ESET Insiders BDeep 7 Posted June 3, 2016 (edited)

We have a custom inline script that obscures a mail to address but ESET and some other endpoint products are knocking it down. The code is:

<script type="text/javascript">
<!--
var s=" =b!ujumf>#Fnbjm!Tbsbi#!isfg>#nbjmup;tbsbiAtbsbitjohjoh/dpn#?Tbsbi=0b?";
m="";
for (i=0; i<s.length; i++) m+=String.fromCharCode(s.charCodeAt(i)-1);
document.write(m);
//-->
</script>

Because we are purposely trying to utilize this JavaScript, how can we whitelist this? Machine details of the threat are below:

[redacted]
COMPUTER DESCRIPTION: John Ball
THREAT NAME: JS/Kryptik.AD
THREAT TYPE: trojan
SEVERITY: Warning
OCCURRED: 2016 Jun 2 08:30:18
THREAT HANDLED: Yes
RESTART NEEDED: No
ACTION TAKEN: cleaned by deleting
ACTION ERROR:
OBJECT TYPE: file
OBJECT URI: [redacted]/test.html
CIRCUMSTANCES: Event occurred on a newly created file.
SCANNER: Real-time file system protection
ENGINE VERSION: 13585 (20160602)
PROCESS NAME: C:\Windows\notepad.exe
USER NAME: [redacted]

Edited June 3, 2016 by BDeep
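An added example, not part of the original thread: a static check an analyst could run when triaging a detection like this one, recovering what the decode loop hands to document.write without executing the script. The function names and the sample script (with a placeholder address) are constructed for illustration, and the tag and scheme checks are a heuristic, not a full HTML parse.

```javascript
// Added example: static triage of a "shift-by-N + document.write" inline script.
// SAMPLE is constructed: same decode loop as the post, with a placeholder address.
const SAMPLE = `<script type="text/javascript">
var s="=b!isfg>#nbjmup;vtfsAfybnqmf/uftu#?Dpoubdu=0b?";
m=""; for (i=0; i<s.length; i++) m+=String.fromCharCode(s.charCodeAt(i)-1);
document.write(m);
</script>`;

// Pull the string literal and the constant subtracted from charCodeAt(),
// by pattern matching only; the page's script is never evaluated.
function extractShiftedString(html) {
  const lit = /var\s+(\w+)\s*=\s*"([^"]*)"/.exec(html);
  const shift = /String\.fromCharCode\(\s*(\w+)\.charCodeAt\(\s*\w+\s*\)\s*-\s*(\d+)\s*\)/.exec(html);
  if (!lit || !shift || lit[1] !== shift[1]) return null;
  return { encoded: lit[2], shift: Number(shift[2]) };
}

// Reverse the shift one UTF-16 code unit at a time, as the original loop does.
function decode(encoded, shift) {
  return encoded.split("").map(c => String.fromCharCode(c.charCodeAt(0) - shift)).join("");
}

// Summarise what document.write() would receive: tags, URL schemes, inline handlers.
function triage(html) {
  const found = extractShiftedString(html);
  if (!found) return { decoded: null, benign: false, reasons: ["pattern not recognised"] };
  const decoded = decode(found.encoded, found.shift);
  const tags = [...decoded.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map(m => m[1].toLowerCase());
  const schemes = [...decoded.matchAll(/(?:href|src)\s*=\s*["']?\s*([a-zA-Z][\w+.-]*):/gi)]
    .map(m => m[1].toLowerCase());
  const reasons = [];
  for (const t of tags) if (t !== "a") reasons.push(`unexpected tag <${t}>`);
  for (const s of schemes) if (s !== "mailto") reasons.push(`unexpected scheme ${s}:`);
  if (/\son\w+\s*=/i.test(decoded)) reasons.push("inline event handler");
  // "benign" here means: only anchor tags, only mailto: links, no on* attributes.
  return { decoded, tags, schemes, benign: reasons.length === 0 && tags.length > 0, reasons };
}

console.log(triage(SAMPLE));
```

The decoded markup and the reasons list are the kind of evidence worth attaching to a false-positive submission.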
ESET Insiders rekun 43 Posted June 3, 2016

Submit it as a false positive here: hxxp://support.eset.com/kb141/?locale=en_US
Administrators Marcos 5,461 Posted June 5, 2016

Use an image, for instance, instead of obfuscation methods similar to what malware authors use.