Support » Plugin: Jetpack by WordPress.com » ClamAV says responsive-videos.min.js is malware

  • Starting today on our web servers, our malware scanner, which uses ClamAV and is powered by ConfigServer Exploit Scanner (CXS), is identifying responsive-videos.min.js as malware and quarantining it:

    ‘/home/example/public_html/wp-content/plugins/jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js’
    (quarantined to /home/quarantine/cxsuser/example/responsive-videos.min.js.1461097368_1) ClamAV detected virus = [Win.Trojan.Agent-1395367]

    https://wordpress.org/plugins/jetpack/

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    We’re looking into this now and believe it to be a false-positive from ClamAV.

    The virus described is a system level trojan which tricks you into manually downloading malware, which really isn’t possible from plugin on a site (it would have to exist and run on your local PC), and the file has not been changed since 3.9.6 was released (at which time it was clean). Meanwhile, the file itself is simply a display fix for responsive videos on a few select themes.

    In addition, responsive-videos.js (the source from which responsive-videos.min.js is minified) is not listed as infected.

    The false-positive has been reported to ClamAV, and we’re hoping for a quick resolution.

    From what we can tell so far, there is no cause for concern.

    Not only ClamAV but also AegisLab identifies this file as malware. Although not always.

    See:

    Maldetect is seeing it as malware now too. FYI

    James, once this is sorted out, would you be able to add the file again into a new version of Jetpack, so that when users update, responsive-videos.min.js is re-added? With our system, at least, the file is removed from the user’s directory and placed into a quarantine. So, even if ClamAV stops matching the file, the file is now missing from the user’s install and can’t be used, until the file is replaced.

    – Scott

    I contacted my host, iPage, about slow load times and they agreed to do a security scan. It also tells me that this exact same file is a Trojan.

    I deleted the file but was going to contact you to make sure I wouldn’t be missing anything in the long run. Found this thread and figured I’d chime in!

    M

    (@infolegal)

    Same thing on another hosting service – VPS.net combined with another antivirus solution (Panda Antivirus 2016). I’ve also deleted the file from the Jetpack folder, but obviously this is not the solution…

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    James, once this is sorted out, would you be able to add the file again into a new version of Jetpack, so that when users update, responsive-videos.min.js is re-added?

    At the very least, I’ll reply here to say that it’s safe to re-install.

    I’ll see what I can do about getting a new version pushed out too, but that’s up to the developers and whether or not they’re ready to include any other bug fixes.

    slow kid over here – but how do we reinstall?

    Thanks 🙂

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    You can delete and reinstall the plugin from the Plugins section of your site’s Dashboard.

    Hello,

    My web hosting provider has also reported same issue and website is either not getting open or taking too much time. even not able to navigate on admin page of WP website. Extract of communication is below. They have blocked port for security. Please guide

    Reason for the port block

    During our regular scans, we have found malicious files in your account which may be infected with malware.
    Here is the list of files our scanning has identified :

    /home/finanill/public_html/wp-content/plugins/jetpack/modules/theme-tools/responsive-videos/responsive-videos.min.js

    Please clean up files listed above using virus/malware scanners. If you feel the files are not required or not being used, then please delete them after taking a local backup onto your personal computer ”

    M

    (@infolegal)

    @rhk118
    you should update your plugin. Both Wordfence Security and Jetpack have updated their core files this morning (or about 10 hours ago at least), and Jetpack specifically mentioned the problem with the min.js file as being temporarily solved.

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    We have not heard back from ClamAV regarding our false-positive report, so have worked a temporary fix for this into Jetpack 4.0.2, released today.

    The fix basically replaces the content of responsive-videos.min.js (again, a perfectly safe file, but reported accidentally as a false-positive) with the content of responsive-videos.js.

    responsive-videos.min.js is simply a minified version of responsive-videos.js, so while there is no functionality difference, there will be a slight performance hit, but at least no false-positive reported by ClamAV.

    We intend to return responsive-videos.min.js to its normal minified form in a later release of Jetpack, after ClamAV corrects their false-positive of course.

    No update available

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    Are you already running Jetpack 4.0.2?

    One of Jetpack’s features is plugin auto-updates after all. 😉

    Plugin Contributor James Huff

    (@macmanx)

    Volunteer Moderator 🚀

    Just to sort of wrap this up, we haven’t heard back from ClamAV yet, but we did notice that today’s ClamAV virus definitions are no longer reporting against the responsive-videos.min.js file in Jetpack 3.9.6: https://virusscan.jotti.org/en-US/filescanjob/3toaljmv99

    You can test the file yourself with a copy of Jetpack 3.9.6 from https://wordpress.org/plugins/jetpack/developers/

    Please do use Jetpack 4.0.2 (or later) though, I just wanted to circle back and note that there was no risk and that it was definitely a false-positive from ClamAV. 🙂

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘ClamAV says responsive-videos.min.js is malware’ is closed to new replies.