====
.fromCharCode
.charCodeAt
nodeValue
for
0,0,0,0,0,0
Math.min
====
I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).
I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.
Matt.
Holy cow -- how do they think that is an acceptable measure? Surely they could at least change the warning to say "potentially dangerous JS" or something rather than declaring it a virus.
> > Holy cow -- how do they think that is an acceptable measure? Surely they could at least change the warning to say "potentially dangerous JS" or something rather than declaring it a virus.
> This will probably affect a significant number of GWT applications that use RPC. Avira seems to check files ending in .js* and .html* for this pattern. I verified that the scanner intercepts these patterns in HTTP traffic and detects them in IE cache files. There might be some negative patterns as well: Avira doesn't block my message in the Google Groups web interface, but it does block it when viewing the raw message source.
Even better: it turns out that if you put the string "google" anywhere in the file matching CryptedGen, it no longer matches the heuristic. I imagine that it would pick up the string from the class metadata for those not using -XdisableClassMetadata.
So this is a virus:
"for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"
And this is not:
"google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"
The easiest solution for us seems to be putting the string "Google Web Toolkit" in a comment in our header.
Matt.
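A model of the token heuristic reverse-engineered in this thread, added here as an example (it is not Avira's detection code and not part of GWT): it reports which of the quoted tokens a file contains and whether the "google" negative pattern suppresses the match, so a developer can see why a benign compiled bundle trips it and why bare token presence is a weak detection signal. Case-insensitive matching, the GWT-like sample snippet and the `checkCryptedGen` name are assumptions, not taken from the thread.

```javascript
// Model of the "CryptedGen" heuristic as described in this thread: a file is flagged
// when every token in a fixed list occurs anywhere in it, and the match is suppressed
// when a negative token such as "google" also occurs. Added example, not Avira's code.
// Token lists are the ones quoted in the thread; case-insensitive matching is assumed.

const CRYPTEDGEN_TOKENS = [".fromcharcode", ".charcodeat", "nodevalue", "for", "0,0,0,0,0,0", "math.min"];
// Later posts in the thread quote a variant that lists "eval" instead of "nodeValue".
const EVAL_VARIANT_TOKENS = ["for", "eval", ".fromcharcode", ".charcodeat", "math.min", "0,0,0,0,0,0"];
const NEGATIVE_TOKENS = ["google"];

// Returns { match, missing, suppressedBy } so the reason for a verdict is visible:
// which required tokens are absent and which negative tokens cancel the match.
function checkCryptedGen(source, tokens = CRYPTEDGEN_TOKENS, negatives = NEGATIVE_TOKENS) {
  const text = source.toLowerCase();
  const missing = tokens.filter((t) => !text.includes(t));
  const suppressedBy = negatives.filter((t) => text.includes(t));
  return { match: missing.length === 0 && suppressedBy.length === 0, missing, suppressedBy };
}

// Constructed stand-in for a compiled GWT RPC bundle: ordinary benign code that happens
// to contain every token (a string-decoding loop and a zero-filled array initialiser).
const GWT_LIKE_OUTPUT = `
function decode(s){var o='';for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^1);}return o;}
function text(n){return n.nodeValue;}
var seed=[0,0,0,0,0,0];
function clamp(x){return Math.min(x,255);}
`;

// The two mitigations discussed in the thread, applied to the same output.
const WITH_GWT_HEADER = "// Google Web Toolkit compiled output\n" + GWT_LIKE_OUTPUT;
const WITH_SPLIT_ZEROS = GWT_LIKE_OUTPUT.replace("0,0,0,0,0,0", "0,0,0, 0,0,0");

// Summarises the verdicts; the two strings quoted in the thread exercise the eval variant.
function demo() {
  return {
    plain: checkCryptedGen(GWT_LIKE_OUTPUT).match,        // true: benign bundle flagged
    header: checkCryptedGen(WITH_GWT_HEADER).match,      // false: "google" suppresses it
    splitZeros: checkCryptedGen(WITH_SPLIT_ZEROS).match, // false: zero token broken up
    evalVariant: checkCryptedGen("for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0", EVAL_VARIANT_TOKENS).match,
    evalVariantSuppressed: checkCryptedGen("google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0", EVAL_VARIANT_TOKENS).match,
  };
}

console.log(demo());
```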
This is Avira, isn't it? Did you ever hear anything back from them about this? It seems like it really ought to be fixed on their end, though I applaud your spelunking for a workaround :)
I found a technical support number that I can try calling and seeing if I can get escalated. If that doesn't work, it might be easier to submit a minimal, harmless testcase from those keywords as a false positive. :)
Given their approach, that seems likely to get that exact source added to a whitelist :).
I called their tech support line and left a message to be passed on to their technical team, but the tech's solution was "you'll have to submit your code again every time it changes". He said he'd pass on the message, but wouldn't guarantee that anyone would contact me with anything more than "use the false positive form again". Gah.
> I called their tech support line and left a message to be passed on to their technical team, but the tech's solution was "you'll have to submit your code again every time it changes". He said he'd pass on the message, but wouldn't guarantee that anyone would contact me with anything more than "use the false positive form again". Gah.
>
> Are you a customer or know someone who is? If so, perhaps calling customer support with "I am going to stop using this because of bogus false positives" would get a better response.
Unfortunately not. I first heard about this company's anti-virus through some of our users (who are basically anonymous commenters on our Chrome extension page). I ran the heuristic tests against a trial version that I downloaded.
If anyone on this list is an Avira customer and wants to try contacting tech-support to help add some pressure, their USA toll-free number is: +1 888 880 2925.
cc'd dflorey, t.broyer and fatompa as three people who mentioned these false positives before and appear to be Avira customers (or know someone who is).
Matt.