Customer reports ESET detection on site, unable to determine if false positive


The main website, https://hayscountytx.com/, reports fine. Deeper links trigger a detection of JS/Agent>QPA - https://hayscountytx.com/courts/district-clerk/

Please advise as to how best to confirm.

Thanks and regards.


Actually, selecting any item in any of the service sections shown on your home web page will trigger the Eset detection;

[Screenshot of the Eset detection: Eset_Trojan.png]

Edited by itman

That is not our website. It is a location frequented by one of our business customers that uses ESET Advanced on all their workstations and servers. They still need to be able to access the site, so we are trying to help them with the ESET detection issue. 

Why are all the service sections triggering the JS/Agent>QPA detection? Is it actually malware or a false positive?


If it's believed this is a false positive detection, you can submit it to Eset per instructions given under the first topic given in the forum FAQ section.

I will say that Eset web site detections are "right on spot" when it comes to detecting JavaScript based malware.

Also, if they are using WordPress Plugin YOP Poll 6.3.2, it is vulnerable to a cross-site scripting attack: https://www.acunetix.com/vulnerabilities/web/yop-poll-cross-site-scripting-6-3-2/ .

Edited by itman

Thanks for the reply and clarification. 

We do not know if it is a false positive, however, so we are reticent to recommend the customer whitelist the website in order to regain access.

This is the primary reason I was reaching out to this forum - to see if there is anything more we can do to verify or confirm the ESET detection.

Can you advise how best to make a determination at this point? Are there any more detailed logs available for the detection that might point to specific JS files or functions?

Edited by Ziceman

Thank you very much. 

Based on the suspect script referenced above, there is a high likelihood the site has been compromised / hacked, correct?

Should any other measures be recommended to analyze and repair the site content or should we just refer them to their website developer?

 

 

 


52 minutes ago, Ziceman said:

Should any other measures be recommended to analyze and repair the site content or should we just refer them to their website developer?

The web site developer is the only one who can remove the malware. If he can't, it's his responsibility to engage a third party source that can do so.
