
AVG detects JS/AGENT but Malwarebytes says the file is clean. Why?



Try uploading the file to VirusTotal: http://www.virustotal.com/

If the file is a script file, then Malwarebytes will not detect it as it does not target it.

What does MBAM target?

MBAM does not target script files. That means MBAM will not target: JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java JAR (which is a PKZip file), but it won't target the .CLASS files within. The same goes for CHM files (which is a PKZip file): it doesn't target the HTML files within. MBAM v1.75 specifically will deal with ZIP, RAR, 7z, CAB and MSI for archives, and with self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries whose first two characters are MZ.
They can be EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD and BAT, and they will still be targeted just as long as the binary starts with 'MZ'.

MBAM is not an anti-virus application. MBAM targets mainly non-viral malware. The exceptions are virus droppers (a malware file that drops a virus and starts a virus infection but is not infected with the virus) and worms (such as Internet worms and AutoRun worms).

MBAM is incapable of removing malicious code that has been prepended, appended or cavity injected into a legitimate file. That means if a file-infecting virus infects a legitimate file, MBAM will be unable to remove the malicious code. An anti-virus application should be able to remove malicious code from an infected file and hopefully bring it back to its pre-infected state, which may or may not return the file to its original, non-infected checksum value.

A file-infecting virus will prepend, append or cavity inject malicious code into a legitimate file. Once infected, that infected file can further the infection by infecting other legitimate files.

On the other hand, there are trojans that will prepend, append or cavity inject malicious code into a legitimate file. However, that file cannot infect other files. The infection stops with that targeted file. These files are deemed to be either "trojanized" or "patched". Since MBAM cannot remove the added malicious code, at best MBAM will try to replace the trojanized file with a legitimate, unaltered file.

I hope this broadens your understanding of what MBAM cannot do and why MBAM is an adjunct anti-malware solution that is meant to complement a fully installed anti-virus application and not replace it.
(above provided by @David H. Lipman)

Edited by Firefox
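As an added illustration of the "MZ" rule and the archive handling described in the post above (example code written for this page, not Malwarebytes' own logic or the poster's): a small Python scanner that classifies files by their first two bytes rather than their extension, descends into ZIP/JAR archives, and flags PE images sitting behind a script, document or media extension. All file names and contents in `demo()` are constructed samples.

```python
import os
import tempfile
import zipfile
from typing import Dict
# Extensions the thread lists as outside MBAM's scope (scripts, documents, media).
NON_PE_EXT = {".js", ".htm", ".html", ".vbs", ".class", ".swf", ".bat", ".cmd", ".pdf",
              ".php", ".doc", ".docx", ".xls", ".xlsx", ".mp3", ".wmv", ".jpg", ".gif", ".txt"}

def verdict(name: str, head: bytes) -> str:
    """Classify by the first two bytes, not the extension: 'MZ' = PE image in scope,
    'MZ-renamed' = PE image behind a non-PE extension (still in scope), 'no-MZ' = out of scope."""
    if head[:2] != b"MZ":
        return "no-MZ"
    ext = os.path.splitext(name)[1].lower()
    return "MZ-renamed" if ext in NON_PE_EXT else "MZ"

def scan_tree(root: str) -> Dict[str, str]:
    """Walk root and classify every file; PKZip-style archives (ZIP, JAR) are
    opened so their members are classified too, keyed as 'archive!member'."""
    results: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                results[rel] = verdict(name, fh.read(2))
            if zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for info in zf.infolist():
                        if not info.is_dir():
                            with zf.open(info) as member:
                                results[rel + "!" + info.filename] = verdict(info.filename, member.read(2))
    return results

def demo() -> Dict[str, str]:
    """Build a constructed sample tree (hypothetical files, not from the thread) and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 60,            # ordinary PE image
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,           # PE renamed to look like a picture
        "s[1].htm": b"<html><script>var a = 1;</script></html>",  # script: not MBAM's target
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "bundle.jar"), "w") as zf:
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # Java class, out of scope
        zf.writestr("helper.dll", b"MZ\x90\x00" + b"\x00" * 60)        # PE inside the archive
    return scan_tree(root)
```

The renamed `photo.jpg` and the `helper.dll` inside the JAR are both reported as in scope, while the `.htm` script and the `.class` file are not, matching the distinction the post draws.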


I tried to upload the file to VirusTotal, but it says I don't have the permission to do so. I've changed the permission of the file and it still won't work. Any idea how I can get around this?


kurt2121:

The files are most likely held open by some program. You can use the Microsoft Sysinternals utility Process Explorer to find what program may be holding said file handles open. In Process Explorer...

Choose Find --> Find Handle or DLL... and enter s[1].htm (or other names you see) to determine what program has that file's handle open.

This detection name was not in the body of the post: JS/AGENT

The detection name JS/AGENT is indicative of the file being JavaScript, and as Firefox has quoted me, MBAM does not target scripted malware; that is why MBAM does not detect the JavaScript in the HTML (.HTM) files you noted as being in the %TEMP% folder. The name "AGENT" is relatively generic and is indicative that it is not a major piece of malware but has constructs associated with malware, or in this case may be using a scripting process that may be used in a malicious fashion. That however does not mean it is actually malicious. Anything in the %TEMP% folder is by its nature "temporary" and can be deleted.

avbsod:

This is not the place to attach malware or possibly malicious files.



The problem is this file is on an external HDD, so I don't know how or if I could even check that. It won't boot up on my old laptop anymore; I have plugged it into my other laptop to look at it.

The file has not been deleted, would finding the SHA1 hash help in pinpointing exactly what it was? 


3 minutes ago, David H. Lipman said:

You left out the file is on an external hard drive.  An important fact.  If it/they were created via another system, you have to take Ownership of them and then assign access rights to the file.

Just delete it/them.

I did take ownership, but it did not work. Anyway, I'll get rid of it when I figure out what it was first. Thanks for the info everyone.
