
JS/Agent.PHC Infection?


Solved by JamesR


  • ESET Insiders

I have an end user who keeps going to this site and it is popping up alerts with an infection.

httpx://aerofoodsintl.com

VirusTotal says BitDefender and G-data classify it as Malware but ESET does not.

Is this site infected?

Thanks!


  • Trooper changed the title to JS/Agent.PHC Infection?
Posted (edited)
25 minutes ago, Trooper said:

ESET does not.

It does for me. Notice the message count:

[Screenshot: ESET alert]

Notice the hash is different for each detection:

[Screenshot: ESET detection log]

Edited by itman

  • ESET Staff
  • Solution

I tested accessing the site and can confirm we are already detecting and blocking multiple parts of the site. Please remember that testing detections on VirusTotal can be misleading, as it can be behind on updates or not scan things in the same way they would be scanned in a live environment.

[Screenshot]


  • Administrators

It is strange that it wasn't intercepted by the HTTPS scanner on your machines. The JavaScript scanner should kick into action if network traffic scanning, SSL/TLS filtering or HTTPS scanning is off or if it's a new variant of the threat which doesn't seem to be the case:

[Screenshot]

As for a VirusTotal check, you can't compare apples with oranges. You have probably checked the site against URL blacklists, but in this case it's a legitimate site that was compromised, so you'd need to scan an actual file that contains the threat, e.g.:

https://www.virustotal.com/gui/file/28dc8a2fcc91f0856c11d35825e354f0c944d21296fc5a8d5094c7095a6a2e5a

 


Posted (edited)
13 hours ago, Marcos said:

The JavaScript scanner should kick into action if network traffic scanning, SSL/TLS filtering or HTTPS scanning is off or if it's a new variant of the threat which doesn't seem to be the case:

Refer to my posted screenshot. Each detection has a unique hash. It appears to me the script has polymorphic capabilities; e.g. script embedded in a .exe, etc.

Edited by itman

@Marcos, I do have the Browser Security & Privacy option disabled. I don't see how that should affect HTTP/S scanning.


  • Administrators

The HTTPS scanner works independently of the Browser Security & Privacy feature so disabling it should have no effect on detection by the HTTPS scanner.
