Posts posted by gonzo

  1. I do not see any attempt to go to the web site AFTER the databases have been updated.  The following is from your log:

    {"@timestamp": "2022-02-05T00:11:14.709Z", "session": "1644019871363", "message": "RDB: 26 databases loaded", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:14.731Z", "session": "1644019871363", "message": "GUG: Invalid - No stored user_group - will determine", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:14.745Z", "session": "1644019871363", "message": "HFO: Protection layers are  active", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:14.762Z", "session": "1644019871363", "message": "UW: Updated old user to having being welcomed", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1644019871363", "message": "ANY: Just matched 'toolsforworkingwood.com' in database: mbgc.db.riskware.2", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://toolsforworkingwood.com/ for https://toolsforworkingwood.com/. ", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:54.777Z", "session": "1644019871363", "message": "ENV: {'browser':'Firefox 96.0','version':'2.3.15','build':'Build 420'}", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:11:54.778Z", "session": "1644019871363", "message": "OM: Malware (malware) detection on https://toolsforworkingwood.com/. Redirecting to block page.", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:12:01.355Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://toolsforworkingwood.com/ for https://toolsforworkingwood.com/. ", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:12:01.356Z", "session": "1644019871363", "message": "ENV: {'browser':'Firefox 96.0','version':'2.3.15','build':'Build 420'}", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:12:01.356Z", "session": "1644019871363", "message": "OM: Malware (malware) detection on https://toolsforworkingwood.com/. Redirecting to block page.", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:12:12.662Z", "session": "1644019871363", "message": "UPD: 26/26 databases updated,{'mbgc.db.ads.2':'2.0.202202031053','mbgc.db.adware.2':'2.0.202202032203','mbgc.db.compromised.2':'2.0.202202010041','mbgc.db.exploit.2':'2.0.202202041005','mbgc.db.fraud.2':'2.0.202202042035','mbgc.db.hijack.2':'2.0.202202032203','mbgc.db.malvertising.2':'2.0.202202021233','mbgc.db.malware.2':'2.0.202202042351','mbgc.db.pharma.2':'2.0.202202010041','mbgc.db.phishing.2':'2.0.202202042212','mbgc.db.pup.2':'2.0.202202010041','mbgc.db.ransomware.2':'2.0.202202042212','mbgc.db.reputation.2':'2.0.202202042351','mbgc.db.riskware.2':'2.0.202202042122','mbgc.db.spam.2':'2.0.202202030607','mbgc.db.spyware.2':'2.0.202202041005','mbgc.db.trojan.2':'2.0.202202042212','mbgc.db.whitelist.ads.2':'2.0.202201160820','mbgc.db.whitelist.malware.2':'2.0.202201241203','mbgc.db.whitelist.scams.2':'2.0.202202042303','mbgc.db.worm.2':'2.0.202201312353','mbgc.db.malware.partial.urls.2':'2.0.202201240827','mbgc.db.malware.patterns.2':'2.0.202201240827','mbgc.db.malware.urls.2':'2.0.202202042351','mbgc.db.whitelist.scams.patterns.2':'2.0.202201240827','mbgc.db.whitelist.tracker.2':'2.0.202202020528'}", "level": "INFO"}
    {"@timestamp": "2022-02-05T00:12:15.935Z", "session": "1644019871363", "message": "RDB: 26 databases loaded", "level": "INFO"}

    The detection (red) occurs prior to databases being updated (highlighted in green) and available for use.  You are rushing it!  I am trying to get beyond that "formative" point so that we can determine how it is working consistently, rather than the initial phase.  I only saw issues here myself if I went to your website IMMEDIATELY after doing a factory reset (not allowing time for databases to update). Once they updated, there were no issues. That is true for both Firefox and Chrome versions of Browser Guard.


  2. While working on another forum issue, I noticed the block occurred before I updated databases after a factory reset.  One minute later, the block was gone.  Did you check immediately after doing the factory reset, or wait 30-60 seconds before doing it?  A factory reset dumps cache, dumps databases, then downloads databases again.  If you did it between the dump and the download, you would have received a block.  Once the download was complete, there should not have been a block.

    To make sure we have a stable footing, do this:

    • In your browser, navigate away from toolsforworkingwood.com in any and all tabs you have open for your browser.  This will prevent it from being part of the following steps.
    • Dump your browser cache
    • Do a factory reset in Browser Guard
    • When it is done, count to 25 (not scientific or silly...I want you to give it time to load updated databases)
    • Go to toolsforworkingwood.com and see what the result is.

    It should be better.  If not, please download Browser Guard logs and post them here.

  3. Thank you for that.  I was hoping to see something that looked like this (from my own logs):

    {"@timestamp": "2022-02-04T17:58:01.395Z", "session": "1643997419119", "message": "UPD: 26/26 databases updated,{'mbgc.db.ads.2':'2.0.202202031053','mbgc.db.adware.2':'2.0.202202032203','mbgc.db.compromised.2':'2.0.202202010041','mbgc.db.exploit.2':'2.0.202202041005','mbgc.db.fraud.2':'2.0.202202041406','mbgc.db.hijack.2':'2.0.202202032203','mbgc.db.malvertising.2':'2.0.202202021233','mbgc.db.malware.2':'2.0.202202041720','mbgc.db.pharma.2':'2.0.202202010041','mbgc.db.phishing.2':'2.0.202202041720','mbgc.db.pup.2':'2.0.202202010041','mbgc.db.ransomware.2':'2.0.202202032203','mbgc.db.reputation.2':'2.0.202202041720','mbgc.db.riskware.2':'2.0.202202041631','mbgc.db.spam.2':'2.0.202202030607','mbgc.db.spyware.2':'2.0.202202041005','mbgc.db.trojan.2':'2.0.202202041720','mbgc.db.whitelist.ads.2':'2.0.202201160820','mbgc.db.whitelist.malware.2':'2.0.202201241203','mbgc.db.whitelist.scams.2':'2.0.202202041720','mbgc.db.worm.2':'2.0.202201312353','mbgc.db.malware.partial.urls.2':'2.0.202201240827','mbgc.db.malware.patterns.2':'2.0.202201240827','mbgc.db.malware.urls.2':'2.0.202202041720','mbgc.db.whitelist.scams.patterns.2':'2.0.202201240827','mbgc.db.whitelist.tracker.2':'2.0.202202020528'}", "level": "INFO"}
    {"@timestamp": "2022-02-04T17:58:13.117Z", "session": "1643997419119", "message": "RDB: 26 databases loaded", "level": "INFO"}
    {"@timestamp": "2022-02-04T18:17:00.026Z", "session": "1643997419119", "message": "UPD: 4/26 databases updated,{'mbgc.db.malware.2':'2.0.202202041808','mbgc.db.reputation.2':'2.0.202202041808','mbgc.db.riskware.2':'2.0.202202041808','mbgc.db.malware.urls.2':'2.0.202202041808'}", "level": "INFO"}
    {"@timestamp": "2022-02-04T18:17:08.274Z", "session": "1643997419119", "message": "RDB: 26 databases loaded", "level": "INFO"}

    Your log showed loading from cache.  Whether or not cache had been updated is unknown.  Directly next to the link you clicked to get the logs is a Factory Reset link.  Click that to dump cache and reset Browser Guard to its initial settings.  I just did that in Chrome to determine that it almost immediately updated its databases.  See what that does for you.  Let me know after you get a chance to do that.
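The reasoning in posts 1 and 3 above is a timeline check: a PAGE_BLOCK that lands before the session's first "UPD: ... databases updated" followed by "RDB: ... databases loaded" was decided on the shipped or cached databases, not the current ones. The following Python script is an added example that automates that check over a Browser Guard log export; it is not Browser Guard's own code and not something gonzo posted. The JSON-lines layout and the "UPD:", "RDB:" and "OM: (PAGE_BLOCK)" message prefixes are taken from the excerpts on this page; the sample log lines, session IDs and hosts (example.com and friends) are constructed placeholders.

```python
"""Classify Browser Guard page blocks as before/after the first completed
database update in their session (added example, not Browser Guard code)."""
import json
import re
from datetime import datetime, timezone

# Message prefixes as they appear in the log excerpts on this page.
UPD_RE = re.compile(r"^UPD: (\d+)/(\d+) databases updated")
RDB_RE = re.compile(r"^RDB: (\d+) databases loaded")
BLOCK_RE = re.compile(
    r"^OM: \(PAGE_BLOCK\) (?P<kind>\S+) \((?P<category>\S+)\) match found on "
    r"(?P<url>\S+) for (?P<page>\S+)\."
)

# Constructed sample log: session ...001 reproduces the "block, then update,
# then reload" sequence; session ...002 never completes an update.
SAMPLE_LOG = """
{"@timestamp": "2022-02-05T00:11:14.709Z", "session": "1000000000001", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1000000000001", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://example.com/ for https://example.com/. ", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.778Z", "session": "1000000000001", "message": "OM: Malware (malware) detection on https://example.com/. Redirecting to block page.", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:12.662Z", "session": "1000000000001", "message": "UPD: 26/26 databases updated,{'mbgc.db.riskware.2':'2.0.202202042122'}", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:15.935Z", "session": "1000000000001", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-05T00:13:30.000Z", "session": "1000000000001", "message": "OM: (PAGE_BLOCK) malware (phishing) match found on https://example.net/login for https://example.net/login. ", "level": "INFO"}
{"@timestamp": "2022-02-05T09:00:00.000Z", "session": "1000000000002", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-05T09:00:05.000Z", "session": "1000000000002", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://example.org/ for https://example.org/. ", "level": "INFO"}
"""


def parse_ts(stamp):
    """'2022-02-05T00:11:14.709Z' -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """One JSON object per line; blank or wrapped/garbled lines are skipped."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        events.append({"ts": parse_ts(ev["@timestamp"]),
                       "session": ev["session"],
                       "message": ev["message"]})
    events.sort(key=lambda e: e["ts"])
    return events


def first_usable_update(events):
    """Per session: time of the first 'RDB ... loaded' that follows a
    'UPD ... updated', i.e. when freshly merged databases are in use."""
    usable, seen_upd = {}, set()
    for ev in events:
        s = ev["session"]
        if s in usable:
            continue
        if UPD_RE.match(ev["message"]):
            seen_upd.add(s)
        elif s in seen_upd and RDB_RE.match(ev["message"]):
            usable[s] = ev["ts"]
    return usable


def classify_detections(text):
    """Return each PAGE_BLOCK with a verdict relative to the session's update."""
    events = parse_log(text)
    usable = first_usable_update(events)
    results = []
    for ev in events:
        m = BLOCK_RE.match(ev["message"])
        if not m:
            continue
        ready = usable.get(ev["session"])
        if ready is None:
            verdict, offset = "no_update_in_session", None
        else:
            offset = (ev["ts"] - ready).total_seconds()
            verdict = "before_update" if offset < 0 else "after_update"
        results.append({"session": ev["session"], "url": m["url"],
                        "category": m["category"], "verdict": verdict,
                        "seconds_from_update": offset})
    return results


def summarize(results):
    """Count verdicts per session, e.g. {'...001': {'before_update': 1}}."""
    counts = {}
    for r in results:
        per = counts.setdefault(r["session"], {})
        per[r["verdict"]] = per.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in classify_detections(SAMPLE_LOG):
        print(r)
    print(summarize(classify_detections(SAMPLE_LOG)))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. A block reported as before_update (or no_update_in_session, the "loading from cache" case) is not evidence about the current databases; only an after_update block on the same URL says the live data still matches.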


  4. Could you send the log please?  There was a phishing block that was unblocked yesterday. I am currently asking if there are any IP blocks or wildcard blocks still in existence (both are possibilities as far as block types go). In the log, I want to see database updates and integrations.  You went straight to the detection and did not show the other items.

  5. When Browser Guard is installed, it comes with databases that were current as of the date of the program version release. They require updating to become current as far as you are concerned.  Database updates occur every 15-20 minutes, unless there is some form of disruption.  When that happens, they are downloaded and then merged with existing databases. That takes a minute or less, and is the reason @Porthos said to leave the browser open. I violated that myself, causing me to get a detection in Edge and only Edge.

    Download Browser Guard's logs and inspect them for the database download, the detection of salelytics.com that you are referring to, and the database update.  If you do not see success for the database operations, or if you see the detection, send me the logs.  You may also need to determine whether any other security/protection app has blocked the database update, or if there is a firewall issue.

  6. I had no issues in Firefox or Chrome, then did have a block in Edge.  I had some coffee, let the computer do the same, and now it is working in all browsers. Maybe the developer had something to do with it (back end tuning or something).  It is working now.

    ADDENDUM:

    I see a detection in Edge's log 5 seconds after new databases were loaded, but the database update was not complete until 47 seconds after the detection.  It failed at first, but not after the database update. I use Edge very rarely, so my Edge databases were downlevel.

  7. Databases behind the scenes would cause bloat, and lookups for every redirect would cause delays and networking costs (BG is a free product, so there is a balancing act there).  I can get behind the idea of an on-demand scanner using a submission box.  It serves the user, does not add bloat, and is not cost-prohibitive.  A pop-up results window (rather than email) would prevent added infrastructure costs.  Two other items that have not been mentioned, which I think are worthy:

    • The report may be invalid by the time you receive it, due to website changes on target websites, links going up and down, round-robin redirectors, or malware that sneaks in (or gets snuffed).
    • Adding more and more features to Browser Guard (the free web extension) would make it compete with our commercial product which protects against all protocols

    I am often a devil's advocate.  My own "good" ideas are often not safe when subjected to a second look.  You have proposed a good enhancement.  Keep it up!

  8. The scope of the request (and the hidden expectation) would likely be the downfall.  Having the resources for the job onboard and available at all times would make Browser Guard a heavier load on most computers than the browser(s) BG is attached to.  If the resources are there, the user would quickly get tired of clicking links and expect Browser Guard to do it automatically for them.  If they got their wish, they would fall asleep waiting for Browser Guard to get done so they could finally see what they wanted to (assuming senility had not yet settled in).  Besides that, the bad guys are really good at interpreting user behavior and modifying links on the fly via scripting.  You would likely be cursing us and uninstalling it.

  9. Multiple things going on there...

    • Firefox is still using 2.3.15, while Chrome/Edge had severe download delay issues with 2.3.15.  Chrome/Edge are on 2.3.16.  We're out of sync. I'm trying to get an answer when two will again become one.
    • Program versions are not affected by the "Check For Updates" button, only Threat Databases.  Both check automatically multiple times per hour, but you can force a manual database check with that button.
    • Cache is a wonderful thing, except for when it's not.  The tracker you just mentioned -- as well as all customer-specific subdomains -- are no longer blocked.  If they still are blocked for you, dump your cache.  That should fix the problem.