Avast may be having some bug in the detection of baidu search script

system · 2015-06-07T15:46:03.000Z

Look at thispost by me : https://forum.avast.com/index.php?topic=152740.msg1109812#msg1109812
For some of the search term, this is fixed.
But as of today, this harmless search result is still being detected
http://www.baidu.com/s?wd=口袋联盟&ie=utf-8&tn=SE_pshlhao0031_jxfww7s6 | {gzip}

wd=%E5%8F%A3%E8%A2%8B%E8%81%94%E7%9B%9F mean search word =“口袋联盟” (I clicked into ad link on accidient and it link to this android adware)
Avast must have a bug in dealing with very specific search term in baidu.
Same as before, the detection is “JS:ScriptPE-inf [trj]”
Weird enough it doesn’t block the search sometime.

It seam useless to report it, because it doesn’t fix the detection for all of the search term which have this problem.

Edit: LOL! It even detect on pure ‘?’.
Here is the weird detection avast is giving me:
URL: http://www.baidu.com/s?cl=3&wd=???&ie=utf-8 | {gzip}
Infection: JS:ScriptPE-inf [Trj]
Process: C:\Program Files\Internet Explorer\iexplore.exe

Eddy · 2015-06-07T15:57:16.000Z

I just checked and avast isn’t blocking/detecting anything.
My guess is that there is sometimes a add on the website/in the search results that is causing the problem.

A other possibility is that the TGF in China is causing the problem.
When it comes to Baidu and other Chinese websites, never “just” trust them.

system · 2015-06-07T16:03:22.000Z

I just checked and avast isn't blocking/detecting anything.

That's weird. It happen everytime here. I have a picture showing the detection which I just capture 1 minute ago.

DavidR · 2015-06-07T16:11:06.000Z

Well The | {gzip} bit at the end of the URL you gave is normally an indication that a compressed script file is being loaded along with the page/search and the alert indication JS:ScriptPE-inf [Trj] (the -inf, is usually associated with injected code), would tend to support that.

system · 2015-06-07T16:30:48.000Z

DavidR post:4:

Well The | {gzip} bit at the end of the URL you gave is normally an indication that a compressed script file is being loaded along with the page/search and the alert indication JS:ScriptPE-inf [Trj] (the -inf, is usually associated with injected code), would tend to support that.

I disagree.
baidu.com/s?wd=…
This is the file with the problem: s.htm
I have some past record of this detection in the avast virus chest. They all undetected now.
This IS the same script among every search term, there should be no different between every two of these.
For example, these two:

http://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&tn=baidu&wd=韩剧&rsv_pq=da8f02ef00005efa&rsv_t=6437RU%2BuNWflamv6CQVuACaQJZBj06LMzzByfCbd5DFj6%2FQllegclbYE6SA&rsv_enter=0
http://www.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&ch=&tn=baidu&bar=&wd=口袋联盟&rsv_pq=824589ca00005e70&rsv_t=5dadKtD3N2twpwySnkRdr3Dj0akgKUV31I8EltBkar89Ymd7wvUD5TxLxGs&rsv_enter=0

both are the same script, but 2 is detected while 1 is undetected.
The main problem is that most of the search term have no problem, but only sometime when specific search term is used, avast don’t like the script file.
s.htm is put in temporary internet file most of the time I search using baidu, that explain the | {gzip} part

Eddy · 2015-06-07T16:32:40.000Z

You are forgetting that it is a search.
Each time you search, the content of the page is different.

Announcements