Saved settings and jffs get blocked by Chrome & Windows security

alan6854321

Senior Member
I just made some changes to my config and went to save the settings & jffs and Chrome blocked them.
It said "Insecure download blocked" under the downloads tabs.

I was able to click on 'Keep' which saved the Settings file but Backup_jffs.tar then got blocked by Windows defender as a "Severe threat: Trojan:Script/Wacatac.B!ml".

I could go into Windows Threat protection and allow it, but what's going on?
 
> I just made some changes to my config and went to save the settings & jffs and Chrome blocked them.
> It said "Insecure download blocked" under the downloads tabs.
>
> I was able to click on 'Keep' which saved the Settings file but Backup_jffs.tar then got blocked by Windows defender as a "Severe threat: Trojan:Script/Wacatac.B!ml".
>
> I could go into Windows Threat protection and allow it, but what's going on?

Have you done any cursory scans through your /jffs folders to look for anything that might be out of place or not belong? Do you have any open ports on your WAN side? And you're sure your local machine is virus-free, correct? Could be a false positive, but I'd be wary and just do your due diligence just to make sure.
 
> Have you done any cursory scans through your /jffs folders to look for anything that might be out of place or not belong? Do you have any open ports on your WAN side? And you're sure your local machine is virus-free, correct? Could be a false positive, but I'd be wary and just do your due diligence just to make sure.

Haven't done any scans on jffs, cursory or otherwise. Wouldn't know how.
The only open port is for OpenVPN
But, let's face it, if there's something dodgy installed on the router, Windows defender trying to stop it is a bit late. That ship has sailed!

Backup_jffs.tar is just that - a tar of the jffs partition.
What would happen if BACKUPMON saved a virus to your NAS?
 
> Haven't done any scans on jffs, cursory or otherwise. Wouldn't know how.
> The only open port is for OpenVPN
> But, let's face it, if there's something dodgy installed on the router, Windows defender trying to stop it is a bit late. That ship has sailed!

It would take some cursory directory searching using an SSH tool like PuTTY, and opening various files in NANO to see what kind of contents they have... but you'd need to know what is normal, and what isn't, as this stuff always tries to blend in. Agreed... if there's anything on there, that ship has sailed.

> Backup_jffs.tar is just that - a tar of the jffs partition.

You could look at it with Windows, extract it to a folder, and run a scan against it with Defender or other tools... see if it can detect what file it's got a problem with? If it's legit, then you could figure out where that file lives on your router and remove it. You could try posting the offending file to virustotal.com to see what it thinks about it?

> What would happen if BACKUPMON saved a virus to your NAS?

BACKUPMON wouldn't care... it just compresses everything sitting on your router into a .tar and copies it over onto your NAS. But at least you'd be able to look through the archives without the fear of getting infected for offline scanning.
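
The offline inspection suggested above (finding which file inside Backup_jffs.tar a scanner objects to), as an added example that is not part of any post in this thread: it inventories the archive in memory without extracting anything to disk, hashes each file so it can be looked up individually, and flags scripts, executables, links and unsafe paths. The function names and the sample archive are constructed for illustration.

```python
import hashlib
import io
import tarfile

def triage_tar(fileobj):
    """Inventory a jffs backup tar in memory, without extracting to disk."""
    report = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            entry = {"name": m.name, "size": m.size, "flags": [], "sha256": None}
            # Member paths that would land outside the extraction folder
            if m.name.startswith("/") or ".." in m.name.split("/"):
                entry["flags"].append("unsafe-path")
            if m.issym() or m.islnk():
                entry["flags"].append("link->" + m.linkname)
            elif m.isfile():
                data = tar.extractfile(m).read()
                # Per-file hash: lets one file be checked on its own
                entry["sha256"] = hashlib.sha256(data).hexdigest()
                if data.startswith(b"#!"):
                    entry["flags"].append("script")
                if m.mode & 0o111:
                    entry["flags"].append("executable")
            elif not m.isdir():
                entry["flags"].append("special-file")
            report.append(entry)
    return report

def build_sample():
    """Constructed sample archive standing in for Backup_jffs.tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body, mode in [
            ("jffs/scripts/services-start", b"#!/bin/sh\nlogger started\n", 0o755),
            ("jffs/nvram/note.txt", b"plain text\n", 0o644),
        ]:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # For a real backup: triage_tar(open("Backup_jffs.tar", "rb"))
    for e in triage_tar(build_sample()):
        print(e["sha256"], e["size"], e["name"], ",".join(e["flags"]))
```

Entries flagged `script` or `executable` are the ones worth opening and comparing against what you installed yourself.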
 
> I just made some changes to my config and went to save the settings & jffs and Chrome blocked them.
> It said "Insecure download blocked" under the downloads tabs.
>
> I was able to click on 'Keep' which saved the Settings file but Backup_jffs.tar then got blocked by Windows defender as a "Severe threat: Trojan:Script/Wacatac.B!ml".
>
> I could go into Windows Threat protection and allow it, but what's going on?

Hi @alan6854321,

Have you been able to arrive at a conclusion with this topic? I am running into the same thing and posted about it today:
- [RT-AC88U][386.12_4] "backup_jffs.tar Failed - Virus detected" Error trying to Save Backup JFFS partition
 
No real conclusion.
I'm assuming a false positive.

It's just odd that two things happened at the same time - Chrome blocking the download and the Windows virus detection.

It seems Chrome had recently started blocking certain file types - e.g. ".tar".
See here ...
 
I hit the same exact issue - then I momentarily disabled AV, downloaded the tar, uploaded it to Virustotal, and zero viruses were detected.


(For good measure I did a Windows Update check, got the very very latest virus defs, and had the same problem.)

I extracted the tar to a directory and scanned it and... nothing. Even the tar itself is fine according to Windows. Whatever is going on, it's strictly happening between Chrome and Windows Defender.
 
I think you are both confusing a virus detection with an unusual filetype download. AV definitions are not used for this. Simply permit the download and place your backup where you normally do.
 
> unusual filetype download

Google Chrome browser also asks for confirmation about saving Asuswrt generated configuration files. Seen as unusual download indeed.
 
> I think you are both confusing a virus detection with an unusual filetype download. AV definitions are not used for this. Simply permit the download and place your backup where you normally do.

There was no confusion: Windows Security flagged and logged the download as having `Trojan:Script/Wacatac.B!ml` before blocking and removing it.
 
> There was no confusion: Windows Security flagged and logged the download as having `Trojan:Script/Wacatac.B!ml` before blocking and removing it.

So there was an infection? Not just a false positive?
 
