FortAwesome / Font-Awesome

The iconic SVG, font, and CSS toolkit
https://fontawesome.com

HTML/Phish!MSR Found in use.fontawesome.com/releases/v5.0.9/js/all.js #16857

Open func-dave opened 4 years ago

func-dave commented 4 years ago

Title says it all, Windows Defender and Virus Total are reporting this as a Trojan: HTML/Phish!MSR =\

https://use.fontawesome.com/releases/v5.0.9/js/all.js

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:HTML/Phish!MSR&ThreatID=2147742934

https://www.virustotal.com/gui/url/f624f1f8ac2b38104cf40143d546ed01f5c6890464a80f5d945337e196e88265/detection

func-dave commented 4 years ago

Defender will catch this instantaneously after calling this link in a file in both Brackets and Notepad++. It will automatically delete the file you are working on and place it in quarantine. This is a major issue I'd say as any site that calls this is going to get flagged by anti-virus sw.

The code is obfuscated so I can't exactly say why or what is causing the issue.

tagliala commented 4 years ago

Hi!

Thanks for being part of the Font Awesome Community and thanks for reporting this.

I'm confident that this is a false positive. I've checked the integrity token (sha384-8iPTk2s/jMVj81dnzb/iFR2sdA7u06vHJyyLlAd4snFpCl/SnyUjRrbdJsw1pGIl) and it matches, so an attacker should also have compromised fontawesome.com to add custom code.

@robmadole could you please take a deeper look here?

robmadole commented 4 years ago

Just took a look. The file has not been compromised and still matches the integrity hashes.

@100Worries is it possible that you have a DNS vulnerability?
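
The integrity check the two maintainers describe above, as an added example that is not part of the thread or of Font Awesome's own tooling: it recomputes a Subresource Integrity token for a downloaded copy of the file and compares it with the sha384 value quoted in the thread, using only the strongest algorithm when several tokens are listed. The function names and the script name `sri_check.py` are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import sys

# Algorithms defined for SRI, weakest to strongest.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}

# Integrity token quoted in the thread for releases/v5.0.9/js/all.js.
THREAD_TOKEN = "sha384-8iPTk2s/jMVj81dnzb/iFR2sdA7u06vHJyyLlAd4snFpCl/SnyUjRrbdJsw1pGIl"


def sri_digest(data: bytes, alg: str = "sha384") -> str:
    """Return the SRI token (alg-base64(digest)) for the given bytes."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str) -> list[tuple[str, str]]:
    """Split an integrity attribute into (alg, base64) pairs, skipping unknown tokens."""
    pairs = []
    for token in value.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in STRENGTH:
            pairs.append((alg, rest.split("?", 1)[0]))  # drop ?options
    return pairs


def verify(data: bytes, integrity: str) -> bool:
    """True only if data matches a token of the strongest algorithm listed."""
    pairs = parse_integrity(integrity)
    if not pairs:
        return False  # nothing usable to check against: treat as unverified
    strongest = max(pairs, key=lambda p: STRENGTH[p[0]])[0]
    actual = sri_digest(data, strongest).split("-", 1)[1].encode()
    return any(
        hmac.compare_digest(actual, b64.encode()) for alg, b64 in pairs if alg == strongest
    )


if __name__ == "__main__":
    # Usage (hypothetical script name): python sri_check.py path/to/downloaded/all.js
    with open(sys.argv[1], "rb") as fh:
        body = fh.read()
    print("computed:", sri_digest(body))
    print("matches thread token:", verify(body, THREAD_TOKEN))
```

A match shows the bytes served are the ones the publisher hashed; it says nothing about why a scanner flagged a local HTML file that references the URL.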

func-dave commented 4 years ago

Hey all,

Thanks for prompt responses!

@robmadole Not sure, what would you recommend to check for this? Are any of the checks listed here legit for checking my domain? https://geekflare.com/dns-security-test/

I've gotten around the issue here on my end by setting my actual paid kit to use SVG rather than using the link above.

Edit: This was found working on a local file, wasn't hosted anywhere yet.

tagliala commented 4 years ago

Just tried to open the file locally with Windows Defender's latest definitions (1.319.527.0), no issues reported

robmadole commented 4 years ago

@100Worries this was a local file? Not the URL you provided?

func-dave commented 4 years ago

It was a local index.html file pointing to that URL above. I also checked the URL with VirusTotal's URL scanner above.

- Defender was able to find and quarantine a saved index file in Brackets.
- Found again after the contents of the above HTML doc had been pasted into a Notepad++ doc that hadn't been saved yet. i.e.

From Defender protection history: ...\AppData\Roaming\Notepad++\backup\new 1@2020-06-30_135046

OS Details: Windows 10 Pro Version 2004 Build 19041.329

Defender Details:
- Antimalware Client Version: 4.18.2005.5
- Engine Version: 1.1.17200.2
- Antivirus Version: 1.319.502.0
- Antispyware Version: 1.319.502.0

robmadole commented 4 years ago

@100Worries we aren't detecting any tampering with this file. It looks like there is a newer version of Defender available. Can you update definitions and try again?