addthis_widget.js alert spam

jtown82

All of a sudden our ERA is spamming alerts for addthis_widget.js and flagging it as JS/TrojanDownloader.Pegel.BH. Literally 20-30 different computers at the same time. Not sure if this is legit or if another bad push of definitions went out and it's false positives. Anyone else all of a sudden getting these alerts?

AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js

er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js

2 minutes ago, jtown82 said:

All of a sudden our ERA is spamming alerts for addthis_widget.js and flagging it as JS/TrojanDownloader.Pegel.BH. Literally 20-30 different computers at the same time. Not sure if this is legit or if another bad push of definitions went out and it's false positives. Anyone else all of a sudden getting these alerts?

AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js

er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js

Experiencing the same here.


The detection is from 2011. Something must have changed in the script that caused it to be detected.


Same here, a dozen computers so far. It looks like addthis.com is owned by Oracle.


We will temporarily remove the detection soon until we investigate what code has started to trigger this old detection.


Maybe the issue is due to mixed content (http on https pages) by AddThis. See attached image from the Chrome Developer Console.

Edited by Mez

Happening on our network too. Our organization's website uses AddThis to provide social sharing icons, which appear to be working just fine.

Sophos Endpoint isn't triggering it. YMMV.

51 minutes ago, esetdan said:

ESET does have the roll back feature you can implement as a task in ERA

https://support.eset.com/kb3676/?locale=en_US

That won't help in this case because the detection is not recent; it was created in 2011. Anyway, we've temporarily removed the detection while the script is being reviewed.


If anyone is interested in a workaround, I added the URL to the "Exclude from Checking" list in the Web Protection section of a policy. It seems to have resolved the issue. Will remove this entry once the definitions are updated.

Edited by kingoftheworld


Issue seems to have been in signature update 16139 and is resolved with signature update 16140.

3 hours ago, mahargnz said:

Issue seems to have been in signature update 16139 and is resolved with signature update 16140.

No, the signature existed since 2011.


Hello Marcos,

Any update to this issue? We've experienced the same issues off/on for the past 15 hours now.


Hi there,

Do we have updates regarding this topic? Should it be considered a false positive?


That was fixed about 17 hours ago. Since 2011 the detection hadn't triggered false positives until recent changes in the AddThis widget script.


Hi, I use AddThis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon. My virus signature database is 16144, which I believe is the most current one, and I'm still receiving trojan messages for the code addthis_widget.js. Any prediction of when the problem will be resolved?

10 minutes ago, Ivan_Bottion said:

Hi, I use AddThis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon. My virus signature database is 16144, which I believe is the most current one, and I'm still receiving trojan messages for the code addthis_widget.js. Any prediction of when the problem will be resolved?

It was fixed 18 hours ago.

8 minutes ago, enforcer said:

Obviously not.

What exactly is detected? The signature for JS/TrojanDownloader.Pegel.BH was already removed some time ago.


We do have some machines still getting the alerts, but I am assuming that is because we have a few machines that have not been upgraded yet and are still using ESET v5 Endpoint protection. Or should the fix cover those as well?


Below is what we are essentially seeing:

2017-09-25 21:28:09;trojan;JS/TrojanDownloader.Pegel.BH;;HTTP filter;virlog.dat;file;hxxp://s7.addthis.com/js/300/addthis_widget.js;connection terminated;;1;0;DOMAIN\User1;C:\Program Files (x86)\Internet Explorer\iexplore.exe;;16139 (20170925);12FB3B97A3308B429C6EF44CB8E6A52875E7D85F

It's tapered off almost completely today, fortunately.

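Detection records like the one quoted above are what an administrator has to triage when a wave of alerts arrives. As an added example (not part of the thread or ESET's tooling), the following Python parses that semicolon-separated record layout and groups alerts by threat name so that the "many hosts, one URL, one signature version" shape of a signature false positive stands out; the field names and positions are assumptions inferred from the single record in the thread, and all records other than that one are constructed.

```python
"""Triage semicolon-separated ESET detection records to spot a false-positive
wave like the one in this thread. Added example, not ESET code: the field layout
is inferred from the one record quoted in the thread; field names are assumed."""
from collections import defaultdict

# Field positions inferred from the thread's sample record (assumption).
FIELDS = ["time", "type", "threat", "f4", "scanner", "source", "object", "url",
          "action", "f10", "f11", "f12", "user", "process", "f15", "sigdb", "sha1"]

def parse_record(line):
    parts = line.strip().split(";")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    ver, _, date = rec["sigdb"].partition(" ")   # "16139 (20170925)"
    rec["sigdb_version"] = int(ver)
    rec["sigdb_date"] = date.strip("()")
    return rec

def triage(lines, min_hosts=5):
    """Per threat name: distinct users, URLs and signature-DB versions seen.
    Many users, one URL, one signature version is the shape of a signature
    push misfiring on a widely loaded script, so flag it for review."""
    groups = defaultdict(lambda: {"users": set(), "urls": set(), "sigdb": set()})
    for line in lines:
        r = parse_record(line)
        g = groups[r["threat"]]
        g["users"].add(r["user"])
        g["urls"].add(r["url"])
        g["sigdb"].add(r["sigdb_version"])
    return {t: {"hosts": len(g["users"]), "urls": sorted(g["urls"]),
                "sigdb": sorted(g["sigdb"]),
                "probable_fp_wave": (len(g["users"]) >= min_hosts
                                     and len(g["urls"]) == 1 and len(g["sigdb"]) == 1)}
            for t, g in groups.items()}

# The record quoted in the thread, plus constructed variants for other users.
PAGE_LINE = ("2017-09-25 21:28:09;trojan;JS/TrojanDownloader.Pegel.BH;;HTTP filter;"
             "virlog.dat;file;hxxp://s7.addthis.com/js/300/addthis_widget.js;"
             "connection terminated;;1;0;DOMAIN\\User1;C:\\Program Files (x86)\\"
             "Internet Explorer\\iexplore.exe;;16139 (20170925);"
             "12FB3B97A3308B429C6EF44CB8E6A52875E7D85F")
SAMPLE = [PAGE_LINE] + [PAGE_LINE.replace("DOMAIN\\User1", "DOMAIN\\User%d" % n)
                        for n in range(2, 9)]
# Constructed control record: one host, different object, should not be flagged.
SAMPLE.append(PAGE_LINE.replace("JS/TrojanDownloader.Pegel.BH", "EXAMPLE/Placeholder.A")
              .replace("addthis_widget.js", "other_script.js"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The flag is a triage hint, not a verdict: a genuinely malicious script served from one CDN URL to many hosts would match the same shape, so the grouped output is what you hand to the vendor (or compare against the vendor's own statement, as happened in this thread) rather than grounds for an automatic exclusion.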
