2 Replies Latest reply on Dec 23, 2013 5:44 AM by lrock

    JS/Exploit Blacole.le VirusScan Signature False Positives

    x0rg

      Product Versions:

      VSE: 8.8.0.975

      DAT versions during detections: 7291, 7292, 7293

       

      McAfee Representatives:

       

I wasn't sure where to submit this as I cannot upload files due to policy where I work. However, we have had a string of detections with the aforementioned signature in the past 3 days, yet when we review the web traffic of the user they are on generally trusted sites such as washingtonpost.com, cnn.com subdomains etc. The only pattern I have noticed is that they seem to be flagging on resource loads from a page that involve the same parent domain (giving a level of trust, as opposed to most breached sites loading foreign scripts).

       

      When reviewing the linked information on the detection I noted the following update notes:

       

--------------------------------------------------------------------------------

       

      Also this detection uses the following recent injection techniques in order to make a connection to randomly generated malicious domain.

       

      <!--0c0896-->

      <!--/0c0896-->

      Whenever the user visits a compromised website containing this malicious JavaScript, it redirects the browser to malicious site with help of iframe.

       
--------------------------------------------------------------------------------

       

       

These appear to be overly broad detector descriptions, although I cannot of course view the actual signature's pattern detection to say for sure. We have found no indicator of compromise attempts, and our Snort rules on our IDPS solutions, some of which are similarly styled to the descriptions I have above, have not flagged any of the content in the time ranges that the antivirus is detecting on these sites.

       

Given the range of different domains having detections on them and the lack of correlating evidence, I believe that this is causing some false positive detections of legitimate iframe and/or JavaScript usage in an HTML page. Were it in my power, I would request that a McAfee engineer review the signature for quality if at all possible, as while it is not negatively affecting our business currently, this could be disruptive to home users or other businesses. I apologize that I cannot give more information on these and do hope that someone else has had this issue who can provide evidence under their policies.

       

       

      Reference: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=2456635

       

      Thank you for your time!
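To make the "overly broad" concern concrete, here is an added example (not part of the original post, and not McAfee's signature, whose actual pattern is not public) that compares two ways of matching the injection the write-up describes: a naive rule that fires on any iframe, and a narrower rule that requires the `<!--0c0896-->` ... `<!--/0c0896-->` comment markers around an iframe pointing off the page's own domain. The two HTML fragments, the `0c0896` regexes and the `example.com` / `example.net` hosts are constructed for illustration.

```python
import re

# Constructed sample pages (not real captures).
# INJECTED mimics the Blacole injection from the McAfee write-up: a hidden
# iframe to a foreign host, wrapped in the 0c0896 HTML-comment markers.
INJECTED = """<html><body>
<p>article text</p>
<!--0c0896--><iframe src="http://example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe><!--/0c0896-->
</body></html>"""

# LEGIT is an ordinary page that embeds an iframe and a script from its own
# parent domain, the kind of traffic the post reports being flagged.
LEGIT = """<html><body>
<p>article text</p>
<iframe src="//media.example.com/player?id=42" width="640" height="360"></iframe>
<script src="//static.example.com/app.js"></script>
</body></html>"""

# Assumed patterns: the marker string is taken from the write-up; the iframe
# regex is a deliberately simple src extractor, not a full HTML parser.
IFRAME_RE = re.compile(r'<iframe\b[^>]*\bsrc=["\']?([^"\'\s>]+)', re.I)
MARKER_RE = re.compile(r'<!--0c0896-->(.*?)<!--/0c0896-->', re.I | re.S)


def hostname(url):
    """Host part of an absolute or protocol-relative URL ('' for relative paths)."""
    m = re.match(r'(?:[a-z][a-z0-9+.-]*:)?//([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else ''


def same_site(host, page_domain):
    """True when the iframe host is the page's own parent domain or a subdomain of it."""
    page_domain = page_domain.lower()
    return host == '' or host == page_domain or host.endswith('.' + page_domain)


def naive_iframe_check(html):
    """Overbroad rule: any iframe at all is treated as suspicious."""
    return bool(IFRAME_RE.search(html))


def blacole_marker_check(html, page_domain):
    """Narrower rule: an iframe inside the 0c0896 markers whose src leaves the page's domain."""
    for block in MARKER_RE.findall(html):
        for src in IFRAME_RE.findall(block):
            if not same_site(hostname(src), page_domain):
                return True
    return False


def classify(html, page_domain):
    """Run both rules so their verdicts can be compared side by side."""
    return {
        'naive': naive_iframe_check(html),
        'marker': blacole_marker_check(html, page_domain),
    }


if __name__ == '__main__':
    for name, page in (('injected', INJECTED), ('legit', LEGIT)):
        print(name, classify(page, 'example.com'))
```

On the constructed input the naive rule fires on both pages, while the marker-plus-foreign-host rule fires only on the injected one; a real signature that keys only on iframe or script loads would show exactly the same-domain false positives the post describes.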