Avast WEBforum

Other => Viruses and worms => Topic started by: tbd_appn on March 06, 2012, 05:19:51 PM

Title: potential false positive (JS:Agent-PV [Trj])
Post by: tbd_appn on March 06, 2012, 05:19:51 PM

Hello,

The below Javascript was flagged as JS:Agent-PV [Trj], however the provider of this JS is a trusted partner and we suspect this is a false positive. Is there any clarification that can be given here?

Many thanks.

Removed the actual code, here is a link (though this may rotate and change), and screenshot attached:

hxxp://www.kqzyfj.com/placeholder-5791062?target=_top&mouseover=N

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: Pondus on March 06, 2012, 05:23:27 PM

DO NOT post Potentially malware code in the forum as every one with a AV detecting this will get a warning when entering the forum


take a screenshot of the code and attach



VirusTotal - 2/43
https://www.virustotal.com/file/6b11f0e5bba1948abbbc3d9092812cf7c7ca580f55c1364f7864b2fd709887a5/analysis/1331051093/

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: polonus on March 06, 2012, 05:36:25 PM

As Pondus says remove script code immedeately or present it as an image link. If the malcode is not a FP,  it is a spyware TT-exploit, and especially dangerous when opened with Internet Explorer,

polonus

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: adfms on March 06, 2012, 06:11:23 PM

Here is a screenshot of the ad that comes up when it is wrapped in java script. This is a legitimate Verizon campaign from CJ.

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: spg SCOTT on March 06, 2012, 06:59:01 PM

Use this form to report a false positive directly to the virus lab:
http://www.avast.com/contact-form.php?loadStyles

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: polonus on March 06, 2012, 07:01:16 PM

Hi adfms,

Do as spg SCOTT proposes, also because of these risk scan results: http://zulu.zscaler.com/submission/show/2c1a6601f456d7cfe1bd44a7fd2d7419-1331033142
and this http://zulu.zscaler.com/submission/show/aca6e4edc6118539bf25e74eb17271a2-1331056998

polonus

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: Milos on March 07, 2012, 08:06:39 AM

Hello,
false positive will be fixed in next VPS update.

Milos

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: The Redneck Hippie on February 13, 2014, 04:16:50 PM

Bringing up a very old thread to say this has NOT been fixed.  I've already reported it via the "Contact Us" about false-positives form on this site. 

I just got this JS:Agent-PV [Trj] false-positive from this site:

http://www.alicepaul.org/      alicepaul.htm

To see it, take out the spaces in the above url, or just go to the main page and click on "Alice Paul" in the bar across the top. 

BTW, this is so annoying that I joined this forum just now just to report this. 

Title: Re: potential false positive (JS:Agent-PV [Trj])
Post by: polonus on February 13, 2014, 04:51:37 PM

This asp site certainly has some server security issues as you can view here: https://asafaweb.com/Scan?Url=www.alicepaul.org%2Falicepaul.htm
Custom errors are not correctly configured ; by default, excessive information about the server and frameworks used by an ASP.NET application are returned in the response headers. These headers can be used to help identify security flaws which may exist as a result of the choice of technology exposed in these headers; it doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a click-jacking attack.
Earlier malware from IP: http://support.clean-mx.de/clean-mx/viruses?id=8678620
A pinpoint evaluation was blocked by avast shield detection. JS:Agent-AYC[Trj],
If that was inserted into your JS files you must remove the code and search for the door which allowed the hacker to insert the code.
If you want to report a FP go here: www.avast.com/contact-form.php‎

polonus