Jump to content

Help. Stop "Threat Found" from a safe site.


Recommended Posts

A site I have been going to for years in the past 6 or so months continually keeps popping up a Threat Found. It says it is a HTML/ScrInject. No, it's not. I have excluded the site from detection in List of Allowed Sites and List of Addresses excluded from content scan in Advanced Settings. And it STILL pops up. I am honestly really sick of this. The site is safe! I have been going there for years. Is there no way to stop this from happening ? I get no option to "Exclude from Detection" in the pop up check box's. It is greyed out. Why? I have to Ignore Threat over and over. 

Please help. 

Link to comment
Share on other sites

Being as I haven still been going there for many months since the pop-up started and I still have no virus etc is on my PC. That's how I know it's not valid. 

Why am I not able to Exclude it from detection if I want? Don't I kind of have a right to choose if I want this warning disabled for a particular site if I want? I find it strange that even though I have excluded the site from detection in List of Allowed Sites and List of Addresses excluded from content scan in Advanced Settings the warning still keeps popping up. I want it ignored for that site. 

Link to comment
Share on other sites

Twice asked for url of website so we can check it out. How do you know the site hasn’t been compromised.

Link to comment
Share on other sites

Posted (edited)

A) My purpose was to find a way to stop the pop up threat from popping up. As I mentioned, even though I excluded the site from detection in List of Allowed Sites and List of Addresses excluded from content scan in Advanced Settings the warning still keeps popping up. I also have no option in the check boxes when the Threat pops up to Exclude from Detection. If it was ignored properly, this wouldn't be popping up. So, there is something wrong with your settings and I want to know how to get it ignored. 

B) I cannot post the link to the site here, because you would take the link down since it is "sensitive content". 

It is also not only that site, but a sister site as well that is doing the same thing. The issue is not even always on the main page, but when I go into deeper content. Then the warning continually pops up. I want the warning ignored. I already did the steps to have it Excluded, but it still pops up. Again, I feel I should have control of when or if something pops up for specific sites. All I want is an answer in how to properly stop any site I want from popping up a warning. If or if not anything is "actually" a threat or not. And, if there really was a "threat", my PC would have been screwed up long ago. 

Edited by Ravenous
Link to comment
Share on other sites

If there is a warning then the site is likely compromised. Why not disable Eset altogether and take the risk as clearly you do not want anyone ne to investigate. If it were sensitive information it wouldn’t be in the public domain. Your choice.

Link to comment
Share on other sites

Posted (edited)
28 minutes ago, MrWrighty said:

If there is a warning then the site is likely compromised. Why not disable Eset altogether and take the risk as clearly you do not want anyone ne to investigate. If it were sensitive information it wouldn’t be in the public domain. Your choice.

Had you really read my op you would see that it's been many months of the pop-up. Yet, my PC is virus or problem free. Scans bring up nothing. It is common for anti-virus programs to flag things as a threat when they are fine. And, had you really read my OP you would know that I want the ability to ignore a warning that persists even though I have done the steps to get the warning ignored/disabled. My op never once says anything about investigating the site, I want to know how to get the warning ignored even though I have done the steps that should have it ignored already in the first place. Clearly something is not working right in settings. I have used Nod32 for 15+ years, and this has never happened. Excluding something or a site has always worked, it's not working properly right now. 

Most forums or help locations don't allow you to post links to to**ent sites, or even bring the word up. That is why I am not posting the site. 

Edited by Ravenous
Link to comment
Share on other sites

  • Administrators
1 minute ago, Ravenous said:

Most forums or help locations don't allow you to post links to to**ent sites, or even bring the word up. That is why I am not posting the site. 

An ESET moderator has explicitly asked you to post the website url. Without that we won't be able to comment on the detection.

Link to comment
Share on other sites

2 minutes ago, Marcos said:

An ESET moderator has explicitly asked you to post the website url. Without that we won't be able to comment on the detection.

Ok. And if I get banned or my post removed then now I have proof it was ok.

Here is a link: hxxp://uniondht.org/forum/41-rpg.html

 

Link to comment
Share on other sites

  • Administrators

The obfuscated javascript is JS/Adware.ClickAdu, the detection is correct, it's NOT a false positive. There are several different detections and blocks of this script so the easiest thing to avoid detections and block would be by disabling protocol filtering or http/https scanning which we cannot obviously recommend for security reasons.

Link to comment
Share on other sites

4 hours ago, Marcos said:

the detection is correct, it's NOT a false positive

As per Virus Total right now, only one vendor from 92 detected the above link as "malicious"

And it is not ESET.

Virus Total.jpg

Edited by rotaru
Link to comment
Share on other sites

5 hours ago, Marcos said:

The obfuscated javascript is JS/Adware.ClickAdu, the detection is correct, it's NOT a false positive. There are several different detections and blocks of this script so the easiest thing to avoid detections and block would be by disabling protocol filtering or http/https scanning which we cannot obviously recommend for security reasons.

It is not a threat though. If this was really some bad threat my PC would have found viruses long ago. There is nothing there. Months and months of nothing, zero things found in scans. Yet this still pops up and I still have to click Ignore Threat. 

As I asked in my OP, and the entire reason for my post, why isn't NOd32 letting me permanently ignore this warning from this site? Why is the option to exclude it greyed out so I cant click the check box? Why is it that me excluding the site from detection in List of Allowed Sites and List of Addresses still having it pop up? This was the entire reason of my post. I want it ignored permanently. The site is not a threat. You guys keep replying with something I did not ask. 

Link to comment
Share on other sites

  • Administrators

As it's been already said, you can pause protection and possibly also disable scanning of advanced browser scripts to take the risk and allow the javascript to run undetected.

