doubleclick.net causing HTML/ScrInject.B.Gen virus alerts

Discussion in 'ESET NOD32 Antivirus' started by Geosoft, Jan 30, 2012.

Thread Status:
Not open for further replies.
  1. Geosoft

    Geosoft Registered Member

    Joined:
    Jan 7, 2009
    Posts:
    270
    Location:
    Toronto, Ontario, Canada
    Any known issues with 6840? A lot of computers on my network are complaining about the HTML/ScrInject.B.Gen virus, where most of the URLs are coming from doubleclick.net, and a small handful of others.
     
  2. jard

    jard Registered Member

    Joined:
    Jan 30, 2012
    Posts:
    1
    Location:
    United States
    I'm seeing the same problem with 6840.
     
  3. clutch

    clutch Registered Member

    Joined:
    Oct 10, 2008
    Posts:
    19
    We're getting them too. No adverse effects that we can see... and all are on what looks to be advertising sites too. I wonder if an ad hosting company that hosts all these sites got hit.
     
  4. etciv

    etciv Registered Member

    Joined:
    Jan 30, 2012
    Posts:
    1
    Location:
    US
    We are getting them as well at our site with 100+ users.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    it was an advertising domain that was blocked. A new update addressing the FP is being prepared and will be released shortly.
     
  6. clutch

    clutch Registered Member

    Joined:
    Oct 10, 2008
    Posts:
    19
    Looks like 6841 has been released. Pushing out to my clients now.
     
  7. dwomack

    dwomack Eset Staff Account

    Joined:
    Mar 2, 2011
    Posts:
    588

    Awesome. Let us know if there's any continued FP activity.
     
  8. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Could it be that this FP was caused by "Antivirus and antispyware scanner module: 1337 (20120130)" and not by defs 6840?

    Just being curious here ;)
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    If it was caused by defs 6840, you would expect to see it here mentioned:
    http://www.eset.eu/podpora/aktualizacia-6840?lng=en

     
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    • @ FanJ

    I have Antivirus and antispyware scanner module: 1337 (20120130) module installed under non pre-release, no issues reported from the users that report to me through other channels.

    I hope it was a true false-positive and has been rectified for now.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Siljaline,

    The whole point of my two previous postings in this thread was:
    If defs update 6840 was causing this FP "HTML/ScrInject.B.Gen",
    then you would expect it mentioned in the list here.
    But it is not mentioned there.
    So did that list not mention everything? Let's assume that that list was correct. I suppose we get correct info on those lists.
    Was "HTML/ScrInject.B.Gen" mentioned in a previous other list? As far as I can see with my bad eyes: no.
    So the only conclusion can be that it was the recent "Antivirus and antispyware scanner module: 1337 (20120130)" that was causing this.
    Or am I missing something?

    PS:
    And yes, this was with pre-releases updates not enabled on NOD32 4.2.71.2, on XP-home SP3.
    And no, I got no warnings from this FP: I block doubleclick.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The virus signature update 6480 does not list HTML/ScrInject.B.Gen per se. It was blocked at ESET's Virus Labs for reasons as we are aware to be a confirmed false-positive, which has been corrected.

    The updated module component:
    Antivirus and antispyware scanner module: 1337 (20120130) was likely unrelated. The module change was not logged
     
  13. TomFace

    TomFace Registered Member

    Joined:
    Jan 8, 2011
    Posts:
    77
    Location:
    USA
    I too have one quarantine item (2 detected threats) related to this HTML/ScrInject.B.Gen virus - so in plain language, is this real or false and should it be deleted from quarantine or what should I do? I currently have version 6843 and have run a scan after detection which was clean.
     
    Last edited: Jan 31, 2012
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the files are not detected with the latest version you can leave them out of quarantine.
     
  15. TomFace

    TomFace Registered Member

    Joined:
    Jan 8, 2011
    Posts:
    77
    Location:
    USA
    OK-Marcos, thank you for the prompt reply. I am a simple man, not an expert.
     
    Last edited: Jan 31, 2012
  16. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hey silj,

    OK.
    I was considering that possibility when I wrote "Let's assume that that list was correct. I suppose we get correct info on those lists."
    So, if defs update 6840 was causing this, we might come to a conclusion about those lists :ouch:

    Anyway, glad to see that it seems to have been fixed quickly. :)

    BTW, the "Antivirus and antispyware scanner module" was updated to: 1338 (20120131)
     
  17. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    ESET didn't remain '1337' for very long. ;)
     
  18. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Hmmm... since I am no longer logging these, my version no longer allows me to report them.

     