
Monday, 31 December 2007

Js/snz.a - likely false positive in eTrust / Vet Anti-Virus

It appears that CA's eTrust Anti-Virus product (also known as Vet Anti-Virus, and often bundled with other security applications such as ZoneAlarm) is raising a false positive, JS/Snz.A, on several complex JavaScript libraries and applications.

As far as I can tell, the JavaScript in question uses complex encoding but is not malware. These scripts are widely used on the web; they do not appear to be harmful in any way, and this looks like a misidentification by eTrust / Vet.

The signature with the problem is 31.3.5417, dated 31/12/07.

Some of the JavaScript files that seem to trigger an alert are named:

  • jquery.js
  • mootools.js
  • ifx.js
  • show_ads.js
  • relevancead.js
  • submodal.js
  • iutil.js
  • ifxslide.js
There may be other JavaScript files that show the same problem. Of course, filenames are arbitrary and can be absolutely anything at all, so treat the list above as a guide rather than a complete inventory.

If you're running Internet Explorer, you may see an alert for an individual .js file as above. In a Mozilla-based browser (such as SeaMonkey or Firefox) the script is scanned in the browser cache instead, so you may get a virus alert for a file named something similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx

CA usually fixes false positives like this fairly quickly, so for most people this should be a temporary nuisance that goes away with the next signature update. If your product is configured to delete or quarantine rather than just alert, the flagged cache files will already have been removed; the browser simply re-downloads them once the corrected signature is in place.

You can submit suspect files to CA here for analysis; that may well help them fix the problem.

Follow up: this problem has now been fixed. It turns out that the JavaScript had been compressed using this packer tool, which is itself harmless; however, the same packer has been used in the past for malicious JavaScript as well as legitimate scripts, so a signature keyed on the packer's output fires on both. Perhaps the lesson is: don't pack or obfuscate your JavaScript, because to a signature scanner packed legitimate code and packed malware look the same until the scanner unpacks them.
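The mechanism behind the false positive, as an added example that is not part of the original post and not CA's or the packer author's code. The packer below is a hypothetical toy (hex-encode the source and wrap it in an eval() decode stub); it stands in for whatever packer the post links to, and only reproduces the property that matters: every file it produces shares one identical stub. The sample library and the hidden-iframe script are constructed, as is the STUB_SIGNATURE and PAYLOAD_SIGNATURE pair, which model a signature keyed on the packer artifact versus one keyed on the decoded behaviour.

```javascript
// Added example (not from the original post, CA, or the packer's author): why a
// signature written against a packer's unpacking stub fires on benign and
// malicious scripts alike, and how decoding before scanning separates them.
// The packer here is a hypothetical toy that hex-encodes the source and wraps
// it in an eval() decode stub; it is NOT the packer the post refers to.

const STUB_HEAD = 'eval(function(p){var s="";for(var i=0;i<p.length;i+=4)' +
  's+=String.fromCharCode(parseInt(p.slice(i,i+4),16));return s}("';
const STUB_TAIL = '"))';

// Toy packer: 4 hex digits per UTF-16 code unit, wrapped in the decode stub.
function toyPack(source) {
  let hex = '';
  for (let i = 0; i < source.length; i++) {
    hex += ('0000' + source.charCodeAt(i).toString(16)).slice(-4);
  }
  return STUB_HEAD + hex + STUB_TAIL;
}

// Signature A, written the way the false positive happened: it keys on the
// packer's stub, which is identical across every script the packer produced.
const STUB_SIGNATURE = /^eval\(function\(p\)\{var s="";for\(var i=0;/;

// Signature B keys on attacker behaviour visible only in the decoded script:
// a hidden iframe injected into the page (a common 2007-era drive-by pattern).
const PAYLOAD_SIGNATURE = /<iframe[^>]*display:\s*none/i;

// Constructed sample inputs. The "library" stands in for files like jquery.js;
// the malicious script is a made-up hidden-iframe injector.
const BENIGN_LIBRARY = 'function fadeIn(el){el.style.opacity=1;}';
const MALICIOUS_SCRIPT =
  'document.write(\'<iframe src="http://example.invalid/x" style="display:none"></iframe>\');';

// Scanner A: naive signature match on the raw file bytes.
function scanRaw(text) {
  return STUB_SIGNATURE.test(text);
}

// Recover the decoded script by running the stub with eval() replaced by a
// function that captures its argument instead of executing it. NOTE: this
// still runs the stub's decode function in-process; a real analysis pipeline
// does this inside an isolated JavaScript interpreter, not with new Function().
function unpack(text) {
  if (!STUB_SIGNATURE.test(text)) return text;   // not packed: scan as-is
  let captured = null;
  const captureEval = (src) => { captured = String(src); };
  new Function('eval', text)(captureEval);        // the 'eval' parameter shadows the global
  return captured === null ? text : captured;
}

// Scanner B: unpack first, then match on what the script actually does.
function scanUnpacked(text) {
  return PAYLOAD_SIGNATURE.test(unpack(text));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, src] of [['benign library', BENIGN_LIBRARY], ['hidden iframe', MALICIOUS_SCRIPT]]) {
    const packed = toyPack(src);
    console.log(`${name}: raw-signature=${scanRaw(packed)} unpacked-signature=${scanUnpacked(packed)}`);
  }
}
```

Run it with Node and both packed files light up under the stub signature, exactly the situation the post describes, while only the hidden-iframe script survives the unpack-then-scan pass. The same reasoning applies from the other side: a site owner who packs a library has handed the scanner nothing but the stub to look at, which is why the practical advice is to ship readable (or merely minified) JavaScript.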

29 comments:

Richard said...

I have had this a couple of times this morning. Hopefully CA will resolve shortly!

Jan said...

thank you very much for this summary of the issue. Quite hard to gather information today - it seems that most of the it-guys are already out for party...

Tim said...

Funny... nothing like coming in to work in the morning, sipping a fresh cup of coffee and all of a sudden get these rash of pop-ups stating "The JS/Snz.A was detected in blah blah blah". I didn't need my coffee to wake me up today! :-)
Thanks for posting this information. Cheers everyone and happy new year!

Randy said...

Yeah, same. It just started this morning; I was wondering what it is.

Michael said...

Thanks for posting this! We compress Coolmenus406.js and mootips.js, both showed as "infected" by CA Enterprise Anti-Virus. Yet I'm sure they're not.

Randy said...

And yes, happy new year and party hard.

UpsieDaisy said...

Immediately following an update for my CA security software, I received eight notices of an infection: JS/SNZ.A

Ciboulette said...

I also received 28 alerts this morning. All files have been deleted by ZoneAlarm.

At the same time I received these alerts I also received a lot of warning messages from 'Poker Academy Pro 2'.

Robbie said...

Yup, I'm a sysadmin for a decent-size network, and this morning my inbox greeted me with 283 new infection notifications! I hope CA fixes this by Wednesday, before people actually come back to work and really start using their machines again!

Stewart said...

I had four of these alerts this morning, too: I found the tip really helpful, so thanks.

Interesting to note that when I clicked on the link for JS/Snz.A in the CA Anti-Virus alert message box, I got a "no search results found" from the CA website! I got even more concerned when I couldn't Google it, either...

I've contacted CA but have yet to get a response.

I agree with Tim: you don't need caffeine to get you going when this sort of thing happens!!

Let's hope CA sort this soon.

Travis said...

Thank you for the timely entry. Most users are just getting to work in AZ. I've been here a while and just now started to get a couple of these.

Rick said...

I don't want to be a pain, but the times posted on your comments are for this afternoon; it is now 09:19 am here in IA.

Matt said...

Thanks a lot! I'm seeing this all over the place this morning.

Bob said...

You may want to add Dean Edwards' compliance patch for Microsoft browsers, ie7-standard-p.js.

bargainholic said...

Stewart expressed my situation well, and thanks for posting the link to let CA know.

eric cumbee said...

We use eTrust ITM on about 500 computers here at work. We have talked to CA and they confirm it is a false positive. They are hoping to have an update out by 2pm EST.

Kristen said...

Looks like I may not even be able to finish testing my new site (which uses jquery) until this update comes in. On IE, the file is stripped, so none of the stuff I'm testing will work.

Bogdan said...

Same here ... over 100 PCs.
A temporary fix (not secure!!!) was to disable Realtime ...

PiperBob said...

Thanks Eric, that is nice to know. This could be good or bad for CA with the publicity they will be getting today. This year I was just getting comfortable with CA Internet Security Suite after using it a few years ago and dropped it because it was too slow and not catching all the bad guys. Since I have installed it again the beginning of last year, I have had no problems until now. Would you know it would be internal. IE does it all the time. :)

bjstarmans said...

I just spoke to CA and this is indeed a false positive. They hope to have a new signature for download to correct the problem in the afternoon of 31 December.

Tom Graham said...

Opened a ticket with CA earlier today, and they have now posted a signature update (31.3.5419) which includes a bug fix for this (Js/snz.a) false positive.
Download the signature update and you should be good to go.
Tom

DAHstra said...

Thanks for this information! The funky thing is, clicking INFO in CA produces a page of theirs that says no results. DUH.

Peace

Orwall said...

It seems a script inside the WOT.jar archive (/skin/include/mooscript.js) also "contains this trojan". This crashed my WOT add-on in Firefox today (www.mywot.com). With the latest update (Vet engine .5419) the problem indeed disappears.

Let the party start and the best in 08.

mighty890 said...

I used to work heavily with eTrust AV. Just shortly into 2008 (yes, it already is, here in NZ) I got this false positive. I like to think of it as eTrust's way of wishing me a Happy New Year ;)

jfb1066 said...

Thanks for the info; I have been having problems all day. It also seems to be restricting access to certain web pages. Hopefully CA will fix it quickly!

Greg said...

Apparently CA has fixed this false positive recently. Updated and issue was resolved.

GH

eric cumbee said...

I think it fixed the problem on our end as well. Our systems in the office that got pushed the new update are no longer testing positive. We are still getting some alert emails trickling in, but it takes some time for all of our workstations to get the update. If we are still getting alerts on the 2nd I will worry.

Sheltimom3 said...

My CA showed it yesterday morning too!

Sheltimom3 said...

My CA showed it yesterday too and deleted it!