
Why does Kaspersky detect the HEUR:Trojan.Script.Generic Trojan on the site? (and a possible remedy)

Good day. Another article on security has ripened, or rather on access to your sites, dear webmasters... so let me tell you about it.

The threat of "HEUR:Trojan.Script.Generic"


Maybe you have a website where you did not use libraries such as jQuery, but decided to simply wind up some spaghetti code on the site (even if only for the sport of it). In that case you probably do not expect such "meanness" from your favorite Kaspersky Anti-Virus, especially if you do not use it yourself... but your friend does. On your site he will then see the message "object is infected with HEUR:Trojan.Script.Generic".

In the meantime, other antiviruses are silent.


To explain what is going on, I have to show the JavaScript code, so that is what I will talk about next.
I decided to play with the datalist to build autocomplete without third-party libraries (this marvel appeared in HTML5, though it does have trouble with Russian letters; sorry for the off-topic).
I wrote the form code:

    <form method="get" action="">
      <input type="search" name="q" value="<?= htmlspecialchars($q, ENT_QUOTES, 'UTF-8'); ?>" list="json-datalist" id="i_search" autocomplete="off" />
      <input type="submit" value="  " />
    </form>
    <datalist id="json-datalist"></datalist>


And afterwards I wrote, as it seemed to me, harmless code:

    // Get the <datalist> and <input> elements.
    var dataList = document.getElementById('json-datalist');
    var input = document.getElementById('i_search');

    // Create a new XMLHttpRequest.
    var request = new XMLHttpRequest();

    // Handle state changes of the request.
    request.onreadystatechange = function(response) {
      if (request.readyState === 4) {
        if (request.status === 200) {
          // Parse the JSON
          var jsonOptions = JSON.parse(request.responseText);

          // Loop over the JSON array.
          jsonOptions.forEach(function(item) {
            var option = document.createElement('option');
            // Set the value from the item in the JSON array.
            option.value = decodeURIComponent(unescape(item));
            // Add the <option> to the <datalist>.
            dataList.appendChild(option);
          });

          input.placeholder = "Please type";
        } else {
          // An error occurred.
          input.placeholder = "Couldn't load datalist";
        }
      }
    };

    // Update the placeholder text.
    input.placeholder = "Loading options...";

    // Set up and send the request.
    request.open('GET', URL_BASE+'/data.json', true);
    request.send();


And we get our trojan!
- Where is the trojan? Don't you see it? Well, I don't see it either, but Kaspersky does!
And it sees it here:

    request.open('GET', URL_BASE+'/data.json', true);

If we remove this line, everything is in order: our script does not work, and the antivirus is calm.

"Debriefing"


So you need to dig into the request state handler, onreadystatechange.
Our medicine will be a separate function, let's call it updatePage, in which we iterate over the returned JSON array, and which we then assign to our state handler:

    request.onreadystatechange = updatePage;


As a result, I rewrote the code so that Kaspersky Anti-Virus no longer bothers us:

    var dataList = document.getElementById('json-datalist');
    var input = document.getElementById('i_search');
    var url = URL_BASE + '/data.json';

    // Create the request object (ActiveXObject is the fallback for legacy IE).
    var request = null;
    if (window.XMLHttpRequest) {
      request = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
      request = new ActiveXObject("Microsoft.XMLHTTP");
    }

    // Named state handler: fills the <datalist> once the response has arrived.
    function updatePage() {
      if (request.readyState == 4) {
        if (request.status == 200) {
          var jsonOptions = JSON.parse(request.responseText);
          jsonOptions.forEach(function(item) {
            var option = document.createElement('option');
            option.value = item;
            dataList.appendChild(option);
          });
          input.placeholder = "Please type";
          request = null; // release the finished request object
        } else {
          input.placeholder = "Couldn't load datalist";
        }
      }
    }

    request.open("GET", url, true);
    request.onreadystatechange = updatePage;
    request.send(null);
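
Both versions above feed the output of JSON.parse straight into the datalist, so a malformed response (or, in the first version, bad percent-encoding passed to decodeURIComponent) throws inside the state handler. The following is an added example, not the author's code, of parsing the response defensively; the names parseOptions, safeDecode and fillDatalist, the limits, and the shape of data.json (an array of strings) are assumptions.

```javascript
// Added example: defensive handling of the data.json response.
// Assumptions: the file is a JSON array of strings (optionally
// percent-encoded); the limits below are illustrative.
const MAX_OPTIONS = 200;
const MAX_LENGTH = 100;

// decodeURIComponent throws URIError on input such as "100%";
// fall back to the literal text instead of aborting the handler.
function safeDecode(text) {
  try {
    return decodeURIComponent(text);
  } catch (e) {
    return text;
  }
}

// Turn the raw response body into a clean list of option values.
// Any unexpected shape yields an empty list rather than an exception.
function parseOptions(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return [];
  }
  if (!Array.isArray(data)) return [];

  const seen = new Set();
  const values = [];
  for (const item of data) {
    if (typeof item !== 'string') continue;            // numbers, objects, null
    const value = safeDecode(item).trim();
    if (value === '' || value.length > MAX_LENGTH) continue;
    if (/[\u0000-\u001f\u007f]/.test(value)) continue; // control characters
    if (seen.has(value)) continue;                     // duplicates
    seen.add(value);
    values.push(value);
    if (values.length === MAX_OPTIONS) break;
  }
  return values;
}

// Browser-side use inside updatePage (dataList as defined on the page).
function fillDatalist(dataList, values) {
  values.forEach(function (value) {
    const option = document.createElement('option');
    option.value = value; // property assignment, never parsed as HTML
    dataList.appendChild(option);
  });
}
```

In updatePage this would be called as fillDatalist(dataList, parseOptions(request.responseText)).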

P.S. I'm not saying that this is the only reason such a warning from our beloved antivirus may appear; there may well be cases where a genuinely “rogue” script exists on your site.

Source: https://habr.com/ru/post/254437/

