Possible False Positive on MS Office 365 pages?

For the last few days the SOA shield log has been reporting numerous instances of HTML:script-inf when a particular user attempts to access an Office 365 page. Here’s a typical site that gets flagged; there are many, many of them:

https://r1.res.office365.com/owa/prem/16.1340.13.2059829/scripts/jquery.owa.bundle.mouse.js

That particular one just displays a jquery script in plain language for me.

There are others that resolve to a MS Office 365 login page.

I don’t get any kind of avast! pop-up when I visit any of these, but they are somehow getting triggered on the user’s machine.

I seriously doubt that there really are threats in MS Office 365, but I suppose I could be wrong.

Using EndPoint Protection 8.0.1607 on Windows 7 Ultimate SP1, with definitions version 160524-1. The SOA is 1.3.3.35 running on Windows 7 Ultimate.

Any thoughts?

Thanks.

There seems to be something fishy on the user’s machine.

I am not able to reproduce the detection myself, so I need you (or whoever gets the detection) to help me.

What I need here is the exact file that is triggering the detections. We will take advantage of the fact that all files that are tested are temporarily stored in c:\Windows\Temp_avast_, until Avast decides what to do with them. We need to set up Avast to “Ask” when it encounters something, so we have time to extract the detected file from the location above.

Follow these steps to retrieve the file:

  1. Set Avast to “ask”. Avast → Settings → Active protection → Webshield - Customize → Actions → Virus → Ask (please witness my excellent image-editing skills in the pic below)

http://i.imgur.com/ftrQObd.png

  2. Go to the page that triggers the warning and let Avast pop up. Do not close the popup!
  3. Go to c:\Windows\Temp_avast_. Select the file that is the most recent. This is the file that is triggering the warning, and that we actually need. When you scan this file with Avast, the same detection name should appear.
  4. Attach the file to your post here (only if you are sure it doesn’t contain any sensitive data) OR you can zip the file with a password and attach the zipped file here and send me the password via PM.

If Avast somehow deleted your file and you have to trigger the detection again, either restart the shields or your PC.
Thank you all for your help!
Honza

There really is something wrong on that server.
I’m not getting any alert but the JavaScript does show as plain text.

Windows 10 (Anniversary), Opera 39.0.2256.48
Browser identification : Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36 OPR/39.0.2256.48
AVG avg 16.101.7752
(Yes, avast is history for me)

Then maybe you should start helping on the AVG Forum ???

Are they not one and the same soon?

Highly doubt that. Avast is the purchaser.
The point here is that if you aren’t using the product and there are always updates to the product, you can’t really keep up with the changes.

Depends on the issue you assist with; if not avast program related, it should not be a problem.