ESET Insiders BDeep 7 Posted June 3, 2016 ESET Insiders Share Posted June 3, 2016 (edited) We have a custom inline script that obscures a mail to address but ESET and some other endpoint products are knocking it down. The code is: <script type="text/javascript"> <!-- var s=" =b!ujumf>#Fnbjm!Tbsbi#!isfg>#nbjmup;tbsbiAtbsbitjohjoh/dpn#?Tbsbi=0b?"; m=""; for (i=0; i<s.length; i++) m+=String.fromCharCode(s.charCodeAt(i)-1); document.write(m); //--> </script> Because we are purposely trying to utilize this javascript, how can we whitelist this? Machine details of the threat are below: [redacted] COMPUTER DESCRIPTION John Ball THREAT NAME JS/Kryptik.AD THREAT TYPE trojan SEVERITY Warning OCCURRED 2016 Jun 2 08:30:18 THREAT HANDLED Yes RESTART NEEDED No ACTION TAKEN cleaned by deleting ACTION ERROR OBJECT TYPE file OBJECT URI [redacted]/test.html CIRCUMSTANCES Event occurred on a newly created file. SCANNER Real-time file system protection ENGINE VERSION 13585 (20160602) PROCESS NAME C:\Windows\notepad.exe USER NAME [redacted] Edited June 3, 2016 by BDeep Link to comment Share on other sites More sharing options...
ESET Insiders rekun 43 Posted June 3, 2016 ESET Insiders Share Posted June 3, 2016 Submit it as a false positive here hxxp://support.eset.com/kb141/?locale=en_US Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted June 5, 2016 Administrators Share Posted June 5, 2016 Use an image for instance instead of obfuscation methods similar to what malware authors use. Link to comment Share on other sites More sharing options...
Recommended Posts