NOD32 Blocking of Malicious Javascript

When I initially purchased a license for NOD32 (Preconfigured with BlackSpears Recommended Settings) I tested it at EICAR. Sometimes I would get a splash page from NOD32 and sometimes I would only get something like "Page Not Found", etc. Basically I would not be allowed access to any file at EICAR.

I frequently look at discount/deals type websites. Almost all of the time there are no files to download. However, yesterday they had WinRAR 3.51 with free license. I filled out the form. They sent an E-Mail with the download link. When I clicked on the E-Mail link my BlueCoat Web Protection Filter denied access. I was stubborn and temporarily bypassed the Filter. There was tab for a link to the free license. When I move the mouse over the tab it was labeled as Java script. I repeatedly clicked on the link and there was not response. Is this link not working be what NOD32 does in that case to prevent infection?

I looked at forum posts for that website. Only one person reported that the actual download file had a Trojan in it. The following is what one person out of 100+ posted:

--------------------------------------------------------------------------

I followed the instructions and links from the email I received.

As soon as I installed the program, Symantec Anti-virus found Trojan.Dropper in the file: Default.sfx in the WinRar folder.

Here's Symantec's page re: this trojan:
http://www.symantec.com/security_res...082718-3007-99

It's a low-level threat, but the fact that I've downloaded any kind of threat really bugs me.

Anyone else run into this?
-------------------------------------------------------------------------

 

It sounds more like you have a Javascript issue than anything else. When you click on the "Smilies" in this forum, do they work?

Cheers

 

I've often wondered, sometimes out loud, how people get infected all the time.

I no longer wonder.

 

Default.sfx is not a trojan, never was never will be.
In previous versions of WinRAR the file was packed using UPX (archives too) but they removed it since most AV-vendors didn't bother fixing their False/Positive. The new version (3.51) only TheHacker is detecting it as: Aplicacion/NetCat.

And if you do not want to have Javascript enabled all the time, I suggest you download Firefox + NoScript extension.

 

TheKid7,

Try submitting the suspicious file to http://www.virustotal.com or http://virusscan.jotti.org . These are two online services that will run the suspicious file through several different virus scanners. It could be that the 100+ posters were correct, and the 1 poster had found a false positive.