Alerts from Windows Defender about "Adware:JS/InjectorAd.A" in Vivaldi's cache [Resolved]
Could you, kindly please, take a look at details in two posts about it
How to handle it now? Just got four files flagged as I was logging in.
ModEdit: fixed link, added word cache in title
Thanks for reaching out to us. Please start your own topic on Vivaldi forum and let us know about your issue.
The user is supposed to start a topic and explain his issue, not send a link. Anyway, you are more experienced in this area, I see no reason to edit steve's reply.
On Windows10-1809 I just downloaded Vivaldi 2.7.1628.30 from Vivaldi site.
Towards the end of installation Windows Defender issued an alert about "Adware:JS/InjectorAd.A" in default cache for "f_000007" file and quarantined it. It appears that files f...1 through 6 did get installed. This surprised me very much since old Opera was always clean and I assumed that Vivaldi is harmless as well.
It's really trouble. Every time I run that newest Vivaldi, Defender alerts and quarantines a file from default\cache. It's new cache, so cleaning cache via CCleaner was no help. Nor was cleaning from within Vivaldi History. I even get alerts for almost every article on a newspaper page. And four alerts as I was logging in here.
A kind user over at Wilders suggested that it might be an issue with the installer rather than update from within Vivaldi. That hasn't occurred to me since I have used previous version 1 and 2 installers several times. This one surprised me.
Apologies for the incorrect link and not posting it here in the first place.
The error persists now through every use.
Some files are quarantined, some are removed. I have a ton of them by now. 11 Quarantine, 8 Removed.
Typical Windows Event View - where just f_... file number changes:
[quote]Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 8/28/2019 09:45:31 PM
Event ID: 1116
Task Category: None
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
Path: file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000c8; file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000cc
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Vivaldi\Application\vivaldi.exe
Signature Version: AV: 1.299.3063.0, AS: 1.299.3063.0, NIS: 1.299.3063.0
Engine Version: AM: 1.1.16200.1, NIS: 1.1.16200.1[/quote]
It seems the issue lies on your setup.
@Gwen-Dragon Hey! I follow you, it's false/positive.
Some particular reason you're using the 32-bit version of Vivaldi on a 64-bit system?
I'm guessing it might think the update notifier is an ad, though conversely new Opera has run into issues where they are hosting their installer on external sites and some have been modified. If there is some way to make sure the user is downloading from Vivaldi's servers (or if V isn't using external hosting for the installer) then we could rule that out.
Can you suggest what in setup I should look for?
- No drive-by-download.
- I haven't used Windows10 for about 3 weeks and before shutting it down all caches have been wiped. I came back, downloaded the newest installer and immediately at the end of installing, when Vivaldi opened, the cache got filled with 7 or 8 items. See my original post.
- Subsequently, the only places I visited were Wilders and here and the alerts persist, reporting different file numbers, as the cache is filling I suppose.
- Defender FP is a possibility.
- I don't know why 32-bit Vivaldi on 64-bit box. Loooong ago when I first installed Vivaldi from Vivaldi website, that's what I got. Currently the green download button didn't give me any choice.
- I NEVER download from any other site than the official.
- I don't know if the installer got redirected to another hosting site. The firewall I use logged the connection to downloads.vivaldi.com. I have no way of knowing what happens after that connection is made.
- Update notifier: Notify of updates checkbox is OFF, retained from the previous version.
If you go here (that's the page you get if you click on Download above) and scroll down, you'll see links for all versions of Vivaldi.
However ... do you have any extensions? If that wasn't your first install then it shouldn't be Vivaldi itself.
Pathduck last edited by
Things to try (no order):
- Close Vivaldi and clear out your cache folder manually.
- Disable all extensions, enable one by one to see if problem returns.
- Check URL vivaldi://serviceworker-internals for any unrecognised registrations.
- Copy out one of the cache files and upload to virustotal.com to check if Defender gives false positive.
It's not Vivaldi itself, the "Process Name" in Defender log is just the process who wrote the infected file in cache. Most likely from a visited site or malicious extension.
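An added example, not part of the thread and not Vivaldi's or Microsoft's code: a small Python triage of the Event ID 1116 text quoted earlier, separating the flagged files from the process that wrote them. The function names and the cache-path heuristic are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Sample event text: the fields quoted in the thread's Event ID 1116 entry.
SAMPLE_EVENT = r"""Event ID: 1116
Path: file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000c8; file:_C:\Users\iegd10\AppData\Local\Vivaldi\User Data\Default\Cache\f_0000cc
Detection Source: Real-Time Protection
Process Name: C:\Program Files (x86)\Vivaldi\Application\vivaldi.exe
"""

def parse_event(text):
    """Return the event's 'Key: value' lines as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def detected_files(fields):
    """Split the Path field (';'-separated, 'file:_' prefixed) into paths."""
    paths = []
    for item in fields.get("Path", "").split(";"):
        item = item.strip()
        if item.startswith("file:_"):
            paths.append(PureWindowsPath(item[len("file:_"):]))
    return paths

def in_browser_cache(path):
    """Heuristic (assumption): a 'Cache' folder below a 'User Data' profile."""
    parts = [p.lower() for p in path.parts]
    return "user data" in parts and "cache" in parts[parts.index("user data"):]

def triage(text):
    """Summarise which process wrote the files and where they were found."""
    fields = parse_event(text)
    files = detected_files(fields)
    return {
        # Process Name is the writer of the file, not the detected object.
        "writer": PureWindowsPath(fields.get("Process Name", "")).name,
        "files": [f.name for f in files],
        # True means only cached web content was flagged, not program files.
        "all_in_cache": bool(files) and all(in_browser_cache(f) for f in files),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

When `all_in_cache` is true, the detections are files the browser saved while loading pages or running extensions, so the site or extension that served them is the thing to look for.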
iAN CooG last edited by
Try sending the suspect files to https://www.virustotal.com and let the site scan them, and report back the results pages (it will give a link).
Catweazle last edited by Catweazle
Windows Defender in recent times has improved a lot, becoming a very valid AV. But its biggest flaw is that it acts somewhat overprotective with applications outside the store, leading to false positives, which I think will be the case. No panic.
Can you suggest what in setup I should look for?
Sorry. I can not.
In my point of view, it's not Vivaldi related. The other forum (windows defender) is the right place to figure out what's causing those warnings.
That's impossible since I can't predict the file names and which of several that Vivaldi builds might be suspicious. Defender quarantines immediately. Post factum I can read their alert detail but it's too late by then. Even if I knew where they hide those files, they might be encrypted and made inoperable.
Installer itself was clean on VT.
Thanks. Sorry for being stupid and not scrolling down. When this sad adventure ends I'll likely ditch the 32-bit version, clean it all out and install 64-bit. Though I have a hunch it won't make any difference - Defender is stubborn. But it might run better.
I'll do the steps you suggest.
I only use 2 extensions: AdblockPlus and Scriptsafe.
URL check - is beyond my abilities. Don't know how to do it nor what to look for.
Not sure why you suggest to upload to VT one cache file since what stays in that directory is clean by Defender's thinking. The others went to quarantine.
Regarding Process Name - I understand. BUT I did not visit any sites and don't have malicious extension far as I know. Remember, this was installed over a cleaned out cache.