Author Topic: always messages "JS:Downloader-DEF [Trj]" blocked  (Read 5458 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #15 on: August 29, 2017, 04:36:01 PM »
Meanwhile I know from the German Avadas Forum (http://forum.avadas.de/threads/8095-st%C3%A4ndige-Meldung-Bedrohung-durch-quot-JS-Downloader-DEF-quot) that there are at least two other users with the same problem as mine
« Last Edit: August 29, 2017, 04:44:31 PM by jr1r22 »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31205
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #16 on: August 29, 2017, 04:38:41 PM »
There is also a post about it on the MAC forum.
https://forum.avast.com/index.php?topic=207906.0

avadas.de is NOT the  German avast forum/webboard.

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #17 on: August 29, 2017, 04:45:12 PM »
avadas.de is NOT the  German avast forum/webboard.

okay

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 827
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #18 on: August 29, 2017, 10:13:04 PM »
Logs say that your system is clean which means you don't have adware on your system which cause Avast to block mentioned JS. I'm still waiting for this VirusTotal scan finishes and until then we will not know for sure is it Avast false positive or not.

https://www.virustotal.com/#/file-analysis/MjE1ZjMwYWYzMTY1NWYxMmZlOTgxODcwODI2M2I2YjQ6MTUwNDAzNzIyNQ==

http://r.virscan.org/report/9ca20a9db021ed64aad9df7ebb3e1488

EDIT: As for targeting, Germany is targeted as far as I know.

EDIT2:
Buggy VT: https://www.virustotal.com/#/file/9e086ce4bbc3aa9e89823af5fa43c591ae152e261f35d035b64d135436b0b820/detection
« Last Edit: August 29, 2017, 11:35:09 PM by Sass Drake »

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #19 on: August 31, 2017, 10:13:45 AM »
Obviously the problem has been solved - no more alerts in this case since yesterday. Fine

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #20 on: August 31, 2017, 03:09:27 PM »
It is not exactly the same issue, but very similar one.

Few users of our site reported Avast alerts recently,
that  JS:Downloader-YT [Trj] has been detected.
For instance this page gave the alert http://video.meta.ua/9443596.video

I assume that an obfuscated javascript cause false positive, is there any method to whitelist javascripts?



Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31205
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #21 on: August 31, 2017, 03:13:40 PM »
avast doesn't alert there as the page doesn't even load.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37147
  • Not a avast user
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #22 on: August 31, 2017, 03:19:31 PM »
avast doesn't alert there as the page doesn't even load.
Loading fine here   ;)

anyway  @metamaster  you should start your own topic



REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #23 on: August 31, 2017, 03:23:33 PM »
Well, the jascript, which is a media player,  is generated dynamically, so time to time it could have a signature that leads to detection.

So I am looking for a whitelisting method for the site scripts.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37147
  • Not a avast user
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #24 on: August 31, 2017, 03:27:09 PM »
Quote
So I am looking for a whitelisting method for the site scripts.
How to report  >>  https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

and start your own topic ...


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #25 on: August 31, 2017, 04:08:38 PM »
@Eddy and others,

I get a message for this adware related detection JS:Downloader-YT [Trj] on -http://video.meta.ua/9443596 [gzip]

Probably those that do not detect have pup-detection disabled within avast free.  Detection was there from 2010.

DNS issues on site:
With this domain I find stealth name servers: found stealth name servers at some of your servers. All name servers returned by domain name servers should be listed at parent servers
-ns1.meta.ua at -ns4.top.net.ua
-ns1.meta.com.ua at -ns4.top.net.ua
-ns1.meta.ua at -ns5.top.net.ua
-ns1.meta.com.ua at -ns5.top.net.ua

No detections at the main domain address: http://toolbar.netcraft.com/site_report?url=http://video.meta.ua
Certificates installed in the wrong order.
Some certificates in the chain are installed in the wrong order. See details below. Reinstall the certificates in the proper order.
Add Trust External CA root and Tested certificate....

Warnings
RC4
Your server's encryption settings are vulnerable. This server uses the RC4 cipher algorithm which is not secure. More information.
Root installed on the server.
For best practices, remove the self-signed root from the server.

This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended.

Similar detection as the one at hand here: https://www.scumware.org/report/194.0.131.28.html
XPL/Gen BE
Rank this week: Nº 702
Websites affected:   14
Users affected: 100 - 5,000
Affected Operating Systems: All Windows OS
excessive server info proliferation detected:  nginx 1.7.6  10 disallowed entries
| /cron /mui /api /script /logs /vpla /mediaplugin vulnerable to :wp-content/plugins/ad-injection
|_/uploader /ajax /feedpath TLS randomnes on http 1.1

Also consider: http://retire.insecurity.today/#!/scan/b61198803f57314e7c5cfbf2b2ef6e52e0ba5b70af374f10c56b4a54f4caf1bc

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #26 on: August 31, 2017, 04:27:08 PM »
@polonus, thank you for information.

But, as Pondus has suggested I would start a separate topic for further discussion.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33519
  • malware fighter
Re: always messages "JS:Downloader-DEF [Trj]" blocked
« Reply #27 on: August 31, 2017, 05:18:40 PM »
Hi metamaster,

No sweat, I'd follow you there then, certainly when Pondus  ;) suggested this.
Thanks again for putting the issue up and discussing it.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!