
javascript scanner URL exclude


Ken_Suen_STKF


Hi everyone,

How do you exclude a URL on the JavaScript scanner?

Website URL: https://www.drjart.com/ko/main/index

I tried adding the URL to the address list below, but it is still blocking the website.

Advanced setup -> Network Protection -> Web access protection -> Address list
I have entered *drjart.com* in "List of allowed addresses" and "List of addresses excluded from content scan".

Below is the log:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/ui.shopmain_layer.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;E4D4DA51DE9F8C96E06300A78B0A7F8556362A19;

-------------------------------------------------------------------------------------------------------------------------------------------------
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/ui_main.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;9A42C174A4F8960A2F6F056DF1DE086F8D364761;

-------------------------------------------------------------------------------------------------------------------------------------------------
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
22/9/2020 5:43:29 PM;JavaScript scanner;file;https://image.drjart.com/front/ko/js/jquery.cookie.js;JS/Redirector.NKX trojan;blocked;KIDCHAN-PC\ken.suen;Event occurred during an attempt to access the web by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (943A2D62A7AB288B239DC690AEAF75A67155C642).;43D745FA74B449E78A358790FC7E5CB3ED69AC80;

 

Thank you.


  • Administrators

Adding the detection name to Detection exclusions possibly also with the hash of the file could help. However, I strongly recommend not doing it since the js is indeed infected and a malicious script is appended at the end:

image.png


For future reference when adding URLs to ESET's URL Address Management lists: to fully block/allow all sub-domains associated with a URL, enter the URL as, for example, "*.drjart.com/*", less the quote marks.


15 hours ago, Marcos said:

Adding the detection name to Detection exclusions possibly also with the hash of the file could help. However, I strongly recommend not doing it since the js is indeed infected and a malicious script is appended at the end:

image.png

Thanks for the advice, adding it to Detection exclusions works.

So is it normal that adding the URL to the allowed list/excluded from content scan list will not prevent the JavaScript scanner from scanning the URL?


11 hours ago, itman said:

For future reference when adding URLs to ESET's URL Address Management lists: to fully block/allow all sub-domains associated with a URL, enter the URL as, for example, "*.drjart.com/*", less the quote marks.

Doesn't "*drjart.com*" already cover "*.drjart.com/*"?

The syntax you quote should be just for safety purposes, am I correct?


  • Administrators
4 hours ago, Ken_Suen_STKF said:

Thanks for the advice, adding it to Detection exclusions works.

It is very strange that you want to bypass malware detection and that you're ok with the malicious script being executed.


18 minutes ago, Marcos said:

It is very strange that you want to bypass malware detection and that you're ok with the malicious script being executed.

Actually, I only tested whether the Detection exclusions work or not; I haven't really enrolled it on the user's computer.

Of course I will warn the user about this, but sometimes it is not our choice if the user insists they must access it.


  • Administrators
32 minutes ago, Ken_Suen_STKF said:

Of course I will warn the user about this, but sometimes it is not our choice if the user insists they must access it.

There should never be a situation when you trade security for the possibility to access a compromised resource (by creating exclusions to let malware run). Security should be of top priority at all times.


10 hours ago, Ken_Suen_STKF said:

Doesn't "*drjart.com*" already cover "*.drjart.com/*"?

The syntax you quote should be just for safety purposes, am I correct?

Per Eset online help:

Quote

A leading "*." sequence is treated specially if used at the beginning of domain name. First, the * wildcard does not match the slash character ('/') in this case. This is to avoid circumventing the mask, for example the mask *.domain.com will not match http://anydomain.com/anypath#.domain.com (such suffix can be appended to any URL without affecting the download). And second, the "*." also matches an empty string in this special case. This is to allow matching whole domain including any subdomains using a single mask. For example the mask *.domain.com also matches http://domain.com. Using *domain.com would be incorrect, as that would also match http://anotherdomain.com.

https://help.eset.com/eis/13/en-US/idh_config_epfw_scan_http_address_list.html?idh_dialog_epfw_add_url_addr_mask.html
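
The matching rule from the help text quoted above, worked through as an added example that is not part of the original posts and is not ESET's code. It assumes the scheme is dropped and the mask must cover the rest of the URL; the function names and the last two sample URLs are constructed for illustration.

```python
import re

def mask_to_regex(mask):
    """Compile an address mask to an anchored regex (assumed semantics)."""
    if mask.startswith("*."):
        # Special case from the quoted help text: the leading '*' may not
        # cross a '/', and the whole "*." may also match the empty string.
        prefix, rest = r"(?:[^/]*\.)?", mask[2:]
    else:
        prefix, rest = "", mask
    # Everywhere else '*' stands for any run of characters, '/' included.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in rest)
    return re.compile(prefix + body, re.IGNORECASE | re.DOTALL)

def mask_matches(mask, url):
    """Assumption: the scheme is dropped and the mask must cover the rest."""
    target = url.split("://", 1)[-1]
    return mask_to_regex(mask).fullmatch(target) is not None

def overbroad_hits(mask, urls, trusted_suffix):
    """URLs the mask lets through whose host is not the trusted domain."""
    hits = []
    for url in urls:
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        trusted = host == trusted_suffix or host.endswith("." + trusted_suffix)
        if mask_matches(mask, url) and not trusted:
            hits.append(url)
    return hits

URLS = [
    "https://www.drjart.com/ko/main/index",             # from the thread
    "https://image.drjart.com/front/ko/js/ui_main.js",  # from the log
    "https://notdrjart.com/index",                      # constructed
    "https://other.example/page#.drjart.com/",          # constructed
]

if __name__ == "__main__":
    for mask in ("*drjart.com*", "*.drjart.com/*"):
        matched = [u for u in URLS if mask_matches(mask, u)]
        print(mask, "matches", len(matched), "URLs;",
              "outside drjart.com:", overbroad_hits(mask, URLS, "drjart.com"))
```

Under these assumptions both masks cover the two drjart.com URLs, but only "*drjart.com*" also covers the two unrelated hosts, which is why the anchored "*." form is the one to use in an allow list.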
