F-Secure gone wild with blocking websites

All of a sudden yesterday F-Secure started blocking multiple web sites as harmful. These include sites that I have used for a long time, some even for years. For example, when trying to access www.policymic.com, I get a notification saying that harmful webpage, http://js-agent.newrelic.com/nr-100.js, has been blocked. In several instances the reference is to some apis.google.com address. What is going on? Why are, for example, my local news sites such as yle.fi or mtv.fi all of a sudden supposedly harmful? And why is the address that F-Secure reports to have blocked not the same as the one I was in fact trying to access (i.e. js-agent.newrelic.com vs. policymic.com in the above example)? I have not installed anything new lately, in fact, I have a separate account for admin rights and usually browse the web as a regular user without admin rights for this computer.

 

I'm ashamed to admit, I know very little about these things. Any help would be very much appreciated!

Answers

  • SimonSimon Posts: 2,582

    I'm having the same problem this morning, but with Malwarebytes blocking all of Google.com's IPs, from 173.194.41.176-180.  There's a post on MWB's forums saying it's 'Not a F/P", which I assume to mean not a false positive, but no further information is given, and I can't even join the forum to ask, as the stupid security code box requires when registering isn't visible in any browser I've tried!

     

    F-Secure, perhaps coincidentally, found one item of 'Riskware' this morning, so I've since been frantically scanning with all sorts of adware / malware scanners, all of which have come up clean.

     

    As Google.com is also being blocked by MWB on my laptop, I've concluded that it's not a local infection, but it would be useful to know what's going on.

     

  • SimonSimon Posts: 2,582

    By the way, I'm even getting alerts when on this forum, so I'm assuming there must be some sort of association with Google.com somewhere.

     

    Incidentally, Google.co.uk is not affected.

  • EmEm Posts: 4

    Thank you, Simon, for your reply. Good to know at least that it's nothing I did!

  • NikKNikK Posts: 931

    I tried all sites you both mentioned including the .fi ones. No sites blocked. At least not a "visible" block.

    When I check the statistics for Online Safety and change from All to Day it says only 1 potentially harmful block. As it was no visual block that I could see, it's probably a .js file or similar (javascript)

    OSstats.png

     

    Em, what does the statistics say on your PC?

    And the notification you get, does is look something like this?

    BPblocked.png

  • SimonSimon Posts: 2,582

    My F-Secure shows no sites blocked today either.  Perhaps it's just a coincidence that MWB is blocking Google.com at the moment? 

     

    Nik, do you have MWB, and is it blocking the IP range I mentioned above?

  • EmEm Posts: 4

    This is embarrassing, but I cannot find any statistics on blocked web sites from my F-Secure. The only statistics I can find look like this ("tilastot" is statistics in Finnish): F-S-tilastot.PNG

     

    The notification I get looks similar, although it's in Finnish:

    F-S.PNG

  • NikKNikK Posts: 931

    I just noticed that MWB haven't been updated in 2 days. I updated and guess what, those Google IPs are now blocked by MWB!

     

    The person saying on MWB forum that it's not a FP has not explained why, but I guess we have to assume these sites are not safe for now.

     

    Em, when you launch F-Secure, click on Online Safety and not Computer Security. Then Settings, and Statistics.

  • SimonSimon Posts: 2,582
    I'm surprised there's not more about this on the MWB forums, as it must be affecting lots of users.
  • Just noticed the same issue suddenly, e.g. articles on http://hs.fi are getting blocked because F-secure prevents loading of https://apis.google.com/js/plusone.js which is apparently the JS code used by the Google+ social button.

  • SimonSimon Posts: 2,582

    I've noticed this morning that google.com is now redirecting to google.co.uk for me. 

  • NikKNikK Posts: 931

    Em, maybe it's different in Business products to find the online statistics. I see you have Client Security.

     

    I tried all sites again today and nothing blocked.

     

     

  • EmEm Posts: 4

    NiikK: Yeah, I was wondering if that could explain it as I have gone over everything I can come up with and still cannot find the statistics you were asking for. My F-Secure is provided to me on my personal laptop courtesy of my University.

     

    I'm in a bit of a rush right now, but at the moment at least policymic.com seems to work again, however, for example, youtube does not work.

     

    ps. Can anyone hint me towards an internet resourse that could help me understand all this stuff? I.e. material that is written to, well, idiots. I would very much appreciate some approapriate links! I hate being so helpless whenever something goes wrong, that's not how it should go.

  • NikKNikK Posts: 931

    For Home versions you can download User Guides, but I don't know about Business versions. What you can do is click help (a picture with a question mark) in the F-Secure application. From there you can browse the content or search, to get more information about how the product or a specific function works.

     

    The .js harmful files you encountered is only a small part of a web site. Certain web sites can use hundreds of javacripts from entirely different locations/web sites. If a javascript is blocked it can affect some functionality on the page but it's not necessarily a visible one. For example: everything looks like usual but when you click a button nothing happens because that particular javascript was blocked.

     

    That YouTube doesn't work sounds strange. I can't see any problems with it. It could be an ad or something that is blocked on it.

     

    Don't know if this would be helpful or confusing, but if you're curious you can enable Developer Tools in the browser, F12 in Internet Explorer or Ctrl+Shift+Q in Firefox. A short example from policymic.com where I've highlighted a javascript from another web site:

    F12.png

     

    I use https://www.virustotal.com to scan both files and URLs (web addresses). It's a multi-engine scanner with currently about 50 different anti-virus(AV) engines. F-Secure is one of these engines when you scan a file, but not when you scan a URL (don't know why)

    It's safer scanning with 50 than only one, right? Smiley Wink  For example a scan for www.policymic.com gives the detection ratio 0 out of 53 scanners, while js-agent.newrelic.com/nr-100.js gives 1/53. It seems that .js reference is now removed from policymic.com so it's now "clean".

     

    I think the important things to know about multi scanners in particular is that it increases the risk for false positives(FPs) which means it wrongly identifies a site or a file as malicious. So if the results are only 1/53 chances are it's still clean.

    Also the results can change more quickly than scanning with only one AV.

  • BenBen Posts: 2,640

    Hello all,

     

    The issue you experienced was most certainly a false positive.
    Are you still experiencing any problem(with youtube for example)?

    Some trusted websites might indeed get blocked due to the add that are shown on the websites.
    When an add is serving out malicious ad's (Or in the case of an FP believed to be malicious) the whole of the pages that display ad's from them might get flagged.
    In most cases the pages are safe just that the ad's are not or in this case might have been a false positive.

    Concerning the statistics they are indeed not shown similarly on our corporate products(Which Client security is as pointed by @NikK).

     

     

    Thank you

  • RusliRusli Posts: 991

    If F-Secure accidently blocking the URL site.

     

    This is a must!

     

    Report the matter to the  F-Secure SAS team immediately.

     

    By submitting a false positive URL to this link.

     

    https://analysis.f-secure.com/portal/login.html

     

    Register your account from the link above and log in, so that F-Secure SAS team can response to your reply if you have any link that have been block accidently by F-Secure.

     

     

    {{ Please Click on Kudos button , if it solve your problems }}

     

    Ukko
This discussion has been closed.