Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache [Resolved]



  • Could you, kindly please, take a look at details in two posts about it
    https://www.wilderssecurity.com/threads/former-opera-ceo-launches-vivaldi-a-new-browser-for-power-users.372796/page-43#post-2851737.

    How to handle it now? Just got four files flagged as I was logging in 🙂

    ModEdit: fixed link, added word cache in title


  • Moderator

    Thanks for reaching out to us. Please start your own topic on the Vivaldi forum and let us know about your issue.




  • Moderator

    The user is supposed to start a topic and explain his issue, not send a link. Anyway, you are more experienced in this area; I see no reason to edit steve's reply.



  • @lamarca
    On Windows10-1809 I just downloaded Vivaldi 2.7.1628.30 from the Vivaldi site.
    Towards the end of installation Windows Defender issued an alert about "Adware:JS/InjectorAd.A" in the default cache for the "f_000007" file and quarantined it. It appears that files f...1 through 6 did get installed. This surprised me very much since old Opera was always clean and I assumed that Vivaldi is harmless as well.

    It's really trouble. Every time I run that newest Vivaldi, Defender alerts and quarantines a file from default\cache. It's a new cache, so cleaning the cache via CCleaner was no help. Nor was cleaning from within Vivaldi History. I even get alerts for almost every article on a newspaper page. And four alerts as I was logging in here.

    A kind user over at Wilders suggested that it might be an issue with the installer rather than update from within Vivaldi. That hasn't occurred to me since I have used previous version 1 and 2 installers several times. This one surprised me.

    Apologies for the incorrect link and not posting it here in the first place.


  • Moderator

    @ovivu Thanks for the feedback. Honestly, I am not sure if it's Vivaldi related. Let another moderator have a look.
    If the error at the end of install can be reproduced, please report a bug.



  • @lamarca
    The error persists now through every use.
    Some files are quarantined, some are removed. I have a ton of them by now. 11 Quarantine, 8 Removed.
    Typical Windows Event View - where just f_... file number changes:

    [quote]Log Name: Microsoft-Windows-Windows Defender/Operational
    Source: Microsoft-Windows-Windows Defender
    Date: 8/28/2019 09:45:31 PM
    Event ID: 1116
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: eThinkW10
    Description:
    Windows Defender Antivirus has detected malware or other potentially unwanted software.
    For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Adware:JS/InjectorAd.A&threatid=258409&enterprise=0
    Name: Adware:JS/InjectorAd.A
    ID: 258409
    Severity: High
    Category: Adware
    Path: file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000c8; file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000cc
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: ETHINKW10\iegd10
    Process Name: C:\Program Files (x86)\Vivaldi\Application\vivaldi.exe
    Signature Version: AV: 1.299.3063.0, AS: 1.299.3063.0, NIS: 1.299.3063.0
    Engine Version: AM: 1.1.16200.1, NIS: 1.1.16200.1[/quote]


  • Moderator

    It seems the issue lies in your setup.


  • Moderator

    Windows Defender Antivirus found something in the Vivaldi cache folder.
    Maybe you got it as a drive-by download. You have been visiting webpages which try to inject adware by JavaScript.
    Or it is a false detection from Defender.


  • Moderator

    @Gwen-Dragon Hey! I follow you, it's false/positive.


  • Moderator

    @ovivu To be clear: Your Vivaldi does not contain any virus.
    You visit websites with malicious ads; use an adblocker extension to stop these sites trying to add adware. Or you have installed an extension which injects ads in websites in a malicious way.



  • Some particular reason you're using the 32-bit version of Vivaldi on a 64-bit system?

    I'm guessing it might think the update notifier is an ad, though conversely new Opera has run into issues where they are hosting their installer on external sites and some have been modified. If there is some way to make sure the user is downloading from Vivaldi's servers (or if V isn't using external hosting for the installer) then we could rule that out.



  • @lamarca
    Can you suggest what in setup I should look for

    @Gwen-Dragon

    • No drive-by-download.
    • I haven't used Windows10 for about 3 weeks and before shutting it down all caches have been wiped. I came back, downloaded the newest installer and immediately at the end of installing, when Vivaldi opened, the cache got filled with 7 or 8 items. See my original post.
    • Subsequently, the only places I visited were Wilders and here and the alerts persist, reporting different file numbers, as the cache is filling I suppose.
    • Defender FP is a possibility.

    @sgunhouse,

    • I don't know why 32-bit Vivaldi on 64-bit box. Loooong ago when I first installed Vivaldi from Vivaldi website, that's what I got. Currently the green download button didn't give me any choice.
    • I NEVER download from any other site than the official.
    • I don't know if the installer got redirected to another hosting site. The firewall I use logged the connection to downloads.vivaldi.com. I have no way of knowing what happens after that connection is made.
    • Update notifier: Notify of updates checkbox is OFF, retained from the previous version.


  • If you go here (that's the page you get if you click on Download above) and scroll down, you'll see links for all versions of Vivaldi.

    However ... do you have any extensions? If that wasn't your first install then it shouldn't be Vivaldi itself.



  • Things to try (no order):

    • Close Vivaldi and clear out your cache folder manually.
    • Disable all extensions, enable one by one to see if problem returns.
    • Check URL vivaldi://serviceworker-internals for any unrecognised registrations.
    • Copy out one of the cache files and upload to virustotal.com to check if Defender gives false positive.

    It's not Vivaldi itself; the "Process Name" in the Defender log is just the process that wrote the infected file in cache. Most likely from a visited site or malicious extension.
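
The point made in the post above, as an added example that is not part of the original thread: the script parses the Event ID 1116 description quoted earlier and reports where the detected files sit relative to the process named in "Process Name". The function names and verdict labels are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Fields copied from the Event ID 1116 description quoted earlier in this thread.
SAMPLE_EVENT = r"""Name: Adware:JS/InjectorAd.A
ID: 258409
Category: Adware
Path: file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000c8; file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000cc
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Vivaldi\Application\vivaldi.exe
"""


def parse_event(text):
    """Collect the 'Key: value' lines of a Defender event description."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields


def detected_paths(fields):
    """Split the Path field on ';' and drop the 'file:_' resource prefix."""
    items = [p.strip() for p in fields.get("Path", "").split(";")]
    return [PureWindowsPath(re.sub(r"^\w+:_", "", p)) for p in items if p]


def triage(text):
    """Report where the detected files sit relative to the writing process."""
    fields = parse_event(text)
    paths = detected_paths(fields)
    writer = PureWindowsPath(fields.get("Process Name", ""))
    # Files under a directory named "Cache" are content the browser fetched.
    in_cache = [p for p in paths
                if any(d.name.lower() == "cache" for d in p.parents)]
    # Files under the writer's install directory would be the program itself.
    in_app = [p for p in paths if writer.parent in p.parents]
    if in_app:
        verdict = "application-files"
    elif paths and len(in_cache) == len(paths):
        verdict = "cached-web-content"
    else:
        verdict = "other-location"
    return {"threat": fields.get("Name"), "writer": writer.name,
            "files": [p.name for p in paths], "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

The verdict only says where the flagged files are located; whether the detection itself is a false positive still needs a second opinion on a copy of the file.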



  • Try sending the suspect files to https://www.virustotal.com and let the site scan them, and report back the results pages (it will give a link).


  • Ambassador

    Windows Defender in recent times has improved a lot, becoming a very valid AV. But its biggest flaw is that it acts somewhat overprotective with applications outside the store, leading to false positives, which I think will be the case. No panic


  • Moderator

    @ovivu said in Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache:

    Can you suggest what in setup I should look for

    Sorry. I cannot.
    In my point of view, it's not Vivaldi related. The other forum (Windows Defender) is the right place to figure out what's causing those warnings.



  • @iAN-CooG
    That's impossible since I can't predict the file names and which of several that Vivaldi builds might be suspicious. Defender quarantines immediately. Post factum I can read their alert detail but it's too late by then. Even if I knew where they hide those files, they might be encrypted and made inoperable.
    Installer itself was clean on VT.



  • @sgunhouse
    Thanks. Sorry for being stupid and not scrolling down. When this sad adventure ends I'll likely ditch the 32-bit version, clean it all out and install 64-bit. Though I have a hunch it won't make any difference - Defender is stubborn. But it might run better.

