Jump to content

False positive

ThomasP

By ThomasP,
in Malware Finding and Cleaning

 Share
Go to solution Solved by Aryeh Goretsky,

Recommended Posts

ThomasP

ThomasP 0

Posted
Posted

Hi,

Recently, some users contacted us because they can't access our website (https://passwordrevelator.net/). We have tested with virustotal.com and didn't found any issue. We decided to install the trial version of ESET Internet security and we noticed that the antivirus was blocking our website with a note:

JS/Agent.OZD

We checked our website and didn't found any issue, by the way, other antivirus don't alert about it, you are the only one who is blocking our website.

I followed the guide and by submitting the request to sample@eset.com, but I didn't got response.

Can you please help us and solve the issue?

Thanks

Best Regards


Thomas

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,482

Posted
  • Administrators
Posted

The detection is correct. The website was compromised and contains the JS/Agent.OZD trojan.

However, since the tools offered on the website fulfill the criteria for potentially unsafe/unwanted applications, users with PUA detection enabled will have to allow access even after cleaning the malware on the website.

Link to comment
Share on other sites
itman

itman 1,470

Posted
Posted (edited)
1 hour ago, Marcos said:

However, since the tools offered on the website fulfill the criteria for potentially unsafe/unwanted applications, users with PUA detection enabled will have to allow access even after cleaning the malware on the website.

The web site is heavy infected per below screen shot.

The problem is Eset didn't block connection as stated, the web site rendered, and Eset kept detecting more malware.

I assume allowing a PUA connection should not affect Eset web site blocking capability?

Eset_Trojan.thumb.png.3d7660ac16dcdb202fbf6d00aae15084.png

Edited by itman
Link to comment
Share on other sites
ThomasP

ThomasP 0

Posted
  • Author
Posted (edited)

unwanted or unsafe application of what? we don't propose spyware or badware or commercial adversiting app... your supposition is false.

you are wrong about this

Edited by ThomasP
Link to comment
Share on other sites
ThomasP

ThomasP 0

Posted
  • Author
Posted

according to the report you have done, it seems that all .js files are now infected from JS/Agent.OZD

for Eset now, every file that is JS should be detected as JS/Agent.OZD by your antivirus....

Link to comment
Share on other sites
itman

itman 1,470

Posted
Posted
34 minutes ago, ThomasP said:

unwanted or unsafe application of what? we don't propose spyware or badware or commercial adversiting app... your supposition is false.

Below are Eset's classification details on potential unsafe/unwanted applications:

https://help.eset.com/glossary/en-US/unwanted_application.html?unsafe_application.html

https://help.eset.com/glossary/en-US/unwanted_application.html?unwanted_application.html

The above withstanding, your web site infected with malware.

Link to comment
Share on other sites
ThomasP

ThomasP 0

Posted
  • Author
Posted

I read the 2 links already and I am not concerned by Potentially unwanted applications

Indeed, the users have to purchase the software to download it. It is rattached to a serial number as license, it can't be installed by anyone.

I checked with other antivirus, you are the only one who are claiming that our website is infected by malware. You really should review the way how you detect virus and blocking website. I had to remove Eset to access Instagram! You were blocking Instagram also, this is crazy...

You can't simply block a website only because it is using Javascript.

Link to comment
Share on other sites
itman

itman 1,470

Posted
Posted

Further every time I try to scan your web site for malware here: https://quttera.com/ , a few files are downloaded and the scan terminates with the reason given as unreachable. This would be indicative of your server intercepting and terminating any attempts to scan your web site for malware.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,482

Posted
  • Administrators
Posted

Searching for "img.php?id='+token();" should help you locate the malicious JS in files on your website.

Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 338

Posted
  • Most Valued Members
Posted
1 minute ago, ThomasP said:

it seems that eset is still blocking the access to that website, what is the issue now?

Eset is blocking it with a warning as potentially unwanted due to the content e.g. password recovery tools. This is due to the fact that these tools could be misused e.g. used to hack someone else's account.

For example Kali Linux a pen testing OS will detect stuff because the tools it includes can be misused in the wrong hands. TeamViewer a remote access program will also flag up when being installed as it can be used by scammers 

Link to comment
Share on other sites
ThomasP

ThomasP 0

Posted
  • Author
Posted (edited)

I just tried https://www.teamviewer.com/fr/ and Eset is not blocking it...

The software we sale can't be misused because it requires a password to work. What I mean is that the software need a serial number to be initiated.

Thats why until now Eset didn't flagged us, but Marcos didn't understood it well and decided to flag us without any reason!

I understand that Eset can block our software but why blocking our website? Our software is not online, it has to be downloaded! Our website is nothing else than text and tips to protect computers! We also have a blog where we explain how to protect against hacker. Now Eset is blocking everything as PUA for no reason!

Edited by ThomasP
Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 338

Posted
  • Most Valued Members
Posted
58 minutes ago, ThomasP said:

I just tried https://www.teamviewer.com/fr/ and Eset is not blocking it...

The software we sale can't be misused because it requires a password to work. What I mean is that the software need a serial number to be initiated.

Thats why until now Eset didn't flagged us, but Marcos didn't understood it well and decided to flag us without any reason!

I understand that Eset can block our software but why blocking our website? Our software is not online, it has to be downloaded! Our website is nothing else than text and tips to protect computers! We also have a blog where we explain how to protect against hacker. Now Eset is blocking everything as PUA for no reason!

Even with a serial it could be misused e.g. someone purchases the software and uses it alongside malware to infect a user and then using your software steals their passwords. 

For this reason any password recovery software could be flagged 

Link to comment
Share on other sites
  • Most Valued Members
peteyt

peteyt 338

Posted
  • Most Valued Members
Posted
18 minutes ago, ThomasP said:

yes, I agree for software but flagged a website??? it's 2 differents things!

Because of what the website hosts? The same as a website that hosts malware is itself flagged. Because your software is basically classed as potentially risky so is the website

Link to comment
Share on other sites
ThomasP

ThomasP 0

Posted
  • Author
Posted

the user will not ignore the PUA detection because the user will think that the website is dangerous.

So Eset should remove the false positive as soon as possible.

Link to comment
Share on other sites
itman

itman 1,470

Posted
Posted (edited)
22 minutes ago, ThomasP said:

i don't understand why blocking our website and not blocking other websites like https://www.nirsoft.net/ or https://www.passware.com/ that propose exactly the same software as us?

Eset is not blocking your web site!

A PUA web site alert means it's the users choice as to proceed to the web site or not. All Eset is doing is warning the user that there is either content on the web site or that can be downloaded from it that could be of an undesirable nature.

You can keep posting here about this "till hell freezes over" and Eset is not going to change its classification of the web site.

Edited by itman
Link to comment
Share on other sites
itman

itman 1,470

Posted
Posted
29 minutes ago, ThomasP said:

i don't understand why blocking our website and not blocking other websites like https://www.passware.com/

Perhaps you haven't established the reputation for legit usage of the software:

Quote

Passware is used by the world’s top law enforcement agencies

 

Link to comment
Share on other sites
ThomasP

ThomasP 0

Posted
  • Author
Posted (edited)

other websites doesn't get PUA alert and we have a reputation for legit usage as we work with the Dubai Police Force and they are using our software as you may read here: hxxp://watananews.net/jonews/article-news/228249.html#.XLPf9UjgrZ6

Edited by ThomasP
Link to comment
Share on other sites
  • Marcos locked this topic
  • Marcos unlocked this topic
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...