False positive for Adblock?

Discussion in 'ESET NOD32 Antivirus' started by spiketoo, Jan 16, 2012.

Thread Status:
Not open for further replies.
  1. spiketoo

    spiketoo Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    7
    False positive for Adblock? ( JS/Redirector.B virus )

    Getting threat alerts for the first time with today's DB update for Adblock +. False positives perhaps?

    Anyone else?
     
  2. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    +1 for me.
    Running the Easylist + EasyPrivacy subscriptions.

    Detects patterns.ini, cache.js, elemhide.css files and their backups as JS/Redirector.B.
     
  3. MWarner

    MWarner Registered Member

    Joined:
    Jul 31, 2011
    Posts:
    6
    +1 for me as well. Submitted .ini files to Eset as false positive. Hopefully fixed in the next definitions update.
     
  4. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
  5. kairii

    kairii Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    76
    I'm getting the same detections for those files as well with update 6799 with ESET Security Suite V5.
     
  6. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    It's being looked into, looks like a FP
     
  7. Dukey

    Dukey Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    1
    Location:
    England
    Yep same issue here with 6799.
     
  8. jozsadaniel

    jozsadaniel Registered Member

    Joined:
    Jul 27, 2007
    Posts:
    2
    I also confirm this,
    Running NOD v5, 6799
    I am getting this on both Firefox and Chrome AdBlock Plus extensions.

    Thanks.
     
  9. ScHAmPi

    ScHAmPi Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    1
    Location:
    Belgium
    Same here.
     
  10. HopkinsProg

    HopkinsProg Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    2
    Location:
    Virginia
    I too am getting false positives triggered on the Adblock Plus pattern.ini file in Firefox across several hundred computers at our organization.

    Running NOD32 Antivirus 4 Business Edition (4.2.71.2; db 6799).
     
  11. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    PS. Virscan.org is using definitions 6794 so it's been around since at least then.
     
  12. Klipper

    Klipper Registered Member

    Joined:
    Nov 28, 2011
    Posts:
    7
    Location:
    Netherlands
    Getting these JS/Redirector.B too in Thunderbird.

    Why is Eset trying to disable the most popular Adblocker? Is this a commercial attack?
     
  13. mightyguppy

    mightyguppy Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    1
    Location:
    sweden
    Same here, it's definitely a false positive!

    Fix soon please!
     
  14. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    Fixed in db update 6800.
     
  15. braindedd

    braindedd Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    16
    Confirmed fixed in 6800.
     
  16. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    6799 did the same to me too:

    Number of infected objects: 102
    Every one of them was an adblockplus: cache.js, patterns.ini-temp, or elemhide* file

    Edit Update: LOL, right after I deleted all those files 6800 got pushed to my computer. Oh well, I guess I will have to reinstall ADBlock Plus again.
     
    Last edited: Jan 16, 2012
  17. CalibanComputing

    CalibanComputing Registered Member

    Joined:
    Jan 16, 2012
    Posts:
    3
    Location:
    Canada
    Same thing here, and it caused some excitement this morning. :rolleyes: I'm scanning with the latest signature db (6800) and it appears to have corrected the false positive.
     
  18. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Question: Try entering 'JS/Redirector' (w/o quotes) as a search item. The search function is atop our window. Why are there no hits when the string JS/Redirector is in our post?
     
  19. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,133
    Location:
    New England
    Of course, now that you have entered it in your post, that term is searchable.

    However, the reason that just "JS/Redirector" did not get any hits previously is because of the two occurrences above, they were actually "JS/Redirector.B" - the ".B" connected to the end of the word makes it a different word. vBulletin search is not like Google. It doesn't have complex coding to figure out that these are similar even with the "dot variant" on it. But, a wildcard search would have worked:

    JS/Redirector*


    Note that each time you include the term you can't find in a post, that adds it to the vBulletin search index, and then your next search finds that post.
     
  20. Supersnake

    Supersnake Registered Member

    Joined:
    Jul 12, 2003
    Posts:
    121
    Aha, thank you LowWaterMark :)
    Obviously I became spoiled by browser search engines like Google.
    Will make use of the * as a wildcard operator from now on. Thanks for clarifying it all so well.
     
  21. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Sixty-eight instances found running an on-demand scan.
    Some were flagged against Adblock Plus, others were in the System Restore archive. This was a labour-intensive clean-up.
     