
How to unblock sites that are probably false positives?



Hello,

when trying to open r-project.org (the site of a large open source project on statistical computing), ESET Smart Security 9 denies access and terminates the connection (Reason: JS Redirector NAV Trojan). This happens in Firefox and IE (I do not use Chrome).

Since this is a very well known domain accessed by probably millions everyday I suspect that this is a false positive. A web search did not gain any helpful insight either, neither on the problem as such nor on this specific domain being infected.

However, I have not found a way to unblock this domain at my own risk. How is this possible, and do you maybe have additional information on this specific domain?

Thanks in advance!


  • Most Valued Members

The site itself is not blocked; I have tried and can navigate around the site with no problems. It's only an "element" within the site that is blocked. Just a bad JavaScript link on the site somewhere.


  • Most Valued Members
2 minutes ago, BDifferent said:

Hi, thanks for your answer. So what can I do?

If you can navigate around and use the site then there is really nothing to worry about, you will just get that pop up message every time you visit the site.

I guess it's letting you browse/use the site but with just that message displaying in the pop-up??


Ah. No :-(

I see a blank page with only a red rectangle in the middle of the screen, which is generated by ESET, saying what I wrote in my initial post, i.e., connection terminated, access denied, etc., and which threat was detected ("JS/Redirector.NAV Trojan"). See attached screenshot.

Furthermore, it is blocked not only for the browser but also for other programs. There is a repository for R, CRAN, accessible via cran.r-project.org, from which e.g. the R console and the R IDE "RStudio" can install new packages. These programs cannot access the repository either.

Concluding, I cannot visit the site and I cannot access the package repository. I wonder why it doesn't work on my PCs (2 systems, both having Smart Security 9 installed) but works on other systems (e.g. your system).

Greetings and thanks.

error-eset-r.project.org.png


I just tried to access the site in IE11 and it was blocked on access. Note that the site is an HTTPS site. If SSL protocol scanning was not enabled, Eset might not have detected it upon site access. It also appears to have attempted to drop the Trojan in the %AppData% folder.

Note: VirusTotal says the site is 100% clean and I did a rescan. 

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
1/22/2017 1:48:16 PM;HTTP filter;file;https://www.r-project.org;JS/Redirector.NAV trojan;connection terminated;XXX-PC\XXX;Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe (F0FEB5350BD497A9E9BF77ED072315E64ABFFA33).;AAF7FFD8EB4CAA93F627AC850D31EBE5471C581A;

  • Administrators

Ask the owner of the website to replace the obfuscated script for displaying an email address with an image containing the address.

The suspicious script commences with "var s="=b!isfg>#nbjmup;xfcnbtufsAs.qspkfdu/psh#?xfc!qbhf!dpoubdu=0b?";"
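Marcos's description can be checked directly. The following is an added example, not code from this thread, from ESET or from the r-project.org site: it takes the quoted opening of the flagged script and reverses a one-position character-code shift (the page does not state the encoding; the shift of one is an assumption here, chosen because it decodes the string cleanly and is the usual form of this kind of email-address obfuscation), then applies the simple triage check an analyst would run before calling the detection a false positive.

```javascript
// Added example (not code from the forum thread, ESET or r-project.org).
// The thread quotes the start of the flagged script:
//   var s="=b!isfg>#nbjmup;xfcnbtufsAs.qspkfdu/psh#?xfc!qbhf!dpoubdu=0b?";
// Assumption: every character code was shifted up by one when the string was
// produced. Shifting back recovers the plain HTML so an analyst can judge
// whether the detection is a false positive.

const OBFUSCATED = '=b!isfg>#nbjmup;xfcnbtufsAs.qspkfdu/psh#?xfc!qbhf!dpoubdu=0b?';

// Reverse a per-character code shift (shift = 1 assumed for this sample).
function decodeShifted(s, shift = 1) {
  let out = '';
  for (const ch of s) {
    out += String.fromCharCode(ch.charCodeAt(0) - shift);
  }
  return out;
}

// Triage helper: does the decoded payload consist of nothing but a single
// mailto anchor with a well-formed address? Anything else (extra tags,
// script, http(s) URLs) means the decoded content deserves a closer look
// rather than a quick "false positive" verdict.
function isPlainMailtoAnchor(html) {
  const m = /^<a href="mailto:([^"]+)">([^<]*)<\/a>$/.exec(html);
  if (!m) return false;
  const address = m[1];
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(address);
}

// Decode and classify in one step; returns both so the decoded text can be
// kept in the analysis notes.
function triage(encoded) {
  const decoded = decodeShifted(encoded);
  return { decoded, benignMailto: isPlainMailtoAnchor(decoded) };
}

console.log(triage(OBFUSCATED));
// → { decoded: '<a href="mailto:webmaster@r-project.org">web page contact</a>', benignMailto: true }
```

Run it with node. The decoded output is a plain mailto anchor, which matches Marcos's description and shows that the detection fires on the obfuscation pattern itself rather than on any harmful content. The triage helper returns false for anything that is not a single mailto anchor, so the same routine would not wave through a decoded payload that carries extra markup.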


  • Most Valued Members
2 hours ago, BDifferent said:

Ah. No :-(

I see a blank page with only a red rectangle in the middle of the screen, which is generated by ESET, saying what I wrote in my initial post, i.e., connection terminated, access denied, etc., and which threat was detected ("JS/Redirector.NAV Trojan"). See attached screenshot.

Furthermore, it is blocked not only for the browser but also for other programs. There is a repository for R, CRAN, accessible via cran.r-project.org, from which e.g. the R console and the R IDE "RStudio" can install new packages. These programs cannot access the repository either.

Concluding, I cannot visit the site and I cannot access the package repository. I wonder why it doesn't work on my PCs (2 systems, both having Smart Security 9 installed) but works on other systems (e.g. your system).

Greetings and thanks.

error-eset-r.project.org.png

Here is a screenshot from my PC (using Firefox 50); it shows ESS blocking the bad script but allows me to continue using the site properly.

There are plenty of websites that I visit personally that have the same behaviour: it blocks the bad stuff and lets me use the content and pages that are clean.

If I remember correctly this was one of the many reasons I personally use the firewall in "interactive mode" and set the rules up myself, and not on "automatic" like ESS defaults to. The inbuilt rules are far too strict by default and caused me too many problems. Prior to using the very first release of ESET Smart Security (many, many moons ago), I used a combination of NOD32 and Comodo firewall, and again I used this in a learning/interactive mode as the auto rule set of Comodo was too strict and gave me similar problems.


web.jpg


Hi all,

Thanks for all the answers so far. I doubt that they will change the r-project.org site for something that looks like an "ESET Smart Security" issue. So based on what cyberhash wrote, the only reasonable option for me seems to be to set the firewall to interactive mode. Or did I miss any further options?

Do you also think it can be considered a false positive and how should ESET be notified about it?


  • Administrators

The block has nothing to do with the firewall; it's web access protection that is blocking it. It's a highly suspicious JavaScript obfuscation used on the website which triggers the detection. I'd like to bring this article about using obfuscation to your attention: http://www.welivesecurity.com/2011/05/17/obfuscated-javascript-oh-what-a-tangled-web/.


  • Most Valued Members
1 hour ago, BDifferent said:

Hi all,

Thanks for all the answers so far. I doubt that they will change the r-project.org site for something that looks like an "ESET Smart Security" issue. So based on what cyberhash wrote, the only reasonable option for me seems to be to set the firewall to interactive mode. Or did I miss any further options?

Do you also think it can be considered a false positive and how should ESET be notified about it?

Easy fix for you, and it takes less than 1 minute to do :D. You will still get the pop-up showing the bad script but will still be able to access and use the site. The reason ESS completely blocks these sites is down to the way it handles the HTTPS protocol via the web access protection module.

My bad for feeding you the wrong info over the weekend, but in my defence I had too many beers and was in a few forums replying to too many threads.

Apologies and here is the fix ;)


4.png

5.png

6.png


  • Administrators

Note that in case the site becomes actually infected, ESET won't block it. The owner of the website should instead replace the obfuscated code with an image containing the contact email address.


  • Most Valued Members

It still detects and blocks the threat on the page using this method, but still allows you to use and navigate it.
It's basically doing what ESS does with standard HTTP pages.

Here is something you can try yourself to replicate what I am referring to.

1. Under the WEB PROTOCOLS tab, have both HTTP & HTTPS switched ON and try to access the website in question (r-project.org), and you will be presented with the same outcome as in the image ITMAN has posted above: completely blocked, and it won't let you access the site.

2. Switch the HTTPS scanner OFF and it lets you access and use the site but blocks the offending script.

3. Have both HTTP & HTTPS scanning ON and add the URL of the site to the Exclusion list, and it lets you access the page, just like having the HTTPS scanning switched OFF, where it lets you access and use the site but blocks the offending object.


3 hours ago, cyberhash said:

3. Have both HTTP & HTTPS scanning ON and add the URL of the site to the Exclusion list, and it lets you access the page, just like having the HTTPS scanning switched OFF, where it lets you access and use the site but blocks the offending object.

Good to know. Shows Eset's new web script protection is working.

However, I agree with Marcos in that if there is one thing "dodgy" about a web site, it is best to block entire site access. Odds are the site owner is not properly scanning it for malware and it is just a matter of time until something else nasty is added to it. Might just be a 0-day exploit.


Thanks for the guide, cyberhash, it worked and I can access the page now. It still gives me the "threat found" notification, but I can access the page :-)


  • Most Valued Members
8 hours ago, BDifferent said:

Thanks for the guide, cyberhash, it worked and I can access the page now. It still gives me the "threat found" notification, but I can access the page :-)


You are welcome ;)

  • Most Valued Members
On 23/03/2017 at 10:15 PM, Morisato said:

Eset v8.319 + IE11. I didn't get this notification at all with HTTP checking on and off. Went to the site just fine. Strange...

@um_user Use the method mentioned by @cyberhash above:


Could be due to some changes with the latest version. Newer versions tend to add new features and improve current ones.
