Jump to content

Potentially Unwanted Content how to determine what the threat is


Go to solution Solved by Marcos,

Recommended Posts

Our users are stating they can't get to macmetalarchitectural.com and want me to whitelist it. They get: Potentially unwanted content found

When I enter the address on VT nothing is found.

When I had a similar issue previously, a VT scan of hxxps://www.dynamitetoolco.com (but with the t's) found nothing... but marcos was able to find an infected file at hxxps://www.dynamitetoolco.com/pub/static/frontend/Smartwave/porto_child/en_US/embed.js and sent me a screenshot of VT noting that file was infected. But no explanation of how that file was located to directly scan the file with VT.

Why would VT not find hxxps://www.dynamitetoolco.com/pub/static/frontend/Smartwave/porto_child/en_US/embed.js during a scan of the address hxxps://www.dynamitetoolco.com?

How do I find out if something similar (not all files on the site being scanned) is happening at macmetalarchitectural.com? If it turns out to be not a very serious threat, how do I whitelist a page with potentially unwanted content (using ESET Security Management Center 7.1?).

Link to post
Share on other sites

Marcos, I am trying to determine how you found embed.js on hxxps://www.dynamitetoolco.com given that a url search on VT of hxxps://www.dynamitetoolco.com (but with t's) did not find it.

And how can I apply the method you used to find it to macmetalarchitectural.com to determine what the threat is on that site, since VT sees nothing with a URL search of macmetalarchitectural.com.

And if it turns out to be a PUA, but not outright malicious, how do I whitelist it in ESET Security Management Center 7.1?

Link to post
Share on other sites

How do I find the file? This is all the detection details is telling me, I only see the URI and IP:

Web protection

An attempt to connect to URL
Occurred
2021 Feb 24 13:12:49

Cause
blocked

user.domain.com
user.domain.com

Select tags

FQDN
user.domain.com

Last connected time
2021 Feb 24 15:18:27

Unresolved detections
1

Alerts
No alerts

Parent group
/All/Policy Implementation Groups/Laptop Computers

More details

Hash
4599E0CDC605AD7BF67B7FD67DD11F611E7AE8ED

Uniform Resource Identifier (URI)
hxxp://macmetalarchitectural.com

Process name
C:\Program Files\Mozilla Firefox\firefox.exe

Event
An attempt to connect to URL

Rule
Blocked by PUA blacklist

Scanner
HTTP filter

Target address
192.99.5.93

Link to post
Share on other sites

I will also add I scanned macmetalarchitectural.com at quttera.com. It downloaded over 80 files from that site and scanned all of them and didn't detect anything.

Link to post
Share on other sites
  • Administrators
37 minutes ago, TheESETuserTHATis said:

How do I find the file? This is all the detection details is telling me, I only see the URI and IP:

image.png

Link to post
Share on other sites
  • Administrators
  • Solution

You must first visit a page on the website which opens the malicious js or the full url to the malicious js in order for it to be detected.

Link to post
Share on other sites

Are you able to see what the issue is with hxxps://macmetalarchitectural.com ? If I go to a policy of a machine and go to settings -> web and email -> Web access protection -> URL address management -> Address list -> list of allowed addresses ... and add it there ... then the browser times out when visiting and ESET shows nothing in the logs.

However, if I visit the site from a Linux machine with an older version of Firefox and without ESET installed, the page loads right away and can be navigated.

Link to post
Share on other sites
  • Administrators
7 minutes ago, TheESETuserTHATis said:

Are you able to see what the issue is with hxxps://macmetalarchitectural.com ? If I go to a policy of a machine and go to settings -> web and email -> Web access protection -> URL address management -> Address list -> list of allowed addresses ... and add it there ... then the browser times out when visiting and ESET shows nothing in the logs.

I don't have any problems opening the website with the address in the "allow" list. Anyways, it appears that it's been cleaned so we will unblock it.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...