False warnings with Joomla mootools-core.js.

  • Problem
  • Updated 3 years ago
  • Solved
I have three sites built using Joomla. Two of those sites are the most recent version and fully patched. However, the Trend Micro Toolbar (I use Chrome) flags a specific JavaScript file on all three as being dangerous and blocks the website.

./media/system/js/mootools-core.js

When I first received this error, I thought that I had really been compromised and infected. However, after receiving this same error on all three sites, I started to think that this is a false alarm. Also, I checked my webmaster tools on Google, and Google said there is no issue with any of my sites.

It appears to me that the latest update from Trend Micro must have included this file, and that is causing the issue. How can I tell that this is really an issue, and not a false flag? If it is a false flag, how can I remove the file from the list? I don't want to put a blanket exception in the exception list, because if my sites do get compromised I would like to still have a true warning, not a false one. How can I resolve this issue?

Thank you.
darylrose1

Posted 3 years ago
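
For the question above of how to tell a real compromise from a false flag, one check a site owner can run is to compare the deployed script directory with a clean copy. This is an added example, not part of the original thread; it assumes a clean copy extracted from the official package of the same Joomla version, and the function names and demo paths are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a deployed Joomla script directory against a clean copy.
# Assumption: CLEAN is an extracted official package of the SAME Joomla version.

sha() { sha256sum "$1" | cut -d' ' -f1; }

# audit_dir SITE_ROOT CLEAN_ROOT REL_DIR
# Prints one line per file: OK, MODIFIED, EXTRA (not in the clean copy) or
# MISSING (not on the site). Returns 0 only when every file is OK.
audit_dir() {
  local site="$1" clean="$2" rel="$3" status=0 f name
  for f in "$site/$rel"/*; do
    [ -f "$f" ] || continue
    name="${f##*/}"
    if [ ! -f "$clean/$rel/$name" ]; then
      echo "EXTRA    $rel/$name"; status=1
    elif [ "$(sha "$f")" = "$(sha "$clean/$rel/$name")" ]; then
      echo "OK       $rel/$name"
    else
      echo "MODIFIED $rel/$name"; status=1
    fi
  done
  for f in "$clean/$rel"/*; do
    [ -f "$f" ] || continue
    name="${f##*/}"
    [ -f "$site/$rel/$name" ] || { echo "MISSING  $rel/$name"; status=1; }
  done
  return $status
}

# Constructed demo data: two tiny trees standing in for a live site and a
# clean package (the file content is a placeholder, not real MooTools code).
make_demo() {
  local d; d="$(mktemp -d)"
  mkdir -p "$d/site/media/system/js" "$d/clean/media/system/js"
  echo 'var MooTools={};' > "$d/clean/media/system/js/mootools-core.js"
  cp "$d/clean/media/system/js/mootools-core.js" "$d/site/media/system/js/"
  echo "$d"
}

demo="$(make_demo)"
audit_dir "$demo/site" "$demo/clean" media/system/js
rm -rf "$demo"
```

A clean result shows the file on disk is byte-identical to the release copy, which supports a false-positive report to the vendor; MODIFIED or EXTRA lines are the ones to investigate before asking for reclassification.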

TM_Percy

You can file a reclassification request of the file or the site so that we can analyze if the file is a false alarm or not. You may refer to the link below for the instructions on how to reclassify the file or the site.

https://esupport.trendmicro.com/en-us/home/pages/technical-support/maximum-security-10/1096819.aspx

As noted on the link, it usually takes 2 to 7 business days to finish the reclassification request.
darylrose1

Thank you very much for this information.  I tried finding information on how to submit a ticket, or some other similar support, in this case reclassification, but was not able to on the Trend Micro site.  Very difficult to find anything.  It took me an extremely long time just to find this forum.

Daryl
darylrose1

Follow up.

I submitted a reclassification as you suggested.  I tested all three sites using the "Is it Safe" feature, and all three came back with a safe rating.  I submitted a reclassification request and  explained what the issue is, and hopefully someone will take a look, and unblock my sites.

Thank you.

Daryl
darylrose1

Hello,

I received a reply from the Site Safety Center for two of my three sites.  They said that the sites are still "Marked Safe".

That did not resolve my issue, because the issue is within Trend Micro.   It is falsely flagging a single file as being dangerous.

None of my sites are infected, it's a false reporting on one script, "./media/system/js/mootools-core.js".  Perhaps I didn't explain the issue well enough, or more likely, no one is actually reading the comments that I made when I asked for a reconsideration.

Sure, I can add an exception rule to the settings, or turn off the option that is flagging this script, but I would rather the false reporting be corrected by Trend Micro.   I can put a band aid on my end, but what about the visitors who come to my sites?  What if they're using Trend Micro Maximum Security?  They'll get that error and think that my sites are all infected.

The reconsideration option is not an option.  How can I get this resolved?

Thank you.

Daryl Rose
TM_Claudia

Apologies for the late reply. We understand that when you access three websites built with Joomla, you're getting a warning on a specific *.js file. To resolve, we suggest disabling a setting in Trend Micro Security's Web Threats protection --> Uncheck "Prevent Internet Explorer, Firefox, and Chrome from running malicious scripts on infected websites"

Here's a support document to perform this setting change for your reference:
Configuring the Web Threats setting of Trend Micro Security

This setting is designed to block dangerous software injected by hackers into legitimate websites, i.e. prevents execution of some malicious *.js (JavaScript) files on legitimate websites, if the website has been compromised. This setting is on by default, and we recommend keeping it on. However, if it is causing interference with some websites' scripts, it can be disabled with some increase of security risk.

Please let me know if this solves your issue. Thank you.

Trend Micro Home Users Community
Steve Chen

Hi Daryl,

This is Steve and I'm leading the new community service team. I noticed your request is to somehow mark the mootools-core.js JavaScript as safe by our URL filtering engine, and that my team hasn't directly addressed this request, including the latest reply.

Please let me escalate this to our URL filtering team. Sorry about this, and as soon as I get updates, we'll update you soon.

Steve
TM_Claudia

Hi Daryl, we have started investigation of this issue with the web filtering team. Could you provide the web page URLs that you're encountering the *.js blocking? We're not able to see much in the http://fsff.org website (says it's coming soon). Having these URLs will help the team troubleshoot further. If some URLs are still not for public release, you can optionally send the URLs using a new private post, or we can switch this topic to private from our end. Thank you.

Trend Micro Home Users Community
anb

I am getting the same "Dangerous Page" warning issue pointing to a js file.

Mine are Wordpress sites using the Bridge and Central themes by Qode.
Other sites using other themes do not seem to be affected.

I have submitted 2 of 4 sites affected to be reclassified, they return a 'safe' result and a follow-up email reply that they are safe.
Yet the warning remains.

I am very keen to have this rectified.

Steve / Claudia - can I PM you the sites in question?
TM_Claudia

We've created a new private conversation for your issue to ensure your concerns are addressed in the most timely manner by our support team.

Please reference the new conversation here: JavaScript blocking warning
TM_Claudia

Hi Daryl, 

Quick Update: We were informed by our product development team that the JavaScript blocking message is confirmed to be a false positive. They're working on a fix now and that'll be available before the end of June. We'll update you here in this post as soon as the fix is ready. Very sorry about the inconveniences caused and I hope we did not interfere with your website development work too much. Thanks.

Claudia

Trend Micro Home Users Community 
darylrose1

Claudia,

Sorry for not replying sooner. I've been away for several weeks, and just now saw your reply.

I have three sites that are being affected.

http://usmcmta.org
http://filamomaha.org
http://fsff.org

I think that one or all three might be on a "white" list currently.  I was finally able to submit a ticket, and the person that I am working with told me a week or so ago that he would get them on a white list.  The usmcmta.org might be on that list, because I haven't been blocked recently.  However, the filamomaha.org was still being blocked as recently as yesterday.

Thank you.

Daryl

TM_Claudia

Thanks for the information, Daryl. I understand one of our engineers is working closely with you. I will also submit the above URLs to the product development team and will keep you updated when the fix is released in our backend.

Thank you.

Trend Micro Home Users Community
darylrose1

Claudia,

Thank you very much for the assistance. I really appreciate your help.  However, I am disappointed with the level of difficulty in getting this issue resolved.

I am an IT engineer, and when I work with a vendor of a particular product, I am used to being able to log into a support portal and submit a ticket to have the issue resolved.

I spent too much time trying to figure out how to open a case, or a trouble ticket, or even how to get in touch with someone at Trend Micro.  It took a while before I found this forum, and even longer for me to find an engineer to work with.  I finally was able to get an engineer because I opened a chat session.  I never did find a way to submit a ticket.  I assumed that I could log into my account and find a support portal there. But when I click on support, I get redirected to the general support page, then I have to dig to find support.  I can find plenty of ways to purchase product, to upgrade product, or just basic error and troubleshooting.  But finding actual support is extremely difficult.

Now that I've been able to get help, I am extremely frustrated by how long this has taken.  This has been going for over a month.  I have no idea how many of my users were affected, possibly none, but if there was even one that got blocked, that doesn't make me very happy.  I don't need to get a reputation from my user community that my sites are infected.

Thank you for your help. I do appreciate it.

Daryl


TM_Claudia

Hi Daryl,

I'm sorry that finding our support portal and forum was hard and frustrating for you. I will report your feedback to our manager and make sure we make required improvements.

Regarding this unresolved JavaScript issue, I understand the negative impacts it could create for your users. We deeply apologize for the long turnaround time -- it's also taking longer than we expected. Our product development team is trying hard to fix this issue as soon as possible, and I am also keeping my eyes on this case for you. Once the solution is released, I will get back to you immediately!

Thank you.

Claudia

Trend Micro Home Users Community
darylrose1

Thank you Claudia,  I appreciate that.

Daryl
TM_Claudia

Official Response
Hi Daryl,

Many apologies again for taking a long time to fix the JavaScript issue. We were informed by our product development team that the fix of this issue is included in the latest pattern file. Please follow the steps below to apply the update:

  1.  Remove related URLs from the Exception List (if you've added them to the Exception List).
  2.  Right-click on the Trend Micro system tray icon.
  3.  Click Check for Program Updates, then the About Your Software window will appear and will automatically check for available updates.

After the update is completed, please verify all websites which had blocking issues and please do let us know if the solution works for you. One challenge is that your website users using Trend Micro would have to do this also, but our software and patterns auto-update periodically, so hopefully their Trend Micro Security installs will be updated soon as well.

Thank you.
 
Trend Micro Home Users Community
darylrose1

Hello Claudia,

Sorry for my late reply.  I will test and let you know if my sites are still vulnerable.

Thank you.

Daryl

TM_L, Official Rep

Hi Daryl,

Claudia is off. Please do let us know the test results!

Linda

Trend Micro Home Users Community
darylrose1

Linda.

I have another problem. I finally figured out how to contact support via chat session (I was approaching this issue on two fronts).  The person that I was working with opened a ticket for me, SR1-1-1059688561.  I allowed that person to whitelist my three sites.  I didn't want my members to receive false warnings saying that my sites were infected.   Once the sites were whitelisted, he kept trying to close the ticket.  I pressed to keep it open until this was resolved, but he finally closed it.  He kept telling me that I could reopen it when I wanted to, but I don't know how.  I replied to the email that I received, to have him remove the sites from the white list, but I received a reply telling me that the ticket was closed.  So, now I don't know how to get in touch with this person to remove my sites from the whitelist.  How do I do this?

Thank you.

Daryl Rose
TM_L, Official Rep

Hi Daryl,
Let me talk to the Chat team and see if they can reopen it. Once reopened, you'll get an email from the engineer you chatted with, and can continue to make your whitelist related requests. Please stand by and I'll update you here when the SR is reopened.

Cheers,
Linda

Trend Micro Home Users Community
darylrose1

Thank you Linda.  I appreciate your help.

Daryl

darylrose1

Hello Linda,

I just received a reply from the Trend Micro Support.  I was told that even if my websites are in the whitelist, they have a dedicated team that monitors sites for infection.  I was told that if in the future one of my sites is infected, being on the whitelist or not, they will flag it as being infected.

I am happy with that, and I am happy that this has finally been resolved.  I am disappointed that it took so long, but things have been resolved, and we can now put this to bed.

Thank you for your assistance and for staying on top of this for me.

Daryl Rose
TM_Claudia

Hi Daryl,

Thank you for the kind reply! We are so glad to hear that you are happy with the service we provide and all things have been resolved.

If you have other questions or encounter product issues in the future, please do not hesitate to contact us in this community. We will do our best to help you!

Trend Micro Home Users Community

This conversation is no longer open for comments or replies.