8 Replies Latest reply on Sep 3, 2009 2:55 PM by hopeless1

    5728 DAT False positive for JS/Exploit-Packed.c.gen

      After deploying today's DAT 5728 I am receiving quite a few detections for JS/Exploit-Packed.c.gen as users browse the internet. After checking, it appears the sites generating this alert are legitimate... the odds of ALL of these sites being hacked at roughly the same time seem unlikely, although possible.

      More than likely this is a false positive. The specific file that seems to be detected is polls-js-packed.js, which appears to be an open'ish source WordPress plugin, so it makes sense that many, many sites are using the same script.

      Anyone else seeing this? www.metsblog.com is a site that you can use for testing.

      Submitted a sample to Avert already, and also notified Platinum support.

      JS/Exploit-Packed.c.gen was added in today's DAT 5728: http://vil.nai.com/vil/content/v_218755.htm
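
One way to test the reasoning in the post above (many sites, one shared script) against detection data, as an added example that is not part of the original post or any McAfee tooling. The event layout, the `.example` domains, URL paths and script bodies are constructed; only the detection name and the file name `polls-js-packed.js` come from the post.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

DETECTION = "JS/Exploit-Packed.c.gen"
# Constructed placeholder bodies; real input would be the quarantined file bytes.
PLUGIN_BODY = b"eval(function(p,a,c,k,e,d){/* constructed plugin body */})"
OTHER_BODY = b"eval(function(p,a,c,k,e,d){/* constructed, different bytes */})"

# Constructed events: (detection name, URL the user fetched, body that was flagged).
EVENTS = [
    (DETECTION, "http://blog-a.example/plugins/polls/polls-js-packed.js", PLUGIN_BODY),
    (DETECTION, "http://blog-b.example/plugins/polls/polls-js-packed.js", PLUGIN_BODY),
    (DETECTION, "http://news-c.example/plugins/polls/polls-js-packed.js", PLUGIN_BODY),
    (DETECTION, "http://blog-d.example/plugins/polls/polls-js-packed.js", OTHER_BODY),
    (DETECTION, "http://shop-e.example/js/loader.js", b"/* constructed unrelated script */"),
]

def cluster_detections(events, min_sites=3):
    """Group detections by (name, file name, SHA-256) and count distinct sites.

    Byte-identical content on min_sites or more sites is consistent with a
    shared component such as a plugin. It is not proof of a false positive:
    the hash still has to be compared with the plugin's upstream release.
    A familiar file name with a different hash deserves a closer look.
    """
    clusters = defaultdict(set)
    for name, url, body in events:
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        digest = hashlib.sha256(body).hexdigest()
        clusters[(name, filename, digest)].add(parsed.hostname)
    report = [
        {
            "detection": name,
            "file": filename,
            "sha256": digest,
            "sites": sorted(sites),
            "shared_component": len(sites) >= min_sites,
        }
        for (name, filename, digest), sites in clusters.items()
    ]
    # Largest cluster first, so the most widely shared file is triaged first.
    return sorted(report, key=lambda r: len(r["sites"]), reverse=True)

if __name__ == "__main__":
    for row in cluster_detections(EVENTS):
        print(row["file"], row["sha256"][:12], row["sites"], row["shared_component"])
```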