su2.ff.avast.com - being blocked

[spimby]

Hello,

 

Today multiple people in my house (all using Avast! Antivirus) are getting a malicious website blocked message for the site su2.ff.avast.com .  I'm assuming this is a false positive?

 

Thanks!

[MysteryFCM]

Please post the actual IP being blocked.

[daledoc1]

Sorry to intrude.

It looks -- from this related thread in other sub-forum -- as if it might be:
 

92.242.140.21

Thanks!

https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/

[MysteryFCM]

hehe yep, just replied to it

 

That IP isn't associated with Avast (never has been), and curiously, su2.ff.avast.com doesn't resolve here (its NXDOMAIN). Their hostnames are usually found residing on their own IP space (last seen on 77.234.43.60)

[spimby]

Sorry to intrude.

It looks -- from this related thread in other sub-forum -- as if it might be:

 

https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/

 

Correct.  The IP address I'm seeing is 92.242.140.21

 

[MysteryFCM]

Just to clarify, 92.242.140.21 belongs to a known DNS hijacker (Verizon users will no doubt have seen this particular one before for example, as they were using Barefruit (the company that owns the IP) to redirect NXDOMAIN (non-resolving hostnames) to their own "search" pages/portals).

[blackbow]

Sorry if this is a dumb question, but like I posted in my other topic (since I'm new-ish to Windows) -- do I need to be concerned? I've run full scans of both MBAM and Avast; both came up clean.

[MysteryFCM]

Please follow the instructions at:

 

https://forums.malwarebytes.org/index.php?/topic/9573-im-infected-what-do-i-do-now/

[MsKarma]

We are also avast and MB users with this same error popping up all day from 92.242.140.21 .... sorting through a long list of threads for something to let me know what to do ..... it feels like a needle in a haystack at the moment.

[redwolfe_98]

it is an avast-issue.. the avast program is trying to make connections to "su2.ff.avast.com" but "su2.ff.avast.com" does NOT resolve to an IP address and therefore the connection is redirected to the "92.242.140.21" IP address which is being flagged by the MBAM program..

 

y'all need to take up this issue with avast.. tell avast that the avast program is trying to make connections to "su2.ff.avast.com" but "su2.ff.avast.com" does not resolve to an IP address and, so, the connection is redirected to the "92.242.140.21" IP address which is flagged by the MBAM program..

[MysteryFCM]

As mentioned, this is an Avast issue (at least partially), due to the use of a hostname that does not resolve (and hasn't done for months), consequently, and depending on ISPs, configs etc, this results in the resolution and subsequent redirection, to content on a Barefruit IP that has no relation to Avast.

 

One of two things that can be done in the meantime;

 

1. Add the following to the HOSTS file and either wait for or hope, Avast updates the DNS record or updates the software;

77.234.41.65 su2.ff.avast.com

2. Change your DNS provider (e.g. to Google (8.8.8.8, 8.8.4.4), OpenDNS (208.67.220.220, 208.67.222.222))

[stereo55]

Same problem as others which just started for me today, and Iam also avast and verizon/fios user .

 

As mentioned it being an Avast thing , of which a very simular problem has happened in the past with Avast . With any luck next update will clear it up 'cause the constant pop-ups are driving me crazy !

[Soozy]

Same thing is happening to me also.

Not only am I seeing it with Avast, but also AOL Topspeed, Viewpoint.

I also use Verizon FIOS and this only started at mid day today.

[DKL]

I have the same issue, although with Facebook urls instead of Avast. I also use Verizon FIOS. I do not use Avast at the moment, although I am using Premium Malwarebytes and it gives numerous pop ups.

 

@MysteryFCM How do I do that exactly?

[MrCharlie]

Changing your DNS provider should fix the problem:

Change your DNS provider to OpenDNS or Google

OpenDNS use: 208.67.220.220 and 208.67.222.222
Google use: 8.8.8.8 and 8.8.4.4

These two links should help you change the settings:
http://208.69.38.205/
http://www.isitdownrightnow.com/how-to/setup-opendns-in-windows-7.html

====================================

Here's a good tutorial for the host file...make sure you look at the correct one for you operating system:
http://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

 

MrC

[DKL]

Just to check, this is being done by Verizon themselves or a blackhat hacker or...?

Also, according to http://www.computerhope.com/jargon/d/dnshijac.htmthere is a way to opt out? 

Just trying to make sure I understand what's going on.

Also, for my friends and family is there any free software that can help block these?

[DKL]

Oh, and since there doesn't seem to be a way to edit, is this going to effect Macs as well as Windows machines(I assume so?)

[MrCharlie]

Just to check, this is being done by Verizon themselves or a blackhat hacker or...?

Also, according to http://www.computerhope.com/jargon/d/dnshijac.htmthere is a way to opt out? 

Just trying to make sure I understand what's going on.

Also, for my friends and family is there any free software that can help block these?

I believe it may be by Verizon

 

Oh, and since there doesn't seem to be a way to edit, is this going to effect Macs as well as Windows machines(I assume so?)

I'm not sure what you mean??

[DKL]

I mean, is it something that effects Macs by Apple as well as PCs with Windows on it?

[MrCharlie]

I mean, is it something that effects Macs by Apple as well as PCs with Windows on it?

I'm not sure

[MysteryFCM]

As its DNS related, the OS is irrelevant.

 

For those wishing to change DNS settings, please see;

 

https://forums.malwarebytes.org/index.php?/topic/172652-read-me-seeing-9224214021-blocks-read-me-please/