ThomasP 0 Posted July 18 Share Posted July 18 Hi, Recently, some users contacted us because they can't access our website (https://passwordrevelator.net/). We have tested with virustotal.com and didn't found any issue. We decided to install the trial version of ESET Internet security and we noticed that the antivirus was blocking our website with a note: JS/Agent.OZD We checked our website and didn't found any issue, by the way, other antivirus don't alert about it, you are the only one who is blocking our website. I followed the guide and by submitting the request to sample@eset.com, but I didn't got response. Can you please help us and solve the issue? Thanks Best Regards Thomas Link to comment Share on other sites More sharing options...
Administrators Marcos 3,804 Posted July 18 Administrators Share Posted July 18 The detection is correct. The website was compromised and contains the JS/Agent.OZD trojan. However, since the tools offered on the website fulfill the criteria for potentially unsafe/unwanted applications, users with PUA detection enabled will have to allow access even after cleaning the malware on the website. Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 18 Share Posted July 18 (edited) 1 hour ago, Marcos said: However, since the tools offered on the website fulfill the criteria for potentially unsafe/unwanted applications, users with PUA detection enabled will have to allow access even after cleaning the malware on the website. The web site is heavy infected per below screen shot. The problem is Eset didn't block connection as stated, the web site rendered, and Eset kept detecting more malware. I assume allowing a PUA connection should not affect Eset web site blocking capability? Edited July 18 by itman Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 18 Author Share Posted July 18 (edited) unwanted or unsafe application of what? we don't propose spyware or badware or commercial adversiting app... your supposition is false. you are wrong about this Edited July 18 by ThomasP Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 18 Author Share Posted July 18 according to the report you have done, it seems that all .js files are now infected from JS/Agent.OZD for Eset now, every file that is JS should be detected as JS/Agent.OZD by your antivirus.... Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 18 Share Posted July 18 34 minutes ago, ThomasP said: unwanted or unsafe application of what? we don't propose spyware or badware or commercial adversiting app... your supposition is false. Below are Eset's classification details on potential unsafe/unwanted applications: https://help.eset.com/glossary/en-US/unwanted_application.html?unsafe_application.html https://help.eset.com/glossary/en-US/unwanted_application.html?unwanted_application.html The above withstanding, your web site infected with malware. Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 18 Author Share Posted July 18 I read the 2 links already and I am not concerned by Potentially unwanted applications Indeed, the users have to purchase the software to download it. It is rattached to a serial number as license, it can't be installed by anyone. I checked with other antivirus, you are the only one who are claiming that our website is infected by malware. You really should review the way how you detect virus and blocking website. I had to remove Eset to access Instagram! You were blocking Instagram also, this is crazy... You can't simply block a website only because it is using Javascript. Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 18 Share Posted July 18 Further every time I try to scan your web site for malware here: https://quttera.com/ , a few files are downloaded and the scan terminates with the reason given as unreachable. This would be indicative of your server intercepting and terminating any attempts to scan your web site for malware. Link to comment Share on other sites More sharing options...
ESET Insiders NewbyUser 34 Posted July 18 ESET Insiders Share Posted July 18 passwordrevelator.net - SiteCheck (sucuri.net) Shows infected here as well. itman 1 Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 18 Share Posted July 18 8 minutes ago, NewbyUser said: Shows infected here as well. Yes indeed it does: NewbyUser 1 Link to comment Share on other sites More sharing options...
