Ken_Suen_STKF - Posted September 22, 2020 (edited)

Hi everyone,

How do you exclude a URL on the JavaScript scanner?

Website URL: https://www.drjart.com/ko/main/index

I tried adding the URL to the address list below, but it is still blocking the website.

Advanced setup -> Network Protection -> Web access protection -> Address list

I have input *drjart.com* in the "List of allowed addresses" and the "List of addresses excluded from content scan".

Below is the log:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/ui.shopmain_layer.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;E4D4DA51DE9F8C96E06300A78B0A7F8556362A19;
----------------------------------------
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/ui_main.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;9A42C174A4F8960A2F6F056DF1DE086F8D364761;
----------------------------------------
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/jquery.cookie.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;43D745FA74B449E78A358790FC7E5CB3ED69AC80;

Thank you.

Edited September 22, 2020 by Ken_Suen_STKF (missing URL)

Marcos (Administrators) - Posted September 22, 2020

Adding the detection name to Detection exclusions, possibly also with the hash of the file, could help. However, I strongly recommend not doing it since the js is indeed infected and a malicious script is appended at the end:

itman - Posted September 22, 2020 (edited)

For future reference in adding URLs to Eset's URL Address Management lists, to fully block/allow all sub-domains associated with a URL, enter the URL, for example, as "*.drjart.com/*", less the quote marks.

Edited September 22, 2020 by itman

Ken_Suen_STKF (Author) - Posted September 23, 2020

15 hours ago, Marcos said:
> Adding the detection name to Detection exclusions, possibly also with the hash of the file, could help. However, I strongly recommend not doing it since the js is indeed infected and a malicious script is appended at the end:

Thanks for the advice, adding it to Detection exclusions works.

So is it normal that adding the URL to the allowed list / excluded from content scan list will not prevent the JavaScript scanner from scanning the URL?

Ken_Suen_STKF (Author) - Posted September 23, 2020

11 hours ago, itman said:
> For future reference in adding URLs to Eset's URL Address Management lists, to fully block/allow all sub-domains associated with a URL, enter the URL, for example, as "*.drjart.com/*", less the quote marks.

Doesn't "*drjart.com*" already cover "*.drjart.com/*"? The syntax you quote should be just for safety purposes, am I correct?

Marcos (Administrators) - Posted September 23, 2020

4 hours ago, Ken_Suen_STKF said:
> Thanks for the advice, adding it to Detection exclusions works.

It is very strange that you want to bypass malware detection and that you're ok with the malicious script being executed.

Ken_Suen_STKF (Author) - Posted September 23, 2020

18 minutes ago, Marcos said:
> It is very strange that you want to bypass malware detection and that you're ok with the malicious script being executed.

Actually, I only tested whether the Detection exclusions work or not; I haven't really enrolled it on the user's computer.

Of course I will warn the user about this, but sometimes it is not our choice if the user insists they must access it.

Marcos (Administrators) - Posted September 23, 2020

32 minutes ago, Ken_Suen_STKF said:
> Of course I will warn the user about this, but sometimes it is not our choice if the user insists they must access it.

There should never be a situation when you trade security for the possibility to access a compromised resource (by creating exclusions to let malware run). Security should be of top priority at all times.

itman - Posted September 23, 2020

10 hours ago, Ken_Suen_STKF said:
> Doesn't "*drjart.com*" already cover "*.drjart.com/*"? The syntax you quote should be just for safety purposes, am I correct?

Per Eset online help:

Quote:
> A leading "*." sequence is treated specially if used at the beginning of domain name. First, the * wildcard does not match the slash character ('/') in this case. This is to avoid circumventing the mask, for example the mask *.domain.com will not match http://anydomain.com/anypath#.domain.com (such suffix can be appended to any URL without affecting the download). And second, the "*." also matches an empty string in this special case. This is to allow matching whole domain including any subdomains using a single mask. For example the mask *.domain.com also matches http://domain.com. Using *domain.com would be incorrect, as that would also match http://anotherdomain.com.

https://help.eset.com/eis/13/en-US/idh_config_epfw_scan_http_address_list.html?idh_dialog_epfw_add_url_addr_mask.html
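
The mask rules quoted from the ESET help above, as an added Python example that is not part of the thread and is not ESET's code: it models the two documented rules for a leading "*." so the loose mask "*drjart.com*" can be compared with "*.drjart.com/*". Assumptions: the URL scheme is dropped before matching, the mask must cover the whole remaining URL, any other `*` matches any string, and the function names and the `example.test` URL are constructed for illustration.

```python
import re

def mask_to_regex(mask):
    """Compile a URL mask using the two rules quoted from the help page."""
    parts = []
    rest = mask
    if mask.startswith("*."):
        # Leading "*." is special: it may match nothing at all (bare domain)
        # or any run of subdomain labels, but it never crosses a '/'.
        parts.append(r"(?:[^/]*\.)?")
        rest = mask[2:]
    for ch in rest:
        # Assumption: any other '*' matches any string, '/' included.
        parts.append(".*" if ch == "*" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)

def mask_matches(mask, url):
    # Assumption: the scheme is dropped and the mask must cover the whole URL.
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return mask_to_regex(mask).fullmatch(target) is not None

def compare(masks, urls):
    """Return {url: [masks that match it]} for a side-by-side review."""
    return {u: [m for m in masks if mask_matches(m, u)] for u in urls}

# URLs taken from the thread and the help text, plus one constructed URL.
SAMPLE_URLS = [
    "https://www.drjart.com/ko/main/index",
    "https://image.drjart.com/front/ko/js/ui_main.js",
    "http://anotherdomain.com",
    "http://anydomain.com/anypath#.domain.com",
    "https://example.test/?ref=drjart.com",  # constructed
]

MASKS = ["*drjart.com*", "*.drjart.com/*", "*.domain.com", "*domain.com"]

if __name__ == "__main__":
    for url, hits in compare(MASKS, SAMPLE_URLS).items():
        print(url, "->", hits)
```

Under these assumptions both drjart.com masks match the site's own URLs, but only "*drjart.com*" also matches the unrelated URL that merely contains the string, which is the over-matching the help text warns about for allow lists.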