JS/Agent.OZD false positive?

[Eagle Rocket 0]

On our staging server https://maxwellstagingsite.com/StagingGreen/ I keep getting ESET Smart Security results that there is a JS/Agent.OZD trojan, but on Sucuri it comes back as clean. 

I'm having trouble finding this malicious code. Where can I get error reports of the specific file location so I can remove it?

Thanks!

[Marcos 5,070]

The detection is correct. However, it looks like the website has already been cleaned.

[itman 1,659]

The domain is blacklisted by Quttera and also URLhaus: https://quttera.com/detailed_report/maxwellstagingsite.com .

Note that a blacklisting status is as severe malware status as it gets.

-EDIT- Also, Quttera actually downloads whatever it can from a scanned web site versus Sucuri only scanning the web site.

Sucuri also shows domain is additionally blacklisted by McAfee: https://sitecheck.sucuri.net/results/https/maxwellstagingsite.com

Not appreciated is Eset now allows unrestricted access to this domain and noted URL.

Edited August 18, 2021 by itman

[NewbyUser 72]

Since it's blacklisted it isn't just Eset that the problem lies with. Isn't that what Smartscreen and Chrome Safe Browsing are supposed to block as well?

 

[itman 1,659]

33 minutes ago, NewbyUser said:

Isn't that what Smartscreen and Chrome Safe Browsing are supposed to block as well?

SmartScreen in Edge didn't block access to the website. I don't use Chrome but doubtful it would be blocked by it.

Assumed is Quttera, URLhaus, Sucrui, McAfee and possibly others blacklisted the site for content shown on the web site; deceptive, misleading, its downloads, etc.. Appears Eset doesn't care since it didn't even give it a PUA detection.

[NewbyUser 72]

Google Safe Browsing is a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content. The Google Chrome, Safari, Firefox, Vivaldi, and GNOME Web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats.

[itman 1,659]

19 minutes ago, NewbyUser said:

Google Safe Browsing is a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content.

Note that none of that criteria apparently applies to this domain. 

Yes, I forgot that Firefox also uses Chrome Safe Browsing and no detection by FF is being shown for the domain in question.

[NewbyUser 72]

Suddenly this detection is appearing everywhere.

[NewbyUser 72]

Curious why this isn't detected by the Mac version. Windows malware is still supposed to be detected afaik.

[Marcos 5,070]

2 hours ago, NewbyUser said:

Curious why this isn't detected by the Mac version. Windows malware is still supposed to be detected afaik.

It's not not Windows but Javascript malware. On Mac ESET does not perform SSL filtering, ie. the content of https websites is not scanned.

[NewbyUser 72]

Thanks @Marcos  

[itman 1,659]

11 hours ago, NewbyUser said:

Suddenly this detection is appearing everywhere.

Web site is definitely infected: https://sitecheck.sucuri.net/results/extremetech.com

[Marcos 5,070]

11 minutes ago, itman said:

Web site is definitely infected: https://sitecheck.sucuri.net/results/extremetech.com

Undoubtedly infected:

[NewbyUser 72]

Wasn’t questioning the detection. Commenting that it’s appearing quite frequently