
This thread was archived. Please ask a new question if you need help.

My antivirus says browser has been hit by a browser-redirect virus from ocsp.comodoca.com? Solution?

  • 9 replies
  • 2 have this problem
  • 26 views
  • Last reply by James


Today (Aug 5) my Firefox browser for Mac suddenly started getting antivirus alerts and a website URL was listed: ocsp.comodoca.com

So I did a Firefox 'refresh,' reducing my browser back to base settings and getting rid of all extensions. The warnings ended. At first. Until I went to restore my browser-protection add-ons like BetterPrivacy, then NoScript and AdBlock plus. As soon as I installed either NoScript or AdBlock plus, the same virus warnings appeared again in their bold red. So I disabled them. When I went to the Firefox forums for these add-ons to post a warning about this, more virus warnings appeared as soon as I went there. Nuts, right? I can't even post a warning there without getting attacked by the same virus (see name of malsite above).

So I did some Google research on this website and this is what I found on one site:

ocsp.comodoca.com blacklisted (by comodo itself)
by Carol~ Forum moderator / July 3, 2012 4:01 AM PDT
In reply to: NEWS - July 03, 2012

From SANS ISC:

Update: Looks like Comodo fixed its classification of the site in an updated report [2]. The site still shows one suspicious scan, but the overall status is "safe". McAfee classifies the site as "minimal risk" but the history still shows a red high risk for web reputation as of today/yesterday. [3]
--- 

A couple of readers have noticed that "ocsp.comodoca.com" has been labeled as "suspicious" and distributing malware for the last couple of days. In particular Comodo's own site inspector service has been identifying the URL as suspect [1]

OCSP is a newer web service that allows clients to verify if an SSL certificate has been revoked. The older standard, CRL (Certificate Revocation List) required that browsers download the entire list. With OCSP, it is possible to query the status of an individual certificate. The certificate has to have the URL for the respective CRL or OCSP service embedded. 

Many browsers will accept a certificate, even if the OCSP service does not respond. They will only mark it as invalid, if the OCSP service responds with a result marking the certificate as revoked. However, for Extended Validation (EV) certificates, browsers tend to be more specific and require a positive OCSP response.

Continued : https://isc.sans.edu/diary.html?storyid=13606

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This all sounded rather bland, then I went to a different site which looked far more suspicious but is not so bland about its subject. It reads:

How to Delete ocsp.comodoca.com from Firefox by YAC PC Cleaner?(Removal Guide) How to Delete ocsp.comodoca.com from Firefox by YAC PC Cleaner?(Removal Guide) Can’t get rid of ocsp.comodoca.com virus that pops up on your computer? All the browsers ( Internet Explorer, Firefox, Google Chrome) have been hijacked, it effects from Windows 7, Windows Vista, Windows XP to Windows 8. How do i delete the redirect virus from the infected computer? ocsp.comodoca.com INTRODUCTION:

ocsp.comodoca.com is categorized as a browser hijacker which is used by hackers to allure you to download some useless applications. ocsp.comodoca.com may enter on the system through spam email attachments, downloading freeware from internet, through infected drives and etc. ocsp.comodoca.com will act like an adware infection which take up a big part of system resources and seriously slow down computer running.

ocsp.comodoca.com can records your internet activity data, steals your privacy and compromises your security. ocsp.comodoca.com can violate your privacy as well as steal your confidential data. It ocsp.comodoca.com can cause serious damage by deleting important files and destroying information on your system. Remove ocsp.comodoca.com before it harms your machine.

Download YAC

INFECTED SYMPTOMS:

   Compromise your system and may introduce additional infections like rogue software
   ocsp.comodoca.com forcibly customizes the default homepage, search engine and bookmarks of your computer.
   You need to take a long time to open a webpage than before.
   ocsp.comodoca.com is a parasitic browser hijacker
   Enters your computer without your consent and disguises itself in root of the system once installed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Since I don't trust this second website (called YAC) and they can't even write an ad with decent grammar (a Chinese site???), there's no way I'm downloading anything from them. However, my problem remains. How can I restore my Firefox with all those cool security addons (AdBlock, NoScript) without my addons/browser being hijacked by this comodoca thing? Are these YAC guys even telling the truth?

Should I turn off the certificate OCSP responder toggle inside Firefox or something, too?


All Replies (9)


Definitely ignore yac.mx.

I think this has to be some kind of false positive. What is the specific alert that you're getting?

Modified by jscher2000 - Support Volunteer

By the way, if you decide you want to roll back your Refresh, please see the steps in this post: https://support.mozilla.org/questions/1071976#answer-762544


My Avast Antivirus simply describes the ocsp.comodoca.com as 'mal', whatever that means. It didn't tag it as any specific type of virus, I think, though one of those websites I mentioned (see above) calls it a 'browser-redirect virus'. I tried getting into Avast's log but it doesn't list it anymore, sigh (maybe because my antivirus stopped the attack each time). I wonder why when I went to certain pages here at Mozilla, I got that virus warning yesterday, even without most of my add-ons installed.

Modified by Fleabutt

I think it was an error by Avast, but we may never know.


Has anyone here ever heard of this ocsp.comodoca.com thing? Anyone had the same problem?


Hmm, this is interesting. I just updated Firefox just now because it told me there was a newer version (v39.0.3). Then I enabled the NoScript plugin and I didn't get an alert-message from my antivirus this time. That's hopeful.

Two minutes later.

Just installed the AdBlock Plus addon and I'm still okay, no antivirus warnings. Maybe the newer version of Firefox fixed things. Here's hoping.

Modified by Fleabutt

That address is the standard address for checking whether an SSL certificate issued by Comodo has been revoked. It's in the certificate for my site, for example (screen shot attached). The address itself should not be a problem, so that's why I was wondering what Avast was associating it with.

(About OCSP: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)
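
The reply above points out that ocsp.comodoca.com is the revocation-check address carried inside Comodo-issued certificates. As an added example (not part of the thread), this Python code parses a certificate's Authority Information Access extension value and returns the OCSP responder URL stored there; the sample bytes are constructed for illustration and the caIssuers URL is a placeholder.

```python
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86   # 0x86 = GeneralName [6], a URI


def tlv(tag, value):
    """Encode one DER element (short-form length only; enough for the sample)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def read_tlv(buf, pos):
    """Decode the DER element starting at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        n = first
    else:                                 # long form: low 7 bits count length bytes
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def ocsp_urls(aia_der):
    """Return every OCSP responder URL listed in an AIA extension value."""
    tag, body, _ = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE of AccessDescription")
    urls, pos = [], 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)         # one AccessDescription
        _, method, nxt = read_tlv(desc, 0)         # accessMethod (an OID)
        loc_tag, loc, _ = read_tlv(desc, nxt)      # accessLocation (a GeneralName)
        if method == OID_OCSP and loc_tag == TAG_URI:
            urls.append(loc.decode("ascii"))
    return urls


# Constructed sample, not taken from a real certificate: the OCSP host is the one
# named in the thread; the caIssuers URL is a placeholder.
SAMPLE_AIA = tlv(TAG_SEQUENCE, b"".join(
    tlv(TAG_SEQUENCE, tlv(TAG_OID, oid) + tlv(TAG_URI, url)) for oid, url in [
        (OID_CA_ISSUERS, b"http://ca.example.test/issuer.crt"),
        (OID_OCSP, b"http://ocsp.comodoca.com")]))

if __name__ == "__main__":
    print(ocsp_urls(SAMPLE_AIA))
```

On a certificate file, `openssl x509 -noout -ocsp_uri -in cert.pem` prints the same field.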


Ah. Interesting!

Well, since I'm still not getting complaints from Avast, maybe I'm okay. I'll see how things go. Thanks! I wonder if the Mozilla guys were anticipating a problem which is why they issued the latest program update so fast.

(On an unrelated note, I read online how it's a bit hard to switch to Firefox from the new Edge browser in Windows 10. Microsoft seems to be up to their usual tricks, those jerks. And apparently Windows 10 spies on you. Gah. I wonder if the Edge browser is as bad as Google's Chrome in that regard.)

Modified by Fleabutt

https://www.mozilla.org/firefox/39.0.3/releasenotes/

The 39.0.3 release (there was no 39.0.1 or 39.0.2) was for security fixes and was unusual, as Firefox 40.0 is scheduled for release next Tuesday.