NOD32 AV v4.2.71.2 Module HTTP filter - Threat Alert triggered

Discussion in 'ESET NOD32 Antivirus' started by dsi-ap, Jan 18, 2012.

Thread Status:
Not open for further replies.
  1. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    Hi All

    We have always had the HTTP filter module enabled on NOD as a good last line of defence in case the firewall and then the proxy server do not block bad sites.

    Here is a typical alert we get:

    Code:
    18/01/2012 11:25:45 - Module HTTP filter - Threat Alert triggered on computer COMPUTER-NAME:  http://http-sy.ru/PAGEREMOVED.php?id=SESSIONIDREMOVED contains JS/Kryptik.GA trojan.
    Another site with false positive results

    Code:
    17/01/2012 11:46:11 - Module HTTP filter - Threat Alert triggered on computer COMPUTER-NAME:  http://www.trappednerve.org/ contains HTML/ScrInject.B.Gen virus.
    VirusTotal.com reports these sites as clean....

    It's beginning to seem the HTTP filter is reporting clean sites as infected, and I wonder if ESET are aware of this and what has been done or needs to be done to resolve it.

    This becomes a problem if one site is reported to be infected by ESET and several hundred users are trying to get to the site.
     
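    The alert lines quoted above have a fixed layout (timestamp, module, computer name, URL, detection name, threat type), which makes them easy to parse in bulk. The following is an added example, not code from the thread or from ESET: it parses lines of that shape and ranks each blocked domain by how many distinct computers triggered it, so that a block affecting hundreds of users is the first one checked and, if it turns out to be a false positive, the first one submitted to the vendor. The regular expression, the day-first date format and the hostnames other than COMPUTER-NAME are assumptions built from the two quoted lines; the sample log is constructed for the example.

```python
"""Parse NOD32 'Module HTTP filter - Threat Alert' lines and rank blocked
domains by how many distinct computers hit them (added example, not ESET code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Field layout inferred from the two alert lines quoted in the thread (assumption);
# anything outside that shape (other modules, truncated lines) is rejected.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - Module (?P<module>.+?) - "
    r"Threat Alert triggered on computer (?P<host>\S+):\s+"
    r"(?P<url>\S+) contains (?P<detection>\S+) (?P<kind>[A-Za-z ]+?)\.$"
)


@dataclass(frozen=True)
class HttpFilterAlert:
    ts: datetime
    module: str
    host: str
    url: str
    detection: str   # e.g. JS/Kryptik.GA
    kind: str        # e.g. trojan, virus

    @property
    def domain(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()


def parse_alert(line: str):
    """Return an HttpFilterAlert for a well-formed HTTP filter alert, else None."""
    m = ALERT_RE.match(line.strip())
    if not m or m["module"] != "HTTP filter":
        return None
    # Day-first timestamps, as in the quoted lines (18/01/2012 can only be dd/mm/yyyy).
    return HttpFilterAlert(
        ts=datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
        module=m["module"], host=m["host"], url=m["url"],
        detection=m["detection"], kind=m["kind"],
    )


def rank_blocked_domains(lines):
    """Group alerts by (domain, detection) and rank by distinct hosts affected.

    The block hitting the most computers comes first: that is the one worth
    verifying (and, if it is a false positive, reporting to the vendor) first.
    """
    hosts = defaultdict(set)
    count = defaultdict(int)
    first_seen = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # not an HTTP filter alert; skip silently
        key = (a.domain, a.detection)
        hosts[key].add(a.host)
        count[key] += 1
        first_seen[key] = min(first_seen.get(key, a.ts), a.ts)
    rows = [
        {"domain": d, "detection": det, "hosts": len(hosts[(d, det)]),
         "alerts": count[(d, det)], "first_seen": first_seen[(d, det)].isoformat()}
        for (d, det) in hosts
    ]
    return sorted(rows, key=lambda r: (-r["hosts"], -r["alerts"], r["domain"]))


# Constructed sample: the two lines quoted in the thread, plus invented hosts and
# repeats, plus one unrelated line (different module) that the parser must ignore.
SAMPLE_LOG = [
    "18/01/2012 11:25:45 - Module HTTP filter - Threat Alert triggered on computer COMPUTER-NAME:  http://http-sy.ru/PAGEREMOVED.php?id=SESSIONIDREMOVED contains JS/Kryptik.GA trojan.",
    "17/01/2012 11:46:11 - Module HTTP filter - Threat Alert triggered on computer COMPUTER-NAME:  http://www.trappednerve.org/ contains HTML/ScrInject.B.Gen virus.",
    "17/01/2012 11:47:02 - Module HTTP filter - Threat Alert triggered on computer PC-SALES-07:  http://www.trappednerve.org/index.html contains HTML/ScrInject.B.Gen virus.",
    "17/01/2012 12:03:19 - Module HTTP filter - Threat Alert triggered on computer PC-SALES-12:  http://www.trappednerve.org/ contains HTML/ScrInject.B.Gen virus.",
    "17/01/2012 12:03:20 - Module HTTP filter - Threat Alert triggered on computer PC-SALES-12:  http://www.trappednerve.org/ contains HTML/ScrInject.B.Gen virus.",
    "17/01/2012 09:00:00 - Module Real-time file system protection - some other event",
]

if __name__ == "__main__":
    for row in rank_blocked_domains(SAMPLE_LOG):
        print(row)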
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    From my experience, scanning URLs at VT rarely yields correct results because the other products used for scanning rarely detect malware on sites where ESET does.
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Unfortunately that's my experience too. But when it comes to files it's great.

    To the OP... Scanning a URL on URLVoid, VirusTotal etc. is great because it gives a hint about the site. But take the results with a grain of salt. And in case one thinks it's an FP, just submit the URL to the vendor(s), and if it indeed is an FP they will fix it.
     
    Last edited: Jan 21, 2012
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There's indeed a script loaded from a blocked domain that is deindexed by Google too, due to very frequent occurrences of malware.
     