False positive for Adblock?

Discussion in 'ESET NOD32 Antivirus' started by spiketoo, Jan 16, 2012.

Thread Status:
Not open for further replies.
  1. spiketoo

    spiketoo Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    7
    False positive for Adblock? ( JS/Redirector.B virus )

    Getting threat alerts for the first time with today's DB update for Adblock +. False positives perhaps?

    Anyone else?
     
  2. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    +1 for me.
    Running the Easylist + EasyPrivacy subscriptions.

    Detects patterns.ini, cache.js, elemhide.css files and their backups as JS/Redirector.B.
     
  3. MWarner

    MWarner Registered Member

    Joined:
    Jul 31, 2011
    Posts:
    6
    +1 for me as well. Submitted .ini files to Eset as false positive. Hopefully fixed in the next definitions update.
     
  4. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
  5. kairii

    kairii Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    76
    I'm getting the same detections for those files as well with update 6799 with ESET Security Suite V5.
     
  6. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    It's being looked into, looks like a FP
     
  7. Dukey

    Dukey Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    1
    Location:
    England
    Yep same issue here with 6799.
     
  8. jozsadaniel

    jozsadaniel Registered Member

    Joined:
    Jul 27, 2007
    Posts:
    2
    I also confirm this,
    Running NOD v5, 6799
    I am getting this on both Firefox and Chrome AdBlock Plus extensions.

    Thanks.
     
  9. ScHAmPi

    ScHAmPi Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    1
    Location:
    Belgium
    Same here.
     
  10. HopkinsProg

    HopkinsProg Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    2
    Location:
    Virginia
    I too am getting false positives triggered on the Adblock Plus pattern.ini file in Firefox across several hundred computers at our organization.

    Running NOD32 Antivirus 4 Business Edition (4.2.71.2; db 6799).
     
  11. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    PS. Virscan.org is using definitions 6794 so it's been around since at least then.
     
  12. Klipper

    Klipper Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    7
    Location:
    Netherlands
    Getting these JS/Redirector.B too in Thunderbird.

    Why is Eset trying to disable the most popular Adblocker? Is this a commercial attack?
     
  13. mightyguppy

    mightyguppy Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    1
    Location:
    sweden
    Same here, it's definitely a false positive!

    Fix soon please!
     
  14. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Fixed in db update 6800.
     
  15. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    Confirmed fixed in 6800.
     
  16. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    6799 did the same to me too:

    Number of infected objects: 102
    Every one of them was an adblockplus: cache.js, patterns.ini-temp, or elemhide* file

    Edit Update: LOL, right after I deleted all those files 6800 got pushed to my computer. Oh well, I guess I will have to reinstall ADBlock Plus again.
     
    Last edited: Jan 16, 2012
  17. CalibanComputing

    CalibanComputing Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    3
    Location:
    Canada
    Same thing here, and it caused some excitement this morning. :rolleyes: I'm scanning with the latest signature db (6800) and it appears to have corrected the false positive.
     
  18. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Question: Try entering 'JS/Redirector' (w/o quotes) as a search item. The search function is atop our window. Why are there no hits when the string JS/Redirector is in our post?
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Of course, now that you have entered it in your post, that term is searchable.

    However, the reason that just "JS/Redirector" did not get any hits previously is because of the two occurrences above, they were actually "JS/Redirector.B" - the ".B" connected to the end of the word makes it a different word. vBulletin search is not like Google. It doesn't have complex coding to figure out that these are similar even with the "dot variant" on it. But, a wildcard search would have worked:

    JS/Redirector*


    Note that each time you include the term you can't find in a post, that adds it to the vBulletin search index, and then your next search finds that post.
     
  20. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Aha, thank you LowWaterMark :)
    Obviously I became spoiled by browser search engines like Google.
    Will make use of the * as a wildcard operator from now on. Thanks for clarifying it all so well.
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Sixty-eight instances found running an on-demand scan.
    Some were flagged against Adblock Plus, others were in the System Restore archive. This was a labour-intensive clean-up.
     