be98ad47adc382824285f27289bd20cc9f2b71ba1f5761a8c15ecb95b877a1b/analysis/1364141731/
Well... nothing found! even Clam...
| URL Scanner | Result |
|---|---|
| ADMINUSLabs | Clean site |
| AlienVault | Clean site |
| Antiy-AVL | Clean site |
| Avira | Clean site |
| BitDefender | Clean site |
| C-SIRT | Clean site |
| CLEAN MX | Clean site |
| Comodo Site Inspector | Clean site |
| Dr.Web | Clean site |
| ESET | Clean site |
| Fortinet | Unrated site |
| Google Safebrowsing | Clean site |
| K7AntiVirus | Clean site |
| Malc0de Database | Clean site |
| Malekal | Clean site |
| MalwareDomainList | Clean site |
| MalwarePatrol | Clean site |
| Minotaur | Clean site |
| Netcraft | Clean site |
| Opera | Clean site |
| ParetoLogic | Clean site |
| Phishtank | Clean site |
| Quttera | Clean site |
| SCUMWARE.org | Clean site |
| SecureBrain | Unrated site |
| Sophos | Unrated site |
| SpyEyeTracker | Clean site |
| Sucuri SiteCheck | Clean site |
| URLQuery | Unrated site |
| VX Vault | Clean site |
| Websense ThreatSeeker | Unrated site |
| Wepawet | Unrated site |
| Yandex Safebrowsing | Clean site |
| ZDB Zeus | Clean site |
| ZeusTracker | Clean site |
| zvelo | Clean site |
And no, don't tell me it's because it's a PUA, and therefore it's not reported in the main view...! The "additional information" tab says:
| Websense ThreatSeeker URL category Uncategorized. |
| Quttera domain information See Quttera report |
| Sucuri SiteCheck domain information Full threat report |
| Webutation domain information Verdict..................: unsure Adult content............: no Safety score.............: 70 Take a look at the full Webutation review. |
| URL after redirects http://joealdeguer.com/backing-up-and-restoring-esxi-virtual-machines/ |
| Network location to IP address resolution 108.56.209.3 |
| Response code 200 |
| Response headers via: HTTP/1.1 GWA |
| Response content SHA-256 82132433d7fe11cacada4b1a9573c9f2b292702ed7198b89e7078d9a35e1dcf5 |
| Google trends for the term joealdeguer: See full report |
| Alexa daily reach Estimated percentage of global internet users who visit joealdeguer.com: |
Here, OK the URL by itself is not categorized as "malicious", but at least one AV engine (Clam) should trigger a warning on VT, if it really matches the AV regular behavior.
In a nutshell, you may want to try VirusTotal for URL scan, but even if it does not give you any result, I do suggest you to manually download the content targetted by the URL, and then upload it to VirusTotal, to double check.
Small update:
if you download the webpage, save it as " web archive" in IE, and upload that to VT, here are the results:
https://www.virustotal.com/en/file/1d9df59ad8b58e5101361b45b2a4ae06fcea2f9e814acedcc3c335c7a178cc6c/analysis/1364142725/
Yes, there you see that Clam does detect a PUA (additional information tab).
