TheESETuserTHATis (posted February 24, 2021): Our users are stating they can't get to macmetalarchitectural.com and want me to whitelist it. They get: "Potentially unwanted content found". When I enter the address on VT nothing is found. When I had a similar issue previously, a VT scan of hxxps://www.dynamitetoolco.com (but with the t's) found nothing... but Marcos was able to find an infected file at hxxps://www.dynamitetoolco.com/pub/static/frontend/Smartwave/porto_child/en_US/embed.js and sent me a screenshot of VT noting that file was infected. But no explanation of how that file was located to directly scan the file with VT. Why would VT not find hxxps://www.dynamitetoolco.com/pub/static/frontend/Smartwave/porto_child/en_US/embed.js during a scan of the address hxxps://www.dynamitetoolco.com? How do I find out if something similar (not all files on the site being scanned) is happening at macmetalarchitectural.com? If it turns out to be not a very serious threat, how do I whitelist a page with potentially unwanted content (using ESET Security Management Center 7.1)?
Marcos, Administrator (posted February 24, 2021): Embed.js contains a malicious javascript. The detection was added in March 2020; today it's detected by 10 AVs at VT: https://www.virustotal.com/gui/file/59ec9e936dcb9f44d9806b5f5a105a1980ab9439ac51b0b634b3c50f70e47a04/detection
TheESETuserTHATis (posted February 24, 2021): Marcos, I am trying to determine how you found embed.js on hxxps://www.dynamitetoolco.com given that a URL search on VT of hxxps://www.dynamitetoolco.com (but with t's) did not find it. And how can I apply the method you used to find it to macmetalarchitectural.com to determine what the threat is on that site, since VT sees nothing with a URL search of macmetalarchitectural.com. And if it turns out to be a PUA, but not outright malicious, how do I whitelist it in ESET Security Management Center 7.1?
Marcos, Administrator (posted February 24, 2021): It's the file in which ESET detected the malware. I just downloaded the file from the URL and scanned it at VT.
TheESETuserTHATis (posted February 24, 2021): How do I find the file? This is all the detection details are telling me; I only see the URI and IP:

Web protection: An attempt to connect to URL
Occurred: 2021 Feb 24 13:12:49
Cause: blocked
Computer: user.domain.com (FQDN user.domain.com)
Last connected time: 2021 Feb 24 15:18:27
Unresolved detections: 1
Alerts: No alerts
Parent group: /All/Policy Implementation Groups/Laptop Computers
More details:
Hash: 4599E0CDC605AD7BF67B7FD67DD11F611E7AE8ED
Uniform Resource Identifier (URI): hxxp://macmetalarchitectural.com
Process name: C:\Program Files\Mozilla Firefox\firefox.exe
Event: An attempt to connect to URL
Rule: Blocked by PUA blacklist
Scanner: HTTP filter
Target address: 192.99.5.93
itman (posted February 24, 2021): I will also add that I scanned macmetalarchitectural.com at quttera.com. It downloaded over 80 files from that site and scanned all of them and didn't detect anything.
Marcos, Administrator (posted February 24, 2021), replying to TheESETuserTHATis 37 minutes earlier:

> How do I find the file? This is all the detection details are telling me; I only see the URI and IP:
TheESETuserTHATis (posted February 24, 2021): Thanks Marcos, where/how do I get it to display like that? My Object column is not showing as much information.
Marcos, Administrator (posted February 25, 2021, marked as Solution): You must first visit a page on the website which opens the malicious JS, or the full URL to the malicious JS, in order for it to be detected.
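The thread's recurring question is how to get from a Web protection detection that names only the site URL to the individual script file that a file scan (such as VT) can be run against. The script below is an added example, not ESET's code and not the method Marcos used: it parses the HTML of the page named in the detection, collects every `<script src>` it references (the page's own paths and third-party hosts alike), fetches each script, and reports its SHA-256 together with the VirusTotal file URL in the same `https://www.virustotal.com/gui/file/<sha256>` form as the link earlier in this thread. Looking the hash up first avoids uploading a customer site's files anywhere; downloading the scripts fetches static content only and does not execute it. The sample HTML, script bodies, hostnames and paths are constructed for the demo; the `fetch` helper is what you would pass in for a real page.

```python
"""Enumerate the script files a web page loads and hash them for VT lookup.

Added example (not ESET's or the forum poster's own code). The HTML, script
bodies and hostnames below are constructed for illustration only.
"""
import hashlib
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin


class ScriptCollector(HTMLParser):
    """Record the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_urls(base_url, html):
    """Return the absolute, de-duplicated URLs of all external scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    urls = []
    for src in collector.srcs:
        absolute = urljoin(base_url, src)  # resolves relative paths like /js/x.js
        if absolute not in urls:
            urls.append(absolute)
    return urls


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fetch(url, timeout=10):
    """Download raw bytes of one URL (used for real pages; not called in the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def hash_scripts(base_url, html, fetcher=fetch):
    """Map each script URL to its SHA-256, size and VirusTotal file-lookup URL.

    A script that cannot be fetched is reported with an 'error' entry instead
    of aborting the whole run, so one dead CDN link does not hide the rest.
    """
    report = {}
    for url in script_urls(base_url, html):
        try:
            data = fetcher(url)
        except Exception as exc:  # network errors, 404s, sample misses
            report[url] = {"error": str(exc)}
            continue
        digest = sha256_hex(data)
        report[url] = {
            "sha256": digest,
            "size": len(data),
            "virustotal": f"https://www.virustotal.com/gui/file/{digest}",
        }
    return report


# ---- constructed sample data (hypothetical hosts and paths) ----
SAMPLE_BASE_URL = "https://www.example-site.test/index.html"
SAMPLE_HTML = """<html><head>
<script src="/static/js/embed.js"></script>
<script src="js/app.js" type="text/javascript"></script>
<script>console.log("inline code has no src and is skipped");</script>
</head><body>
<script src="https://cdn.example-cdn.test/lib.js"></script>
<script src="/static/js/embed.js"></script>
</body></html>"""
SAMPLE_SCRIPTS = {
    "https://www.example-site.test/static/js/embed.js": b"",  # empty body: known SHA-256
    "https://www.example-site.test/js/app.js": b"window.app = {};\n",
    # lib.js deliberately absent to exercise the error path
}


def sample_fetcher(url):
    """Offline stand-in for fetch() that serves the constructed script bodies."""
    if url in SAMPLE_SCRIPTS:
        return SAMPLE_SCRIPTS[url]
    raise ValueError("not reachable in constructed sample")


def demo():
    return hash_scripts(SAMPLE_BASE_URL, SAMPLE_HTML, fetcher=sample_fetcher)


if __name__ == "__main__":
    for url, info in demo().items():
        print(url, info)
```

For a real page, call `hash_scripts(page_url, fetch(page_url).decode("utf-8", "replace"))` from a machine where that is appropriate; scripts injected by JavaScript at run time will not appear in the static HTML and need a browser-side capture instead, which is why the solution above stresses visiting the page that actually loads the file.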
TheESETuserTHATis (posted February 25, 2021): Are you able to see what the issue is with hxxps://macmetalarchitectural.com? If I go to a policy of a machine and go to Settings -> Web and email -> Web access protection -> URL address management -> Address list -> List of allowed addresses ... and add it there ... then the browser times out when visiting and ESET shows nothing in the logs. However, if I visit the site from a Linux machine with an older version of Firefox and without ESET installed, the page loads right away and can be navigated.
Marcos, Administrator (posted February 25, 2021), replying to TheESETuserTHATis 7 minutes earlier:

> Are you able to see what the issue is with hxxps://macmetalarchitectural.com? If I go to a policy of a machine and go to Settings -> Web and email -> Web access protection -> URL address management -> Address list -> List of allowed addresses ... and add it there ... then the browser times out when visiting and ESET shows nothing in the logs.

I don't have any problems opening the website with the address in the "allow" list. Anyways, it appears that it's been cleaned so we will unblock it.