addthis_widget.js alert spam

[jtown82 1]

All the sudden our ERA is spamming alerts for addthis_widget.js  and flagging it as JS/TrojanDownloader.Pegel.BH.  literally 20-30 different computers at the same time.  Not sure if this is legit or if another bad push of definitions went out and its false positives. Anyone else all the sudden getting these alerts?

 

AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js

er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js

 

[kingoftheworld 10]

2 minutes ago, jtown82 said:

All the sudden our ERA is spamming alerts for addthis_widget.js  and flagging it as JS/TrojanDownloader.Pegel.BH.  literally 20-30 different computers at the same time.  Not sure if this is legit or if another bad push of definitions went out and its false positives. Anyone else all the sudden getting these alerts?

 

AppData/Local/Microsoft/Windows/INetCache/Low/IE/EZ3ZKCGG/addthis_widget[1].js

er/AppData/Local/Microsoft/Windows/Temporary Internet Files/Low/Content.IE5/W5TI9TST/addthis_widget[3].js

 

Experiencing the same here 

[gerdawg 1]

Same here - About 50+ computers.

[Marcos 5,074]

The detection is from 2011. Something must have changed in the script that made it detected.

[shaggy90 0]

Yep getting the same thing over here too

[rockshox 5]

Same here, dozen computers so far. It looks like the addthis.com is owned by Oracle.

[jtown82 1]

Marcos do you know if a hotfix or something is being worked on?

[Marcos 5,074]

We will temporarily remove the detection soon until we investigate what code has started to trigger this old detection.

[esetdan 0]

ESET does have the roll back feature you can implement as a task in ERA

https://support.eset.com/kb3676/?locale=en_US

 

Edited September 25, 2017 by esetdan

[Mez 0]

Maybe issue is due to mixed content (http on https pages)  by addthis. See attached image from Chrome Developer Console.

 

Edited September 25, 2017 by Mez

[somatoform 0]

Happening on our network too. Our organization's website uses AddThis to provide social sharing icons, which appear to be working just fine. 

Sophos Endpoint isn't triggering it. YMMV.

[Marcos 5,074]

51 minutes ago, esetdan said:

ESET does have the roll back feature you can implement as a task in ERA

https://support.eset.com/kb3676/?locale=en_US

 

That won't help in this case because the detection is not recent but it was made in 2011. Anyways, we've temporarily removed the detection while the script is being reviewed.

[kingoftheworld 10]

If anyone is interested in a work around, I added the URL to the "Exclude from Checking" in the Web Protection section of a policy.  It seems have resolved the issue.  Will remove this entry once the definitions are updated.

Edited September 25, 2017 by kingoftheworld

[mahargnz 0]

Issue seems to have been in signature update 16139 and is resolved with signature update 16140.

[Tdub 0]

Getting the same here as well

[Marcos 5,074]

3 hours ago, mahargnz said:

Issue seems to have been in signature update 16139 and is resolved with signature update 16140.

No, the signature existed since 2011.

[K-Dub 0]

Hello Marcos,

Any update to this issue? We've experienced the same issues off/on for the past 15 hours now.

[CCross 0]

Hi there,

Do we have updates regarding this topic? Should it be considered a false positive?

[Marcos 5,074]

That was fixed about 17 hours ago. Since 2011, the detection hadn't triggered false positives only until recent changes in the AddThis widget script.

[Ivan_Bottion 0]

Hi, I use addthis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon, my virus signature database is 16144, I believe than the most current one, and I'm still receiving trojan messages in the code addthis_widget.js, any prediction of when will the problem be resolved?

[Marcos 5,074]

10 minutes ago, Ivan_Bottion said:

Hi, I use addthis on my site and my ESET has reported the presence of the Trojan horse as reported by others, so I understand it is a false positive that will be fixed soon, my virus signature database is 16144, I believe than the most current one, and I'm still receiving trojan messages in the code addthis_widget.js, any prediction of when will the problem be resolved?

It was fixed 18 hours ago.

[enforcer 0]

1 hour ago, Marcos said:

It was fixed 18 hours ago.

Obviously not.

[Marcos 5,074]

8 minutes ago, enforcer said:

Obviously not.

What exactly is detected? The signature for JS/TrojanDownloader.Pegel.BH was already removed some time ago.

[jtown82 1]

We do have some machines still getting the alerts but I am assuming that is because we have a few machines that have not been upgraded yet and are still using eset V5 endpoint protection.  Or should the fix cover those aswell?

 

[K-Dub 0]

Below, is what we are essentially seeing:

2017-09-25 21:28:09;trojan;JS/TrojanDownloader.Pegel.BH;;HTTP filter;virlog.dat;file;hxxp://s7.addthis.com/js/300/addthis_widget.js;connection terminated;;1;0;DOMAIN\User1;C:\Program Files (x86)\Internet Explorer\iexplore.exe;;16139 (20170925);12FB3B97A3308B429C6EF44CB8E6A52875E7D85F

Its tapered off almost completely today, fortunately.