Vojta 0 Posted April 2, 2020 Share Posted April 2, 2020 Hi, I've noticed that Nod32 modifies our Javascript resources and appends some garbage characters to the end (see attached screenshot) which causes Javascript syntax error and our web app does not start because of it. The resource could be downloaded from https://web-board.budgetbakers.com/3.board-669dedc0633412a24830.js but the link might be broken on next release so I've attached the file as well. Nod32 does not warn about some threat, if I submit the file manually it passeess the test. We have also web app on https://web.budgetbakers.com and some test environment domains but the issue is only on the production domain https://web-board.budgetbakers.com. The issue has random behavior on different releases (different Javascript bundles), sometimes it works fine, affected module changes and the garbage changes. Whitelisting our domain does not work. I have to pause Internet protection to make our web app work but it is unacceptable. So what's wrong and how to fix it? Where could I report this? 3.board-669dedc0633412a24830.js.txt Link to comment Share on other sites More sharing options...
Administrators Marcos 5,070 Posted April 3, 2020 Administrators Share Posted April 3, 2020 Please enable advanced protocol filtering logging in the advanced setup -> tools -> diagnostics, start logging with Wireshark, reproduce the problem, disable logging and then collect logs with ESET Log Collector. Then disable protocol filtering, start logging with Wireshark, reproduce the same steps and then stop logging. Upload logs from each step in separate archives here. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 3, 2020 Share Posted April 3, 2020 19 hours ago, Vojta said: but the issue is only on the production domain https://web-board.budgetbakers.com. I can't connect to this domain in FireFox: Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 6, 2020 Author Share Posted April 6, 2020 On 4/3/2020 at 9:03 PM, itman said: I can't connect to this domain in FireFox: extra dot at the end? try https://web-board.budgetbakers.com Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 6, 2020 Author Share Posted April 6, 2020 Now the web application works but the issue is visible on other resource, see attached screenshot where you can find some garbage at the end of source map request. Strange thing is that we don't have source maps on production. It might be some clue that the issue happens soon in the browser. When I try to download the resource with curl or wget the content is as expected but IE, Firefox, Chrome contains some garbage. I also packed Wireshark capture session and also found that Nod32 creates some Wireshark files. Is Wireshark files required or content of C:\ProgramData\ESET\ESET Security\Diagnostics is enough? eav_logs.zip web_access_protection_disabled.zip web_access_protection_enabled.zip Link to comment Share on other sites More sharing options...
ESET Staff Posolsvetla 15 Posted April 6, 2020 ESET Staff Share Posted April 6, 2020 I checked the provided logs for GET /6.board-5991e97616a5fcf95475.js (as indicated by the screenshot) and there is no garbage at the end in the data passed to the browser. The data have length of 18682 bytes. Wireshark capture is sometimes needed in order to diagnose some kinds of issues. This is not the case. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 6, 2020 Share Posted April 6, 2020 12 hours ago, Vojta said: extra dot at the end? try https://web-board.budgetbakers.com This time all I get in FireFox is a spinning circle on the displayed web page. Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 6, 2020 Author Share Posted April 6, 2020 2 minutes ago, itman said: This time all I get in FireFox is a spinning circle on the displayed web page. That's the issue, it is consequence of modified Javascript resource that caused fatal error which prevents app to start and hide the spinner. Also it is unfortunatelly the nondeterministic behavior of Nod32, it modifies Javascript resource on one machine but it works perfectly on another. @itman please could you upload log files as requested by @Marcos? I cannot reproduce the issue on my machne now. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 6, 2020 Share Posted April 6, 2020 Below is a screen shot from FireFox. Yes, one of the scripts shows garbage characters at the end. However, the script Firefox is throwing an error on does not. Link to comment Share on other sites More sharing options...
