Eset Not Detecting Test Coin Miner

[itman 1,659]

http://malware.wicar.org/data/js_crypto_miner.html

This one actually does coin mining.

Also doesn't look good that SmartScreen detected it. At least now I can say I found something that SmartScreen detects that Eset doesn't.?

Edited July 27, 2018 by itman

[Marcos 5,070]

I'm getting an alert:

https://coinhive.com/lib/coinhive.min.js;JS/CoinMiner.D potentially unwanted application;blocked

[itman 1,659]

Just to be sure, I disabled SmartScreen in Edge and still no alert from Eset. Sure the same will happen in IE11. Eset always alerts prior to SmartScreen.

Running EIS ver. 11.2.42 with default settings as far as Internet Protection goes.

[itman 1,659]

Also, don't believe this is Coin Hive based since I have the following in an Eset URL block list and those didn't trigger either:

*.coinhive.com/*
*.coin-hive.com/*

[Marcos 5,070]

Not sure what the problem could be. No problems here:

[itman 1,659]

I don't get it either. Below is the code it is executing. The block list should have detected it regardless:

Quote

 

<html>
<script src="https://coinhive.com/lib/coinhive.min.js">
    </script><script>var miner = new CoinHive.Anonymous('VrqhGymiL9VzA7DO9YcZNzOVyNkY6tVS',       {throttle: 0.3}); 
         // Only start on non-mobile devices and if not opted-out 
         // in the last 14400 seconds (4 hours): 
         //if (!miner.isMobile() && !miner.didOptOut(14400))  {   miner.start();

         //}

</script>

</html>

 

If I click on the coinhive link, the block list detects it.

And all PUA detection settings are enabled.

Edited July 27, 2018 by itman

[itman 1,659]

@Marcos, it gets weirder.

I am using Easylist Privacy tpl in IE11. Additional in Edge, I am using AdGuard extension with both Easylist Privacy and NoCoin lists. All these will detect Coinhive. None of them triggered in this Wicar.org coin miner test.  

So I went to the AMTSO Desktop Test site and ran the PUA test. Eset performed as expected and alerted on PUA detection. So at this point, I am at a loss as to why this is happening.

Also I am running on Win 10 x(64) 1803.

Looks like Wicar.org copied the code straight from here: https://medium.com/@bitcoinloverr/100-latest-coinhive-javascript-mining-trick-monero-b525f38ce545

[0xDEADBEEF 43]

Mine detects it, but I have to disable my adblock plugin to see ESET's prompt because my adblock will block the mining script before ESET kicks in.

[itman 1,659]

- Posting edited to reflect what the issue really was -

Indeed, further testing confirmed tracking protection lists used in Edge and IE11 were intercepting and blocking the connection to coinhive.com prior to Eset having a chance to do likewise. 

As far as the SmartScreen alert, it is a bogus one as most browser based SmartScreen alerts are. All SmartScreen is blocking is access to the wicar.org coin miner test web site; not any actual coin mining activity occurring there.

Edited July 29, 2018 by itman

[itman 1,659]

Will also add that I found an obscure European coinhive test web site that SmartScreen does not detects to test Eset's coin miner protection. 

 

Edited July 29, 2018 by itman