JxMcGeary (0), posted April 8, 2020

Merganser users this morning (we're on ESET Endpoint Security 7.2.2055.0) got pop-ups from their scanners saying that JS/Kryptik-BPH had been blocked from accessing their machines. I ordered a full scan with cleaning on all user computers and similar scans on our servers. We've had multiple users' scans complete with JS/Kryptik-BPH detections in the caches of Chrome, Edge, and the Bloomberg WebView In-Terminal Browser, but when I check these detections in the ESET Security Management Center report, it shows 'scan time of completion' as a date significantly in the past: some users in January, some as far back as October. We had a module update this morning at 8:13; did something change?

Here's an example detection detail report:

File Hash: 32A785BD991C229371E76CFA904A0800FBD32E13
Name: JS/Kryptik.BPH
Uniform Resource Identifier (URI): file:///C:/Documents and Settings/USER NAME REMOVED/AppData/Local/Google/Chrome/User Data/Default/Cache/f_0024a8
Process name: C:\Program Files\ESET\RemoteAdministrator\Agent\ERAAgent.exe
Scan
Scanner: On-demand scanner
Detection engine version: 21132 (20200408)
Current engine version: 21132 (20200408)
Scan targets: Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;C:\;D:\
Number of scanned items: 1273902
Infected: 0
Cleaned: 0
Time of completion: 2019 Oct 13 04:23:16
Action: cleaned by deleting
Action error:
Marcos (Administrator, 5,468), posted April 8, 2020

The detection is being removed right now. It's an obfuscated JavaScript for delivering ads that was detected.
JxMcGeary (0, author), posted April 8, 2020

Thank you, Marcos. Does that mean the file was adware, or just that the definition was an incorrect marking? I need to pass the information to my boss.
MichaelCain (0), posted April 8, 2020 (edited)

We also just started detecting JS/Kryptik-BPH on all of our ESET Endpoint Antivirus ver 7.2. We rolled back today's updates on a few endpoints and they stopped detecting. We think there's a problem in today's updates causing a false positive detection of JS/Kryptik-BPH. We contacted ESET Support but haven't heard any confirmation of the problem or when to expect updates.

Edited April 8, 2020 by MichaelCain
Novacom (0), posted April 8, 2020

Thank you Marcos. We are being flooded by JS/Kryptik-BPH right now. Do you suggest we roll back all clients from ESMC or push a new detection update? Has it been corrected yet?
Marcos (Administrator, 5,468), posted April 8, 2020

It's already fixed with the Rapid Response module 16043 / 16043P.
Novacom (0), posted April 8, 2020

@Marcos: Would the command "update definitions" from ESMC work with the Rapid Response module?
Marcos (Administrator, 5,468), posted April 8, 2020

31 minutes ago, Novacom said:
"@Marcos: Would the command "update definitions" from ESMC work with the Rapid Response module?"

It would. However, since more than an hour has passed since the release, products should have already updated modules automatically.
MarcFL (33), posted April 8, 2020

Same issue on all my clients. But the new definitions seem to have fixed it. Thanks.

RE: Eset NOD32 13.1.21

All of a sudden, ALL my clients are getting these alerts from visiting sites like nbc or nypost. Please fix ASAP! Thank you.

Examples:

4/8/2020 11:09:11 AM - Module JavaScript scanner - Threat Alert triggered on GREG computer GREG: <https://tagan.adlightning.com/nbc/blacklist_script.js> contains JS/Kryptik.BPH trojan.
4/8/2020 10:57:10 AM - Module JavaScript scanner - Threat Alert triggered on computer JOHN: https://tagan.adlightning.com/nc-nypost/op.js contains JS/Kryptik.BPH trojan.
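As an added example (not part of this thread and not ESET's own tooling), here is a small Python triage script for the situation described above: it parses threat-alert lines in the format MarcFL quoted, groups them by detection name, and flags a detection that suddenly fires on many distinct hosts within a short window as one to verify against the vendor's module release before it is escalated as a real outbreak. The host names other than the two quoted in the thread, the example.test URL, and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Matches "Threat Alert" lines in the format quoted in the thread above:
# timestamp, scanner module, host name, URI, detection name, detection kind.
# An optional token before "computer" absorbs the "GREG computer GREG" variant.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - "
    r"Module (?P<module>.+?) - Threat Alert triggered on (?:\S+ )?computer "
    r"(?P<host>\S+): <?(?P<uri>\S+?)>? contains (?P<name>\S+) (?P<kind>\w+)\.$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["domain"] = urlparse(rec["uri"]).netloc
    return rec


def summarize(lines, host_threshold=3, window=timedelta(hours=1)):
    """Group alerts by detection name and flag fleet-wide bursts.

    A detection seen on at least `host_threshold` distinct hosts within
    `window` is flagged so an analyst checks it against the vendor's module
    release (or a rollback test on one endpoint) before treating it as an
    outbreak. The thresholds are assumptions chosen for this example.
    """
    groups = defaultdict(lambda: {"hosts": set(), "domains": set(), "times": []})
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue  # skip non-alert lines rather than failing the whole run
        g = groups[rec["name"]]
        g["hosts"].add(rec["host"])
        g["domains"].add(rec["domain"])
        g["times"].append(rec["ts"])

    report = {}
    for name, g in groups.items():
        span = max(g["times"]) - min(g["times"])
        report[name] = {
            "hosts": len(g["hosts"]),
            "domains": sorted(g["domains"]),
            "span_minutes": span.total_seconds() / 60,
            "fleet_wide_burst": len(g["hosts"]) >= host_threshold and span <= window,
        }
    return report


# Constructed sample lines modelled on the format quoted above; the host ANNA,
# the example.test URL and the second detection name are made up.
SAMPLE_LINES = [
    "4/8/2020 10:57:10 AM - Module JavaScript scanner - Threat Alert triggered on computer JOHN: https://tagan.adlightning.com/nc-nypost/op.js contains JS/Kryptik.BPH trojan.",
    "4/8/2020 11:09:11 AM - Module JavaScript scanner - Threat Alert triggered on GREG computer GREG: <https://tagan.adlightning.com/nbc/blacklist_script.js> contains JS/Kryptik.BPH trojan.",
    "4/8/2020 11:12:40 AM - Module JavaScript scanner - Threat Alert triggered on computer ANNA: https://tagan.adlightning.com/nbc/blacklist_script.js contains JS/Kryptik.BPH trojan.",
    "4/8/2020 11:13:02 AM - Module JavaScript scanner - Threat Alert triggered on computer ANNA: https://example.test/placeholder.js contains JS/Example.Placeholder trojan.",
    "not an alert line at all",
]

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LINES).items():
        print(name, info)
```

Run it against an exported alert log; a detection that lands on most of the fleet within minutes and points at a single ad-serving domain is the pattern worth checking against the day's module update before pushing a rollback or a clean-up job.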
MichaelCain (0), posted April 8, 2020

Marcos, thanks for the updates. Detection engine 21133 is fixing the issue for us as well.
Marcos (Administrator, 5,468), posted April 8, 2020

Just now, MichaelCain said:
"Detection engine 21133 is fixing the issue for us as well."

To me it looks like the engine update 21133 should not fix it. However, the Rapid Response module 16043 does.
MichaelCain (0), posted April 8, 2020

21 minutes ago, Marcos said:
"To me it looks like the engine update 21133 should not fix it. However, the Rapid Response module 16043 does."

Is there a report or dashboard in Security Management Center that will show me the Rapid Response module version? I can only find reporting on the detection engine version.
bpainter (0), posted April 8, 2020

To clarify: do we need the 16043P module? Our endpoints are not getting the P version but are getting the 16043. Thanks.
Marcos (Administrator, 5,468), posted April 8, 2020

21 minutes ago, bpainter said:
"To clarify: do we need the 16043P module? Our endpoints are not getting the P version but are getting the 16043. Thanks."

No. Modules with "P" are on the pre-release update channel.