Multiple computers reporting JS/Kryptik-BPH but 'completion dates' in the past

JxMcGeary · April 8, 2020

Merganser users this morning (we're on ESET Endpoint Security 7.2.2055.0) got pop-ups from their scanners saying that JS/Kryptik-BPH had been blocked from accessing their machines. I ordered a full scan with cleaning on all user computers and similar scans on our servers. We've had multiple users' scans complete with JS/Kryptik-BPH detections in the caches of Chrome, Edge, and the Bloomberg WebView In-Terminal Browser, but when I check these detections in the ESET Security management Center report, it shows 'scan time of completion' as a date significantly in the past- some users in January, some as far back as October. We had a module update this morning at 8:13; did something change?

Here's an example detection detail report:

File

Hash

32A785BD991C229371E76CFA904A0800FBD32E13

Name

JS/Kryptik.BPH

Uniform Resource Identifier (URI)

file:///C:/Documents and Settings/USER NAME REMOVED/AppData/Local/Google/Chrome/User Data/Default/Cache/f_0024a8

Process name

C:\Program Files\ESET\RemoteAdministrator\Agent\ERAAgent.exe

Scan

Scanner

On-demand scanner

Detection engine version

21132 (20200408)

Current engine version

21132 (20200408)

Scan targets

Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;C:\;D:\

Number of scanned items

1273902

Infected

0

Cleaned

0

Time of completion

2019 Oct 13 04:23:16

Action

cleaned by deleting

Action error

Marcos · April 8, 2020

The detection is being removed right now. It's an obfuscated javascript for delivering ads that was detected.

JxMcGeary · April 8, 2020

Thank you, Marcos. Does that mean the file was adware, or just that the definition was an incorrect marking? I need to pass the information to my boss.

MichaelCain · April 8, 2020

We also just started detecting JS/Kryptik-BPH on all of our ESET Endpoint Antivirus ver 7.2.

We rolled back today's updates on a few endpoints and they stopped detecting. We think there's a problem in today's updates causing a false positive detection of JS/Kryptik-BPH.

We contacted ESET Support but haven't heard any confirmation of the problem to when to expect updates.

Edited April 8, 2020 by MichaelCain

Novacom · April 8, 2020

Thank you Marcos,

We are being flooded by JS/Kryptik-BPH right now. Do you suggest we roll back all clients from ESMC or push a new detection update ? Has it been corrected yet ?

Matt14 · April 8, 2020

We are seeing the same behavior.

Marcos · April 8, 2020

It's already fixed with the Rapid response module 16043 / 16043P:

JxMcGeary · April 8, 2020

Thank you.

Novacom · April 8, 2020

@Marcos :

Would the command "update definitions" from EMSC work with the Rapid Response module. ?

Marcos · April 8, 2020

31 minutes ago, Novacom said:

@Marcos :

Would the command "update definitions" from EMSC work with the Rapid Response module. ?

It would. However, since more than an hour has passed since the release, products should have already updated modules automatically.

MarcFL · April 8, 2020

Same issue on all my clients. But the new definitions seems to have fixed it. Thanks.

RE: Eset NOD32 13.1.21

All of a sudden, ALL my clients are all getting these alerts from visiting sites like nbc or nypost. Please Fix ASAP! Thank You.

Examples:

4/8/2020 11:09:11 AM - Module JavaScript scanner - Threat Alert triggered on GREG computer GREG: <https://tagan.adlightning.com/nbc/blacklist_script.js> contains JS/Kryptik.BPH trojan.
4/8/2020 10:57:10 AM - Module JavaScript scanner - Threat Alert triggered on computer JOHN: https://tagan.adlightning.com/nc-nypost/op.js contains JS/Kryptik.BPH trojan.

MichaelCain · April 8, 2020

Marco, thanks for the updates.

Detection engine 21133 is fixing the issue for us as well.

Marcos · April 8, 2020

Just now, MichaelCain said:

Detection engine 21133 is fixing the issue for us as well.

To me it looks like that the engine update 21133 should not fix it. However, the Rapid response module 16043 does.

MichaelCain · April 8, 2020

21 minutes ago, Marcos said:

To me it looks like that the engine update 21133 should not fix it. However, the Rapid response module 16043 does.

Is there a report or dashboard in Security Management Center that will show me the rapid response module version?

I can only find reporting on the detection engine version.

bpainter · April 8, 2020

To clarify - do we need the 16043P module? Our endpoints are not getting the P version but are getting the 16043. Thanks.

Marcos · April 8, 2020

21 minutes ago, bpainter said:

To clarify - do we need the 16043P module? Our endpoints are not getting the P version but are getting the 16043. Thanks.

No. Modules with "P" are on the pre-release update channel.

Sign In

Multiple computers reporting JS/Kryptik-BPH but 'completion dates' in the past

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics