ropebih
Member Candidate
Topic Author
Posts: 113
Joined: Tue May 22, 2007 5:35 pm

Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Sat Feb 04, 2012 9:48 pm

Does anyone know what the problem is with the 3.xx and 4.xx versions?
If you try to open the MikroTik IP via a web browser, Kaspersky activates.

Kaspersky
Anti-Virus 2010
Access denied
The requested URL could not be retrieved

While trying to retrieve the URL:

http://xxx.xxx.0.102/

The following threat was encountered:

The requested object is INFECTED with the following viruses: Trojan-Dropper.JS.Agent.fk
Generated:
20:41:27
Kaspersky Anti-Virus 2010
 
MCT
Member Candidate
Posts: 158
Joined: Wed Mar 03, 2010 5:53 pm

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Sun Feb 05, 2012 12:08 am

If the router's web interface is public-facing, then the webserver running on it has been compromised. If you're running older RouterOS versions, then there's a good chance it's running a vulnerable web server or associated software.

It's happened with the webserver in Linksys routers in the past.
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Sun Feb 05, 2012 11:44 pm

Just a false positive, I think.
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Mon Feb 06, 2012 12:22 pm

> If the router's web interface is public-facing, then the webserver running on it has been compromised. If you're running older RouterOS versions, then there's a good chance it's running a vulnerable web server or associated software.
>
> It's happened with the webserver in Linksys routers in the past.

This is not possible. We don't use a webserver like other brands of routers. We have our own. It has no such (at least none that have been discovered by anyone) vulnerabilities.
 
elgo
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Mon Feb 06, 2012 2:30 pm

> this is not possible. we don't use webserver like other brands of routers. we have our own. it has no such (at least none that have been discovered by anyone) vulnerabilities.

So many approximations in this quick reply. :/
"Your own webserver", what does it mean? Forked a long time ago from other open-source software? Totally developed in-house from 0?
And yes, it is possible. That's what is so uncool with "blackbox" software: there is simply no communication about it, that's all.
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Mon Feb 06, 2012 2:41 pm

Developed from scratch, as are most RouterOS programs these days.
 
iNetSpec
just joined
Posts: 4
Joined: Wed Feb 08, 2012 12:30 am

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 1:42 am

I have seen the same false positive from two different versions of Kaspersky in three different locations.

The difference is, I was not actively browsing to the web server on the router using a browser at the time, however various versions of Firefox have been running either actively or passively on the desktop.

Kaspersky updated on Feb. 03 around 12:04 am, and the first detection was at about 1:02 am the same morning.

Since that time, there have been random detections at different times and frequencies both on my own home network and at customer networks also using a Mikrotik router. All three of the locations are using the Mikrotik as a masquerading router for clients.

Is it possible that the neighbor protocol from the router is triggering this false positive?

The neighbor protocol is only enabled on the internal interfaces to help detect routers for setup purposes. So, as a test, I have disabled IP > Neighbors > Discovery Interfaces for all interfaces temporarily to see if that solves the problem temporarily.

Jon
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 1:48 am

Trojan-Dropper.JS.Agent.fk uses some IE bug to download and run some program. It has nothing to do with Neighbour Discovery.
 
osama
just joined
Posts: 4
Joined: Tue Feb 07, 2012 2:54 pm

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 10:17 am

Hi guys,
Unfortunately I have the same issue here as well. After many attempts to get rid of this virus without affecting the work of RouterOS, I eventually had to have one of my MikroTiks replaced with its backup server that was prepared a few months ago. Then the infected MikroTik was reinstalled with a fresh copy of the OS, and even the hard drive was replaced with a new one, but guess what? Although the installation and configuration work was done offline, the virus nevertheless remained in the system, which made me strongly believe that this virus was sent from my own laptop and was never there before I connected the server to my laptop.

Therefore, it was useless to format and reinstall RouterOS as long as I'm still using the same infected PC, and Kaspersky was unable to discover the virus on my PC because it was just a passive file that came to life only on the MikroTik when we called the web interface, and that is where Kaspersky discovered it.

So this is how it was sent to the server: either through the Winbox port, the FTP port, or even the RADIUS port. In this case the question should be how to prevent RouterOS from receiving the virus through these ports, and how to remove the virus from the MikroTik server (RouterOS)?

Note: iNetSpec, the timing is 100% correct. I've checked with my Kasper and it was the same.
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 10:22 am

What infected file do you mean? This is a false alarm; there is no infection. Report to Kaspersky that the scanner gives you a false positive.
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 10:33 am

Which version of RouterOS are you running when you get the Kaspersky warning? I just installed the Kaspersky 2012 trial with the latest updates, and it doesn't do anything for any of my routers.

Edit: looks like only RouterOS v4 triggers the problem. Looking into it.
 
osama
just joined
Posts: 4
Joined: Tue Feb 07, 2012 2:54 pm

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 10:44 am

> which version of RouterOS are you running when you get the Kaspersky warning? I just installed Kaspersky 2012 trial with latest updates, and it doesn't do anything for any of my routers.
>
> edit: looks like only RouterOS v4 triggers the problem. Looking into it.

Actually I am using the very old 2.9.27, and it was working perfectly until I was alarmed by the virus infection. I will also take your advice into consideration and will call the web interface from another PC that has a different antivirus installed.
Let's see what comes out of the other antivirus programs.

Which file is infected? I don't know.
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 10:48 am

> which file is infected? I Don't Know.

No files are infected. Kaspersky reports a false positive.
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 10:50 am

Can everyone please report to Kaspersky that this is a false positive, and there is no virus? We just did extensive testing, and Kaspersky is simply wrong. False positives sometimes happen; they will fix this in their next update.
 
osama
just joined
Posts: 4
Joined: Tue Feb 07, 2012 2:54 pm

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 11:13 am

Just to confirm my theory that the virus was initially located on my own laptop and then went to the server, please check this location with your Kasper if you are on a Windows PC.
C:\$Recycle.Bin\S-1-5-21-2440861810-575044629-1317448430-1000\$RANLWYJ\Mozilla\Firefox\Profiles\iygw2c6s.default\Cache\2\F3\B5AA3d01

On that path I found the virus file, and now I will again perform the format and reinstallation from a clean PC fully scanned with Kasper and another antivirus program, then I will get back here.

I would like to thank normis for the info and concern, and I just need the approval of your assumption or else one.

Thanks again
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 11:16 am

Kaspersky found an infected file in your trash folder. This has nothing to do with the message about the router webpage.
 
LatinSuD
Member Candidate
Posts: 181
Joined: Wed Jun 29, 2005 1:05 pm
Location: Spain

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 1:34 pm

There are many side explanations to that:
- Your computer may be already infected.
- Hotspot files got infected.
- Web cache got poisoned.
- General network poisoning.

Is it reproducible on different computers?
Can you download a sample of the virus?
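
The two questions in the post above (is it reproducible on different computers, can a sample be saved) can be checked offline by saving the router page body on each machine and comparing the captures. This is an added example and not part of any post in the thread; the host address, capture contents and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ROUTER_HOST = "192.0.2.1"  # constructed (documentation address range)

# Constructed sample captures: the same page saved from two machines.
CLEAN = b'<html><head><script src="/example.js"></script></head><body>login</body></html>'
MODIFIED = CLEAN.replace(b"</body>", b'<iframe src="http://injected.example/x"></iframe></body>')


class RefCollector(HTMLParser):
    """Collect the URLs of active content (script/iframe/embed/object)."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("data") if tag == "object" else attrs.get("src")
        if tag in ("script", "iframe", "embed", "object") and url:
            self.refs.append(url)


def summarize(body, router_host):
    """Hash one capture and list active content loaded from other hosts."""
    parser = RefCollector()
    parser.feed(body.decode("utf-8", "replace"))
    external = sorted(
        u for u in parser.refs
        if urlparse(u).hostname not in (None, router_host)
    )
    return {"sha256": hashlib.sha256(body).hexdigest(), "external": external}


def compare(captures, router_host):
    """captures maps a machine label to the raw page body saved on it."""
    summaries = {name: summarize(body, router_host) for name, body in captures.items()}
    return {
        "identical": len({s["sha256"] for s in summaries.values()}) == 1,
        "external": {n: s["external"] for n, s in summaries.items() if s["external"]},
    }


if __name__ == "__main__":
    print(compare({"pc_a": CLEAN, "pc_b": CLEAN}, ROUTER_HOST))
    print(compare({"pc_a": CLEAN, "pc_b": MODIFIED}, ROUTER_HOST))
```

Identical hashes on every machine mean the router serves the same bytes to all of them, so the alert concerns that content itself rather than something added on one PC or in transit. A differing capture that references another host points toward the cache or network explanations in the list.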
 
iNetSpec
just joined
Posts: 4
Joined: Wed Feb 08, 2012 12:30 am

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Wed Feb 08, 2012 6:35 pm

Just an update on my progress...

From the perspective of the Mikrotik and RouterOS, this is indeed a false positive. However, from the perspective of the anti-virus and a user, this is an actual event. The Kaspersky software is doing its job as far as it can tell. The problem is that some of the information is being obfuscated (possibly by masquerade rules), so the popup is misleading at best.

The changes I made to the IP > Neighbors did not have any effect, so have been returned to their original settings.

However, each and every time Mozilla Firefox is started, I get the same message from Kaspersky stating that the IP address of the router is infected. I was using Firefox 3.5.19 and have upgraded to 9.0.1. The same occurs after both restarting Firefox and then restarting the computer. I then cleared the cache, temporary files, and even did a "Computer Cleanup" process and restarted my computer. Each time Mozilla Firefox was started, a few seconds later I would get the same message from Kaspersky.

Finally, I restarted Firefox in "Safe Mode" without any Add-Ons running. Voila! No popup from Kaspersky!

I have not nailed down which add-on is triggering the event, however, it is NOT related to the Mikrotik at all, and it is possible that it is an actual event with a source that is currently unknown.

I think this is of concern if only because the users behind the Mikrotik firewall are seeing the notices that point to the router. From their point of view, their network has been compromised. I will continue to search for the real source of the problem.

Will update when I know more.

Cheers, Jon
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Thu Feb 09, 2012 9:12 am

> Finally, I restarted Firefox in "Safe Mode" without any Add-Ons running. Voila! No popup from Kaspersky!

That's interesting, because Kaspersky shows the warning in all browsers, including ones that don't support addons.
 
iNetSpec
just joined
Posts: 4
Joined: Wed Feb 08, 2012 12:30 am

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Thu Feb 09, 2012 7:08 pm

Final Update...

Normis, you are correct about the browser. The problem does appear on all browsers when you are browsing directly to the web interface on the Mikrotik. With Firefox running the NoScript add-on, however, Kaspersky would issue the alert whenever Firefox started, and then randomly while Firefox was running. I'm sure it was a little disconcerting for the average Firefox user.

The temporary resolution was to either disable NoScript -or- disable the WWW server interface in the Mikrotik under IP > Services > Service List > www (neither is a good permanent solution). The first stopped the random alerts, and the second stopped ALL alerts.

With that, Kaspersky has solved the false positive problem in the last definition update which happened around 8pm CST on Feb 8, 2012.

I know my customers are happier without the little alerts, real or not. :D
 
normis
MikroTik Support
Posts: 26968
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Fri Feb 10, 2012 7:47 am

> With that, Kaspersky has solved the false positive problem in the last definition update which happened around 8pm CST on Feb 8, 2012.

Great to hear this!
 
osama
just joined
Posts: 4
Joined: Tue Feb 07, 2012 2:54 pm

Re: Trojan-Dropper.JS.Agent.fk on mikrotik or not?

Fri Feb 10, 2012 9:57 pm

> Final Update...
>
> Normis, you are correct about the browser. The problem does appear on all browsers when you are browsing directly to the web interface on the Mikrotik. With Firefox running the NoScript add-on, however, Kaspersky would issue the alert whenever Firefox started, and then randomly while Firefox was running. I'm sure it was a little disconcerting for the average Firefox user.
>
> The temporary resolution was to either disable NoScript -or- disable the WWW server interface in the Mikrotik under IP > Services > Service List > www (neither is a good permanent solution). The first stopped the random alerts, and the second stopped ALL alerts.
>
> With that, Kaspersky has solved the false positive problem in the last definition update which happened around 8pm CST on Feb 8, 2012.
>
> I know my customers are happier without the little alerts, real or not. :D

Thank you for the good news, iNetSpec, and thanks to all the guys. It is much better now and no more complaint calls. :)