cmit

JS/Mindspark.E (still need proper solution)


Still has this issue even with ESET v7 on multiple domain computers. Can't waste time one-by-one checking Chrome on affected domain computers.
Already checked this thread (https://forum.eset.com/topic/13073-jsmindsparke/) but could ESET experts kindly help ESET customers to talk to Google how to properly resolve this?

Also, is it always only from Google Chrome or could also be from somewhere else?

7 minutes ago, Marcos said:

Please refer to https://support.eset.com/kb6551/. It is important to disable syncing of extensions to stop PUA extensions from being synced and detected again.

Checked manually and found out one of our domain computers (Win 7 x64) does not have Google Chrome installed nor Firefox. Only Internet Explorer as the web browser.
This 'disable syncing' "solution" does not apply if no Chrome installed, right?

2 minutes ago, cmit said:

Checked manually and found out one of our domain computers (Win 7 x64) does not have Google Chrome installed nor Firefox. Only Internet Explorer as the web browser.
This 'disable syncing' "solution" does not apply if no Chrome installed, right?

If running a full disk scan with strict cleaning doesn't remove the PUA, please gather logs with ESET Log Collector and upload the generated archive here.

1 hour ago, Marcos said:

If running a full disk scan with strict cleaning doesn't remove the PUA, please gather logs with ESET Log Collector and upload the generated archive here.

Attached screenshot and checked the directory. ESET does remove it (from real-time), but the same issue re-occurred again on and off multiple times.

What am I missing?

mindspark cleaned.jpg

13 hours ago, galaxy said:

It happened on multiple domain computers (Win7 x64). Not always on the same PC. Sometimes same PC has same issue multiple times on and off, sometimes happened on different computer(s).
So far the applications (Process Name) that cause this behavior are Google Chrome and Firefox.

Edited by cmit


I don't know what version of Chrome you are using. But the current versions with sandboxing configured, I thought were supposed to prevent something like a .js script being dropped into %LocalAppData%\Temp folder.

4 minutes ago, itman said:

I don't know what version of Chrome you are using. But the current versions with sandboxing configured, I thought were supposed to prevent something like a .js script being dropped into %LocalAppData%\Temp folder.

Latest version (updated automatically).

What about Firefox?

1 hour ago, cmit said:

Latest version (updated automatically).

What about Firefox?

According to this: https://superuser.com/questions/1309249/is-firefox-really-that-insecure-for-not-having-sandbox-like-chrome , Firefox also has a sandbox.

Since you're using ESET Endpoint, I believe it supports wildcards in file names for the HIPS. Create a HIPS ask or block rule that will monitor anything written to %LocalAppUser%\Temp\*\*.js. Note that I believe you will have to specify the full user path name. Don't know if ESET supports the %% notation in a HIPS rule. Also, if you create a block rule, make sure you specify that logging is enabled and set it to "warning." This will ensure it's written to the event log. This will at least point you to the source process that is creating the *.js script in the Temp directory.

Edited by itman
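
The goal of the HIPS rule suggested above (finding which process writes a *.js file under the user's Temp directory) can also be reached from Sysmon file-creation events. This is an added example, not part of the original thread and not an ESET feature; it assumes Sysmon is installed with FileCreate (Event ID 11) logging enabled, and the function name, user name, folder names and sample events are constructed for illustration.

```powershell
# Added example, not from the thread. Assumes Sysmon is installed and its
# configuration logs FileCreate (Event ID 11). Sample events are constructed.

# Same shape as the path in the post: <profile>\AppData\Local\Temp\<folder>\<name>.js
$TempJsPattern = '^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\\[^\\]+\.js$'

function Get-TempJsWriter {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        # Flatten <Data Name="...">value</Data> into a lookup table
        $fields = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
        # -match is case-insensitive, which suits Windows paths
        if ($fields['TargetFilename'] -match $TempJsPattern) {
            New-Object PSObject -Property @{
                UtcTime   = $fields['UtcTime']
                Image     = $fields['Image']          # process that wrote the file
                ProcessId = $fields['ProcessId']
                File      = $fields['TargetFilename']
            }
        }
    }
}

# Constructed event that matches the pattern
$hit = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="UtcTime">2019-01-01 08:00:00.000</Data>
<Data Name="ProcessId">4242</Data>
<Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\AppData\Local\Temp\example_dir\content.js</Data>
</EventData></Event>
'@
# Constructed event that must be ignored (.tmp file directly in Temp)
$miss = $hit -replace 'example_dir\\content\.js', 'setup.tmp'

# Tally matching file writes per source process
$hit, $miss | Get-TempJsWriter | Group-Object Image | Select-Object Count, Name

# Live use on a host (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=11} |
#   ForEach-Object { $_.ToXml() } | Get-TempJsWriter | Group-Object Image
```

Get-WinEvent also accepts -ComputerName, so the same pipeline can be pointed at each affected domain computer instead of checking them by hand.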

