jtown82 (posted September 25, 2017): All of a sudden our ERA is spamming alerts for addthis_widget.js and flagging it as JS/TrojanDownloader.Pegel.BH, literally on 20-30 different computers at the same time. Not sure if this is legit or if another bad push of definitions went out and it's false positives. Anyone else all of a sudden getting these alerts?
AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js
er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js
kingoftheworld (posted September 25, 2017): 2 minutes ago, jtown82 said: "All of a sudden our ERA is spamming alerts for addthis_widget.js and flagging it as JS/TrojanDownloader.Pegel.BH, literally on 20-30 different computers at the same time. Not sure if this is legit or if another bad push of definitions went out and it's false positives. Anyone else all of a sudden getting these alerts? AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js" Experiencing the same here.
gerdawg (posted September 25, 2017): Same here - about 50+ computers.
Marcos, Administrator (posted September 25, 2017): The detection is from 2011. Something must have changed in the script that caused it to be detected.
shaggy90 (posted September 25, 2017): Yep, getting the same thing over here too.
rockshox (posted September 25, 2017): Same here, a dozen computers so far. It looks like addthis.com is owned by Oracle.
jtown82 (posted September 25, 2017): Marcos, do you know if a hotfix or something is being worked on?
Marcos, Administrator (posted September 25, 2017): We will temporarily remove the detection soon until we investigate what code has started to trigger this old detection.
esetdan (posted September 25, 2017): ESET does have the roll back feature you can implement as a task in ERA: https://support.eset.com/kb3676/?locale=en_US
Mez (posted September 25, 2017): Maybe the issue is due to mixed content (http on https pages) by addthis. See attached image from Chrome Developer Console.
somatoform (posted September 25, 2017): Happening on our network too. Our organization's website uses AddThis to provide social sharing icons, which appear to be working just fine. Sophos Endpoint isn't triggering it. YMMV.
Marcos, Administrator (posted September 25, 2017): 51 minutes ago, esetdan said: "ESET does have the roll back feature you can implement as a task in ERA: https://support.eset.com/kb3676/?locale=en_US" That won't help in this case because the detection is not recent; it was made in 2011. Anyway, we've temporarily removed the detection while the script is being reviewed.
kingoftheworld (posted September 25, 2017): If anyone is interested in a workaround, I added the URL to the "Exclude from Checking" list in the Web Protection section of a policy. It seems to have resolved the issue. Will remove this entry once the definitions are updated.
mahargnz (posted September 26, 2017): Issue seems to have been in signature update 16139 and is resolved with signature update 16140.
Tdub (posted September 26, 2017): Getting the same here as well.
Marcos, Administrator (posted September 26, 2017): 3 hours ago, mahargnz said: "Issue seems to have been in signature update 16139 and is resolved with signature update 16140." No, the signature has existed since 2011.
K-Dub (posted September 26, 2017): Hello Marcos, any update to this issue? We've experienced the same issues off/on for the past 15 hours now.
CCross (posted September 26, 2017): Hi there, do we have updates regarding this topic? Should it be considered a false positive?
Marcos, Administrator (posted September 26, 2017): That was fixed about 17 hours ago. Since 2011, the detection hadn't triggered false positives until recent changes in the AddThis widget script.
Ivan_Bottion (posted September 26, 2017): Hi, I use addthis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon. My virus signature database is 16144, which I believe is the most current one, and I'm still receiving trojan messages for the addthis_widget.js code. Any prediction of when the problem will be resolved?
Marcos, Administrator (posted September 26, 2017): 10 minutes ago, Ivan_Bottion said: "Hi, I use addthis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon. My virus signature database is 16144, which I believe is the most current one, and I'm still receiving trojan messages for the addthis_widget.js code. Any prediction of when the problem will be resolved?" It was fixed 18 hours ago.
enforcer (posted September 26, 2017): 1 hour ago, Marcos said: "It was fixed 18 hours ago." Obviously not.
Marcos, Administrator (posted September 26, 2017): 8 minutes ago, enforcer said: "Obviously not." What exactly is detected? The signature for JS/TrojanDownloader.Pegel.BH was already removed some time ago.
jtown82 (posted September 26, 2017): We do have some machines still getting the alerts, but I am assuming that is because we have a few machines that have not been upgraded yet and are still using ESET V5 endpoint protection. Or should the fix cover those as well?
K-Dub (posted September 26, 2017): Below is what we are essentially seeing:
2017-09-25 21:28:09;trojan;JS/TrojanDownloader.Pegel.BH;;HTTP filter;virlog.dat;file;hxxp://s7.addthis.com/js/300/addthis_widget.js;connection terminated;;1;0;DOMAIN\User1;C:\Program Files (x86)\Internet Explorer\iexplore.exe;;16139 (20170925);12FB3B97A3308B429C6EF44CB8E6A52875E7D85F
It's tapered off almost completely today, fortunately.
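The export line above is semicolon-separated with a fixed field order. As an added example (not from the thread, and not ESET's own tooling), the Python below parses such lines and flags the pattern this thread describes: one detection name on one widely embedded script hitting many distinct users within minutes, which is the cue to verify the signature against the vendor before mass remediation. Field positions are inferred from K-Dub's single line and are an assumption; the sample log is constructed.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Field positions inferred from the one exported line posted in this thread (an assumption).
FIELDS = ["time", "type", "threat", "_", "scanner", "logfile", "objtype", "object",
          "action", "_", "_", "_", "user", "process", "_", "sigdb", "hash"]

def parse_eset_threat_log(text):
    """Parse semicolon-separated threat-log export lines into dicts."""
    rows = []
    for rec in csv.reader(StringIO(text), delimiter=";"):
        if len(rec) < len(FIELDS):
            continue  # blank or truncated line
        row = dict(zip(FIELDS, rec))
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["sigdb"] = row["sigdb"].split(" ")[0]  # "16139 (20170925)" -> "16139"
        rows.append(row)
    return rows

def spike_candidates(rows, min_users=10, window_minutes=30):
    """Flag (threat, object) pairs hitting many distinct users in a short window: a burst
    on one widely embedded script is the cue to verify the signature before mass remediation."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["threat"], r["object"])].append(r)
    flagged = []
    for (threat, obj), hits in groups.items():
        hits.sort(key=lambda r: r["time"])
        users = {r["user"] for r in hits}
        span = (hits[-1]["time"] - hits[0]["time"]).total_seconds() / 60
        if len(users) >= min_users and span <= window_minutes:
            flagged.append({"threat": threat, "object": obj, "users": len(users),
                            "span_min": span, "sigdb": sorted({r["sigdb"] for r in hits})})
    return flagged

# Constructed sample: K-Dub's line replicated for 12 users a minute apart, plus one
# unrelated single-user hit (placeholder threat name) that must not be flagged.
_LINE = ("2017-09-25 21:{m:02d}:09;trojan;{threat};;HTTP filter;virlog.dat;file;{obj};"
         "connection terminated;;1;0;DOMAIN\\User{u};C:\\Program Files (x86)\\Internet Explorer\\"
         "iexplore.exe;;16139 (20170925);12FB3B97A3308B429C6EF44CB8E6A52875E7D85F")
ADDTHIS = "hxxp://s7.addthis.com/js/300/addthis_widget.js"
SAMPLE_LOG = "\n".join(
    [_LINE.format(m=28 + i, u=i + 1, threat="JS/TrojanDownloader.Pegel.BH", obj=ADDTHIS)
     for i in range(12)]
    + [_LINE.format(m=40, u=99, threat="EXAMPLE/Placeholder.A", obj="hxxp://example.invalid/x.js")])

if __name__ == "__main__":
    print(spike_candidates(parse_eset_threat_log(SAMPLE_LOG)))
```

The flagged record also carries the signature database versions seen, so an analyst can confirm which machines were still on the affected version when the alerts fired.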