Club Pogo and selective games blocked by eset

[Brple54 0]

I have played club pogo since 2001.  This is a new problem for me.  Yesterday I could access most of the games but Tri-peaks, First class solitaire, and canasta when I tried to load them, I would only get a blue screen.  I found out on the EA site that everyone that had this problem also had eset anti virus protection.  I looked at my log file and sure enough there it was.  It only started yesterday but is continuing today.  I am up for renewal with club pogo so I need to know if this is a major problem.  Can you advise?  thank you cam

eset log.txt

[Marcos 5,070]

The detection is more than a week old so probably they've started using a specific obfuscation. Since it's detected as a suspicious application, it should be safe to create a detection exclusion for it.

 

[Purpleroses 21]

How to make a a detection exclusion for it? I'm also facing this issue.

[Marcos 5,070]

You can exclude the detection as follows:

[Mrzocor 0]

Still don't know how to exclude the detection from that.

[Mrzocor 0]

It only comes up in the Edge browser. Firefox it doesn't.

[JanGlo 0]

I have no idea how to get to this exception.  A lot more information would be helpful.

[Mrzocor 0]

• Open the main program window of your ESET Windows product.
• Press the F5 key to access Advanced setup.
• Click Detection Engine, expand Exclusions and click Edit next to Performance Exclusion

[Marcos 5,070]

You can also create a detection exclusion from logs:

Afterwards you can make the exclusion safer by editing it and setting the path to

https://cdn-*-prod.pogospike.com/*

[Purpleroses 21]

Marco when I put https://cdn-*-prod.pogospike.com/*  as the path I get the warning again.  But If I leave the path out and just have detection exclude it works but not this the path

[Marcos 5,070]

Strange. For me the following exclusion works and the detection is not triggered on the CDN urls listed in the list that @Brple54provided.

[Purpleroses 21]

What would I put for path for  this one it is first class solitaire

[JanGlo 0]

Marcos:

This isn't working for me.  My first issue is when I follow the directions above, my windows don't look like yours.  I only have the path and comment.  When I go to the log, it also doesn't give me the create exclusion selection when I click (or right click, I don't remember).  I'm sorry but I am not very good at this kind of stuff.  I tried typing JS/Packed.Agent.H and cdn-*-prod.pogospike.com.  Neither of these worked.  I am on Google.  Is it different on Google?  I feel like such an idiot.😕

[JanGlo 0]

I went back again and found the window that looks like yours.  I typed in https://cdn-*-prod.pogospike.com/* and it didn't work.  I changed the first * to h5pickles (the game that doesn't work today) and changed the second * to 40/game.js.  This is what the screen shows when it blocks it.  This also doesn't work.

[jpom18 0]

I have multiple computers having the same issue.  If a blanket exclusion is created just for JS/Packed.Agent.H then it works however this is not ideal since it applies the exclusion to all apps and traffic.

Adding any other criteria appears to break the exclusion, for example adding the object or any variation (i.e. using wild cards) into the path field stops the exclusion from working.  I have tried https://cdn-*-prod.pogospike.com/*, https://*.pogospike.com/*, and *.pogospike.com/*.  

One thing I did notice is that if you add the blanket exclusion first, then test, then go back and add the additional criteria (i.e. object) the game will still work for a time but after closing the window and leaving for a bit when you come back it will block with the same issue again.

It does appear that adding an exclusion for the hash works, from what I've been able to tell, but every game has a different hash value (again as far as I can tell) so that's not really viable.

ESET really needs to correct this or provide a way to add an exception based on the site (a way that actually works).

Edited July 13, 2021 by jpom18

[Marcos 5,070]

2 hours ago, jpom18 said:

ESET really needs to correct this or provide a way to add an exception based on the site (a way that actually works).

Currently you have 2 options:
1, Exclude the detection on any website. The detection covers a specific obfuscation so it may be triggered on legitimate (e.g. ad-enabled) websites.

2, Add the hostname or the whole or partial url to the list of websites excluded from content filtering. However, there's a risk that other possible malware on the excluded url would not be detected if the website is not 100% trusted.

[Purpleroses 21]

Marco where to we go for option 2 and what do we add there

2, Add the hostname or the whole or partial url to the list of websites excluded from content filtering. However, there's a risk that other possible malware on the excluded url would not be detected if the website is not 100% trusted.

