TPFC is currently hosted with vpslink.com. I received a support ticket from them yesterday:
I wrote back to them as soon as I could:03/01/2012 5:42 PM EST
I am writing this to inform you that we found malicious contents 'http://www.portablefreeware.com/download.php?dd=1660' in your account. It is against of our Terms of Service due to this we have suspended your account for security reason.
To revoke the suspension you need to remove all the files from your account and upload clean copies from your local backup and check every pages to see if such codes are not present in them.
If you have any further questions, please update the Support Console.
After waiting for a couple of hours, I wrote to them again:03/01/2012 7:13 PM EST
I am unable to access the server via SFTP. Does this have anything to do with the suspension?
I can't check the files in my account if I am unable to SFTP into the server.
After over 24 hours from my original reply, I finally heard from them:03/01/2012 11:43 PM EST
I refer to ticket #9346904.
I am unable to login to the system to correct the problem that you highlighted.
Can you please help?
Here where I got a little pissed:03/02/2012 8:06 AM EST
Thank you for contacting Support.
The files mentioned in ticket 9346904 are malicious and can cause users to be exposed to a virus or malware and due to this the suspension can not be removed until the account is reinstalled. This will wipe all information from the container and return it to a default state. Once this is complete you can then reconfigure your container and upload your clean backup. If you do not have a backup we can save your data to a folder during the reinstall, but this is not recommended as backdoors may have been left in the account. To create this backup there is a charge of $75. Please let us know how you wish to proceed.
Amazingly, they still think the file is malicious and insist that I remove the link.03/02/2012 11:23 AM EST
Look, I think you guys are totally mistaken.
I run a user-maintained database/forum of portable freeware. The link "http://www.portablefreeware.com/download.php?dd=1660" is a user-submitted URL that points to "http://www.f2ko.de/downloads/Bat_To_Exe_Converter.zip". That file is not hosted on my site at all. I don't think I can be responsible for files not hosted on my site, can I?
Furthermore, based on user comments for that particular database entry, any flagging by antivirus software for that file is almost certainly a false positive. You can check the VirusTotal scan for that file here:
https://www.virustotal.com/file/a597d3f ... 324306662/
or download the file and scan it for yourself.
I am extremely unhappy with the way you guys have single-handedly suspended my account without consulting me first. I suspect you have put in place an overzealous scanner that does not consider the possibility of false positives and without a clue that the target file is not even hosted locally!
However, if you insist that your scanner is correct, then please let me know and I will have to take my business elsewhere. Since I run a community-based database/forum, if any URL that my users post points to a file that you *suspect* is malware without taking false positives into account, my account will probably be suspended indiscriminately many more times in the future.
So I replied:03/02/2012 2:44 PM EST
The suggestion to reinstall is given mainly as an easy way to ensure that any malicious content that exists on the server is removed. However, because you have been able to identify that the link was created by a user we will permit you to continue using our services given that you remove the link (and all instances are removed from any databases or text files containing the link).
We will not permit you to continue hosting the link on our servers. So, if you must have the link on your site your suggestion of moving to an alternate hosting provider is your only option. We've actually received the report of malicious content from a third party company. We cannot risk having a third party label our network as a source of malicious content as that would adversely affect our other VPSLink customers.
With your acknowledgement of what you would like to do, we will unsuspend the server.
And here's their reply:03/02/2012 6:57 PM EST
I will remove the link from the server as requested.
I will also need to have the identity of the third party company as well as any contact information so that I can bring this matter to their attention. I think there is a real problem with their method of identifying malware, that if not arrested, will lead to real issues for more people.
I would also like your assurance that my account will not be unilaterally suspended in the future without giving me some lead time to investigate and correct the issue.
And my reply was:03/02/2012 6:09 PM EST
Thank you for contacting support.
We have re-enabled the server as requested. The report came to us from clean-mx.de, if you wish to address the complaint with them.
I regret, we can not provide any assurance with regard to what may happen in the future. We have to act when notified of malware by responsible sources, and the level of investigation needed to establish whether or not each of these are a "false positive" - something which is not the case in the vast majority of notifications - is outweighed by our responsibility to help stop the distribution of malware to unsuspecting visitors. I am sorry for any resulting inconvenience.
Still waiting for their reply.03/02/2012 6:57 PM EST
In that case, I would like to find out your methodology for investigating complaints by said "responsible sources".
1. Do you perform your own independent investigation, or do you always trust these sources without verification?
2. As I have detailed in my previous post, the file in question is most definitely a false positive. What method(s) did you guys use that lead you to confirm that it is malicious?
3. Can you provide me with a list of your trusted "responsible sources"?
Deep breathes... 1.. 2.. 3..