Thread detected when visiting "listenonrepeat.com"

[Deathinition]

Hello!

I'm not sure if I am correct here... Anyways, I love this software, OpenSource FTW.
And I also love the website "listenonrepeat.com" which simply lets you loop a youtube video without it buffering again from the start.

Upon opening the site, Immunet detects a thread which he immediately quarantines. It's a file called for example "f_002777" and whatever. And it's detected as "Clam.Html.Exploit.CVE_2017_11796-6336854-3". I dont know if it's a false detection or something, maybe someone can bring some light into this.

Thanks in advance

[Rob.T]

Hi Dethinition, I can't reproduce your detection on Win10x64 using internet explorer & Immunet 7.0.0.11362 ,  Can you tell us what operation system, browser, and version of Immunet you're  seeing the detction on?

 

 

 

 

[Deathinition]

Of course @Rob.Turner, I'm sorry i didn't mention it.

I use Win10x64 and it happened with Chrome Version 77.0.3865.120, guess that's the current one.
And my Immunet version is 7.0.0.11362 too, so it's probably a browser thing.

Thanks again

[zombunny2]

@Deathinition as I scrolled down this thread I knew you were using either Chromium or a Chromium-based browser. Are you, by any chance, also using either UBlock Origin or Nano Adblocker in it? I repeatedly get this detection from my Immunet install. The filename of the detection is always "f_" followed by a hexadecimal number, and it is always in my Vivaldi (another chromium-based browser) cache folder. In my case, it is a false-positive on one of the blocklists used by UBlock origin. Some of ClamAV and Immunet's signatures trigger on certain malicious web links in text files. UBlock's blocklists are text files filled with, amongst other things, fragments of malicious links (after all, UBlock needs to know what to block). Immunet, unfortunately can't distinguish between "my evil malware site dot com" as a place to go, contained within an evil script, and "my evil malware site dot com" as a place *not* to go, contained within a blocklist! It just sees the link and has to take the cautious approach. I get this same detection if I do a manual scan of my /home directory with ClamAV on GNU/Linux (the OS where I spend >99% of my time).

In Vivaldi, there's also a built-in feature that blocks certain really aggressive malvertising features. Most browsers also use the Google safe-browsing database as well. Both of these features of course contain lists of web sites for the browser to avoid - and as a result, both of these features have also triggered this detection in my copy of Immunet before now. But most of the time (almost every time I get this detection), it's UBlock origin updating its filter lists. I can even repeatedly trigger the exact same detection by manuallly forcing UBo to update its blocklists.

[Rob.T]

Thanks for all the info  Deathinition - I I only tried reproducing with IE on Win 7&10 x32; so ll take a try with Chrome, vivaldi, UBlock Origin and Nano Adblocker and Vivaldi.

   I Think briefly tried Vivaldi  5 or 8 years ago right after it's initial release.  To soo actually, it  unusable at the time.   Am interested to see how far it's come.

[Rob.T]

Successfully reproduced  with Chrome on Win7x64 & Win10x64  today - Thanks again  Deathinition, you rock!    Hopefully we'll have the FP  fixed  by Monday.

 

On another note,  that's for introducing me to  listenonrepeat .  Am learning to play a guitar and  it' s going to be really handy.