[Purpleroses 21]

Also would like to add that I use waterfox and palemoon browsers an they don't detect this.  Only Firefox, Google Chrome and Edge

[Marcos 5,070]

31 minutes ago, Purpleroses said:

Also would like to add that I use waterfox and palemoon browsers an they don't detect this.  Only Firefox, Google Chrome and Edge

Probably because the first two are not supported browsers and you may need to enable SSL filtering for them + import the ESET root CA certificate into their trusted root CA cert. store manually if the system trusted root CA cert. store is not used.

[Marcos 5,070]

41 minutes ago, Purpleroses said:

Marco where to we go for option 2 and what do we add there

2, Add the hostname or the whole or partial url to the list of websites excluded from content filtering. However, there's a risk that other possible malware on the excluded url would not be detected if the website is not 100% trusted.

However, using a loose url exclusion for any detection is not safe.

[Brple54 0]

7 hours ago, Marcos said:

10 hours ago, jpom18 said:

ESET really needs to correct this or provide a way to add an exception based on the site (a way that actually works).

Currently you have 2 options:
1, Exclude the detection on any website. The detection covers a specific obfuscation so it may be triggered on legitimate (e.g. ad-enabled) websites.

2, Add the hostname or the whole or partial url to the list of websites excluded from content filtering. However, there's a risk that other possible malware on the excluded url would not be detected if the website is not 100% trusted.

 

[Purpleroses 21]

So If I exclude and don't have path with https://cdn-*-prod.pogospike.com/* If another website has the same detection will it triggered that on another site

 

1, Exclude the detection on any website. The detection covers a specific obfuscation so it may be triggered on legitimate (e.g. ad-enabled) websites.

[Brple54 0]

Okay, now I am really confused and I do not know what to do.  I certainly do not what to open the contents of my hard drive to this malware just to play pogo.

[KCCutieK 0]

I am also confused with all this happening the past several days.  On the first daily challenge, I get the error message - for example, yesterday was Paranormal Adventures, today it is Mahjong Safari.  But, I am able to do the 2nd daily challenge with no problem.  I am not having issues with any of the other challenges either.  Not sure how to go about the work around - I am fairly computer literate, but am totally lost by what the previous strands show as a work around.  Thanks for any help you can provide!

[jpom18 0]

 

20 hours ago, Marcos said:

1, Exclude the detection on any website. The detection covers a specific obfuscation so it may be triggered on legitimate (e.g. ad-enabled) websites.

I'm not sure what you mean by the above.  As far as I can tell the JS/AGENT.* are typically trojan downloaders, I can't find anything on the .H variant.  So in your above "solution" are you suggesting that this specific type of activity that contains the .H variant will still be detected on other sites.  In my understanding if JS/Agent.H is added to a blanket exclusion then any site that triggers detection JS/Agent.H will be ignored, any other variant (i.e. JS/Agent.D) will be detected.

As stated I can't find anything on .H so possibly Eset is just using that as a generic name for some sort of suspicious traffic but the fact remains that if any other site triggers that same activity and JS/Agent.H has been added to the exclusion list it will be ignored and allowed, this does not seem like a viable option unless I am misunderstanding something.

The second option is not ideal either since as you state excluding the site from content filtering could potentially allow traffic that could be truly malicious.

Barring a definition update that eliminates this, the best option would be to allow this specific activity from that specific site, and I can't understand why this would not work on Eset.  Being able to do this would be the ideal balance of security and usability as only this "suspicious" traffic would only be allowed for the pogo website, if something else was seen as suspicious on the pogo site it would still be detected and if this particular traffic were seen on any other website it would also still be detected.  Is it 100%, no, any exclusion opens a potential risk but it is far better then the other options provided and only requires a single exclusion so it is easy to setup.

The only other viable option I can see is excluding each game by hash, so create an exclusion based on hash value instead of detection name.  This will prevent the issue with each game added to the exclusion list but will still allow detection on any other site or even on the pogo site since the hash will change if the game is changed.  This would be the most secure option however the downside of course is that every game has a different hash value so you will need to create an exclusion for each individual game and if the game is updated and the hash changes you will need to create a new exclusion.  This would be the most secure option but is also the most work especially for those that may not be familiar with the program or have strong computer skills.

I have a hard time believing (although it is not impossible) that the Pogo site has been compromised and is attempting to drop a trojan on users systems, it is more likely that Pogo has updated something on their site and this is now being detected as a false positive.  As an False Positive it should be on Eset to correct this issue without users having to expose their system more then required, unless Eset believes that Pogo is compromised and attempting to drop a trojan on everybody's system.

All in all it looks like it is becoming the typical blame game, there is a thread on EA's forum about it with EA blaming ESET and ESET doesn't appear to be interested in offering any valid fixes for it.