gonzo
Posts: 5,921
Days Won: 31
Posts posted by gonzo
-
While working on another forum issue, I noticed the block occurred before I updated databases after a factory reset. One minute later, the block was gone. Did you check immediately after doing the factory reset, or wait 30-60 seconds before doing it? A factory reset dumps cache, dumps databases, then downloads databases again. If you did it between the dump and the download, you would have received a block. Once the download was complete, there should not have been a block.
To make sure we have a stable footing, do this:
- In your browser, navigate away from toolsforworkingwood.com in any and all tabs you have open for your browser. This will prevent it from being part of the following steps.
- Dump your browser cache
- Do a factory reset in Browser Guard
- When it is done, count to 25 (not scientific or silly...I want you to give it time to load updated databases)
- Go to toolsforworkingwood.com and see what the result is.
It should be better. If not, please download Browser Guard logs and post them here.
-
Thank you for that. I was hoping to see something that looked like this (from my own logs):
{"@timestamp": "2022-02-04T17:58:01.395Z", "session": "1643997419119", "message": "UPD: 26/26 databases updated,{'mbgc.db.ads.2':'2.0.202202031053','mbgc.db.adware.2':'2.0.202202032203','mbgc.db.compromised.2':'2.0.202202010041','mbgc.db.exploit.2':'2.0.202202041005','mbgc.db.fraud.2':'2.0.202202041406','mbgc.db.hijack.2':'2.0.202202032203','mbgc.db.malvertising.2':'2.0.202202021233','mbgc.db.malware.2':'2.0.202202041720','mbgc.db.pharma.2':'2.0.202202010041','mbgc.db.phishing.2':'2.0.202202041720','mbgc.db.pup.2':'2.0.202202010041','mbgc.db.ransomware.2':'2.0.202202032203','mbgc.db.reputation.2':'2.0.202202041720','mbgc.db.riskware.2':'2.0.202202041631','mbgc.db.spam.2':'2.0.202202030607','mbgc.db.spyware.2':'2.0.202202041005','mbgc.db.trojan.2':'2.0.202202041720','mbgc.db.whitelist.ads.2':'2.0.202201160820','mbgc.db.whitelist.malware.2':'2.0.202201241203','mbgc.db.whitelist.scams.2':'2.0.202202041720','mbgc.db.worm.2':'2.0.202201312353','mbgc.db.malware.partial.urls.2':'2.0.202201240827','mbgc.db.malware.patterns.2':'2.0.202201240827','mbgc.db.malware.urls.2':'2.0.202202041720','mbgc.db.whitelist.scams.patterns.2':'2.0.202201240827','mbgc.db.whitelist.tracker.2':'2.0.202202020528'}", "level": "INFO"}
{"@timestamp": "2022-02-04T17:58:13.117Z", "session": "1643997419119", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-04T18:17:00.026Z", "session": "1643997419119", "message": "UPD: 4/26 databases updated,{'mbgc.db.malware.2':'2.0.202202041808','mbgc.db.reputation.2':'2.0.202202041808','mbgc.db.riskware.2':'2.0.202202041808','mbgc.db.malware.urls.2':'2.0.202202041808'}", "level": "INFO"}
{"@timestamp": "2022-02-04T18:17:08.274Z", "session": "1643997419119", "message": "RDB: 26 databases loaded", "level": "INFO"}
Your log showed loading from cache. Whether or not cache had been updated is unknown. Directly next to the link you clicked to get the logs is a Factory Reset link. Click that to dump cache and reset Browser Guard to its initial settings. I just did that in Chrome to determine that it almost immediately updated its databases. See what that does for you. Let me know after you get a chance to do that.
-
Could you send the log please? There was a phishing block that was unblocked yesterday. I am currently asking if there are any IP blocks or wildcard blocks still in existence (both are possibilities as far as block types go). In the log, I want to see database updates and integrations. You went straight to the detection and did not show the other items.
-
The site is accessible. If your results differ, please provide more information.
-
When Browser Guard is installed, it comes with databases that were current as of the date of the program version release. They require updating to become current as far as you are concerned. Database updates occur every 15-20 minutes, unless there is some form of disruption. When that happens, they are downloaded and then merged with existing databases. That takes a minute or less, and is the reason @Porthos said to leave the browser open. I violated that myself, causing me to get a detection in Edge and only Edge.
Download Browser Guard's logs and inspect them for the database download, the detection of salelytics.com that you are referring to, and the database update. If you do not see success for the database operations, or if you see the detection, send me the logs. You may also need to determine whether any other security/protection app has blocked the database update, or if there is a firewall issue.
-
I had no issues in Firefox or Chrome, then did have a block in Edge. I had some coffee, let the computer do the same, and now it is working in all browsers. Maybe the developer had something to do with it (back end tuning or something). It is working now.
ADDENDUM:
I see a detection in Edge's log 5 seconds after new databases were loaded, but the database update was not complete until 47 seconds after the detection. It failed at first, but not after the database update. I use Edge very rarely, so my Edge databases were downlevel.
-
The site has been whitelisted. Please allow 15-30 minutes for changes to take effect.
-
hxxp://starwars.super7store.com/sw/fckimages/file/fizibimumasojedoweworodem.pdf
This PDF is considered malicious and is the reason for the block.
-
Databases behind the scenes would cause bloat, or lookups for every redirect causes delays and networking costs (BG is a free product, so there is a balancing act there). I can get behind the idea of an on-demand scanner using a submission box. It serves the user, does not add bloat, and is not cost-prohibitive. A pop-up results window (rather than email) would prevent added infrastructure costs. Two other items have not been mentioned which I think are worthy:
- The report may be invalid by the time you receive it, due to website changes on target websites, links going up and down, round-robin redirectors, or malware that sneaks in (or gets snuffed).
- Adding more and more features to Browser Guard (the free web extension) would make it compete with our commercial product, which protects against all protocols.
I am often a devil's advocate. My own "good" ideas are often not safe when subjected to a second look. You have proposed a good enhancement. Keep it up!
-
It is a known issue (as you are aware), and I have not heard any rumblings about a fix. The best solution I can give you is to pick FDM or BG to be enabled when you are downloading, and disable the other for the duration. Not ideal, but it will allow you to do what you need to do.
-
The site has been whitelisted. Please allow 15-30 minutes for changes to take effect. Sorry for the inconvenience.
-
The scope of the request (and the hidden expectation) would likely be the downfall. Having the resources for the job onboard and available at all times would make Browser Guard a heavier load on most computers than the browser(s) BG is attached to. If the resources are there, the user would quickly get tired of clicking links and expect Browser Guard to do it automatically for them. If they got their wish, they would fall asleep waiting for Browser Guard to get done so they could finally see what they wanted to (assuming senility had not yet settled in). Besides that, the bad guys are really good at interpreting user behavior and modifying links on the fly via scripting. You would likely be cursing us and uninstalling it.
-
Thank you for the added information. The site has been whitelisted. Please allow 15-30 minutes for changes to take effect. Sorry for the inconvenience.
-
This is likely a Browser Guard reputation block, but I need to know the URL that is used to trigger the block. The blocked site is not accessible directly, so the path to get there is important.
-
The site has been whitelisted. Please allow 15-30 minutes for changes to take effect. Sorry for the inconvenience.
You should also be aware that anyone using McAfee protection will be blocked from accessing your website, as McAfee has blacklisted it.
-
The site has been whitelisted. Please allow 15-30 minutes for changes to take effect. Sorry for the inconvenience.
-
Glad it's working better for you!
-
The block is being disabled. Please allow 2-4 hours for changes to take effect. Sorry for the inconvenience.
-
Multiple things going on there...
- Firefox is still using 2.3.15, while Chrome/Edge had severe download delay issues with 2.3.15. Chrome/Edge are on 2.3.16. We're out of sync. I'm trying to get an answer when two will again become one.
- Program versions are not affected by the "Check For Updates" button, only Threat Databases. Both check automatically multiple times per hour, but you can force a manual database check with that button.
- Cache is a wonderful thing, except for when it's not. The tracker you just mentioned -- as well as all customer-specific subdomains -- are no longer blocked. If they still are blocked for you, dump your cache. That should fix the problem.
-
Try it now!
-
That is an active threat according to our Research team, and will remain blocked.
-
Try it now, and let me know if the situation has improved.
-
The site has been whitelisted. Please allow 15-30 minutes for changes to take effect. Sorry for the inconvenience.
-
On 26 Jan 2022, we released Malwarebytes Anti-Ransomware Beta 10 version 0.9.19.73 with Component Update package version 1.1.451. The changelog for this build can be found below:
Performance/protective capability:
- This is a hotfix which corrects a service crash caused by heap corruption
False positive at toolsforworkingwood.com (in Website Blocking)
I do not see any attempt to go to the web site AFTER the databases have been updated. The following is from your log:
{"@timestamp": "2022-02-05T00:11:14.709Z", "session": "1644019871363", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:14.731Z", "session": "1644019871363", "message": "GUG: Invalid - No stored user_group - will determine", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:14.745Z", "session": "1644019871363", "message": "HFO: Protection layers are active", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:14.762Z", "session": "1644019871363", "message": "UW: Updated old user to having being welcomed", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1644019871363", "message": "ANY: Just matched 'toolsforworkingwood.com' in database: mbgc.db.riskware.2", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://toolsforworkingwood.com/ for https://toolsforworkingwood.com/. ", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.777Z", "session": "1644019871363", "message": "ENV: {'browser':'Firefox 96.0','version':'2.3.15','build':'Build 420'}", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.778Z", "session": "1644019871363", "message": "OM: Malware (malware) detection on https://toolsforworkingwood.com/. Redirecting to block page.", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:01.355Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://toolsforworkingwood.com/ for https://toolsforworkingwood.com/. ", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:01.356Z", "session": "1644019871363", "message": "ENV: {'browser':'Firefox 96.0','version':'2.3.15','build':'Build 420'}", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:01.356Z", "session": "1644019871363", "message": "OM: Malware (malware) detection on https://toolsforworkingwood.com/. Redirecting to block page.", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:12.662Z", "session": "1644019871363", "message": "UPD: 26/26 databases updated,{'mbgc.db.ads.2':'2.0.202202031053','mbgc.db.adware.2':'2.0.202202032203','mbgc.db.compromised.2':'2.0.202202010041','mbgc.db.exploit.2':'2.0.202202041005','mbgc.db.fraud.2':'2.0.202202042035','mbgc.db.hijack.2':'2.0.202202032203','mbgc.db.malvertising.2':'2.0.202202021233','mbgc.db.malware.2':'2.0.202202042351','mbgc.db.pharma.2':'2.0.202202010041','mbgc.db.phishing.2':'2.0.202202042212','mbgc.db.pup.2':'2.0.202202010041','mbgc.db.ransomware.2':'2.0.202202042212','mbgc.db.reputation.2':'2.0.202202042351','mbgc.db.riskware.2':'2.0.202202042122','mbgc.db.spam.2':'2.0.202202030607','mbgc.db.spyware.2':'2.0.202202041005','mbgc.db.trojan.2':'2.0.202202042212','mbgc.db.whitelist.ads.2':'2.0.202201160820','mbgc.db.whitelist.malware.2':'2.0.202201241203','mbgc.db.whitelist.scams.2':'2.0.202202042303','mbgc.db.worm.2':'2.0.202201312353','mbgc.db.malware.partial.urls.2':'2.0.202201240827','mbgc.db.malware.patterns.2':'2.0.202201240827','mbgc.db.malware.urls.2':'2.0.202202042351','mbgc.db.whitelist.scams.patterns.2':'2.0.202201240827','mbgc.db.whitelist.tracker.2':'2.0.202202020528'}", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:15.935Z", "session": "1644019871363", "message": "RDB: 26 databases loaded", "level": "INFO"}
The detection (red) occurs prior to databases being updated (highlighted in green) and available for use. You are rushing it! I am trying to get beyond that "formative" point so that we can determine how it is working consistently, rather than the initial phase. I only saw issues here myself if I went to your website IMMEDIATELY after doing a factory reset (not allowing time for databases to update). Once they updated, there were no issues. That is true for both Firefox and Chrome versions of Browser Guard.
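Reading a Browser Guard log the way the post above does comes down to one question per block: did the block fire before or after a fresh database download had been merged and loaded? The following Python is an added example, not part of the forum post and not Malwarebytes' own tooling. It parses the JSON-per-line format quoted above, treats the first "RDB:" load that follows an "UPD:" download as the moment fresh databases became usable for that session, and labels every "OM: (PAGE_BLOCK)" accordingly, attaching the database named by the preceding "ANY: Just matched" line where there is one. The sample log is constructed: it is abridged from the excerpt in the post (the UPD payload is shortened to two databases) with one extra detection on a placeholder host added so that both branches are exercised. The message prefixes it keys on are taken from that excerpt; the parsing of their free text is this example's own assumption.

```python
import json
import re
from datetime import datetime

# Constructed sample, abridged from the Browser Guard log excerpt quoted in the post.
# The final line (example.invalid) is added to show a block raised AFTER fresh databases loaded.
SAMPLE_LOG = """\
{"@timestamp": "2022-02-05T00:11:14.709Z", "session": "1644019871363", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:14.745Z", "session": "1644019871363", "message": "HFO: Protection layers are active", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1644019871363", "message": "ANY: Just matched 'toolsforworkingwood.com' in database: mbgc.db.riskware.2", "level": "INFO"}
{"@timestamp": "2022-02-05T00:11:54.773Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://toolsforworkingwood.com/ for https://toolsforworkingwood.com/. ", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:01.355Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) malware (riskware) match found on https://toolsforworkingwood.com/ for https://toolsforworkingwood.com/. ", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:12.662Z", "session": "1644019871363", "message": "UPD: 26/26 databases updated,{'mbgc.db.malware.2':'2.0.202202042351','mbgc.db.riskware.2':'2.0.202202042122'}", "level": "INFO"}
{"@timestamp": "2022-02-05T00:12:15.935Z", "session": "1644019871363", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-05T00:13:40.002Z", "session": "1644019871363", "message": "OM: (PAGE_BLOCK) phishing match found on https://example.invalid/login for https://example.invalid/login. ", "level": "INFO"}
"""

# Free-text shapes assumed from the excerpt; adjust if a build logs them differently.
DETECTION_RE = re.compile(r"OM: \(PAGE_BLOCK\) (?P<kind>.+?) match found on (?P<url>\S+) for ")
MATCH_RE = re.compile(r"ANY: Just matched '(?P<entry>[^']+)' in database: (?P<db>\S+)")


def parse_ts(value):
    # Browser Guard writes ISO-8601 with a trailing 'Z'; older fromisoformat() rejects 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Yield (timestamp, session, message) per JSON line; skip lines mangled by copy/paste."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            yield parse_ts(rec["@timestamp"]), rec["session"], rec["message"]
        except (ValueError, KeyError):
            continue


def classify_detections(text):
    """Label each PAGE_BLOCK by whether fresh databases were loaded before it fired.

    Per session, 'fresh' means an 'UPD:' download completed and the following
    'RDB:' load finished. An 'RDB:' with no preceding 'UPD:' (startup) is a
    load from cache, which the post treats as unverified, so it does not count.
    """
    records = sorted(parse_log(text), key=lambda r: r[0])  # stable sort keeps equal-timestamp order
    update_pending = {}   # session -> True after an UPD line, until its RDB arrives
    fresh_loaded = set()  # sessions whose fresh databases have been loaded
    last_match = {}       # session -> (entry, database) from the most recent ANY line
    awaiting = []         # stale detections still waiting for the update to complete
    detections = []
    for ts, session, msg in records:
        if msg.startswith("UPD:"):
            update_pending[session] = True
        elif msg.startswith("RDB:") and update_pending.get(session):
            update_pending[session] = False
            fresh_loaded.add(session)
            for d in awaiting:  # record how long each early block preceded usable databases
                if d["session"] == session and d["seconds_until_update"] is None:
                    d["seconds_until_update"] = round((ts - d["timestamp"]).total_seconds(), 3)
        mm = MATCH_RE.search(msg)
        if mm:
            last_match[session] = (mm.group("entry"), mm.group("db"))
        dm = DETECTION_RE.search(msg)
        if dm:
            entry, db = last_match.pop(session, (None, None))
            d = {
                "timestamp": ts, "session": session,
                "url": dm.group("url"), "kind": dm.group("kind"),
                "matched_entry": entry, "database": db,
                "fresh_databases": session in fresh_loaded,
                "seconds_until_update": None,
            }
            detections.append(d)
            if not d["fresh_databases"]:
                awaiting.append(d)
    return detections


def summarize(detections):
    """Return (blocks before fresh databases, blocks after fresh databases)."""
    stale = sum(1 for d in detections if not d["fresh_databases"])
    return stale, len(detections) - stale


if __name__ == "__main__":
    for d in classify_detections(SAMPLE_LOG):
        state = "fresh databases" if d["fresh_databases"] else f"stale, updated {d['seconds_until_update']}s later"
        print(f"{d['timestamp'].isoformat()}  {d['kind']:<20} {d['url']}  db={d['database']}  [{state}]")
```

Run against a downloaded log, only blocks flagged as raised on fresh databases are worth reporting as false positives; the stale ones are the "rushing it" case from the post, and the `seconds_until_update` value shows how long the user needed to wait.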