Windows Defender detecting Virus JS/Adrozek.A
-
tjall last edited by tjall
@Svarnoy60 said in Windows Defender detecting Virus JS/Adrozek.A:
Removed the SaveFrom.net video upload extension. The threats are gone.
Who has this extension?
I had it, though I'm not sure it was it.
-
mouse last edited by
@burnout426 - I think this is it: https://addoncrop.com/en/
But what is the suspect link now? Someone sounded like we know what it is.
-
burnout426 Volunteer last edited by
@mouse said in Windows Defender detecting Virus JS/Adrozek.A:
@burnout426 - I think this is it: https://addoncrop.com/en/
The Youtube Downloader one? I checked it out and it doesn't seem like that's the culprit. It does contain some obfuscated strings in its apps/scripts/background.js file though, so I wouldn't totally trust it without looking more into it and decoding the string escapes.
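One way to do the check burnout426 describes (decoding the string escapes in an extension's script to see which URLs it actually carries) and the cache search wanderlei and mouse did. This is an added example, not code from the thread or from any extension; the sample script and the `example.invalid` domain are constructed.

```python
import os
import re

# Matches the escape forms commonly used to hide strings in JavaScript:
# \xHH, \uHHHH, octal \NNN, and an escaped backslash.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|\\)')
_URL_RE = re.compile(r'''https?://[A-Za-z0-9.-]+(?:/[^\s"']*)?''')


def _unescape(match: re.Match) -> str:
    seq = match.group(1)
    if seq == '\\':
        return '\\'
    if seq[0] in 'xu':
        return chr(int(seq[1:], 16))
    return chr(int(seq, 8))


def decode_js_escapes(text: str) -> str:
    """Return the script text with string escapes resolved to plain characters."""
    return _ESCAPE_RE.sub(_unescape, text)


def extract_urls(script_text: str) -> list[str]:
    """Decode escapes first, then list the distinct URLs that appear."""
    return sorted(set(_URL_RE.findall(decode_js_escapes(script_text))))


def files_containing(root: str, indicator: str) -> list[str]:
    """Walk a cache or extension folder and list files whose decoded
    contents contain the indicator string (e.g. a domain name)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='utf-8', errors='ignore') as fh:
                    if indicator in decode_js_escapes(fh.read()):
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


# Constructed sample: one URL hidden behind \x escapes, one in the clear.
SAMPLE_SCRIPT = ('var u = "\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f'
                 '\\x65xample.invalid/path?a=1"; '
                 'var v = "https://plain.example/";')

if __name__ == '__main__':
    for url in extract_urls(SAMPLE_SCRIPT):
        print(url)
```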
-
burnout426 Volunteer last edited by
@Svarnoy60 said in Windows Defender detecting Virus JS/Adrozek.A:
Removed the SaveFrom.net video upload extension. The threats are gone.
Upload extension or download extension? As in, is it this one https://addons.opera.com/en/extensions/details/savefromnet-helper/?display=en?
I installed that one and don't get the problem. I looked at the source briefly, but there's a lot of code in there.
-
wanderlei last edited by
@tjall said in Windows Defender detecting Virus JS/Adrozek.A:
But, today it doesn't - the file exists.
Wtf, are you sure you guys don't have the file still?
Please try to search "c0ac6bec106548d2_0". Seems like the Microsoft AV likes the file now... :S
Same, not getting alerts from defender anymore but I searched and found the same file.
@Svarnoy60 said in Windows Defender detecting Virus JS/Adrozek.A:
Removed the SaveFrom.net video upload extension. The threats are gone.
Who has this extension?
I have that extension.
The file has a link to https://lookmeet.tv/, a Russian site.
I will delete file and disable extension and see if it regenerates again.
-
mouse last edited by
@wanderlei - Perhaps "https://lookmeet.tv/" is not the culprit.
I have 44,450 files in my js folder. I found "https://lookmeet.tv/" in 20 of those files. Yet I had no Defender warnings since 9-8 @11:24AM (i.e. over 24 hrs). Either it's not the threat or else Microsoft turned off the warnings for that site. But I'm no expert in this stuff.
-
mouse last edited by
@wanderlei - So perhaps MS got wind of this nuisance from various sources and adjusted Defender's virus signatures.
-
burnout426 Volunteer last edited by
@mouse I reported the string in https://forums.opera.com/post/223970 as a false positive to the Defender team. I got notification that the issue was resolved. And, that string in Notepad++'s backup files (for documents you're editing) no longer triggers Defender after today's 9/9/2020 Virus and Threat Protection update. So, perhaps it's indeed sorted out.
-
jclinansmtih last edited by
@jclinansmtih It's been over 24 hours now with plenty of intensive Opera usage. No new threats. I have to hang my hat on that SaveFrom.net extension.
-
mouse last edited by
@burnout426 - Been busy offline. Just want to thank you and others for troubleshooting this sucker.
I don't know if this is related in any way, but years ago I used to send out emails to clients. It was getting blocked, so I had to convert the pdf file attachment to a simple text file.
Two years later, another one of my information files was getting blocked by clients with gmail accts. I created a gmail account and tested enough to determine gmail was content screening.
So I stripped off all file attachments. It was still being blocked! So I then started deleting sentences in the body of the email message, starting with suspect things like links. Then I searched for names and any inflammatory comments.
After 5 hours, I traced the string of text that gmail was rejecting. It was just a few innocuous words from a sentence. I can't remember the words, but I was shocked. The words were completely innocuous and ordinary. It contained no names of people or things. Nothing.
I've learned a lot since then. Lots of reasons why ESPs would blacklist or graylist an IP address. But also, as the story reflects, how fickle and erratic that content screening can be.
So can it be possible that whatever it was that was triggering Defender alerts was something we wouldn't even consider suspect? Unless MS announces what it was, we may never know. Does that make sense?