ESET Staff Posolsvetla 15 Posted April 7, 2020 ESET Staff Share Posted April 7, 2020 Not sure if this is important and would make any difference, but there is missing charset=utf-8 in the content-type header sent by the server. Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 7, 2020 Author Share Posted April 7, 2020 46 minutes ago, Posolsvetla said: Not sure if this is important and would make any difference, but there is missing charset=utf-8 in the content-type header sent by the server. I'm not sure too because this issue happens only on one domain web-board.budgetbakers.com of 5 domains we use (including test environment), the resource modified is random even if we have no new release. Also behavior is different for different users. If it were caused by missing charset or other configuration then all resources would be modified, right? We use Docker images so all servers on all our domains have the same configuration. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 3 hours ago, Vojta said: I'm not sure too because this issue happens only on one domain web-board.budgetbakers.com This has nothing to do with Eset. I disabled Internet Security Web Access protection and received the same spinning wheel behavior. It might be an Issue with FireFox and you can contact Mozilla about that. I don't have Chrome installed, so I could not not test with it. Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 7, 2020 Author Share Posted April 7, 2020 (edited) 15 minutes ago, itman said: This has nothing to do with Eset. I disabled Internet Security Web Access protection and received the same spinning wheel behavior. It might be an Issue with FireFox and you can contact Mozilla about that. I don't have Chrome installed, so I could not not test with it. No, I'm sure that it it caused by Nod32, I have bug reports from our users and also I checked it by myself. Until I installed Nod32 then everything was ok and I also made some tests with or without Web Access protection that confirmed my suspicion. The issue happens on Firefox, Chrome and IE. Nod32 is favorite security software on Windows and we have no such report from Linux or Mac users. If it were browser bug we had more bug reports but we don't. Your behavior could be result of cached Javascript file with that garbage. Plese try it again with cache disabled. Edited April 7, 2020 by Vojta Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 1 minute ago, Vojta said: The issue happens on Firefox, Chrome and IE. I tried to access the web site: https://web-board.budgetbakers.com/ in IE11. A web page displayed stating that only FireFox and Chrome are supported. Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 7, 2020 Author Share Posted April 7, 2020 2 minutes ago, itman said: I tried to access the web site: https://web-board.budgetbakers.com/ in IE11. A web page displayed stating that only FireFox and Chrome are supported. Sorry, old habbit, by IE I mean Edge, IE11 is generally unsupported browser. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 12 minutes ago, Vojta said: Your behavior could be result of cached Javascript file with that garbage. Plese try it again with cache disabled. OK, that worked with Eset Web Access protection disabled: Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 Interesting. I tried to add the URL as an Eset allowed address to Web Access scanning and it still hung up on access. Event log entries below: Time;URL;Status;Application;User;IP address;SHA1 4/7/2020 11:45:36 AM;https://web-board.budgetbakers.com;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;2620:1ec:bdf::10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 11:45:38 AM;https://web-board.budgetbakers.com/environment.cfg;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;2620:1ec:bdf::10;A846AB501566E41A396241BA20FF777D4AFAFA11 Appears when Eset got to the environment.cfg area is where it hung. Also what the issue is lies in Eset SSL/TLS protocol scanning perhaps. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 I disabled SSL/TLS protocol scanning and that is not the issue. Whatever this issue is with Eset's Web Access processing, it appears to be unique to this web site. If it was otherwise, the forum would be full of like postings. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 However if I try to access the login page directly, the below screenshot shows a certificate issue. Something doesn't look right to me here: Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 The problem is with FireFox. I can access https://web-board.budgetbakers.com/login in Edge w/o issue per the below screen shot with Eset Web Access options fully enabled. Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 Looks like the problem has been fixed in FireFox: Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 7, 2020 Share Posted April 7, 2020 Also a FYI here. My version of FireFox just recently updated to ver. 75 which confirms my suspicion that the issue was originally FireFox related. Most likely: Quote Firefox will locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers and improve security. So if any FireFox users of Eset still have issues with your web site, tell them to upgrade FireFox. Link to comment Share on other sites More sharing options...
Vojta 0 Posted April 7, 2020 Author Share Posted April 7, 2020 (edited) The issue is related to Chrome as well and I reproduced the issue in Virtualbox with Nod32 trial and fresh installation of Chrome and Firefox. I see in Chrome and Firefox that the certificate is valid but it is wrong certificate. But even in case of wrong/invalid certificate Nod32 should not silently modify resources. Nod32 should keep it as is and delegate validity check to a browser or display some warning, right? Edited April 8, 2020 by Vojta Link to comment Share on other sites More sharing options...
ESET Staff Posolsvetla 15 Posted April 8, 2020 ESET Staff Share Posted April 8, 2020 We were able to reproduce the issue and obtained the log files which confirm the bogus data are added by our product. Vojta 1 Link to comment Share on other sites More sharing options...
itman 1,659 Posted April 8, 2020 Share Posted April 8, 2020 The extra character issue withstanding, there is something weird going on with this web site. Prior to the latest FireFox release correcting the problem, I was logging activity on the web via Web Access allowed URL list feature. Normally I see one entry in the Web Access Event log per attempted URL access. Such is not the case with this web site. Below are the log entries created till I manually disconnected from the web site. It appears each object on this web site is set up as a separate URL entry as best as I can explain it: Time;URL;Status;Application;User;IP address;SHA1 4/7/2020 1:39:33 PM;https://web-board.budgetbakers.com;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:33 PM;https://web-board.budgetbakers.com/board-4ef326c940f272415377.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/2.board-50eb0af0bb3895019f61.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/14.board-096f312803bc04993286.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/board-d9ddbec8016d52c7c461.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/environment.cfg;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/assets/apple-touch-icon-1024x1024.png;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/assets/favicon-32x32.png;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/7.board-a30149ad6f1fa52fc5b9.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/6.board-5991e97616a5fcf95475.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/3.board-669dedc0633412a24830.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/15.board-855c22dd6a9608507526.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/0.board-5e985e9eeb415d783dcb.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/0.board-6c40f5363ffa9c095bbd.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/1.board-c912d467d84224f020ab.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/1.board-32ed7232b4112294c17e.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/16.board-ad367b65ed0f61790092.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/16.board-9b39aa77b24b411f74c3.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11 Link to comment Share on other sites More sharing options...
Recommended Posts