Trooper (ESET Insiders), posted June 6:
I have an end user who keeps going to this site and it is popping up alerts with an infection. httpx://aerofoodsintl.com VirusTotal says BitDefender and G-data classify it as Malware but ESET does not. Is this site infected? Thanks!

itman, posted June 6 (edited June 6):
25 minutes ago, Trooper said: "ESET does not."
It does for me. Notice the message count; Notice the hash is different for each detection;

JamesR (ESET Staff), posted June 6, marked as solution:
I tested accessing the site and can confirm we are already detecting and blocking multiple parts of the site. Please remember that testing detections on VirusTotal can be misleading as it can be behind on updates, or not scan things in the same way they would be scanned on a live environment.

Trooper (ESET Insiders, thread author), posted June 6:
Thanks to you both I appreciate the help!

Marcos (Administrators), posted June 6:
It is strange that it wasn't intercepted by the HTTPS scanner on your machines. The JavaScript scanner should kick into action if network traffic scanning, SSL/TLS filtering or HTTPS scanning is off or if it's a new variant of the threat which doesn't seem to be the case:
As for a VirusTotal check, you can't compare apples with oranges. You have probably checked the site against URL blacklists but in this case it's a legit site that was compromised so you'd need to scan an actual file that contains the threat, e.g.: https://www.virustotal.com/gui/file/28dc8a2fcc91f0856c11d35825e354f0c944d21296fc5a8d5094c7095a6a2e5a

itman, posted June 7 (edited June 7):
13 hours ago, Marcos said: "The JavaScript scanner should kick into action if network traffic scanning, SSL/TLS filtering or HTTPS scanning is off or if it's a new variant of the threat which doesn't seem to be the case:"
Refer to my posted screenshot. Each detection has a unique hash. Appears to me the script has polymorphic capabilities; e.g. script embedded in a .exe, etc.

itman, posted June 7:
@Marcos, I do have Browser Security & Privacy option disabled. Don't see how that should affect HTTP/S scanning.

Marcos (Administrators), posted June 7:
The HTTPS scanner works independently of the Browser Security & Privacy feature so disabling it should have no effect on detection by the HTTPS scanner.