Netlify's IP address is marked as unsafe by Avast

Hi guys. Our site is this one, hosted on Netlify and pointing to a Google domain via A type record e.g. A
Our users are reporting that Avast antivirus is blocking access to the site because of it being a phishing URL.
We’ve run a Sucuri check and it comes back as OK. Then we scanned the IP address with and it reported 2 malicious websites on the same IP address

So our site is not infected but because it shares IP it is deemed unsafe by Avast.
The most obvious solution would be to move to a dedicated IP but maybe there are some other ways to solve this? This should be affecting a lot of Netlify customers.

Hey @ihorbond

A little digging and cURLing on top of browser testing paints a slightly clearer picture of this.

When I curl I see

<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>What's My Name: Name Generator</title>
    <link rel="stylesheet" href="styles.css">
	<script src="index.js"></script>
<h1 id="titre">What's My Name </h1>
<div id = get_started><button onclick="window.location.href='generator_form.html';">Get Started</button>

The styles.css, index.js and generator_form.html are all equally as tame in terms of content. I would definitely say there is nothing on here (that is published as a known path) that contains a trojan.

Using Chrome however I see this, which is certainly not the same result as above.

cURL explains this behaviour

$ dig A +noall +answer
1538	IN	A
1538	IN	A

Their domain uses NS1 nameservers and has multiple A records. One shows the very simple HTML from Netlify, the other a page with an <iframe> that loads another (possibly dodgy) placeholder site.

I also downloaded the file from and scanned with AVG (same thing as Avast) and it found no issues.

AVG did not attempt to block access to either site, though my ISP did try to block the first.

These are, potentially, false positives IMHO.

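A way to repeat the comparison described above against your own hostname, as an added example that is not part of the original posts: it fetches the page from each A record separately and reports which addresses return a different body or an `<iframe>`. The function names are made up for this example, and it assumes `dig`, `curl` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example (not from the thread): fetch one hostname from each of its
# A records separately and show which addresses serve a different page.

# Print one line per A record: "<ip> <sha256-of-body> <iframe|no-iframe>".
probe_a_records() {
    host=$1
    # dig +short may also print CNAME targets; keep only IPv4 addresses.
    dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u |
    while read -r ip; do
        # --resolve pins the connection to this one address while keeping
        # the real hostname for TLS SNI and the Host header.
        body=$(curl -s --max-time 10 --resolve "$host:443:$ip" "https://$host/")
        hash=$(printf '%s' "$body" | sha256sum | cut -d' ' -f1)
        if printf '%s' "$body" | grep -qi '<iframe'; then
            tag=iframe
        else
            tag=no-iframe
        fi
        printf '%s %s %s\n' "$ip" "$hash" "$tag"
    done
}

# Exit status 0 only when every A record returned the same body.
a_records_agree() {
    [ "$(probe_a_records "$1" | cut -d' ' -f2 | sort -u | wc -l)" -le 1 ]
}

# When run with a hostname argument (needs network access), print the table.
if [ "$#" -gt 0 ]; then
    probe_a_records "$1"
    a_records_agree "$1" || echo "A records serve different content" >&2
fi
```

An address whose hash differs from the rest, or that is tagged `iframe` when the deployed site has none, is the record to check in the DNS zone.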

Thank you for checking it out! Not gonna lie, don’t completely understand how this works, like why when curling it loads the Netlify-hosted HTML, and when navigating in the browser something else. Just a server config? My ISP blocks the first one as well actually. For the time being, I’ve reported a false positive to Avast; hopefully they can resolve it quickly, otherwise we’d have to just move to a different IP.

If you can load the Netlify version, this is what you would see:

This I was able to achieve by using Opera’s built-in VPN set to Americas. Using other locations renders a “this site is blocked” message.

So the content served is based on the location it is requested from.


Hi! Any updates so far?
It’s an interesting case, considering that is a Netlify load balancer’s IP

Hi @maddsua,

Welcome to the forums and thanks so much for reaching out. That address is only needed if you need a stable single IP for your apex domain. We recommend using Netlify DNS or CNAME flattening to get around having to use a single IP in DNS!