Jump to content

javascript scanner URL exclude


Recommended Posts

Hi everyone,

How do you exclude URL on javascript scanner?

website URL: https://www.drjart.com/ko/main/index

I tried add the URL in below address list, but it is still blocking the website.

Advanced setup -> Network Protection -> web access protection -> address list
I have input *drjart.com* on "List of allowed addresses" and "List of addresses excluded from content scan"

Below is the log

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/ui.shopmain_layer.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;E4D4DA51DE9F8C96E06300A78B0A7F8556362A19;

-------------------------------------------------------------------------------------------------------------------------------------------------
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/ui_main.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;9A42C174A4F8960A2F6F056DF1DE086F8D364761;

-------------------------------------------------------------------------------------------------------------------------------------------------
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/jquery.cookie.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;43D745FA74B449E78A358790FC7E5CB3ED69AC80;

 

Thank you.

Edited by Ken_Suen_STKF
missing URL
Link to post
Share on other sites
  • Administrators

Adding the detection name to Detection exclusions possibly also with the hash of the file could help. However, I strongly recommend not doing it since the js is indeed infected and a malicious script is appended at the end:

image.png

Link to post
Share on other sites

For future reference in adding URLs to Eset's URL Address Management lists, to fully block/allow all sub-domains associated with an URL, enter the URL for example as; "*.drjart.com/*",  less the quote marks .

Edited by itman
Link to post
Share on other sites
15 hours ago, Marcos said:

Adding the detection name to Detection exclusions possibly also with the hash of the file could help. However, I strongly recommend not doing it since the js is indeed infected and a malicious script is appended at the end:

image.png

Thanks for the advise, adding it to Detection exclusions works.

So is it normal that added the URL in allowed list/excluded from content scan will not prevent javascript scanner scan the URL?

Link to post
Share on other sites
11 hours ago, itman said:

For future reference in adding URLs to Eset's URL Address Management lists, to fully block/allow all sub-domains associated with an URL, enter the URL for example as; "*.drjart.com/*",  less the quote marks .

isn't "*drjart.com*" already covered "*.drjart.com/*" ?

 

the syntax you quote should be just safety purpose, am i correct?

Link to post
Share on other sites
  • Administrators
4 hours ago, Ken_Suen_STKF said:

Thanks for the advise, adding it to Detection exclusions works.

It is very strange that you want to bypass malware detection and that you're ok with the malicious script being executed.

Link to post
Share on other sites
18 minutes ago, Marcos said:

It is very strange that you want to bypass malware detection and that you're ok with the malicious script being executed.

actually, I only tested if the Detection exclusions works or not, haven't really enroll it on the user's computer.

of course i will warn the user about this, but sometime it is not our choose if the user insist they must access it.

Link to post
Share on other sites
  • Administrators
32 minutes ago, Ken_Suen_STKF said:

of course i will warn the user about this, but sometime it is not our choose if the user insist they must access it.

There should never be a situation when you trade security for the possibility to access a compromised resource (by creating exclusions to let malware run). Security should be of top priority at all times.

Link to post
Share on other sites
10 hours ago, Ken_Suen_STKF said:

isn't "*drjart.com*" already covered "*.drjart.com/*" ?

the syntax you quote should be just safety purpose, am i correct?

Per Eset online help:

Quote

A leading "*." sequence is treated specially if used at the beginning of domain name. First, the * wildcard does not match the slash character ('/') in this case. This is to avoid circumventing the mask, for example the mask *.domain.com will not match http://anydomain.com/anypath#.domain.com (such suffix can be appended to any URL without affecting the download). And second, the "*." also matches an empty string in this special case. This is to allow matching whole domain including any subdomains using a single mask. For example the mask *.domain.com also matches http://domain.com. Using *domain.com would be incorrect, as that would also match http://anotherdomain.com.

https://help.eset.com/eis/13/en-US/idh_config_epfw_scan_http_address_list.html?idh_dialog_epfw_add_url_addr_mask.html

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...