mansour iranmanesh, Posted Tuesday at 12:04 PM
Hello, have a good day. I have a problem and I am facing the following error in my antivirus: a threat (js/agent.rrl) was found; Google Chrome tried to access a website (jahancablearka.com). This site is for me, but since today the antivirus gets stuck on all js files and blocks them. Thank you for guiding me.

Marcos (Administrators), Posted Tuesday at 12:27 PM
You've probably made a typo since the jahancablearka.com domain doesn't exist.

mansour iranmanesh (Author), Posted Tuesday at 12:53 PM

itman, Posted Tuesday at 01:18 PM (edited)
This is a strange one. The web site exists as noted here: https://www.robtex.com/dns-lookup/jahancablearka.com . However, it won't resolve in browser (Firefox) nor is it accessible at sucuri.com. My guess is this web site is being geographically restricted to access within Iran only.
Edited Tuesday at 01:18 PM by itman

itman, Posted Tuesday at 01:48 PM
Is this an HTTP-only web site? The HTTP web site was accessed at VirusTotal and scans clean: https://www.virustotal.com/gui/url/3feead69cac521e96ce4d6c363be92c3055d583b43760874f9be1ccd255edeb3 . Even after disabling the HTTPS always option in Firefox, it still will only attempt access via HTTPS, which fails.

Marcos (Administrators), Posted Tuesday at 02:00 PM
12 minutes ago, itman said: "The HTTP web site was accessed at VirusTotal and scans clean: https://www.virustotal.com/gui/url/3feead69cac521e96ce4d6c363be92c3055d583b43760874f9be1ccd255edeb3 ."
That only means VirusTotal queried AV scanners to find out if the URL is on their blacklists. It didn't attempt to access the site.

itman, Posted Tuesday at 02:41 PM (edited)
41 minutes ago, Marcos said: "That only means VirusTotal queried AV scanners to find out if the URL is on their blacklists. It didn't attempt to access the site."
Yes, I realize that. My point was VT was able to access the site under HTTP criteria. When I try to do so in Firefox, it will redirect to HTTPS even with HTTPS only disabled.
Edited Tuesday at 02:43 PM by itman

itman, Posted Tuesday at 10:42 PM
I also performed tracert and nslookup on this domain and both failed. As such, this is not a publicly registered domain. This also means since the domain cannot be accessed via the Internet, it's impossible to diagnose the malicious script ESET is detecting.

Marcos (Administrators), Posted yesterday at 06:03 AM
Surely it's not a false positive and the detected web page contains a malicious JS.

mansour iranmanesh (Author), Posted yesterday at 06:33 AM
It blocks all my accesses and blocks all js files both on the website and in the site admin. Do you have any suggestions?

Marcos (Administrators), Posted yesterday at 06:34 AM
An administrator of the website should find and remove the malicious JavaScript. As for the screenshot of VT results, you are comparing apples with oranges, i.e. URL blacklists with malware detection in html/js files. You can supply logs collected with ESET Log Collector and I'll provide you with the exact malicious code that should be removed.