[Possible false positive - hxxp:\\ 142.0.204.220 part 2]

Morning - MWB Detection reported a blocked website as follows </142.0.204.220/> on port 54552 launched from msedge.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. This was reported on a previous post on 16-Dec-2020; the IP address was to be reviewed as per JPopovich's response

[Possible false positive - hxxp:\\outbyte.com]

Morning - MWB Detection reported a blocked website as follows </outbyte.com/> on port 56589 launched from firefox.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positive - hxxp:\\ssionsupre.fun]

Morning - MWB Detection reported a blocked website as follows </ssionsupre.fun/> on ports ranging between 49276-62671 launched from firefox.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positive - hxxp:\\5.189.217.48]

Morning - MWB Detection reported a blocked website as follows </5.189.217.48/> on port 58429 launched from AvastBrowser.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positive - hxxp:\\coin-birds.com]

Morning - MWB Detection reported a blocked website as follows </coin-birds.com/> on port 50182 launched from msedge.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positives - few sites hxxp:\\ 34.230.127.91]

Kevin - thanks for this feedback.

We're using EPP Cloud, so the first set of steps will need to be scheduled from the management console.

I will try and get those logs to you later today.

The person is doing video editing/rendering using free online tools on certain sites; those sites however have pop-up ads and it is these that are being blocked by MWB end point protection.

[Possible false positives - few sites hxxp:\\ 34.230.127.91]

Morning - MWB Detection gave a blocked website result for the following sites:

1. </34.230.127.91/> on port 56230 launched from AvastBrowser.exe - VirusTotal results for a scan of the IP address returned "Clean" for all engines.
2. </199.80.54.74/> on port 57938 launched from msedge.exe - VirusTotal results for a scan of the IP address returned 1 engine registered a "malware" result.
3. </192.243.59.20/> on port 62961 launched from msedge.exe - VirusTotal results for a scan of the IP address returned 1 engine registered a "suspicious" result
4. </gz06x5tqlj.com/> launched from msedge.exe - VirusTotal results for a scan of the IP address returned 1 engine registered a "malware" result / 1 engine registered a "suspicious" result

See images attached.

[Possible false positive - hxxp:\\ 142.0.204.220]

Morning - MWB Detection reported a blocked website as follows </142.0.204.220/> on port 51208 launched from msedge.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.
 

[Possible false positive - hxxp:\\ 64.58.113.244]

Morning - MWB Detection reported a blocked website as follows </64.58.113.244/> on port 64114 launched from msedge.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positive - hxxp:\\ www.rlclabellers.com.mialias.net]

Morning - MWB Detection reported a blocked website as follows </www.rlclabellers.com.mialias.net/> on port 52155.

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positive - hxxp:\\ 108.167.146.28]

Morning - MWB Detection reported a blocked website as follows </108.167.146.28/> on port 55062 launched from msedge.exe

VirusTotal results for a scan of the IP address returned "Clean" for all engines. See image attached.

[Possible false positive - hxxp:\\digilander.libero.it]

The following site came up as a blocked web site.

/<digilander.libero.it>/

Virus Total engines return a "clean" result when the URL is scanned

[Possible false positive - hxxp:\\clicknupload.co]

Morning - the following site came up as a blocked site; VirusTotal scans of the IP address returned "Clean" from all engines

</clicknupload.co/>

Regards,

Mark.

[Possible false positive - hxxp:\\142.0.197.108]

Afternoon - the following site came up as a blocked site initiated from Microsoft Edge; VirusTotal scans of the IP address returned "Clean" from all engines

</142.0.197.108/> outbound port 55427

Regards,

Mark.

[Possible false positive - hxxp:\\freedownloadpsd.com]

Morning - the following site came up as a blocked site; VirusTotal scans of the IP address returned "Clean" from all engines

</freedownloadpsd.com/>

Regards,

Mark.

[Possible false positive - hxxp:\\mmmkids.com]

Morning - the following site came up as a blocked site; VirusTotal scans of the IP address returned "Clean" from all engines

</mmmkids.com/>

Regards,

Mark.

[Possible false positive - hxxp:\\ 142.0.204.220]

Afternoon - the following site came up as a blocked site; VirusTotal scans of the IP address returned "Clean" from all engines

</142.0.204.220/> outbound port 65217

Regards,

Mark.

[Possible false positive - hxxp:\\ www.shopcourts.com]

Afternoon - the following site came up as a blocked site; VirusTotal scans of the URL returned "Clean" from all engines

</www.shopcourts.com/>

Regards,

Mark.

[Possible false positive - hxxp:\\fp-afd.azurefd.net]

Hi - we're using the Cloud Endpoint protection.

The following is taken from the two endpoints that received the blocked website notice; are they at the most current versions/database?

The EPP update differed for the two units.

If not can one manually run an update of the DB for the Cloud EP?

Engine Version:	1.2.0.793
Last Refreshed:	07/21/2020 8:49:25 AM

Asset Manager:	1.2.0.330
Endpoint Protection:	1.2.0.831
Endpoint Protection Protection Update:	1.0.17190 / 1.0.17170
Component Package Version:	1.0.651

 

[Possible false positive - hxxp:\\fp-afd.azurefd.net]

Morning - the following site came up as a blocked site; VirusTotal scans of the URL returned "Clean" from all engines

</ fp-afd.azurefd.net /> Regards Mark

[Possible false positive - hxxp:\\www.lubychina.com]

Morning - the following sites came up as blocked sites; VirusTotal scans of the URL returned "Clean" from all engines

</lubychina.com/> </airtechusa.com/>    Regards Mark

[Possible false positives - hxxp:\\pl15364254.passtechusa.com]

Received blocked website notices for </pl15364254.passtechusa.com/> and </www.hiprofitnetworks.com/>
VirusTotal scan returned one hit for "Spam" from Spamhaus engine for ESET the first site above (passtechusa); and "Clean / No engines detected this URL" for the second one (hiprofitnetworks).
Would like to know if these are valid blocks or not.

The EP protection report is attached.

 

[Possible false positive - hxxp:\\errortools.com]

Thanks TeMerc - so the block is valid. MWB keeping us safe from even those on the fringes.

[Possible false positive - hxxp:\\errortools.com]

Morning - received blocked website notification for the site in the subject line. Attached is a screen shot of the EP protection report.

I'd like to know if it's a false-positive.

VirusTotal scan for the URL returned one hit from ESET as "Suspicious".

[Possible false positive - hxxp:\\logon.live.com]

Thanks Zynthesist,

I'm assuming that the DB version is equal to the Endpoint Protection Update.

I checked two other endpoints that experienced the same "blocked site" notices on the previous day. Their Endpoint Protection Update is now at 1.0.14775, and no further "blocked site" notices were received.

I'm waiting on the scheduled tasks to "Check for Protection Updates" and "Refresh Assets" to be executed.