topic Re: JS/Trojan.redirector.cay false postive? in General Topics

JS/Trojan.redirector.cay false postive?

MGoodnow — Tue, 21 Feb 2012 18:06:15 GMT

Hello,

Starting from what appears to be right after pattern update 683-936 was committed - we began receiving a very substantial amount of alerts from multiple internal "victims" for this Trojan. I am still investigating this internally. Has anyone else had a large amount of activity on this signature starting recently? Looking to verify if this is a false positive or not. Other AV protection layers are not reporting this type of activity. Thanks.

Name:	JS/Trojan.redirector.cay
ID:	250007
Severity:
Description:	This signature detected JS/Trojan.redirector.cay

Re: JS/Trojan.redirector.cay false postive?

mmorfoot — Tue, 21 Feb 2012 19:44:00 GMT

I am seeing this as well. I thought maybe it was a single website, but from the looks of it, I think it just may be a false positive. I have identified the source IP's as being owned by a company called AppNexus (at least this is our case). I'm still investigating myself.

Re: JS/Trojan.redirector.cay false postive?

MGoodnow — Tue, 21 Feb 2012 20:34:32 GMT

Thank you for the update from your end as well. I updated to the latest version a few minutes ago and no change. Events still showing up.

Antivirus version

684-937 (2012/02/20)

Re: JS/Trojan.redirector.cay false postive?

n.flanagan — Wed, 22 Feb 2012 14:47:33 GMT

We also have a lot of these. The ones I have examined are from adnxs.com, which appears to be an advertising site. Brightcloud categorizes it as Trustworthy.

We also seem to have URL filtering categorizing a lot of advertisers like atdmt.com and doubleclick.net as malware sites.

Neil Flanagan

Re: JS/Trojan.redirector.cay false postive?

u10723 — Wed, 22 Feb 2012 15:50:58 GMT

We are also seeing a high number of these. Have the latest and greatest defenitions as well.

Re: JS/Trojan.redirector.cay false postive?

mlane — Wed, 22 Feb 2012 16:56:01 GMT

I was seeing the exact same problems. Multiple blocks of JS/Trojan.redirector.cay as threat, and atdmt.com and doubleclick.net are blocked as malware-sites. Google Maps and Mapquest will not work.

I received an email that it was indeed a false positive on JS/Trojan.redirector.cay and that it would be corrected in the next update.

Re: JS/Trojan.redirector.cay false postive?

tettema — Wed, 22 Feb 2012 17:01:05 GMT

This signature is a confirmed false positive. It has been removed for tomorrow's AV content release.

Re: JS/Trojan.redirector.cay false postive?

Retired Member — Thu, 23 Feb 2012 01:37:18 GMT

I want to update the AV manually later. Can you provide which AV version have fixed this issue?

Re: JS/Trojan.redirector.cay false postive?

Retired Member — Fri, 24 Feb 2012 04:24:22 GMT

Anyone can help to confirm which AV version have fixed the "JS/Trojan.redirector.cay false positive" issue?

We have opened a tech support case with case no. 00066795 to get the AV version number. The funny thing is the engineer still asking me for pcap. If the signature is removed I cannot get packet capture based on threat id in threat logs. :smileyconfused:

Re: JS/Trojan.redirector.cay false postive?

skrall — Sat, 25 Feb 2012 01:27:55 GMT

Content version 686-XXX has the fix.

When we get a report of a false positive we usually ask for the following.

show system info

-- To see all currently installed software.

Threat logs that you believe to be a false positive.

Traffic logs for the IP address identified in the Threat log.

If the firewall is configured to save a PCAP of the packet that triggered the threat we ask for this as well.

If the threat was triggered by a URL or a file download, we would like this information to try and reproduce internally.

Thanks,

Steve Krall