Vojta

NOD32 modifies Javascript files


Hi,

I've noticed that Nod32 modifies our Javascript resources and appends some garbage characters to the end (see attached screenshot) which causes a Javascript syntax error and our web app does not start because of it. The resource could be downloaded from https://web-board.budgetbakers.com/3.board-669dedc0633412a24830.js but the link might be broken on next release so I've attached the file as well. Nod32 does not warn about some threat, if I submit the file manually it passes the test. We have also a web app on https://web.budgetbakers.com and some test environment domains but the issue is only on the production domain https://web-board.budgetbakers.com. The issue has random behavior on different releases (different Javascript bundles), sometimes it works fine, affected module changes and the garbage changes. Whitelisting our domain does not work. I have to pause Internet protection to make our web app work but it is unacceptable.

So what's wrong and how to fix it? Where could I report this?

modified_js_bundle.png

3.board-669dedc0633412a24830.js.txt


Please enable advanced protocol filtering logging in the advanced setup -> tools -> diagnostics, start logging with Wireshark, reproduce the problem, disable logging and then collect logs with ESET Log Collector.

Then disable protocol filtering, start logging with Wireshark, reproduce the same steps and then stop logging. Upload logs from each step in separate archives here.

19 hours ago, Vojta said:

but the issue is only on the production domain https://web-board.budgetbakers.com.

I can't connect to this domain in FireFox:

Eset_Secure_Connect.thumb.png.063d818a62305aeb593db75e2a5270b6.png

 


Now the web application works but the issue is visible on other resource, see attached screenshot where you can find some garbage at the end of source map request. Strange thing is that we don't have source maps on production. It might be some clue that the issue happens soon in the browser. When I try to download the resource with curl or wget the content is as expected but IE, Firefox, Chrome contains some garbage.

 

I also packed the Wireshark capture session and also found that Nod32 creates some Wireshark files. Are the Wireshark files required or is the content of C:\ProgramData\ESET\ESET Security\Diagnostics enough?

eset_nod32_sourcemaps.png

eav_logs.zip web_access_protection_disabled.zip web_access_protection_enabled.zip

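
One way to check the symptom described in the post above (curl/wget copy is clean, browser copy has trailing garbage), as an added example that is not part of the original thread: save both copies and compare them byte for byte. The function names and the sample bodies are assumptions constructed for illustration.

```python
import base64
import hashlib
import sys

# Constructed sample bodies (not the real bundle): a clean copy and a copy
# with a few junk bytes appended, mimicking the symptom described above.
REFERENCE = b"(window.webpackJsonp=window.webpackJsonp||[]).push([[3],{}]);\n"
OBSERVED = REFERENCE + b"\x00\x13\xfeQ"


def sri(body: bytes) -> str:
    """Subresource Integrity value (sha384) for a resource body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def compare_bodies(reference: bytes, observed: bytes) -> dict:
    """Classify how the browser's copy differs from the reference copy."""
    limit = min(len(reference), len(observed))
    # Offset of the first differing byte, or `limit` if one is a prefix of the other.
    prefix = next((i for i in range(limit) if reference[i] != observed[i]), limit)
    if reference == observed:
        verdict = "identical"
    elif prefix == len(reference):
        verdict = "appended"   # original intact, extra bytes after it
    elif prefix == len(observed):
        verdict = "truncated"  # browser copy ends early
    else:
        verdict = "modified"   # bytes changed inside the original range
    return {
        "verdict": verdict,
        "reference_len": len(reference),
        "observed_len": len(observed),
        "first_diff_offset": None if verdict == "identical" else prefix,
        "extra_tail": observed[prefix:] if verdict == "appended" else b"",
        "sri_match": sri(reference) == sri(observed),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py curl_copy.js browser_copy.js
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            REFERENCE, OBSERVED = f.read(), g.read()
    for key, value in compare_bodies(REFERENCE, OBSERVED).items():
        print(f"{key}: {value!r}")
```

An "appended" verdict with `first_diff_offset` equal to the reference length means the server's bytes arrived intact and something on the path added data after them; a browser enforcing an `integrity` attribute would reject such a copy on the SRI mismatch.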

I checked the provided logs for GET /6.board-5991e97616a5fcf95475.js (as indicated by the screenshot) and there is no garbage at the end in the data passed to the browser. The data have length of 18682 bytes.

Wireshark capture is sometimes needed in order to diagnose some kinds of issues. This is not the case.

2 minutes ago, itman said:

This time all I get in FireFox is a spinning circle on the displayed web page.

That's the issue, it is a consequence of the modified Javascript resource that caused a fatal error which prevents the app from starting and hiding the spinner. Also it is unfortunately the nondeterministic behavior of Nod32, it modifies the Javascript resource on one machine but it works perfectly on another. @itman please could you upload log files as requested by @Marcos? I cannot reproduce the issue on my machine now.

 

 


Below is a screen shot from FireFox. Yes, one of the scripts shows garbage characters at the end. However, the script Firefox is throwing an error on does not.

FireFox_error.thumb.png.3ec0e04fcea400262c9d274be0c5c3d5.png


Not sure if this is important and would make any difference, but there is missing charset=utf-8 in the content-type header sent by the server.

46 minutes ago, Posolsvetla said:

Not sure if this is important and would make any difference, but there is missing charset=utf-8 in the content-type header sent by the server.

I'm not sure too because this issue happens only on one domain web-board.budgetbakers.com of 5 domains we use (including test environment), the resource modified is random even if we have no new release. Also behavior is different for different users. If it were caused by missing charset or other configuration then all resources would be modified, right? We use Docker images so all servers on all our domains have the same configuration.

3 hours ago, Vojta said:

I'm not sure too because this issue happens only on one domain web-board.budgetbakers.com

This has nothing to do with Eset. I disabled Internet Security Web Access protection and received the same spinning wheel behavior.

It might be an issue with FireFox and you can contact Mozilla about that. I don't have Chrome installed, so I could not test with it.

15 minutes ago, itman said:

This has nothing to do with Eset. I disabled Internet Security Web Access protection and received the same spinning wheel behavior.

It might be an issue with FireFox and you can contact Mozilla about that. I don't have Chrome installed, so I could not test with it.

No, I'm sure that it is caused by Nod32, I have bug reports from our users and also I checked it by myself. Until I installed Nod32 everything was ok and I also made some tests with or without Web Access protection that confirmed my suspicion. The issue happens on Firefox, Chrome and IE. Nod32 is a favorite security software on Windows and we have no such report from Linux or Mac users. If it were a browser bug we would have more bug reports but we don't.

Your behavior could be the result of a cached Javascript file with that garbage. Please try it again with cache disabled.

 

Edited by Vojta

1 minute ago, Vojta said:

The issue happens on Firefox, Chrome and IE. 

I tried to access the web site: https://web-board.budgetbakers.com/ in IE11. A web page displayed stating that only FireFox and Chrome are supported.

2 minutes ago, itman said:

I tried to access the web site: https://web-board.budgetbakers.com/ in IE11. A web page displayed stating that only FireFox and Chrome are supported.

Sorry, old habit, by IE I mean Edge, IE11 is generally an unsupported browser.

12 minutes ago, Vojta said:

Your behavior could be the result of a cached Javascript file with that garbage. Please try it again with cache disabled.

OK, that worked with Eset Web Access protection disabled:

Eset_Bakers.thumb.png.080e5ce25911a1881bd84b2c6f8ee989.png


Interesting. I tried to add the URL as an Eset allowed address to Web Access scanning and it still hung up on access. Event log entries below:

Time;URL;Status;Application;User;IP address;SHA1

4/7/2020 11:45:36 AM;https://web-board.budgetbakers.com;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;2620:1ec:bdf::10;A846AB501566E41A396241BA20FF777D4AFAFA11


4/7/2020 11:45:38 AM;https://web-board.budgetbakers.com/environment.cfg;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;2620:1ec:bdf::10;A846AB501566E41A396241BA20FF777D4AFAFA11

Appears when Eset got to the environment.cfg area is where it hung. Also what the issue is lies in Eset SSL/TLS protocol scanning perhaps.


I disabled SSL/TLS protocol scanning and that is not the issue.

Whatever this issue is with Eset's Web Access processing, it appears to be unique to this web site. If it was otherwise, the forum would be full of like postings.


However if I try to access the login page directly, the below screenshot shows a certificate issue. Something doesn't look right to me here:

Bakers_Secure.thumb.png.f4c46cb9aff5f46295ef3f48135cd8d7.png


Looks like the problem has been fixed in FireFox:

Eset_FireFox.thumb.png.ca5967e12e12721cfc2e889c5c884ddc.png


Also a FYI here. My version of FireFox just recently updated to ver. 75 which confirms my suspicion that the issue was originally FireFox related. Most likely:

Quote

Firefox will locally cache all trusted Web PKI Certificate Authority certificates known to Mozilla. This will improve HTTPS compatibility with misconfigured web servers and improve security.

So if any FireFox users of Eset still have issues with your web site, tell them to upgrade FireFox.


The issue is related to Chrome as well and I reproduced the issue in Virtualbox with Nod32 trial and fresh installation of Chrome and Firefox. I see in Chrome and Firefox that the certificate is valid but it is wrong certificate.

But even in case of wrong/invalid certificate Nod32 should not silently modify resources. Nod32 should keep it as is and delegate validity check to a browser or display some warning, right?

 

Edited by Vojta


We were able to reproduce the issue and obtained the log files which confirm the bogus data are added by our product.


The extra character issue withstanding, there is something weird going on with this web site.

Prior to the latest FireFox release correcting the problem, I was logging activity on the web via Web Access allowed URL list feature. Normally I see one entry in the Web Access Event log per attempted URL access. Such is not the case with this web site. Below are the log entries created till I manually disconnected from the web site. It appears each object on this web site is set up as a separate URL entry as best as I can explain it:

Time;URL;Status;Application;User;IP address;SHA1

4/7/2020 1:39:33 PM;https://web-board.budgetbakers.com;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:33 PM;https://web-board.budgetbakers.com/board-4ef326c940f272415377.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/2.board-50eb0af0bb3895019f61.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/14.board-096f312803bc04993286.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/board-d9ddbec8016d52c7c461.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/environment.cfg;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/assets/apple-touch-icon-1024x1024.png;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:34 PM;https://web-board.budgetbakers.com/assets/favicon-32x32.png;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/7.board-a30149ad6f1fa52fc5b9.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/6.board-5991e97616a5fcf95475.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/3.board-669dedc0633412a24830.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/15.board-855c22dd6a9608507526.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/0.board-5e985e9eeb415d783dcb.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/0.board-6c40f5363ffa9c095bbd.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/1.board-c912d467d84224f020ab.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/1.board-32ed7232b4112294c17e.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/16.board-ad367b65ed0f61790092.css;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11
4/7/2020 1:39:35 PM;https://web-board.budgetbakers.com/16.board-9b39aa77b24b411f74c3.js;Allowed;C:\Program Files\Mozilla Firefox\firefox.exe;XXX\XXX;13.107.246.10;A846AB501566E41A396241BA20FF777D4AFAFA11

 

 
