
JS/Agent.PHC Infection?


Solved by JamesR


  • ESET Insiders

I have an end user who keeps going to this site and it is popping up alerts with an infection.

httpx://aerofoodsintl.com

VirusTotal says BitDefender and G-data classify it as Malware but ESET does not.

Is this site infected?

Thanks!


25 minutes ago, Trooper said:

ESET does not.

It does for me. Notice the message count:

[Screenshot: Eset_Alert.png]

Notice the hash is different for each detection:

[Screenshot: Eset_Log.png]

Edited by itman

  • ESET Staff
  • Solution

I tested accessing the site and can confirm we are already detecting and blocking multiple parts of the site. Please remember that testing detections on VirusTotal can be misleading, as it can be behind on updates or not scan things in the same way they would be scanned in a live environment.



  • ESET Insiders

Thanks to you both I appreciate the help!


  • Administrators

It is strange that it wasn't intercepted by the HTTPS scanner on your machines. The JavaScript scanner should kick into action if network traffic scanning, SSL/TLS filtering or HTTPS scanning is off, or if it's a new variant of the threat, which doesn't seem to be the case:


As for a VirusTotal check, you can't compare apples with oranges. You have probably checked the site against URL blacklists, but in this case it's a legit site that was compromised, so you'd need to scan an actual file that contains the threat, e.g.:

https://www.virustotal.com/gui/file/28dc8a2fcc91f0856c11d35825e354f0c944d21296fc5a8d5094c7095a6a2e5a



13 hours ago, Marcos said:

The JavaScript scanner should kick into action if network traffic scanning, SSL/TLS filtering or HTTPS scanning is off or if it's a new variant of the threat which doesn't seem to be the case:

Refer to my posted screenshot. Each detection has a unique hash. Appears to me the script has polymorphic capabilities; e.g. script embedded in a .exe, etc.

Edited by itman
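Marcos's point above (look up the file that carries the threat, not the site URL) and itman's observation that every detection in the log carried a different hash both come down to what is being hashed. The script below is an added example written for this thread; it is not ESET's code and not anything the participants posted. It parses a saved HTML page, pulls out the external script URLs and inline script bodies, computes the SHA-256 of each inline script (the hash VirusTotal indexes and the form Marcos's link uses), and also a crude normalized hash that survives the kind of per-request renaming and comment padding that makes every raw hash unique. The HTML is constructed for the example and is not the real aerofoodsintl.com page; the normalization is a toy for illustration and is not how ESET, VirusTotal or any scanner work; `vt_file_url` only builds the URL shape visible in Marcos's link.

```python
"""Hash what a page actually loads before looking it up on VirusTotal.

Added example for this thread, not ESET code.  SAMPLE_HTML is constructed
and is NOT the real page discussed in the thread."""
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample page: one external script and two inline scripts.
# The second inline script is the same payload as the first with a junk
# comment and different variable names, mimicking a compromised server
# that rewrites the injected script on every request (so every raw hash
# differs, as itman observed in the ESET log).
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script>var a1="h"+"ttps://"; var b1="example.test"; location.href=a1+b1;</script>
</head><body>
<script>/*k9x2*/var q7="h"+"ttps://"; var r7="example.test"; location.href=q7+r7;</script>
</body></html>"""


class ScriptExtractor(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw CDATA, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest: the identifier VirusTotal uses for a file."""
    return hashlib.sha256(data).hexdigest()


def vt_file_url(sha256: str) -> str:
    """Build the VirusTotal file-report URL in the form seen in the thread."""
    return "https://www.virustotal.com/gui/file/" + sha256


def normalize_js(src: str) -> str:
    """Toy normalization (assumption, not a real scanner's method): drop
    block comments, rename `var` identifiers in order of appearance to
    v0, v1, ... and strip whitespace, so two re-obfuscated copies of the
    same payload compare equal.  Identifiers containing '$' are not handled."""
    s = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    names = list(dict.fromkeys(re.findall(r"\bvar\s+([A-Za-z_][\w]*)", s)))
    for i, name in enumerate(names):
        s = re.sub(rf"\b{re.escape(name)}\b", f"v{i}", s)
    return re.sub(r"\s+", "", s)


def script_hashes(html: str) -> dict:
    """Return external script URLs plus raw and normalized SHA-256 of each
    inline script.  Raw hashes are what you would submit to VirusTotal;
    normalized hashes show whether two different-looking scripts are the
    same payload."""
    p = ScriptExtractor()
    p.feed(html)
    p.close()
    return {
        "external": p.external,
        "raw": [sha256_hex(s.encode("utf-8")) for s in p.inline],
        "normalized": [sha256_hex(normalize_js(s).encode("utf-8")) for s in p.inline],
    }


if __name__ == "__main__":
    result = script_hashes(SAMPLE_HTML)
    print("external scripts to fetch and hash separately:", result["external"])
    for raw, norm in zip(result["raw"], result["normalized"]):
        print("raw", raw, "->", vt_file_url(raw))
        print("normalized", norm)
```

Run against a page saved with the browser's "view source" (or fetched with a non-browser client on an isolated machine) rather than the live site from an end user's desktop; the external `src` entries still have to be fetched and hashed the same way, since the injected code is often in one of those rather than inline. In the sample, the two inline scripts produce two different raw hashes but one normalized hash, which is the same picture itman's log shows: different file hashes, one detection name.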

@Marcos, I do have the Browser Security & Privacy option disabled. Don't see how that should affect HTTP/S scanning.


  • Administrators

The HTTPS scanner works independently of the Browser Security & Privacy feature so disabling it should have no effect on detection by the HTTPS scanner.

