Solved Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache [Resolved]
-
@ovivu said in Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache:
Can you suggest what in setup I should look for
Sorry. I can not.
In my point of view, it's not Vivaldi related. The other forum (Windows Defender) is the right place to figure out what's causing those warnings.
-
@iAN-CooG
That's impossible since I can't predict the file names and which of several that Vivaldi builds might be suspicious. Defender quarantines immediately. Post factum I can read their alert detail but it's too late by then. Even if I knew where they hide those files, they might be encrypted and made inoperable.
Installer itself was clean on VT.
-
@sgunhouse
Thanks. Sorry for being stupid and not scrolling down. When this sad adventure ends I'll likely ditch the 32-bit version, clean it all out and install 64-bit. Though I have a hunch it won't make any difference - Defender is stubborn. But it might run better.
-
Topic moved.
-
@Pathduck
I'll do the steps you suggest.
I only use 2 extensions: AdblockPlus and Scriptsafe.
URL check - is beyond my abilities. Don't know how to do it nor what to look for.
Not sure why you suggest to upload to VT one cache file since what stays in that directory is clean by Defender's thinking. The others went to quarantine.
Regarding Process Name - I understand. BUT I did not visit any sites and don't have a malicious extension as far as I know. Remember, this was installed over a cleaned out cache.
-
Defender is notorious for false positives, but this seems to be an issue with temporary internet files, not the program files.
It also seems to vary from PC to PC which is not very useful or reliable.
First I would disable Defender runtime scanning and make sure Vivaldi installs properly.
Clear the cache data in Vivaldi or use a cleaner tool to clear it.
Do a boot-time scan with Defender https://www.thewindowsclub.com/offline-scan-using-windows-defender
Switch Defender runtime scanning back on.
If you still see warnings, I would say you probably have some malware running.
Don't bother doing another scan with Defender. It hasn't helped so far.
Switch off runtime scanning and scan with a decent standalone, such as MalwareBytes, Sophos HitmanPro or Avira PC Cleaner.
If you want to try a multi-engine standalone, then try OPSWAT Metadefender client or Herdprotect (available at Majorgeeks).
-
I agree with others that this is almost-certainly a false positive. I have never had this problem with Windows Defender, but my Windows machine at work (the only Windows computer I have access to that isn't airgapped) uses Immunet as one of its AVs, and Immunet constantly reports viruses in those particular files (the file is always in the Vivaldi cache, and has the name "f_nnnnnn" where "nnnnnn" appears to be a hexadecimal number).
I always assumed this was a false-positive on the blocklists for UBlock origin. I figure that a simple pattern-match virus signature, designed to catch a malicious URL, would be triggered by any file that contained it, including a blocklist.
If you're getting it on a clean install of Vivaldi, I suspect it's not UBlock origin, but actually Vivaldi's own internal blocklists for blocking ads on abusive websites (see the "privacy" section of Vivaldi's settings). Either way it's 99%-probably a false positive, because the blocklists obviously have to contain the nasty URL to block! Clearly Windows Defender and Vivaldi agree on a particular malicious URL, and Windows Defender doesn't realise that Vivaldi's record of it is something to block, not something to visit.
As others have said, Windows Defender has quite a high false-positive rate, and also is overzealous with any executable that hasn't come from the Windows store (I wonder if this is by design, much like when msn famously sent broken versions of its web pages to any browser that included the word "opera" in its reported UA string. If you are curious about this humorous piece of computing history, search the net for "Opera Bork edition"). Another example of overzealous behaviour is that WD's "controlled folder access" feature blocks LibreOffice and even MS's own xcopy from accessing its protected folders.
-
I wonder if any "false positives" - if it actually is that - might be related to Chromium keeping cache files in Gzip format (maybe if they were delivered that way, as most web servers are doing these days).
It would mean they would look nearly "random", and increase the chance of an over-zealous AV finding patterns which might indicate malware.
Then again, I think Chromium (and most browsers) have been doing this for a long time now, so it's nothing new...
-
@Pathduck If an antivirus reports a virus in a file made with gz/zip/rar/etc. (any known archive, in other words) without even unpacking it first, it should be deleted immediately.
I would assume they at least check for the header to understand the file format first.
-
@iAN-CooG Aye, but we're talking about Windoze Defenestrator here 😜
-
@Dr-Flay and @Pathduck,
As I said in the thread title and in my first post, it is about cache.
- I sent several files recovered from quarantine to VirusTotal. Adware pushers detected by: Comodo, GData, Microsoft, ZoneAlarm, ESET-NOD32, Kaspersky, Tencent.
Curiously, for me, analysis results all referred to the name of the first file I submitted. Most likely because it was the same junkware.
https://www.virustotal.com/gui/file/7ef9eace63866122127e01844d36d926037b14b1c3d6e16e1057834ef1475077/details
- VT said it is a text file. Sure enough. Filealyzer saw hostname: freevideodownloader. OUCH!!! It is related to an extension, even though I said I only have AdBlockPlus and ScriptSafe. Vivaldi kept caching a useless, old (installed a year ago or more) extension which I forgot to remove and forgot I have it as one of the three icons.
- With that crapware gone, all is quiet. Confirmed by EEK and ESETonline scans.
-
-
@ovivu Case solved then. At least now we know it was a user error, not on Vivaldi side. You can't blame Vivaldi if you install known adware-filled extensions.
Take more care next time.
-
@iAN-CooG said in Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache:
@ovivu Case solved then. At least now we know it was a user error, not on Vivaldi side. You can't blame Vivaldi if you install known adware-filled extensions.
Take more care next time.
- I reviewed what I wrote in this thread. At no point did I blame Vivaldi. I simply asked a question.
- You can call it user error, if you wish. If it's clean one day and not clean the next day, it's hardly a user error methinks.
- The bad extension lived in Vivaldi for a year or two, unused. It was after I upgraded to 2.7 that Defender started complaining. Possibly a different way of caching or a timing coincidence with some Defender updates which are frequent.
- Yes, case is solved.
RESOLVED
-
@ovivu said in Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache:
Yes, case is solved.
Good news. Could you please tag as resolved?
Click on the 3 dots >> edit → add the word resolved at the bottom
-
@iAN-CooG Be kind. You can congratulate the user on the solution without scolding.
@ovivu Excellent that you found it. From this side, we can't tell what's on a user's machine of course, but we can be pretty sure Vivaldi downloaded directly from the site is not infected. So we just try to encourage users to dig around, unless we recognize a specific symptom from some known crapware.
-
I'm supposed to enter tag saying Resolved. I have no clue what it means to enter tag. And where am I to do it? I wrote in RESOLVED into my most recent post but I gather that's not what this forum means as shown in @lamarca post above.
-
@ovivu Ah. If you seek to edit your original post (the one you started the thread with), then below and to the left of the text box you will see a place where you can enter tags. Also, you are able to edit the title of the post to add [Resolved] if you want to do that. I usually do both.
EDIT: As of a few minutes ago (five hours after I posted this) the community manager disabled tags for users for the time being, so only Mods can apply them. I will tag this thread for you.
-
Thank you, @Ayespy
Question for the future - can we add "resolved" to the title or not? I ask just in case I post again.
-
@ovivu Yes. That's still possible.
-
Hi, I just solved the same problem with the Windows Defender Alert Adware:JS/InjectorAd.A, too.
I just wanted to share my way of solving it in case somebody needs it. First I tried malware scans with no result. Then
- I emptied the cache of Vivaldi (all the files starting with "f_000")
- then Vivaldi was out of date, so I updated Vivaldi
- then I disabled my extensions (apps) in Vivaldi, turned them on one by one and found out it was the extension "Video Downloader professional" that caused the problem. I turned it off and the alert never came again!
All the best for you.
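
The triage the thread arrives at (cache files named "f_nnnnnn", possibly gzip-encoded, where a hostname inside the file points to the extension responsible) can be scripted. The following is an added example, not part of any post in the thread; it assumes the files hold raw response bodies, and the sample files, the `.example` hostname and the function names are constructed for illustration.

```python
import gzip
import re
import tempfile
import zlib
from pathlib import Path

GZIP_MAGIC = b"\x1f\x8b"                       # first two bytes of any gzip stream
CACHE_NAME = re.compile(r"^f_[0-9a-f]{6}$", re.I)   # "f_nnnnnn" naming from the thread
HOST_RE = re.compile(rb"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)  # simple URL host match


def read_body(path):
    """Return (bytes, was_gzip); decompress only when the gzip header is present."""
    raw = path.read_bytes()
    if raw[:2] == GZIP_MAGIC:
        try:
            return gzip.decompress(raw), True
        except (OSError, EOFError, zlib.error):
            pass                                # truncated or not really gzip: scan raw bytes
    return raw, False


def triage_cache(cache_dir, watch_terms):
    """Map each matching cache file to the hostnames that contain a watched term."""
    findings = {}
    for path in sorted(Path(cache_dir).iterdir()):
        if not (path.is_file() and CACHE_NAME.match(path.name)):
            continue
        body, was_gzip = read_body(path)
        hosts = sorted({h.decode("ascii").lower() for h in HOST_RE.findall(body)})
        hits = [h for h in hosts if any(t.lower() in h for t in watch_terms)]
        if hits:
            findings[path.name] = {"gzip": was_gzip, "hosts": hits}
    return findings


def demo():
    """Run the triage over constructed sample files (not real cache contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        js = b'var u = "http://cdn.freevideodownloader.example/inject.js";'
        (d / "f_00001a").write_bytes(gzip.compress(js))        # gzip-encoded body
        (d / "f_00001b").write_bytes(b"body { color: red }")   # harmless stylesheet
        (d / "f_00001c").write_bytes(js)                       # same script, uncompressed
        (d / "index").write_bytes(js)                          # not an f_ file: skipped
        return triage_cache(d, ["freevideodownloader"])


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, "gzip" if info["gzip"] else "plain", info["hosts"])
```

Run `triage_cache` against a working folder holding copies of the flagged files; a hostname that recurs across hits is the lead to follow back to an installed extension.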