Virus found in Chat Support

Yesterday I downloaded SupportBoard v.3.5.1, but the package came with a trojan-virus (Script-Ulthar.A!ml), detected first by Google Chrome during the downloading process and then by Windows Defender when I scanned my desktop. This issue was reported to the author, who denied responsibility. Below is the report (apparently the infected file in the zip was supportboard/js/admin.js):

file: C: … \OneDrive\codecanyon-4KEYxfLr-support-board-chat-and-help-desk.zip->supportboard 3.5.1.zip->supportboard/js/admin.js

Hi @gibarra,

Windows Defender is notorious for false positives. What it claimed it found in your case was a “trojan downloader” in the form of a JavaScript file, rather than a trojan itself.

For security, don’t open the theme file. Instead, head over to virustotal.com and upload the zip file. They will scan it against all the top antiviruses and you can determine if it’s a false positive or not. If it is infected, delete the zip file and send the VirusTotal results to Envato support by opening a Help ticket.

Thanks

1 Like
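
Added example, not part of any post in this thread: one way to get the SHA-256 of the flagged file for a hash search on virustotal.com without unpacking or opening it, by following the `->` container chain from the scanner report. The outer file name, the size cap and the sample archive are constructed assumptions.

```python
import hashlib
import io
import zipfile

MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed cap; refuse oversized members of untrusted archives

def split_report_path(resource):
    """Split a report line 'file: outer.zip->inner.zip->member' into (outer, [members])."""
    if resource.startswith("file:"):
        resource = resource[len("file:"):]
    outer, *members = [part.strip() for part in resource.split("->")]
    return outer, members

def hash_flagged_member(outer_bytes, members):
    """Follow the nested-archive chain in memory and return the SHA-256 of the last member.
    Nothing is extracted to disk and nothing is executed."""
    data = outer_bytes
    for name in members:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info = zf.getinfo(name)  # KeyError if the report path does not match the archive
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{name}: declared size {info.file_size} exceeds cap")
            data = zf.read(info)
    return hashlib.sha256(data).hexdigest()

def build_sample():
    """Constructed stand-in for the download: a zip holding a zip holding admin.js."""
    js = b"console.log('constructed sample, not the real admin.js');\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("supportboard/js/admin.js", js)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("supportboard 3.5.1.zip", inner.getvalue())
    return outer.getvalue(), js

# Constructed report line: the outer file name is a placeholder, member names are from the thread.
SAMPLE_REPORT = "file: sample-download.zip->supportboard 3.5.1.zip->supportboard/js/admin.js"

if __name__ == "__main__":
    outer_name, chain = split_report_path(SAMPLE_REPORT)
    archive, _ = build_sample()
    print(outer_name, chain[-1], hash_flagged_member(archive, chain))
```

For a real download, read the outer zip's bytes from disk and pass them with the member chain taken from the scanner report.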

The !ml at the end of the trojan name means the detection is a best guess by a “machine learning” algorithm, rather than an actual known trojan. That, paired with the file extension of the alleged trojan (.js), makes this a clear false positive, and it’s safe to ignore. I see these all the time; they’re quite annoying and in the cases I’ve seen are also never correct.

For a more technical explanation: The JS file will only execute in the context of a web browser. It’s not impossible for a JS file to act as a trojan within a web browser, but this would require a “zero-day” exploit for your browser, worth tens if not hundreds of millions of dollars, and would be patched immediately upon discovery. It’s not something you will find in a random theme.

2 Likes

Many thanks for your quick reply. I will re-check again and meanwhile I will consider this as a false-positive warning.

Many thanks for your quick response, I will check with the online tool pointed out. As I mentioned below, I will consider this alert as a false-positive case.