
    Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache [Resolved]

    • O
      ovivu last edited by Ayespy

      Could you, kindly please, take a look at details in two posts about it
      https://www.wilderssecurity.com/threads/former-opera-ceo-launches-vivaldi-a-new-browser-for-power-users.372796/page-43#post-2851737.

      How to handle it now? Just got four files flagged as I was logging in 🙂

      ModEdit: fixed link, added word cache in title

      • lamarca
        lamarca Moderator @ovivu last edited by

        Thanks for reaching out to us. Please start your own topic on the Vivaldi forum and let us know about your issue.

        Volunteer
        &
        Tester

        • sgunhouse
          sgunhouse last edited by

          Correct link is https://www.wilderssecurity.com/threads/former-opera-ceo-launches-vivaldi-a-new-browser-for-power-users.372796/page-43#post-2851737

          • lamarca
            lamarca Moderator last edited by

            The user is supposed to start a topic and explain his issue, not send a link. Anyway, you are more experienced in this area, I see no reason to edit Steve's reply.

            Volunteer
            &
            Tester

            • O
              ovivu @lamarca last edited by

              @lamarca
              On Windows10-1809 I just downloaded Vivaldi 2.7.1628.30 from Vivaldi site.
              Towards the end of installation WindowsDefender issued an alert about "Adware:JS/InjectorAd.A" in default cache for "f_000007" file and quarantined it. It appears that files f...1 through 6 did get installed. This surprised me very much since old Opera was always clean and I assumed that Vivaldi is harmless as well.

              It's really trouble. Every time I run that newest Vivaldi, Defender alerts and quarantines a file from default\cache. It's new cache, so cleaning cache via CCleaner was no help. Nor was cleaning from within Vivaldi History. I even get alerts for almost every article on a newspaper page. And four alerts as I was logging in here.

              A kind user over at Wilders suggested that it might be an issue with the installer rather than update from within Vivaldi. That hasn't occurred to me since I have used previous version 1 and 2 installers several times. This one surprised me.

              Apologies for the incorrect link and not posting it here in the first place.

              • lamarca
                lamarca Moderator @ovivu last edited by

                @ovivu Thanks for the feedback. Honestly, I am not sure if it's Vivaldi related. Let another moderator have a look.
                If the error at the end of install can be reproduced, please report a bug.

                Volunteer
                &
                Tester

                • O
                  ovivu @lamarca last edited by

                  @lamarca
                  The error persists now through every use.
                  Some files are quarantined, some are removed. I have a ton of them by now. 11 Quarantine, 8 Removed.
                  Typical Windows Event View - where just f_... file number changes:

                  [quote]Log Name: Microsoft-Windows-Windows Defender/Operational
                  Source: Microsoft-Windows-Windows Defender
                  Date: 8/28/2019 09:45:31 PM
                  Event ID: 1116
                  Task Category: None
                  Level: Warning
                  Keywords:
                  User: SYSTEM
                  Computer: eThinkW10
                  Description:
                  Windows Defender Antivirus has detected malware or other potentially unwanted software.
                  For more information please see the following:
                  https://go.microsoft.com/fwlink/?linkid=37020&name=Adware:JS/InjectorAd.A&threatid=258409&enterprise=0
                  Name: Adware:JS/InjectorAd.A
                  ID: 258409
                  Severity: High
                  Category: Adware
                  Path: file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000c8; file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000cc
                  Detection Origin: Local machine
                  Detection Type: Concrete
                  Detection Source: Real-Time Protection
                  User: ETHINKW10\iegd10
                  Process Name: C:\Program Files (x86)\Vivaldi\Application\vivaldi.exe
                  Signature Version: AV: 1.299.3063.0, AS: 1.299.3063.0, NIS: 1.299.3063.0
                  Engine Version: AM: 1.1.16200.1, NIS: 1.1.16200.1[/quote]

                  • lamarca
                    lamarca Moderator last edited by

                    It seems the issue lies on your setup.

                    Volunteer
                    &
                    Tester

                    • lamarca
                      lamarca Moderator last edited by

                      @Gwen-Dragon Hey! I follow you, it's false/positive.

                      Volunteer
                      &
                      Tester

                      • sgunhouse
                        sgunhouse last edited by

                        Some particular reason you're using the 32-bit version of Vivaldi on a 64-bit system?

                        I'm guessing it might think the update notifier is an ad, though conversely new Opera has run into issues where they are hosting their installer on external sites and some have been modified. If there is some way to make sure the user is downloading from Vivaldi's servers (or if V isn't using external hosting for the installer) then we could rule that out.

                        • O
                          ovivu @sgunhouse last edited by

                          @lamarca
                          Can you suggest what in setup I should look for

                          @Gwen-Dragon

                          • No drive-by-download.
                          • I haven't used Windows10 for about 3 weeks and before shutting it down all caches have been wiped. I came back, downloaded the newest installer and immediately at the end of installing, when Vivaldi opened, the cache got filled with 7 or 8 items. See my original post.
                          • Subsequently, the only places I visited were Wilders and here and the alerts persist, reporting different file numbers, as the cache is filling I suppose.
                          • Defender FP is a possibility.

                          @sgunhouse,

                          • I don't know why 32-bit Vivaldi on 64-bit box. Loooong ago when I first installed Vivaldi from Vivaldi website, that's what I got. Currently the green download button didn't give me any choice.
                          • I NEVER download from any other site than the official.
                          • I don't know if the installer got redirected to another hosting site. The firewall I use logged the connection to downloads.vivaldi.com. I have no way of knowing what happens after that connection is made.
                          • Update notifier: Notify of updates checkbox is OFF, retained from the previous version.
                          • sgunhouse
                            sgunhouse last edited by

                            If you go here (that's the page you get if you click on Download above) and scroll down, you'll see links for all versions of Vivaldi.

                            However ... do you have any extensions? If that wasn't your first install then it shouldn't be Vivaldi itself.

                            • Pathduck
                              Pathduck Moderator last edited by

                              Things to try (no order):

                              • Close Vivaldi and clear out your cache folder manually.
                              • Disable all extensions, enable one by one to see if problem returns.
                              • Check URL vivaldi://serviceworker-internals for any unrecognised registrations.
                              • Copy out one of the cache files and upload to virustotal.com to check if Defender gives false positive.

                              It's not Vivaldi itself, the "Process Name" in Defender log is just the process that wrote the infected file in cache. Most likely from a visited site or malicious extension.

                              > BTW, today I cannot connect to mozdev.org, would you know why?
                              Maybe that big lizard escaped and ate the server admins? :-)
                              -- Richard Grevers, on opera.beta
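
Added example (not part of any post in this thread, and not Vivaldi or Microsoft code): a small Python parser for the text of a Defender event 1116 like the one quoted earlier, separating the flagged resource (Path) from the process that wrote it (Process Name), which is the distinction drawn in the post above. The sample event is constructed from the fields shown in the thread with a placeholder user name; the function names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: fields as in the event quoted in the thread,
# with a placeholder user name.
SAMPLE_EVENT = r"""Event ID: 1116
Name: Adware:JS/InjectorAd.A
Severity: High
Path: file:_C:\Users\example\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000c8; file:_C:\Users\example\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000cc
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Vivaldi\Application\vivaldi.exe
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_event(text):
    """Return the 'Key: value' lines of one event description as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2).strip():
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields

def split_paths(path_field):
    """Split the Path field: file resources are 'file:_'-prefixed, ';'-joined."""
    items = re.split(r";\s*(?=file:_)", path_field)
    return [PureWindowsPath(i.strip()[len("file:_"):])
            for i in items if i.strip().startswith("file:_")]

def triage(text):
    """Summarise what was flagged versus which process wrote it."""
    f = parse_event(text)
    paths = split_paths(f.get("Path", ""))
    writer = PureWindowsPath(f.get("Process Name", ""))
    cached = [p for p in paths if "cache" in (s.lower() for s in p.parts)]
    return {
        "threat": f.get("Name"),
        "writer": writer.name,
        "flagged_files": [p.name for p in paths],
        # True when every flagged file sits under a directory named Cache
        "all_in_browser_cache": bool(paths) and len(cached) == len(paths),
        # True only if the flagged file is the writing executable itself
        "binary_flagged": any(p == writer for p in paths),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

For the sample, every flagged file is a cache entry and the executable itself is not among the flagged paths, so the event points at content the browser stored rather than at the browser binary.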

                              • iAN CooG
                                iAN CooG last edited by

                                try sending the suspect files to https://www.virustotal.com and let the site scan them, and report back the results pages (it will give a link)

                                http://iancoog.altervista.org/
                                --=[]=-----------------------------------------------------------------------=[]=--
                                Windows10 64bits - 8core i9-9900K @ 3.60GHz - 16Gb RAM - nVidia GT1030

                                • Catweazle
                                  Catweazle last edited by Catweazle

                                  Windows Defender in recent times has improved a lot, becoming a very valid AV. But its biggest flaw is that it acts somewhat overprotective with applications outside the store, leading to false positives, which I think will be the case. No panic.

                                  Laptop Lenovo V145 15AST, AMD A9- 9425 Radeon R5 - 5 cores 3,1 GHz RAM 8Gb, GPU 2+1 Gb SSD 256Gb -Win10 64 v21H2| Vivaldi last stable| Blog | 👉Vivaldi links👈

                                  • lamarca
                                    lamarca Moderator @ovivu last edited by

                                    @ovivu said in Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache:

                                    Can you suggest what in setup I should look for

                                    Sorry. I can not.
                                    In my point of view, it's not Vivaldi related. The other forum (windows defender) is the right place to figure out what's causing those warnings.

                                    Volunteer
                                    &
                                    Tester

                                    • O
                                      ovivu @iAN CooG last edited by

                                      @iAN-CooG
                                      That's impossible since I can't predict the file names and which of several that Vivaldi builds might be suspicious. Defender quarantines immediately. Postfactum I can read their alert detail but it's too late by then. Even if I knew where they hide those files, they might be encrypted and made inoperable.
                                      Installer itself was clean on VT.

                                      • O
                                        ovivu @sgunhouse last edited by

                                        @sgunhouse
                                        Thanks. Sorry for being stupid and not scrolling down. When this sad adventure ends I'll likely ditch the 32-bit version, clean it all out and install 64-bit. Though I have a hunch it won't make any difference - Defender is stubborn. But it might run better.

                                        • lamarca
                                          lamarca Moderator last edited by

                                          Topic moved.

                                          Volunteer
                                          &
                                          Tester

                                          • O
                                            ovivu @Pathduck last edited by

                                            @Pathduck
                                            I'll do the steps you suggest.
                                            I only use 2 extensions: AdblockPlus and Scriptsafe.
                                            URL check - is beyond my abilities. Don't know how to do it nor what to look for.
                                            Not sure why you suggest to upload to VT one cache file since what stays in that directory is clean by Defender's thinking. The others went to quarantine.
                                            Regarding Process Name - I understand. BUT I did not visit any sites and don't have malicious extension far as I know. Remember, this was installed over a cleaned out cache.
