John999, posted December 21, 2022:

I wonder why EAV blocks some URLs (with a JavaScript warning or trojan) but those URLs, when checked thru VirusTotal, show that "ESET" finds them clean. I am talking, for example, about these two (the first is a p*rn site):

https://watchmdh.to/
hxxp://depositfiles.com/

The ESET "engine" inside VirusTotal is different?

Marcos (Administrators, Solution), posted December 21, 2022:

That's because on VirusTotal you check if a website is blacklisted by AV vendors while AVs scan the actual html code to determine if it's malicious.

rotaru, posted December 22, 2022:

12 hours ago, Marcos said:
> That's because on VirusTotal you check if a website is blacklisted by AV vendors while AVs scan the actual html code to determine if it's malicious.

That could be, however from 91 vendors none detected the sites as malicious. Hard to believe that ESET is so special to be the only one detecting something......

Marcos (Administrators), posted December 22, 2022:

There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements:

rotaru, posted December 22, 2022:

1 hour ago, Marcos said:
> There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements:

I am not an expert, so I searched the internet:

"Obfuscation can be used to hide the business logic from outside world and also obfuscation will reduce the size of the file drastically so data transfer between server and client will be fast."

Also:

"A research that analyzed over 10,000 samples of diverse malicious software written in JavaScript concluded that roughly 26% of it is obfuscated to evade detection and analysis."

This doesn't mean that every obfuscated JS is malicious. A user getting this pop-up will go to search on Virus Total, only to find ZERO detection, including from ESET. So, what is the user supposed to do????

Marcos (Administrators), posted December 22, 2022:

28 minutes ago, rotaru said:
> This doesn't mean that every obfuscated JS is malicious.

I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs. Above I also wrote:

... is most likely responsible for pop-up advertisements

rotaru, posted December 22, 2022:

11 hours ago, Marcos said:
> I agree. There is probably no AV that detects every obfuscated JS, otherwise they would have tons of FPs. Above I also wrote: ... is most likely responsible for pop-up advertisements

So, again, what is a regular user supposed to do? ESET says it is malicious, Virus Total has ZERO detection from 91 vendors.

John999 (Author), posted December 23, 2022:

From Marcos' reply I understood that it is VirusTotal that gives misleading information, since URLs are not "scanned" but only compared to vendors' blacklists, and blacklisting is not a real time task.

Marcos (Administrators), posted December 23, 2022:

1 hour ago, John999 said:
> From Marcos' reply I understood that it is VirusTotal that gives misleading information, since URLs are not "scanned" but only compared to vendors' blacklists, and blacklisting is not a real time task.

Correct. I'd only add that blacklisting a url takes only about 5 minutes until it takes effect in VirusTotal. In this case the url is not blacklisted but the JavaScript is detected when the actual html code is scanned. Scanning a URL at VirusTotal doesn't scan the actual html content on the website, unlike Quttera, and only compares the url with vendors' url blacklists.

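The difference between the two checks described in the post above, as an added example (not from the thread, and not ESET's, VirusTotal's or Quttera's logic): a host-blocklist lookup returns clean for a URL whose page content still trips content-based indicators. The host names, the sample page and the indicator patterns are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample data: hypothetical host names and an inert inline script.
URL_BLOCKLIST = {"listed.example"}
SAMPLE_URL = "https://files.example/download"
SAMPLE_HTML = r"""<html><body><h1>Downloads</h1>
<script>var _0x3f=["\x61\x64\x73"];eval(String.fromCharCode(118,97,114,32,97,61,49));</script>
<script>function add(a, b) { return a + b; }</script>
</body></html>"""

# Illustrative obfuscation indicators (assumed for this example, not vendor signatures).
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(?:eval|Function)\s*\("),
    "charcode-decode": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){5,}"),
    "escape-run": re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){3,}"),
    "hex-identifier": re.compile(r"\b_0x[0-9a-fA-F]+\b"),
}

class ScriptExtractor(HTMLParser):
    """Collect the bodies of inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        if self._in_script:
            self.scripts.append("")
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def url_reputation(url, blocklist):
    """Reputation-style check: looks only at the host, never at page content."""
    host = (urlsplit(url).hostname or "").lower()
    return "listed" if host in blocklist else "clean"

def content_scan(html, threshold=2):
    """Content-style check: report inline scripts hitting >= threshold indicators."""
    parser = ScriptExtractor()
    parser.feed(html)
    hits = [sorted(n for n, rx in INDICATORS.items() if rx.search(s)) for s in parser.scripts]
    return [(i, h) for i, h in enumerate(hits) if len(h) >= threshold]

if __name__ == "__main__":
    print(url_reputation(SAMPLE_URL, URL_BLOCKLIST), content_scan(SAMPLE_HTML))
```

The threshold of two indicators is there so that a single hit, such as a lone `eval(` in otherwise plain code, does not flag the script.
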
rotaru, posted December 23, 2022:

42 minutes ago, Marcos said:
> but the JavaScript is detected when the actual html code is scanned

43 minutes ago, Marcos said:
> the actual html code is scanned

Again, scanning the URL for "obfuscated JS" adds ZERO value to malware detection, so why is it implemented by ESET????

LesRMed, posted December 23, 2022:

Because it can be used for malicious reasons. Better safe than sorry.

itman, posted December 23, 2022:

This statement needs further clarification:

On 12/22/2022 at 3:33 AM, Marcos said:
> There's an obfuscated JS on the website which is detected and is most likely responsible for pop-up advertisements

Browsers have options to block pop-ups. Pop-up ads, although a nuisance, are not necessarily malicious. Browsers have extensions/add-ons that will block ads.

Whether JavaScript code being processed by a browser is obfuscated per se is immaterial. It is only material if the JavaScript code after being de-obfuscated is determined to contain malicious code.

Therefore in this instance, did the JavaScript code contain malware or perform activities that are suspicious enough to warrant blocking of the URL?

itman, posted December 23, 2022:

On 12/21/2022 at 12:44 PM, John999 said:
> I am talking, for example, about these two (the first is a p*rn site) https://watchmdh.to/ hxxp://depositfiles.com/

Also of note is I have Firefox set to use HTTPS connection by default. Eset does not block access to https://depositfiles.com/.

Marcos (Administrators), posted March 22:

1 hour ago, John999 said:
> May I ask Marcos to tell me what is exactly the problem with depositfiles.com?

I don't know what detection you got. I got an alert about JS/Adware.Agent.AU when clicking an ad on their website. The detection is correct.