
JS/Agent.OZD false positive?


On our staging server https://maxwellstagingsite.com/StagingGreen/ I keep getting ESET Smart Security results that there is a JS/Agent.OZD trojan, but on Sucuri it comes back as clean. 

I'm having trouble finding this malicious code. Where can I get error reports of the specific file location so I can remove it?

Thanks!


  • Administrators

The detection is correct. However, it looks like the website has already been cleaned.


The domain is blacklisted by Quttera and also URLhaus: https://quttera.com/detailed_report/maxwellstagingsite.com

Note that a blacklisting status is as severe a malware status as it gets.

-EDIT- Also, Quttera actually downloads whatever it can from a scanned web site versus Sucuri only scanning the web site.

Sucuri also shows the domain is additionally blacklisted by McAfee: https://sitecheck.sucuri.net/results/https/maxwellstagingsite.com

Not appreciated is that Eset now allows unrestricted access to this domain and the noted URL.

Edited by itman

  • ESET Insiders

Since it's blacklisted it isn't just Eset that the problem lies with. Isn't that what Smartscreen and Chrome Safe Browsing are supposed to block as well?


33 minutes ago, NewbyUser said:

Isn't that what Smartscreen and Chrome Safe Browsing are supposed to block as well?

SmartScreen in Edge didn't block access to the website. I don't use Chrome but doubtful it would be blocked by it.

Assumed is that Quttera, URLhaus, Sucuri, McAfee and possibly others blacklisted the site for content shown on the web site: deceptive, misleading, its downloads, etc. Appears Eset doesn't care since it didn't even give it a PUA detection.


  • ESET Insiders

Google Safe Browsing is a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content. The Google Chrome, Safari, Firefox, Vivaldi, and GNOME Web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats.


19 minutes ago, NewbyUser said:

Google Safe Browsing is a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content.

Note that none of that criteria apparently applies to this domain.

Yes, I forgot that Firefox also uses Chrome Safe Browsing and no detection by FF is being shown for the domain in question.


  • ESET Insiders

Curious why this isn't detected by the Mac version. Windows malware is still supposed to be detected afaik.

[Attached screenshot: Screen Shot 2021-08-18 at 9.46.07 PM.png]


  • Administrators

2 hours ago, NewbyUser said:

Curious why this isn't detected by the Mac version. Windows malware is still supposed to be detected afaik.

It's not Windows but JavaScript malware. On Mac ESET does not perform SSL filtering, i.e. the content of https websites is not scanned.


  • ESET Insiders

Wasn't questioning the detection. Commenting that it's appearing quite frequently.
