Threat Detection Library


JS/Agent indicates that Sophos has detected malicious JavaScript in an email message or in a file on disk.

The JavaScript is typically part of a malicious attachment, and the attackers frequently use social engineering tactics to convince the user to download and run their malicious JavaScript attachment on the local computer.

For example, the attackers may send an email message claiming the user owes money for a delivery and that the user should download and open the “invoice,” which is actually a malicious attachment with JavaScript. Sophos would detect that attachment as JS/Agent.

Another tactic attackers use is to have the malicious attachment file name spoof well-known legitimate JavaScript libraries, like jquery.js.

When malicious JavaScript is run locally, it can take actions on the local computer that it would not be able to take when run in a browser. For example, locally run malicious JavaScript could download external malicious content to the local file system and execute it. In some cases, attackers will use a malicious JavaScript attachment to download additional malware onto the user’s system.
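As an added example (not Sophos code and not part of the original page), the following Python shows how a mail-triage script could flag the attachment patterns described above: standalone JavaScript attachments and file names that spoof well-known libraries. The extension, MIME-type and library-name lists, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for illustration; tune them to your environment.
SCRIPT_EXTS = {".js", ".jse"}
JS_MIME = {"application/javascript", "text/javascript", "application/x-javascript"}
LIB_NAME = re.compile(r"^(jquery|lodash|bootstrap|angular|react)([-.][\w.-]*)?$")

def triage_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment that looks like standalone JavaScript."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        lower = name.lower().rstrip(". ")  # trailing dots/spaces are dropped on Windows
        stem, dot, ext = lower.rpartition(".")
        if not dot:
            stem, ext = lower, ""
        reasons = []
        if "." + ext in SCRIPT_EXTS:
            reasons.append("script-extension")
        if part.get_content_type() in JS_MIME:
            reasons.append("javascript-mime-type")
        # A real library has no reason to arrive as a mail attachment.
        if reasons and LIB_NAME.match(stem):
            reasons.append("library-name-spoof")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings

def build_sample() -> bytes:
    """Constructed test message; attachment bodies are inert placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "billing@example.test", "user@example.test"
    m["Subject"] = "Delivery invoice"
    m.set_content("Please open the attached invoice.")
    for fname, subtype in [("invoice.js", "octet-stream"),
                           ("jquery.js", "javascript"),
                           ("receipt.txt", "octet-stream")]:
        m.add_attachment(b"/* placeholder */", maintype="application",
                         subtype=subtype, filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage_attachments(build_sample()):
        print(finding)
```

Findings from a check like this are triage hints for quarantine or review; they do not replace the content-based detection that JS/Agent represents.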

You can find information on JS/Agent attacks on the Sophos X-Ops blog here.

If you believe this detection is incorrect, please report this file to Sophos Support via [link].
