5728 DAT False positive for JS/Exploit-Packed.c.gen
After deploying today's DAT 5728 I am receiving quite a few detections for JS/Exploit-Packed.c.gen as users browse the internet. After checking, it appears the sites generating this alert are legitimate... the odds of ALL of these sites being hacked at roughly the same time seem unlikely, although possible.
More than likely this is a false positive. The specific file that seems to be detected is polls-js-packed.js, which appears to be an open-ish source WordPress plugin, so it makes sense that many, many sites are using the same script.
Anyone else seeing this? www.metsblog.com is a site that you can use for testing.
I have submitted a sample to Avert already and notified Platinum support.
RE: 5728 DAT False positive for JS/Exploit-Packed.c.gen
I'm also seeing lots of these since DAT 5728 came out in the last few hours. All the ones I've looked at so far have been JS files in users' Temp Internet Files and folders (too many file names to mention). I'm also thinking that this is more likely a false positive.