Link to comment
Share on other sites

I could access the web site w/o issue using Firefox:

Eset_Block.thumb.png.cc2b603ba17bbc0beddb327808dd7386.png

However, the uBlock Origin extension I use blocked 19 things on the web page. You might consider using that extension to safely access this web site.

Link to comment
Share on other sites

12 minutes ago, itman said:

I could access the web site w/o issue using Firefox:

Eset_Block.thumb.png.cc2b603ba17bbc0beddb327808dd7386.png

However, the uBlock Origin extension I use blocked 19 things on the web page. You might consider using that extension to safely access this web site.

I have access to the site. That was not my complaint. It's the continual pop up wanting from Nod32 of the "threat" even though I have the site excluded from detection in List of Allowed Sites and List of Addresses. 

I use Brave, Edge, and sometimes Chrome, not Firefox. Haven't touched FF in many many years. I use uMatrix extension. I got rather annoyed with uBlock, but maybe I'll give it another try on Brave. I still have it on Chrome, but getting it set up the way I like is a bit of a hassle. 

30 minutes ago, Marcos said:

As it's been already said, you can pause protection and possibly also disable scanning of advanced browser scripts to take the risk and allow the javascript to run undetected.

Really rather annoying to have to disable Nod32 every single time I go to the site. In my mind it should already be avoiding detection on the site since I excluded the site from detection in List of Allowed Sites and also List of Addresses. That is why I think Nod32 is not working as intended. 

Link to comment
Share on other sites

2 minutes ago, Ravenous said:

It's the continual pop up wanting from Nod32 of the "threat" even though I have the site excluded from detection in List of Allowed Sites and List of Addresses. 

Add http://uniondht.org/forum/41-rpg.html/* to "List of addresses excluded from context scan" and see if that works.

Again, any malware found will be ignored. As such if you get infected, don't ask Eset or anyone on the forum to help you remove the malware.

Link to comment
Share on other sites

  • Administrators
14 minutes ago, itman said:

Add http://uniondht.org/forum/41-rpg.html/* to "List of addresses excluded from context scan" and see if that works.

Again, any malware found will be ignored. As such if you get infected, don't ask Eset or anyone on the forum to help you remove the malware.

Excluding the generic HTML/ScrInject.B detection completely (on any website, in any file) would also be needed to prevent the detection from being triggered by real-time protection:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/23/2022 9:16:28 PM;Real-time file system protection;file;C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\74cduzdv.default-release\cache2\entries\EA3BB3560DB150580C2595C2853DE9ED9F0DD2C1;HTML/ScrInject.B trojan;deleted;WIN10VM\Admin;Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe

This would eventually allow you to open the site without any alert and at the same time possibly allow an adware-related script to run from a dodgy site.

Link to comment
Share on other sites

On 4/23/2022 at 2:30 PM, itman said:

However, the uBlock Origin extension I use blocked 19 things on the web page.

To note how compromised this domain is when I accessed the web site initially, I didn't stay on it long. This time, I left the home page alone for a while. After a less than a minute, uBlock Origin blocked over 123 entities!

Link to comment
Share on other sites

  • Most Valued Members
On 4/23/2022 at 7:58 PM, Ravenous said:

I have access to the site. That was not my complaint. It's the continual pop up wanting from Nod32 of the "threat" even though I have the site excluded from detection in List of Allowed Sites and List of Addresses. 

I use Brave, Edge, and sometimes Chrome, not Firefox. Haven't touched FF in many many years. I use uMatrix extension. I got rather annoyed with uBlock, but maybe I'll give it another try on Brave. I still have it on Chrome, but getting it set up the way I like is a bit of a hassle. 

Really rather annoying to have to disable Nod32 every single time I go to the site. In my mind it should already be avoiding detection on the site since I excluded the site from detection in List of Allowed Sites and also List of Addresses. That is why I think Nod32 is not working as intended. 

I just want to add the fact you've not been infected is irrelevant.

If eset is finding a threat it is probably also stopping it from running. Disabling eset or putting an exception for the site would mean you where no longer getting that protection.

I'd also add that the age of a site is not relevant. Many popular sites have been hacked in the past, their popularity working as an advantage for the hackers. There was a big outcry a while back as popular sites where using things like coinhive to use visitors browsers to mine for crypto currency without the users being aware.

Websites can also be taken over. Often you'll find it may not be the site but content provided via third parties.

I think @itman suggestion is the best option if you want to continue to use the website. However if the site is risky it is risky, and whatever method you use there will be a risk. However using something that will stop the script from ever running is safer than putting an exception via eset that would put you at risk for future issues 

Link to comment
Share on other sites

On 4/23/2022 at 12:07 PM, itman said:

Add hxxp://uniondht.org/forum/41-rpg.html/* to "List of addresses excluded from context scan" and see if that works.

Again, any malware found will be ignored. As such if you get infected, don't ask Eset or anyone on the forum to help you remove the malware.

As I said, I have already excluded the site, in MANY versions of the site. The warning still persists

I put uBlock on Brave and the freakin warning STILL persists. Nothing I do will stop this stupid warning from popping up and I am sick of it. I stated in my OP I want the warning IGNORED. But, even though I have excluded it six ways from Sunday, it wont stop. 

In posts above they say there is a HTML/ScrInject.B on the site. And, as I have said many times now, if the site really were a threat then I would have been infected LONG ago. I have in fact turned off Node32 many times viewing it. No infection. I have gone there for months on end and ignored the threat. No infection. I have done this on multiple browsers. No infection.

So, clearly no one will tell me what I want to know. How to get this warning ignored in Nod32, even though I have excluded the site and many areas of the site from detection. 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...