False positive


  • Most Valued Members

Hi all,

I just submitted what I believed to be a false positive with a website to ESET, and I got a reply saying that they could not replicate the issue. I am wondering if this is something that's unique to the current BETA release, as I have not manually edited any settings that could explain this happening. Could one of you kind people please try and access this website for me and let me know if you receive the same alert (JS.Redirector.NFC Trojan) when you click on one of the lenses from the list there (like the video).

Happens on any browser I have installed also.

hxxps://www.sigma-imaging-uk.com/lenses/


  • Administrators

I'm not getting any alert on the said web page. There can be many reasons for that, e.g. a different region, infected machine, compromised router, etc. You can provide ELC logs with also quarantined files collected for verification of the detection.


  • Most Valued Members
17 minutes ago, Marcos said:

I'm not getting any alert on the said web page. There can be many reasons for that, e.g. a different region, infected machine, compromised router, etc. You can provide ELC logs with also quarantined files collected for verification of the detection.

Thanks for checking that for me @Marcos. I don't believe that my machine is infected, as this is the only page where I encounter the issue. I have browsed the same page before without a problem, but I recently changed ISP and the router was changed when I made the switch in January.

I will attach the logs and quarantined files back to ESET for them to look at, but I have a sneaking suspicion that this is going to turn out to be something relating to my ISP if nobody else can replicate the issue.

Thanks again :)


3 hours ago, cyberhash said:

hxxps://www.sigma-imaging-uk.com/lenses/

I duplicated the Eset detection when I selected the same lens you did. Appears to be malicious re-direct activity:


-EDIT- Of note, no one at VT is detecting the hash, DDD0318AB432F659AFB556A62B98BF950A3E7512, that Eset shows in the Detection log entry.

Edited by itman

  • Most Valued Members

I replicated it as well. Selecting whatever lens at the bottom of the page provided in the OP results in Eset blocking it.



  • Most Valued Members

Thanks @itman and @shocked, for checking and replying. I am going to proceed and send some more requested information back and see what comes of it. Bit of a strange one this 😏


I just accessed the web site again. Eset is still showing the same threat detection.

Using the URL from the Eset detection log entry, I submitted it to VT for a scan. Since Quttera is detecting it, I would say the web site is hacked. You might want to inform the web site owner of this status:



  • Administrators

I confirm there is an obfuscated JS on the website which is what ESET detected and blocked:



  • Most Valued Members

Be nice to see how this progresses and if indeed the code is bad. I had used VT myself before submitting it as a false positive, as generally, as more time passes, the score on there swings up or down. If any of the other major vendors had it listed on VT as being bad I would not have questioned it and never sent a FP report in.

According to VT, ESET still does not see this as being bad as of 23:36 GMT on 06/03, and there are fewer detecting it now. I can understand that VT will have some type of delay before it gets proper readings on the detections, but I did leave it for a week before I reported it as being a possible FP and monitored the detection rate of other vendors.

Regardless of the outcome and the slight confusion on the VT matter, I would rather be using a product that erred on the side of caution when it encountered this type of thing and blocked it. ESET has done exactly what was asked of it, in my opinion: blocked my access until it can be properly looked at. :)



  • Administrators

It's a web threat and as such may not be detected by ESET at VT. We use various mechanisms to detect and block malware. 

By the way, ESET's detection is from Oct 23, 2020.


I will also add that Quttera, unlike many URL scanners that use blacklists, actually downloads everything hosted by a web site. It will often find hidden malware on a web site that none of these other scanners show. The fact that Quttera continues to show the site as malicious on VT is further confirmation of Eset's detection.

Here's Quttera's detailed analysis: https://quttera.com/detailed_report/www.sigma-imaging-uk.com which found 11 malware instances on the web site. All the same JavaScript code Eset detected:


My suspicion is the site has an infected WordPress plug-in:


Edited by itman
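As an added example (not from this thread, and not ESET's or Quttera's code), here is a small Python content scanner in the spirit of what itman describes: rather than checking a URL against a blacklist, it pulls the inline scripts out of a fetched page and flags obfuscation indicators (eval, unescape, String.fromCharCode, long \x escape runs, location assignment) typical of redirector scripts. The HTML and both scripts are constructed samples; the indicator list and the threshold are my assumptions.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators of obfuscated redirector scripts (assumed list for this example)
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),  # 8+ consecutive \xNN escapes
    "location_assign": re.compile(r"\b(?:window|document)\.location(?:\.href)?\s*="),
}

class ScriptExtractor(HTMLParser):
    """Collects the body of every inline <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def extract_scripts(html):
    parser = ScriptExtractor()
    parser.feed(html)
    return parser.scripts

def scan_page(html, threshold=2):
    """One report per inline script: indicators that hit, and whether the
    count reaches the (assumed) threshold that marks it suspicious."""
    reports = []
    for idx, js in enumerate(extract_scripts(html)):
        hits = [name for name, rx in INDICATORS.items() if rx.search(js)]
        reports.append({"index": idx, "hits": hits, "suspicious": len(hits) >= threshold})
    return reports

# Constructed sample page: one ordinary UI script and one obfuscated-looking script
SAMPLE_HTML = r"""<html><body><ul id="lens-list"><li>Lens A</li></ul>
<script>document.getElementById("lens-list").addEventListener("click",
  function (e) { console.log("lens", e.target.textContent); });</script>
<script>var a=unescape("%61%62");var b=String.fromCharCode(99,100);
var c="\x41\x41\x41\x41\x41\x41\x41\x41";eval(a+b+c);</script></body></html>"""
```

Calling scan_page(SAMPLE_HTML) reports the first script clean and the second with four indicator hits. A real scanner would also fetch and scan the external src= scripts and the site's other pages, which this example leaves out.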
