false positives at Ecoustics.com

Discussion in 'NOD32 version 2 Forum' started by alglove, Sep 20, 2006.

Thread Status:
Not open for further replies.
  1. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I have encountered problems when reading certain reviews posted at the Ecoustics.com website. In particular, whenever I try to read any review that comes to Ecoustics from "Secrets of Home Theater and High Fidelity" magazine ( http://www.hometheaterhifi.com ), I am bombarded with JS/TrojanDropper.Tivso.gen and TrojanDownloader.Tivso.gen messages, and I am unable to read the review.

    I am pretty sure this is a false positive, because I uploaded copies of the webpages to Jotti's and VirusTotal, and they came out clean with all the other scanners. Also, if I look at the reviews directly from http://www.hometheaterhifi.com , they are fine. It seems to be the combination of the Hometheaterhifi.com review embedded within the Ecoustics.com webpage that causes the problem.

    In accordance with forum policy, I have not posted a link to one of these reviews (though I will do so at a moderator's request). I have submitted a quarantined sample to Eset for review, with a link in the description. If anyone could look into this, that would be great.
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Because it has something to do with a support/analysis request, you may post a non-clickable link (hxxp://).
     
    Last edited: Sep 20, 2006
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Thanks, Brian! Here are a couple of non-clickable links. I have problems with the first link, but not the second. See if anyone else has the same problem...

    hxxp://www.ecoustics.com/secrets/volume_13_3/arcam-solo-8-2006.html
    hxxp://www.hometheaterhifi.com/volume_13_3/arcam-solo-8-2006.html
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Yeah NOD32 lights up like a Christmas tree :blink: ;) :D

    Will have to wait for Marcos to come along and analyse it.

    Cheers :D
     

  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    And here's a VirusTotal scan of the file. As you can see, only NOD32 detects it.
    Guess we'll have to wait for Marcos :)

    And I also forgot you already did that, my bad :p
     

    Attached Files:

    • asd.JPG (File size: 91.2 KB; Views: 282)
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    mmm.... I've seen the fireworks too. :D It's an heuristic detection as I see (.gen) and I think it will be fixed soon.
     
  7. ASpace

    ASpace Guest

    Don't be so sure, pykko!
    I have seen lots of examples (real and screenshots from VirusTotal) with real malware which only NOD32 (or NOD32 + few others) detect. This can be just one example.

    By the way, already submitted to ESET labs and Support! :thumb:
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It has been fixed. No warning here. :)

    EDIT: It seems not. On the first page I still get the warning. :(
     
  9. ASpace

    ASpace Guest


    Buddy, as I said, they are already submitted and they will decide if it is a real threat :D :D ;) Will inform you if I receive any reply :)
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    It seems to be triggered because the first 19 characters are <html><head><title> and there is .com before the </title> tag.

    Looks like a probable FP IMHO since nothing else in the document causes detection but it is not my place here to say that it is or isn't actually safe.

    Cheers :)
     
  11. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    That's OK. I was just thinking, "Maybe I should have put up some screenshots," but then you did them all for me. Thanks! :D
     