#1
I use a Real Estate site, RealUp, for posting data. Nod 32 warns me there is a threat, which I am certain is a FP, because two other well respected AV programs do not detect anything and VirusTotal shows ESET as the only program rating the site as infected.
ESET doesn't seem to do much about the problem; I have submitted the file(s) for analysis and the site still pops up the warning insert window. Even more annoying is the fact that in "Advanced Options" the check box for "Exclude from detection" is dimmed out, not available as an option. Does anyone know how to get ESET to respond or disable the warning popup? Thanks in advance for any help.
__________________
Where ever you go, there you are.
Last edited by Sir George : May 21st, 2012 at 08:27 AM.
#2
Please copy & paste the appropriate record from your ESET Threat log here.
#3
ESET 5.0.95: In the last hour (since defs 7155), I am getting "address blocked" messages (on what appear to be ad servers placing ads on webpage), and the following virus warnings:

5/21/2012 8:52:19 AM HTTP filter file http://ad.doubleclick.net/adj/N6344....1871589368360? HTML/ScrInject.B.Gen virus connection terminated - quarantined TFSG\djackino Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

5/21/2012 8:52:18 AM HTTP filter archive http://ad.doubleclick.net/adj/N6344....1871589368360? HTML/ScrInject.B.Gen virus connection terminated - quarantined TFSG\djackino Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

Both of the above files have been sent to ESET for analysis as possible False Positives. The website in question is an all news radio station in Washington, DC, USA (I will PM the actual URL as requested). I have never had any problems with this website, which I go to multiple times a day. A full scan of the C: drive by ESET shows nothing infected, also ran Malware Bytes which also found nothing. Spybot found one tracking cookie for ad.yieldmanager.com which I removed.
#4
As requested;

(begin log)
5/21/2012 6:21:59 AM Real-time file system protection file C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0GA9DDU\mlist_nty[1].htm JS/Kryptik.P trojan cleaned by deleting (after the next restart) - quarantined ROBERT\Robert Event occurred on a new file created by the application: C:\Program Files (x86)\Internet Explorer\iexplore.exe.
(end log)

Thanks for your help!
#5
OK, I submitted the log file and now I am right where I get when sending a file to ESET...no reply!
#6
JS/Kryptik.P is a correct detection, it's not FP. What website did you visit when the detection was triggered? (obfuscate the url to make it unclickable)
#7
The link I use that generates the message is for members only and requires a login. I don't know if you have the ability to override it, but here's the link; http://wwwDOTrealupDOTcom/member/mlist_nty.asp Additionally, as I mentioned in my prior post, VirusTotal shows Nod32 as the only AV program to list this as a virus/trojan.
Last edited by Cudni : May 22nd, 2012 at 01:23 PM. Reason: removed as per TOS no VT
#8
It seems that it's necessary to log in to trigger the detection. Nevertheless, I'm quite positive there must be a script utilizing the same kind of obfuscation as malware writers do to protect their creations from being scanned and detected by AV programs. The best would be if the owners of the website in question contacted ESET so that we could help them locate the problematic script.
#9
Thanks for the reply. Back to my original question, why is Nod32 AV preventing me from using the "Advanced Options" check box for "Exclude from detection"? Is there a way to either enable that option or a workaround?
#10
You can exclude a particular file from scanning in the advanced setup. The option for excluding from detection in the alert window is only applicable for potentially unwanted applications for security reasons.