Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3684
Views
10
Helpful
5
Replies

Remove JS:Adware.Lnkr.E

mradamorales
Level 1
Level 1

‎03-24-2021 11:38 AM

After a running running a full scan we still received email from Cisco AMP the computer is infected.... how i can remove it...

 

    • Event Type: Threat Detected
    • Computer: CDCMKTGHJPCL63
    • Hostname: CDCMKTGHJPCL63
    • IP: 192.168.1.186, 10.101.214.190
    • Detection: JS:Adware.Lnkr.E
    • File: e7c6af52-44c5-4edf-b2e8-06b400978330.tmp
    • File path: \\?\C:\Users\astewart\AppData\Local\Temp\e7c6af52-44c5-4edf-b2e8-06b400978330.tmp
    • Detection SHA-256:041d08101884d7d0a91ce2b98cffd8a5ffca75941e4556ddbf5da7bb7f984ac2
    • By Application: chrome.exe
    • Application SHA-256:bb8b199f504db7e81cf32ce3c458d2a8533beac8dcefa5df024fa79fe132648a
    • Severity: Medium
    • Timestamp: 2021-03-24 15:54:27 +0000 UTC

 

1 person had this problem
Labels:
0 Helpful
5 Replies 5

ppreenja
Cisco Employee
Cisco Employee

‎03-25-2021 09:38 PM

Hi,

 

For the detected SHA-256 value, I don't see any detection on AMP.

Please check for the event details on the AMP console and share the screenshot so that I can suggest accordingly.

Also, please make sure that the email is a genuine email received from AMP.

 

Note: You can open a TAC case as well to investigate further.

 

Cheers,

Pratham

 

cheo.codda
Level 1
Level 1

‎07-13-2021 08:24 AM

I have this problem too, and it's been going on for some time. No one from Cisco can give me an answer. The SHA changes every few days and is never in VirusTotal. It would be nice if Cisco had a definition of what JS:Adware.Lnkr.E is specifically triggering on.

Preview file
254 KB
0 Helpful

TruthNotTruth
Level 1
Level 1
In response to cheo.codda

‎08-11-2021 05:40 AM

Imagine you were downloading something from the web, but arbitrarily decided to check the file's integrity only halfway through the download using the .tmp file for the download. A useless and  pointless exercise some might say, but every single time I see these (which is what lead me to searching the community) this is what looks to be happening. It guarantees the 'detection' hash is always unique and always useless, and of course the file will never exist at that location after the event - this is the nature of a temp file.

 

These don't usually appear to be user-initiated downloads in my experience, but rather a user visits some website that uses GZip compressed .JS files and AMP generates a meaningless false positive detection as a result. Curious what others may have done to remedy this as it seems the only solution would be to either exclude the threat category or use a path-based exclusion for 'C:\Users\*\AppData\Local\Temp\*.tmp'.

David Janulik
Cisco Employee
Cisco Employee

‎08-12-2021 12:58 AM

This is a temp file and it is harmless to delete out from the disk. Do not create any exclusion for the temp file, just keep your Internet browsing safe. I personally think the infection will no longer pops up if the temp directory is cleaned \\?\C:\Users\astewart\AppData\Local\Temp\e7c6af52-44c5-4edf-b2e8-06b400978330.tmp

Cyber security escalation engineer
0 Helpful

ccodda
Level 1
Level 1
In response to David Janulik

‎08-12-2021 08:02 AM

Hey David,

Unfortunately, we've already tried that and it just kept coming up (different file & SHA of course). We removed everything in Temp, rebooted, and disabled all browser plugins. One user we even re-imaged his machine and it came back. Most likely sounds like what user 'TruthNotTruth' had to say about website drive-by. Can you provide what AMP/Secure EndPoint is flagging on these types of events?

 

Thanks,

Cheo

0 Helpful
Customers Also Viewed These Support Documents