
JS/Mindspark.G


Recommended Posts

I'm using SMC and ESET Endpoint Antivirus Version: 7.3.2044.0 on my clients.

I have been receiving constant Potentially Unwanted Application notifications on a specific client, notifying that the HTTP filter scanner terminated a connection. It's always three notifications in a row every day for the past few weeks.

[screenshot: the ESET notifications]

I've run Scan With Cleaning on that specific client twice now and the scan did not pick up any infected file. However, the next day I again receive the same notifications as per above.

I finally decided to download Malwarebytes and run a scan on the problematic client; after the scan Malwarebytes found 104 infected files, which I then paid for a license to have quarantined and afterwards deleted.

[screenshot: the Malwarebytes scan results]

Please advise why ESET is unable to find the infected files, yet it can notify me that it is blocking traffic?

I'm using ESET as protection on over 50 Clients. This is a real concern to my company if ESET is unable to deliver the level of protection we expect.


Marcos, I will try disabling the extension sync if I receive the notifications again.

However, this does not explain why ESET did not detect the infected files that Malwarebytes did - can you give some clarity on this?


1 hour ago, Jean93 said:

However, this does not explain why ESET did not detect the infected files that Malwarebytes did - can you give some clarity on this?

Make sure you have Potentially Unsafe Applications set to at least the Balanced level per the screenshot below. By default, those settings are set to Off. Potentially Unwanted Applications should be set to the default Aggressive setting.

[screenshot: ESET Detection Engine settings]

Also on your client devices, ensure that browsers are not configured to automatically allow extensions/add-ons to be added.

Edited by itman

  • Administrators

JS/Mindspark is a potentially unwanted application and since it was detected, detection of PUA should be enabled on the machine.

MBAM often detects even benign registry values created by malware or PUAs. In order to tell if the objects detected by MBAM are actually subject to detection, please supply the content of MBAM's quarantine (C:\ProgramData\Malwarebytes\MBAMService\Quarantine) to samples[at]eset.com along with a link to this topic.


Actually, the Eset KB article referenced sums it up nicely:

Quote

Details

ESET will clean the detected extension, however when Chrome is re-opened the PUA threat alert will return. This happens when the user is logged into Chrome and Chrome attempts to sync the extensions over and over again after ESET deletes it.

In other words, Eset is "cleaning" the malware from the extension when the extension loads. It is, however, not removing the extension. This must be done manually by the user.

MBAM on the other hand does have the capability of removing the extension. Based on this posting: https://forums.malwarebytes.com/topic/243104-pupoptionmindspark-blocking-andor-removal/ , it appears this is not the case; the recommendation given was to permanently disable Chrome's syncing of extensions.

Edited by itman
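Since the KB quoted above says the extension itself has to be found and removed by hand, the following added example (not from the thread, ESET or Malwarebytes) inventories the Chrome extensions installed in every local user profile on a client, so an admin can locate the unwanted one before removing it from chrome://extensions. It assumes Chrome's default user-data path under each profile in C:\Users and resolves localised names from the English messages file when one exists.

```powershell
# Added example: list Chrome extensions (id, version, name) per Windows user and Chrome profile.
# Assumption: default Chrome user-data location; adjust $ChromeRelPath for other channels.
$ChromeRelPath = 'AppData\Local\Google\Chrome\User Data'

function Get-ChromeExtensionInventory {
    $results = @()
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $userData = Join-Path $userDir.FullName $ChromeRelPath
        if (-not (Test-Path $userData)) { continue }
        # Each Chrome profile ("Default", "Profile 1", ...) keeps its own Extensions folder
        $profiles = Get-ChildItem -Path $userData -Directory |
            Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') }
        foreach ($profile in $profiles) {
            $extRoot = Join-Path $profile.FullName 'Extensions'
            foreach ($extDir in Get-ChildItem -Path $extRoot -Directory) {
                # Folder name is the 32-character extension id; each installed version is a subfolder
                foreach ($verDir in Get-ChildItem -Path $extDir.FullName -Directory) {
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { continue }
                    try {
                        $manifest = Get-Content -Path $manifestPath -Raw -ErrorAction Stop | ConvertFrom-Json
                    } catch { continue }
                    $name = [string]$manifest.name
                    # Localised names look like __MSG_appName__; resolve from _locales\en\messages.json if present
                    if ($name -match '^__MSG_(.+)__$') {
                        $key = $Matches[1]
                        $msgFile = Join-Path $verDir.FullName '_locales\en\messages.json'
                        if (Test-Path $msgFile) {
                            $msgs = Get-Content -Path $msgFile -Raw | ConvertFrom-Json
                            $entry = $msgs.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
                            if ($entry) { $name = $entry.Value.message }
                        }
                    }
                    $results += [pscustomobject]@{
                        User        = $userDir.Name
                        Profile     = $profile.Name
                        ExtensionId = $extDir.Name
                        Version     = $manifest.version
                        Name        = $name
                        Path        = $verDir.FullName
                    }
                }
            }
        }
    }
    return $results
}

Get-ChromeExtensionInventory | Sort-Object User, Profile, Name | Format-Table -AutoSize
```

Run it elevated so every user's profile folder is readable; an extension that reappears in the output after being removed is the sync behaviour the KB describes, and the extension id in the listing is what you need to identify it in chrome://extensions.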

12 hours ago, itman said:

Make sure you have Potentially Unsafe Applications set to at least the Balanced level per the screenshot below. By default, those settings are set to Off. Potentially Unwanted Applications should be set to the default Aggressive setting.

[screenshot: ESET Detection Engine settings]

Also on your client devices, ensure that browsers are not configured to automatically allow extensions/add-ons to be added.

Hi itman, Potentially Unsafe Applications was set to the Balanced level. I have now edited the policy to the Aggressive level on all counts for the Detection Engine on all my clients using SMC. See below.

[screenshot: SMC Detection Engine policy]


12 hours ago, Marcos said:

JS/Mindspark is a potentially unwanted application and since it was detected, detection of PUA should be enabled on the machine.

MBAM often detects even benign registry values created by malware or PUAs. In order to tell if the objects detected by MBAM are actually subject to detection, please supply the content of MBAM's quarantine (C:\ProgramData\Malwarebytes\MBAMService\Quarantine) to samples[at]eset.com along with a link to this topic.

Hi Marcos,

I've removed all extensions in Chrome on the client and cleared the cache as per the article you sent yesterday; so far no notification after opening Chrome.

If the notification comes back I will proceed with the second part of the article by disabling the extension sync option.

I have already uninstalled MBAM on the client and deleted the infected files from Quarantine.


This topic is now closed to further replies.