False Positive Website

[mavi]

Hi,

I am a user of animecrazy.net, and dramacrazy.net, and since the last
signature update I've noticed that any video iframes show up as a
false positive, JS/TrojanDownloader.Iframe.NKE trojan.

Like for instance:
-dramacrazy.net/korean-drama/city-hunter-episode-2/ speedy
joe(satsukai.com) mirrors use iframes to show, and I've tried to identify with
multiple virus scanners, and only yours shows this false positive.

If you watch the same video on the actual satsukai.com site
-satsukai.com/get_video.php?video=17762

Nothing shows up, meaning it's not the actual page.

Another non iframe mirror:
-dramacrazy.net/korean-drama/city-hunter-episode-2/146491
see no virus

Or for instance try this:
-dramacrazy.net/korean-drama/city-hunter-episode-19/163500
same issue using another iframe site.

If you check the actual Iframe
page in a new tab, no virus.

If you try the actual site with a non iframe mirror, it shows no virus so I'm ruling out ads, comprimised pages, etc. But
when you try a page with an video that comes through an iframe it
calls it a virus.

No files are downloaded from that site. No viruses come from it. It's
just a video player in an iframe.

Here's an image of the eset popup i get.


http://img69.imageshack.us/img69/5350/unled1iy.png

I need this to be fixed as it's not a virus and is on every page i
view except the other mirrors, and getting quite annoying fast.

Thanks!

[NoobStick]

Hello mavi
If you think there is a " False Positive Website" you can always report it to Eset using the guide in this link : http://kb.eset.com/esetkb/index?page...=1312054995198

Best Regards

NoobStick

[toxinon12345]

I saw similar detections in the ScrInject signature

anyway a frame with a minimal size is always suspicious

[mavi]

Quote:

Originally Posted by toxinon12345

I saw similar detections in the ScrInject signature

anyway a frame with a minimal size is always suspicious

But the frame size is 700x400.

[siljaline]

An apparent iframe exploit, as NoobStick noted, submit the false postive to ESET for analysis.

[no_idea]

Please keep in mind, that a massive iFrame Injection is going on right now and that nod32 just might have saved your a**

http://blog.armorize.com/2011/07/wil...n-ongoing.html

[piranha]

do you understand what is a false positive ?

a same file could be ok in another website or mirror but it dont means it is a false positive. Can just means that the another website or mirror is NOT infected !!!

submit website and/or file to Eset, if it is a false alert and the video or file is really ok, they will correct this in a next virus db update

[SweX]

FYI. mavi is talking about the same site at Malwarebytes Forum as well, see what they answered here:
http://forums.malwarebytes.org/index...howtopic=87729

[siljaline]

Thank you for this, Swex

Quote:

Originally Posted by SweX

FYI. mavi is talking about the same site at Malwarebytes Forum as well, see what they answered here:
http://forums.malwarebytes.org/index...howtopic=87729

[mavi]

This is the very reason why I don't use malware bytes, they veer too far on the edge of false positives. I know plenty of good sites that are on ecatel, that are anime sites.

With that said, this iframe issue affects pretty much any site that serves media through an iframe. It's too major of an issue to continue as is.

Peace out, hope it gets resolved soon.

[danieln]

In order to fix the problem cease usage of the obfuscation. You can find detail explanation here:
http://blog.eset.com/2011/05/17/obfu...-a-tangled-web

[SweX]

Quote:

Originally Posted by siljaline

Thank you for this, Swex

You're welcome mate

[siljaline]

Thank you for this, danieln

Quote:

Originally Posted by danieln

In order to fix the problem cease usage of the obfuscation. You can find detail explanation here:
http://blog.eset.com/2011/05/17/obfu...-a-tangled-web

[mavi]

Quote:

Originally Posted by danieln

In order to fix the problem cease usage of the obfuscation. You can find detail explanation here:
http://blog.eset.com/2011/05/17/obfu...-a-tangled-web

Is that the problem? Can't you guys just whitelist the three sites (AnimeCrazy.Net/DramaCrazy.Net) as they are virus free but are just running into the obfuscated issue?