Sucuri SiteCheck Scanner Falsely Claims Our Website is Defaced

In the past we have discussed the fact that the web security company Sucuri’s scanner SiteCheck is rather poor at what it does, including falsely claiming that a website was infected with malware due to a bad false positive and claiming that a website was running on outdated software without knowing if that was true.

We just ran across another example, which this time involves our own website. On a post about them astroturfing from four years ago, we recently got this comment:

The Scam is strong with this one

https://sitecheck.sucuri.net/results/www.whitefirdesign.com

If you follow that link, as of our writing this, you will see that the status of our website is “Website Defaced (hacked)”:

Not only is it not actually defaced, but their reason for claiming that is just baffling, as the claim is based on the title of one of the pages on our website being “Hacked Website Cleanup – White Fir Design”:

It would appear they are claiming that a website is defaced just due to the words “hacked” and “website” in the title of a page, which clearly isn’t a reliable way to determine whether a website is defaced. On top of that, they are claiming an issue that doesn’t actually exist is of “Critical” severity.
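An added example, not part of the original post and not Sucuri’s code: it contrasts a title keyword rule of the kind the result above suggests (an assumption, since the scanner’s real logic is not public) with a check against the title the site owner recorded as known good. The sample pages, the marker list and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

class TitleParser(HTMLParser):
    """Collects the text of the first <title> element."""
    def __init__(self):
        super().__init__()
        self.in_title, self.done, self.title = False, False, ""
    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.done:
            self.in_title = True
    def handle_endtag(self, tag):
        if tag == "title" and self.in_title:
            self.in_title, self.done = False, True
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def page_title(html):
    parser = TitleParser()
    parser.feed(html)
    return " ".join(parser.title.split())  # normalise whitespace

def keyword_check(html):
    """Assumed naive rule: 'hacked' and 'website' both appear in the title."""
    title = page_title(html).lower()
    return "hacked" in title and "website" in title

def baseline_check(html, known_good_title, markers=("hacked by",)):
    """Compare with the owner's recorded title; markers are constructed."""
    title = page_title(html)
    if title == known_good_title:
        return "unchanged"
    if any(m in title.lower() for m in markers):
        return "defacement-suspected"
    return "changed-needs-review"

# Constructed sample pages; the first title is the one quoted in the post.
KNOWN_GOOD = "Hacked Website Cleanup – White Fir Design"
LEGIT_PAGE = ("<html><head><title>Hacked Website Cleanup – White Fir Design"
              "</title></head><body>Services</body></html>")
DEFACED_PAGE = ("<html><head><title>Website hacked by example-crew</title>"
                "</head><body></body></html>")

if __name__ == "__main__":
    for name, page in (("legit", LEGIT_PAGE), ("defaced", DEFACED_PAGE)):
        print(name, keyword_check(page), baseline_check(page, KNOWN_GOOD))
```

The keyword rule returns the same verdict for both pages, so it cannot tell a page about hacked websites from a replaced one; the baseline comparison separates them.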

We of course can spot that their claim was wrong since we deal with websites that are actually hacked all the time (and it was quite obvious at least in this case), but based on plenty of experience dealing with people who think that their websites have been hacked, we would guess that a lot of webmasters and owners could be misled by this type of thing, leading to some of them paying Sucuri to clean up a hack that didn’t exist.

Sucuri Also Misrepresents Other Companies’ Data

The problems with their scanner don’t end there as the results for our website show. They also mention that our website is “Blacklisted”:

Looking into the details of that they claim the website is blacklisted by Norton Safe Web:

The reality is a lot less alarming than they claim. Here are the Norton results:

What seems rather relevant to that is this part:

Web sites rated “Caution” may have a small number of threats and annoyances, but are not considered dangerous enough to warrant a red “Warning”.

So unlike Sucuri they don’t think that it should get a red warning.

So what are the threats on our website? There are not any. Instead, Norton’s scanner doesn’t understand the difference between malicious code shown in harmless form on one of our website’s pages and actual malicious code on a website (the poor quality of website scanners isn’t limited to Sucuri):

While Sucuri warning when websites are actually blacklisted by other services would be useful, that warning should be accompanied by a disclaimer that the other services’ results may not be accurate, instead of overhyping the issue to try to sell their services.

A Better Way to Get Your Website Checked to Confirm if it is Hacked

Based on all that there is plenty of reason to avoid Sucuri’s SiteCheck, but what is a better way to confirm whether your website is hacked if you believe it is? The simple answer is to contact us, as we are happy to do a free check to confirm whether a website is hacked or not. We don’t rely on low quality automated tools to do that, since they produce poor results as was shown above. Instead we will discuss the situation with you and then do any necessary checking to look into the possible issue. For websites that are hacked we will also provide a free consultation on how best to deal with the issue, instead of trying to scare you into using our services, unlike Sucuri.

Questionable Support Advice on Dealing With Hacked Websites From WordPress and Norton Safe Web’s Mystery Blacklisting

One of the things we do to keep track of vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service is to monitor the WordPress support forum for threads related to them. In addition to threads that actually relate to that issue, we frequently run into other security related threads. In doing that we noticed that in many threads a reply containing the same advice is given, which consisted mainly of a series of links. Some of the pages linked don’t seem to provide the best information, so we wondered if the various members providing that reply were actually aware of what they were linking to or if they were just repeating something they had seen others saying. While looking into another issue involving the forum we found that the source of the message was a series of pre-defined replies for moderators.

While looking into another thread that came up during that monitoring of the forum we came across evidence that one of the links they include, a link to something called Sucuri SiteCheck, may not be the most appropriate to include. In that thread the original poster had written:

Sucuri is showing my site as harmful and is asking for $16/month to fix it, yet my site seems fine, traffic is normal and I have no log in / access problems on any browser or device.

When we went to look to see why Sucuri was claiming the website was harmful, the SiteCheck page was light on details and high on pushing you to use their service:

Looking at the other two tabs of information, the only issue that they were identifying was that the website was blacklisted by “Norton Safe Web”:

It seems to us that a service would be careful in a situation where they are not themselves detecting anything malicious, but Sucuri seems to be labeling the website as “Site Potentially Harmful” and “Site Likely Compromised” based only on the fact that Norton Safe Web was blacklisting it. Based on our limited experience with Norton Safe Web, that would seem to not be appropriate because the results we have seen from it in the past have been rather poor.

Looking at what they are claiming to have detected with this website makes us more confident of the position.

Here is what they are reporting as of now:

You can see they are not claiming that there are any “computer threats” or “identity threats”, just an “annoyance factor”. What the “annoyance factor” is isn’t really further explained, with the only information being that a page is listed as having a “SWBPL” threat. There is no explanation of what a “SWBPL” threat is, either on the page or through a link. In searching around to try to find out what that is, we found that we were not alone in trying to figure that out and that even some people at Norton did not know what it is. The most detailed information we could find was in a thread on the Norton website, where it was stated that:

SWBPL is one of the threat types in safeweb which is based on telemetry which we collect from 3rd party vendor feeds. Since these sites are classified based on the static data it is prone to few FPs

So Norton is apparently warning about the website based on an unidentified third party’s data, which is also apparently prone to a “few” false positives. That doesn’t really seem like something that should be the source for Norton warning about a website and certainly shouldn’t be used by someone else to make claims as to the security of the website.

Looking at the URL they identified as being a “SWBPL” threat, visiting it normally just returns a “Page not Found” message, and visiting it in some other ways didn’t produce any different result. Without having access to the backend of the website we can’t rule out that there is some issue with it, but from the outside there is nothing we could find harmful about it.

We hope that WordPress will review the boilerplate message they provide to those with questions about hacked websites and consider if they are providing the best information in it.