Administrators Marcos 3,804 Posted July 19 Administrators Share Posted July 19 Searching for "img.php?id='+token();" should help you locate the malicious JS in files on your website. Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 Hi, Thanks, the issue has been solved, can you please check it back from your site with Eset? https://sitecheck.sucuri.net/results/www.passwordrevelator.net Thanks Thomas Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 it seems that eset is still blocking the access to that website, what is the issue now? Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 206 Posted July 19 Most Valued Members Share Posted July 19 1 minute ago, ThomasP said: it seems that eset is still blocking the access to that website, what is the issue now? Eset is blocking it with a warning as potentially unwanted due to the content e.g. password recovery tools. This is due to the fact that these tools could be misused e.g. used to hack someone else's account. For example Kali Linux a pen testing OS will detect stuff because the tools it includes can be misused in the wrong hands. TeamViewer a remote access program will also flag up when being installed as it can be used by scammers Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 (edited) I just tried https://www.teamviewer.com/fr/ and Eset is not blocking it... The software we sale can't be misused because it requires a password to work. What I mean is that the software need a serial number to be initiated. Thats why until now Eset didn't flagged us, but Marcos didn't understood it well and decided to flag us without any reason! I understand that Eset can block our software but why blocking our website? Our software is not online, it has to be downloaded! Our website is nothing else than text and tips to protect computers! We also have a blog where we explain how to protect against hacker. Now Eset is blocking everything as PUA for no reason! Edited July 19 by ThomasP Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 206 Posted July 19 Most Valued Members Share Posted July 19 58 minutes ago, ThomasP said: I just tried https://www.teamviewer.com/fr/ and Eset is not blocking it... The software we sale can't be misused because it requires a password to work. What I mean is that the software need a serial number to be initiated. Thats why until now Eset didn't flagged us, but Marcos didn't understood it well and decided to flag us without any reason! I understand that Eset can block our software but why blocking our website? Our software is not online, it has to be downloaded! Our website is nothing else than text and tips to protect computers! We also have a blog where we explain how to protect against hacker. Now Eset is blocking everything as PUA for no reason! Even with a serial it could be misused e.g. someone purchases the software and uses it alongside malware to infect a user and then using your software steals their passwords. For this reason any password recovery software could be flagged Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 yes, I agree for software but flagged a website??? it's 2 differents things! Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 206 Posted July 19 Most Valued Members Share Posted July 19 18 minutes ago, ThomasP said: yes, I agree for software but flagged a website??? it's 2 differents things! Because of what the website hosts? The same as a website that hosts malware is itself flagged. Because your software is basically classed as potentially risky so is the website Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 so why is teamviewer not flagged as you said? Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 19 Share Posted July 19 Eset is no longer blocking access to your website as long as user ignores the PUA detection. Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 the user will not ignore the PUA detection because the user will think that the website is dangerous. So Eset should remove the false positive as soon as possible. Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 (edited) i don't understand why blocking our website and not blocking other websites like https://www.nirsoft.net/ or https://www.passware.com/ that propose exactly the same software as us? Edited July 19 by ThomasP Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 19 Share Posted July 19 (edited) 22 minutes ago, ThomasP said: i don't understand why blocking our website and not blocking other websites like https://www.nirsoft.net/ or https://www.passware.com/ that propose exactly the same software as us? Eset is not blocking your web site! A PUA web site alert means it's the users choice as to proceed to the web site or not. All Eset is doing is warning the user that there is either content on the web site or that can be downloaded from it that could be of an undesirable nature. You can keep posting here about this "till hell freezes over" and Eset is not going to change its classification of the web site. Edited July 19 by itman Link to comment Share on other sites More sharing options...
itman 1,051 Posted July 19 Share Posted July 19 29 minutes ago, ThomasP said: i don't understand why blocking our website and not blocking other websites like https://www.passware.com/ Perhaps you haven't established the reputation for legit usage of the software: Quote Passware is used by the world’s top law enforcement agencies Link to comment Share on other sites More sharing options...
ThomasP 0 Posted July 19 Author Share Posted July 19 (edited) other websites doesn't get PUA alert and we have a reputation for legit usage as we work with the Dubai Police Force and they are using our software as you may read here: hxxp://watananews.net/jonews/article-news/228249.html#.XLPf9UjgrZ6 Edited July 19 by ThomasP Link to comment Share on other sites More sharing options...
Recommended Posts