Jump to content

addthis_widget.js alert spam


jtown82
 Share

Recommended Posts

All the sudden our ERA is spamming alerts for addthis_widget.js  and flagging it as JS/TrojanDownloader.Pegel.BH.  literally 20-30 different computers at the same time.  Not sure if this is legit or if another bad push of definitions went out and its false positives. Anyone else all the sudden getting these alerts?

 

AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js

er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js

 

Link to comment
Share on other sites

2 minutes ago, jtown82 said:

All the sudden our ERA is spamming alerts for addthis_widget.js  and flagging it as JS/TrojanDownloader.Pegel.BH.  literally 20-30 different computers at the same time.  Not sure if this is legit or if another bad push of definitions went out and its false positives. Anyone else all the sudden getting these alerts?

 

AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js

er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js

 

Experiencing the same here 

Link to comment
Share on other sites

Maybe issue is due to mixed content (http on https pages)  by addthis. See attached image from Chrome Developer Console.

image.thumb.png.c2d26f76f4edafe1f0957750a4aa5b88.png

 

Edited by Mez
Link to comment
Share on other sites

  • Administrators
51 minutes ago, esetdan said:

ESET does have the roll back feature you can implement as a task in ERA

https://support.eset.com/kb3676/?locale=en_US

 

That won't help in this case because the detection is not recent but it was made in 2011. Anyways, we've temporarily removed the detection while the script is being reviewed.

Link to comment
Share on other sites

If anyone is interested in a work around, I added the URL to the "Exclude from Checking" in the Web Protection section of a policy.  It seems have resolved the issue.  Will remove this entry once the definitions are updated.

Edited by kingoftheworld
Link to comment
Share on other sites

  • Administrators
3 hours ago, mahargnz said:

Issue seems to have been in signature update 16139 and is resolved with signature update 16140.

No, the signature existed since 2011.

Link to comment
Share on other sites

  • Administrators

That was fixed about 17 hours ago. Since 2011, the detection hadn't triggered false positives only until recent changes in the AddThis widget script.

Link to comment
Share on other sites

Hi, I use addthis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon, my virus signature database is 16144, I believe than the most current one, and I'm still receiving trojan messages in the code addthis_widget.js, any prediction of when will the problem be resolved?

Link to comment
Share on other sites

  • Administrators
10 minutes ago, Ivan_Bottion said:

Hi, I use addthis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon, my virus signature database is 16144, I believe than the most current one, and I'm still receiving trojan messages in the code addthis_widget.js, any prediction of when will the problem be resolved?

It was fixed 18 hours ago.

Link to comment
Share on other sites

  • Administrators
8 minutes ago, enforcer said:

Obviously not.

What exactly is detected? The signature for JS/TrojanDownloader.Pegel.BH was already removed some time ago.

Link to comment
Share on other sites

We do have some machines still getting the alerts but I am assuming that is because we have a few machines that have not been upgraded yet and are still using eset V5 endpoint protection.  Or should the fix cover those aswell?

 

Link to comment
Share on other sites

Below, is what we are essentially seeing:

2017-09-25 21:28:09;trojan;JS/TrojanDownloader.Pegel.BH;;HTTP filter;virlog.dat;file;hxxp://s7.addthis.com/js/300/addthis_widget.js;connection terminated;;1;0;DOMAIN\User1;C:\Program Files (x86)\Internet Explorer\iexplore.exe;;16139 (20170925);12FB3B97A3308B429C6EF44CB8E6A52875E7D85F

Its tapered off almost completely today, fortunately.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...