JS/Adware.Agent.AF application

[DaveB-Opt 0]

We're trying to test a website for a client of ours but we're getting the following block message from ESET. We've contacted the client and they've confirmed no malicious JS on the website. What can we do in this instance? I don't want to whitelist if it is malicious, but it's holding up production. I can provide links if required.

Edited May 1, 2019 by DaveB-Opt
spelling

[Marcos 5,070]

Please post the url which is detected in an obfuscated form so that the link is non-clickable.

[DaveB-Opt 0]

27 minutes ago, Marcos said:

Please post the url which is detected in an obfuscated form so that the link is non-clickable.

https   zonestor dot com fec9c24dca291d2000/adv12628/test/link

Edited May 1, 2019 by DaveB-Opt

[Nightowl 202]

According to VirusTotal , the URL scanned is marked malicious by CRDF only.

[DaveB-Opt 0]

Ok so that zonestor URL redirects to a.net-dag34.stream - which appears to be the malicious url

It redirects to

a.net-dag34.stream     /iwxb/rimnc/index-en-c-xs.html?td=www.watervilleireland.com&browser=Chrome&country=United%20Kingdom&city=Islington&os=Windows&pr=$999&yp=$1&cep=aZSUB41JfS1fP6UO41IiKF9rubuwVLziFs1m2U8_gN0JnFBE2VtEOExzRbMVub1gZo_xS6A18PxQifQHCZdZTJ6qB18tVidF9aIdIdiSOdCPhRE4kDFZ1njq5aGgkwWzExqb5bFnnILAedgwek7vG8iPQtmzzY_RYdiY2tBkH8o_JqBHah2OtLoC2LV4inGhlWMfa1UHmmezP1ZxkknPVYSmLcIxfGkqCqBGL1cgMGI&4=&3=&5=&6=&7=&8=470001&2=&1=824532983&s1=470001&s0=824532983# 

Edited May 1, 2019 by DaveB-Opt

[Nightowl 202]

It might be some kind of ad in the website that redirects to that url , or the page is infected with malicious code.

[DaveB-Opt 0]

Ok so what do we do in this instance? 

The choices are effectively:

1. Allow the URL and hope for the best

2. Tell our client they are malicious and lose business

Thanks

[Nightowl 202]

9 minutes ago, DaveB-Opt said:

Ok so what do we do in this instance? 

The choices are effectively:

1. Allow the URL and hope for the best

2. Tell our client they are malicious and lose business

Thanks

You shouldn't allow the URL because it might infect your machines or cause some damage to you incase ESET didn't detect it , you shouldn't turn off the protection , it's trying to protect you from malicious codes

You should inform the people who are responsible for this website that their website redirects to a malicious website.

[DaveB-Opt 0]

4 minutes ago, Rami said:

You shouldn't allow the URL because it might infect your machines or cause some damage to you incase ESET didn't detect it , you shouldn't turn off the protection , it's trying to protect you from malicious codes

You should inform the people who are responsible for this website that their website redirects to a malicious website.

Thanks Rami - thought I would double check

[Nightowl 202]

7 minutes ago, DaveB-Opt said:

Thanks Rami - thought I would double check

You are welcome