Jump to content

Multiple computers reporting JS/Kryptik-BPH but 'completion dates' in the past


Recommended Posts

Posted

Merganser users this morning (we're on ESET Endpoint Security 7.2.2055.0) got pop-ups from their scanners saying that JS/Kryptik-BPH had been blocked from accessing their machines. I ordered a full scan with cleaning on all user computers and similar scans on our servers. We've had multiple users' scans complete with JS/Kryptik-BPH detections in the caches of Chrome, Edge, and the Bloomberg WebView In-Terminal Browser, but when I check these detections in the ESET Security management Center report, it shows 'scan time of completion' as a date significantly in the past- some users in January, some as far back as October. We had a module update this morning at 8:13; did something change?

 

Here's an example detection detail report:

 

File
Hash
32A785BD991C229371E76CFA904A0800FBD32E13
Name
JS/Kryptik.BPH
Uniform Resource Identifier (URI)
file:///C:/Documents and Settings/USER NAME REMOVED/AppData/Local/Google/Chrome/User Data/Default/Cache/f_0024a8
Process name
C:\Program Files\ESET\RemoteAdministrator\Agent\ERAAgent.exe
Scan
Scanner
On-demand scanner
Detection engine version
21132 (20200408)
Current engine version
21132 (20200408)
Scan targets
Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;C:\;D:\
Number of scanned items
1273902
Infected
0
Cleaned
0
Time of completion
2019 Oct 13 04:23:16
Action
cleaned by deleting
Action error
 
 
  • Administrators
Posted

The detection is being removed right now. It's an obfuscated javascript for delivering ads that was detected.

Posted

Thank you, Marcos. Does that mean the file was adware, or just that the definition was an incorrect marking? I need to pass the information to my boss.

Posted (edited)

We also just started detecting JS/Kryptik-BPH on all of our ESET Endpoint Antivirus ver 7.2.

We rolled back today's updates on a few endpoints and they stopped detecting.  We think there's a problem in today's updates causing a false positive detection of JS/Kryptik-BPH.

We contacted ESET Support but haven't heard any confirmation of the problem to when to expect updates.

Edited by MichaelCain
Posted

Thank you Marcos,

We are being flooded by JS/Kryptik-BPH right now. Do you suggest we roll back all clients from ESMC or push a new detection update ? Has it been corrected yet ?  

  • Administrators
Posted

It's already fixed with the Rapid response module 16043 / 16043P:

image.png

Posted

@Marcos :

Would the command "update definitions" from EMSC work with the Rapid Response module. ?

  • Administrators
Posted
31 minutes ago, Novacom said:

@Marcos :

Would the command "update definitions" from EMSC work with the Rapid Response module. ?

It would. However, since more than an hour has passed since the release, products should have already updated modules automatically.

Posted

Same issue on all my clients.  But the new definitions seems to have fixed it. Thanks.

 

RE: Eset NOD32 13.1.21

All of a sudden, ALL my clients are all getting these alerts from visiting sites like nbc or nypost.  Please Fix ASAP!  Thank You.

Examples:

4/8/2020 11:09:11 AM - Module JavaScript scanner - Threat Alert triggered on GREG computer GREG:  <https://tagan.adlightning.com/nbc/blacklist_script.js> contains JS/Kryptik.BPH trojan.
4/8/2020 10:57:10 AM - Module JavaScript scanner - Threat Alert triggered on computer JOHN:  https://tagan.adlightning.com/nc-nypost/op.js contains JS/Kryptik.BPH trojan.

Posted

Marco, thanks for the updates.

Detection engine 21133 is fixing the issue for us as well.

  • Administrators
Posted
Just now, MichaelCain said:

Detection engine 21133 is fixing the issue for us as well.

To me it looks like that the engine update 21133 should not fix it. However, the Rapid response module 16043 does.

Posted
21 minutes ago, Marcos said:

To me it looks like that the engine update 21133 should not fix it. However, the Rapid response module 16043 does.

Is there a report or dashboard in Security Management Center that will show me the rapid response module version?

I can only find reporting on the detection engine version.

Posted

To clarify - do we need the 16043P module?  Our endpoints are not getting the P version but are getting the 16043.  Thanks.

  • Administrators
Posted
21 minutes ago, bpainter said:

To clarify - do we need the 16043P module?  Our endpoints are not getting the P version but are getting the 16043.  Thanks.

No. Modules with "P" are on the pre-release update channel.

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...