False positive?


Solved by Marcos

Version 7.0.325 (I can't upgrade any higher as the Cisco NAC client version we use does not accept V8 or V9). Current defs, Windows 7, Firefox.

 

While on WTOP.com (radio station news site in Washington, DC, USA), I am getting "address blocked" messages visiting any story link, example follows from log:

5/26/2016 12:13:21 PM hxxp://0smhezbyrqrjm51c30dkaasv6ralrn.eclampsialemontree.net/qIAk7pwY1w6BO7pOidseVNRVwCRF1NXFwBWgIPGUFYXWkQUVQNQFEBSxtYEVxWRE8WBwsKVF9XZENYFVsVUAFdUA9FSlBTVFZUVl8RSlBUHFsEFkMcQxFaY1wKYVcQSghXWRIJRgUcAU1RGkgXBlxMLQVKXkACFFdVBFUHA1FBT0FCSUIDGwhEVl4IAFgBGh8Bv8H46WupdsoijVHdsoijV8J Blocked by internal blacklist C:\Program Files\Mozilla Firefox\firefox.exe (domain/userid/IP address omitted).

 

What is the deal with eclampsialemontree.net? This started this morning. Not sure which recent definitions file is triggering this. WTOP.com has been notified as well. I also sent a sample to the lab as a possible false positive.

 

Edit: Same thing coming up on nydailynews.com.

Edited by knicks_fan

  • Administrators

0smhezbyrqrjm51c30dkaasv6ralrn subdomain doesn't look legit. My understanding is that the website was compromised and has been serving exploits.

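As an added example (not ESET's code and not from any poster in this thread): a small parser for log entries in the shape quoted above, which groups blocked hits per registrable domain and flags leftmost host labels that look machine-generated, the way the 0smhezbyrqrjm51c30dkaasv6ralrn label does. The line format, the sample entries, and the entropy/length thresholds are assumptions made for this illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample entries modelled on the "address blocked" line quoted in the
# thread; the hxxp:// defanging is kept and the long path is shortened.
SAMPLE_LOG = """\
5/26/2016 12:13:21 PM hxxp://0smhezbyrqrjm51c30dkaasv6ralrn.eclampsialemontree.net/qIAk7pwY1w6BO7pOid Blocked by internal blacklist C:\\Program Files\\Mozilla Firefox\\firefox.exe
5/26/2016 12:15:02 PM hxxp://www.example.com/news/story.html Blocked by internal blacklist C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

# Assumed layout: date, 12-hour time, URL, verdict text, then a Windows process path.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<url>\S+) (?P<verdict>.+?) (?P<process>[A-Za-z]:\\.+)$"
)

def shannon_entropy(s: str) -> float:
    """Bits per character of a string; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Refang only for urlsplit; the defanged URL stays in rec["url"].
    host = urlsplit(rec["url"].replace("hxxp://", "http://", 1)).hostname or ""
    rec["host"] = host
    labels = host.split(".")
    # Registrable domain approximated by the last two labels (no public-suffix lookup).
    rec["domain"] = ".".join(labels[-2:])
    first = labels[0] if len(labels) > 2 else ""
    rec["entropy"] = round(shannon_entropy(first), 2) if first else 0.0
    # Heuristic (assumed thresholds): a long, high-entropy, digit-mixed leftmost
    # label is worth a closer look; a real pipeline would tune this on its own data.
    rec["suspicious_subdomain"] = (
        len(first) >= 20 and rec["entropy"] >= 3.5 and any(ch.isdigit() for ch in first)
    )
    return rec

def summarize(log_text: str) -> dict:
    """Count blocked hits per domain and list hosts whose subdomain looks generated."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_domain = Counter(r["domain"] for r in recs)
    flagged = sorted({r["host"] for r in recs if r["suspicious_subdomain"]})
    return {"records": recs, "per_domain": dict(per_domain), "flagged_hosts": flagged}
```

Feeding a day's worth of such lines to `summarize` shows which sites keep triggering the block and which hostnames deserve a report to the site owner.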

Wonderful. I have sent a bunch of e-mails to WTOP.com and nothing has been done to block the domain. Perhaps you could try webmaster@wtop.com.

 

I can read the stories, and just ignore the messages, Marcos, or should I stay away until it is resolved one way or another?


Still getting the address blocked messages this morning. Again e-mailed the two websites that are in question. That domain appears to serve many websites as indicated above.

 

Does ESET typically try to contact the domain in question to get them to fix what is wrong?

Edited by knicks_fan

  • Administrators
  • Solution

Does ESET typically try to contact the domain in question to get them to fix what is wrong?

That would be impossible as we block thousands of urls on a daily basis.

I too have been getting a lot of NOD32 popups about eclampsialemontree.net being blocked, which is fine by me as I don't need the junk. Seeing the popups is a bit disconcerting, but I hope NOD is just doing its job.


This topic is now closed to further replies.