Helping people with computers... one answer at a time.

A recent newsletter surfaced warnings from a couple of security services. As a result, we'll look at what false positives are, and what to do.

When I click some of the "continue reading" links in today's newsletter McAfee SiteAdvisor warns me that:

mm.chitika.net/minimall?w=300 may cause a breach of browser security. Why were you redirected to this page? When we tested, this site attempted to make unauthorized changes to our test PC by exploiting a browser security vulnerability. This is a serious security threat which could lead to an infection of your PC.

What is going on with this?

AVAST POTENTIAL VIRUS ALERT was received when your newsletter was coming into my mailbox. Here is what the alert said:

"Sender: "Leo Notenboom - Ask Leo!" <leo@ask-leo.com>
Recipient: *****
Subject: Leo's Answers #179 - May 19, 2009

***
Target of remote iframe:
(You can permit them using "Permitted URLs" button)
rcm.amazon.com

WHAT DOES THIS MEAN? Has someone put a virus in your stuff and you don't know it?

I got those two questions in response to a recent newsletter.

First, there is no malicious code involved at all. Period. I want to be very clear on that. My site's not been hacked and my newsletter's as safe as always. In fact, there's actually nothing wrong.

But two changes I made this week expose one of the frustrating side effects of some security software: the dreaded "false positive".

Let me explain what I did, why some security software might be alerting on it, why this can happen to any site or provider, and finally ... what you should do about it.

Let's start with the first one:

mm.chitika.net/minimall?w=300 may cause a breach of browser security.

This week I began running a trial of a new advertising provider, Chitika. Chitika has been around for a long time, and I trust them completely. In researching this issue I heard from their Vice President who also assured me that there was simply no way that their ads would have or involve malware of any form.

"My site's not been hacked and my newsletter's as safe as always."

And, as I said, I believe them.

They were the victims of what's known as a "false positive" - a trustworthy site or service being erroneously flagged as suspicious by security software.

Why?

There are two typical reasons:

  • Errors in the database. It's often unclear how services like SiteAdvisor make their determination, but it's not unexpected that they might make mistakes. Typically, these errors get cleaned up fairly rapidly, but while they're out there they're ... well, they're out there - falsely flagging safe sites as suspicious.

  • Out of date databases. Much like anti-malware software, some of these services cache their databases on your machine. That means that even if the "master" database controlled by the service is up to date, the local copy on your machine may not be. How you ensure that it is (or even if one is used) depends entirely on the specific service you're using.

Now, about that second one:

Target of remote iframe: ... rcm.amazon.com

In this week's newsletter I added a new feature, "What I'm Reading", which includes a small box off to the right with an image of the book, and a link to Amazon. The problem is that the technique used to generate that box (in HTML terms, an "iframe") is apparently considered a possible attack vector by avast!.

In my case, it's not. Period.

But I suppose it's a valid thing to warn about, though screaming "POTENTIAL VIRUS ALERT" seems a tad excessive. So while I might quibble with avast!'s approach, the logic they're using is at least plausible.

What I've done.

  1. I've temporarily removed Chitika from my site. I trust them, they're a good advertising service, but my reputation is more important. It's more important that you trust me, and sadly that means that even false positives can lead me to this action. It's not fair to Chitika, but it's the only real recourse I have at this point.

  2. I'll not be using an "iframe" in my next newsletter to show you what I'm reading. I can use other techniques that shouldn't cause avast! any further fits.
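To make the avast! warning above concrete, here is an added example (not code from Ask Leo! or from avast!) of the kind of heuristic it applied: scan an HTML message for remote iframes and report their target hosts, with a "permitted" list playing the role of the "Permitted URLs" button. The two sample messages are constructed for illustration; the only hostname taken from the article is rcm.amazon.com.

```python
"""Toy remote-iframe heuristic for HTML mail (added example, not from the
article). It flags <iframe src=...> elements pointing at a remote host and
shows that the same "What I'm Reading" box built from a plain image and
link does not trigger it. Sample messages below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteIframeScanner(HTMLParser):
    """Collects the hosts targeted by <iframe src=...> elements."""

    def __init__(self):
        super().__init__()
        self.iframe_hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        src = dict(attrs).get("src", "")
        host = urlparse(src).hostname
        if host:  # only remote targets count; relative sources are ignored
            self.iframe_hosts.append(host)


def scan_html_mail(html, permitted=()):
    """Return the remote iframe hosts that are not on the permitted list.
    An empty result means the message passes this heuristic."""
    scanner = RemoteIframeScanner()
    scanner.feed(html)
    return [h for h in scanner.iframe_hosts if h not in permitted]


# Constructed sample: the book box done with a remote iframe, the technique
# the article says the flagged newsletter used.
IFRAME_VERSION = """<p>What I'm Reading</p>
<iframe src="http://rcm.amazon.com/e/cm?t=example"
        width="120" height="240" frameborder="0"></iframe>"""

# Constructed sample: the same box as a static image and link, the sort of
# alternative the article says it will switch to (no iframe involved).
STATIC_VERSION = """<p>What I'm Reading</p>
<a href="https://www.amazon.com/dp/EXAMPLE"><img src="cid:cover.jpg"
   width="120" alt="book cover"></a>"""

if __name__ == "__main__":
    print(scan_html_mail(IFRAME_VERSION))                                # ['rcm.amazon.com']
    print(scan_html_mail(IFRAME_VERSION, permitted={"rcm.amazon.com"}))  # []
    print(scan_html_mail(STATIC_VERSION))                                # []
```

The permitted list is what makes this a reputation decision rather than a virus detection: the iframe itself is ordinary HTML, and the scanner can only say where it points, not what is served there.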

What you should do.

I'm not a big fan of McAfee's SiteAdvisor, for the very reasons you might expect. This isn't the first time I've experienced false positives from people using the tool, and I do periodically hear from others experiencing the same thing.

There are other technologies out there, such as Web of Trust, that perform similar services, though I do not have any data that says how good they are or aren't. (Though not hearing about false positives is a good start.)

I tend to run without either, and typically suggest relying on common sense and healthy skepticism instead. However, I realize that common sense isn't always common, and healthy skepticism is rare.

So.

Much as it pains me, the conclusion I'm forced to come to is simply this: pay attention to the tools anyway, even if they steer you away from safe sites. Yes, even if that means mine.

I'd rather have you be safe than sorry.

And if you run across a site that you're shocked would be considered malicious (like, say, this one), then let the site owner know. (As many of you did, for which I thank you.)

The site owner can often take action, as I have, to mitigate the impact of false positives, and if needed contact the offending parties to hopefully resolve the issue.

Article C3737 - May 21, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


11 Comments
john
May 26, 2009 9:21 AM

Well, AVAST warned me of a TROJAN in you email .

That's NOT what it says here.

george
May 26, 2009 9:30 AM

My windows live hotmail flags your e-mails as questionable.

Specifically how do I permanently fix this.

I have already clicked on the warning that your site is safe - still get warning.

In Hotmail: Options, More Options, Safe and blocked senders, Safe senders - add leo-at-ask-leo.com (replace -at- with @) to that list.
- Leo
28-May-2009
Victoria German
May 26, 2009 9:31 AM

I received the same warning about Chitika causing browser problems. I had previously used the site with no problems. I just waited about 2 or 3 days and clicked on the site again with no warnings or problems of any kind.

Jerry
May 26, 2009 9:59 AM

This is somewhat off topic, but I need to add that I don't trust McAfee... no how, no way. A botched installation of a McAfee upgrade resulted in my spending over $300 to have my PC repaired. I went round and round with McAfee about it and they finally just stopped responding.

My point here is that anything (capital ANY THING) that gets so deeply intertwined with your system software that it needs special software and procedures to fully remove it should itself not be trusted because if it (i.e. McAfee) makes a mistake, it's YOUR headache.

Dave Markley
May 26, 2009 10:46 AM

I use and have sworn by AVG Anti-virus for years. Having a PC repair business, I'd say 30% to 50% of the problems I see are virus-related. With that said, I've heard many, many people complain about false-positives when using AVG. By default, AVG employs 'Heuristic scanning', which doesn't only scan for particular 'known' threats, but also heuristic threats, or any code that acts similar to known malicious code like .exe, .dll's etc. You can turn off this feature by unchecking the 'use heuristics' box under e-mail scanning in the advanced settings under 'tools'. I imagine many other anti-virus programs have a similar feature.

whs
May 26, 2009 12:32 PM

Ya, I run the McAfee site advisor too and it seems to be very picky. I had a few false positives on sites like howtogeek.com/forum which I visit daily and where I have nearly 9000 postings. Even on a site of a big German computer mag. So as you said, take it with a grain of salt and use common sense.

Margaret Louk
May 26, 2009 2:05 PM

I used to have Nortons but it got to the point everything was considered a threat. I switched to Trend and it is somewhat better except they keep disabling 2 of my games I bought from a very reputable site EA. Seems like all of them are flawed.

Gigi
May 27, 2009 12:33 AM

Since iFrames are a threat only to IE users just switch to a different browser. I use Opera and Avast and i never had a warning relating to Leo, of any kind.
Chitika was flagged because they used to employ tracking cookies - don't know if they still do it, I've blocked them in my URL filter - but this is practically harmless.

Jostein
May 27, 2009 1:15 AM

I am using Mozilla Thunderbird, and for every newsletter email I have got a warning that it could be a possible fraud - up to this last newsletter where I got no warnings! Even If I trusted Leo the changes in the newsletter removed this irritating warning for me :-)

Dave
May 27, 2009 6:28 AM

Interesting reading with reference to Leo's site being flagged - false positive. If a service is employed and that service uses tracking cookies then I would regard that as a serious breach to my privacy. Leo, I must congratulate you for taking the immediate and positive DECISION to withdraw the use of IFrame. Incidentally, I use Avast on one of my PCs and I have had no problems. Good to be security aware, but the end user must also try and learn a little bit beyond the warnings.
Keep up the good work, Leo.

billkennedy
May 27, 2009 12:13 PM

I am trying to learn as much as I can
so far no warnings
