False positive for Adblock?

Discussion in 'ESET NOD32 Antivirus' started by spiketoo, Jan 16, 2012.

Thread Status:
Not open for further replies.
  1. spiketoo

    spiketoo Registered Member

    False positive for Adblock? ( JS/Redirector.B virus )

    Getting threat alerts for the first time with today's DB update for Adblock +. False positives perhaps?

    Anyone else?
     
  2. braindedd

    braindedd Registered Member

    +1 for me.
    Running the Easylist + EasyPrivacy subscriptions.

    Detects patterns.ini, cache.js, elemhide.css files and their backups as JS/Redirector.B.
     
  3. MWarner

    MWarner Registered Member

    +1 for me as well. Submitted .ini files to Eset as false positive. Hopefully fixed in the next definitions update.
     
  4. braindedd

    braindedd Registered Member

  5. kairii

    kairii Registered Member

    I'm getting the same detections for those files as well with update 6799 with ESET Security Suite V5.
     
  6. dmaasland

    dmaasland Registered Member

    It's being looked into, looks like a FP
     
  7. Dukey

    Dukey Registered Member

    Yep same issue here with 6799.
     
  8. jozsadaniel

    jozsadaniel Registered Member

    I also confirm this,
    Running NOD v5, 6799
    I am getting this on both Firefox and Chrome AdBlock Plus extensions.

    Thanks.
     
  9. ScHAmPi

    ScHAmPi Registered Member

    Same here.
     
  10. HopkinsProg

    HopkinsProg Registered Member

    I too am getting false positives triggered on the Adblock Plus pattern.ini file in Firefox across several hundred computers at our organization.

    Running NOD32 Antivirus 4 Business Edition (4.2.71.2; db 6799).
     
  11. braindedd

    braindedd Registered Member

    PS. Virscan.org is using definitions 6794 so it's been around since at least then.
     
  12. Klipper

    Klipper Registered Member

    Getting these JS/Redirector.B too in Thunderbird.

    Why is Eset trying to disable the most popular Adblocker? Is this a commercial attack?
     
  13. mightyguppy

    mightyguppy Registered Member

    Same here, it's definitely a false positive!

    Fix soon please!
     
  14. stackz

    stackz Registered Member

    Fixed in db update 6800.
     
  15. braindedd

    braindedd Registered Member

    Confirmed fixed in 6800.
     
  16. Supersnake

    Supersnake Registered Member

    6799 did the same to me too:

    Number of infected objects: 102
    Every one of them was an adblockplus: cache.js, patterns.ini-temp, or elemhide* file

    Edit Update: LOL, right after I deleted all those files 6800 got pushed to my computer. Oh well, I guess I will have to reinstall ADBlock Plus again.
     
    Last edited: Jan 16, 2012
  17. CalibanComputing

    CalibanComputing Registered Member

    Same thing here, and it caused some excitement this morning. :rolleyes: I'm scanning with the latest signature db (6800) and it appears to have corrected the false positive.
     
  18. Supersnake

    Supersnake Registered Member

    Question: Try entering 'JS/Redirector' (w/o quotes) as a search item. The search function is atop our window. Why are there no hits when the string JS/Redirector is in our post?
     
  19. LowWaterMark

    LowWaterMark Administrator

    Of course, now that you have entered it in your post, that term is searchable.

    However, the reason that just "JS/Redirector" did not get any hits previously is because of the two occurrences above, they were actually "JS/Redirector.B" - the ".B" connected to the end of the word makes it a different word. vBulletin search is not like Google. It doesn't have complex coding to figure out that these are similar even with the "dot variant" on it. But, a wildcard search would have worked:

    JS/Redirector*


    Note that each time you include the term you can't find in a post, that adds it to the vBulletin search index, and then your next search finds that post.
     
  20. Supersnake

    Supersnake Registered Member

    Aha, thank you LowWaterMark :)
    Obviously I became spoiled by browser search engines like Google.
    Will make use of the * as a wildcard operator from now on. Thanks for clarifying it all so well.
     
  21. siljaline

    siljaline Registered Member

    Sixty-eight instances found running an on-demand scan.
    Some were flagged against ad block plus, others were in system restore archive. This was a labour intensive clean-up.
     