Greybeard1
Browser Guard blocking cookie popups mistaken for ads
Greybeard1 replied to Greybeard1's topic in Firefox
Sites where Browser Guard blocked cookie dialog: shore.co.uk bes.co.uk Sorry, I can't remember what the third site was.
-
Browser Guard blocking cookie popups mistaken for ads
Greybeard1 replied to Greybeard1's topic in Firefox
Thank you. I've re-created the issue and it was indeed Easylist that was blocking the cookie dialog. That allows me to use the site while maintaining other blocks, but it doesn't solve the problem that sites are blocked to users who aren't aware that it's Browser Guard that's doing it. Is there anywhere I can find out more about Easylist?
-
On three separate websites recently the site has been selectively unresponsive, and may appear to have a 'dark glass' layer over it. I've realised that this is because Browser Guard has hidden the Cookie popup, and some aspects of the site don't work until the cookie choice has been made. Turning off 'Ads/Trackers' in Browser Guard is the workaround for that site. Now that I'm aware of it, I can use the workaround, but I assume it's affecting other users. I'm using Firefox on Windows 10.
-
Thanks Porthos, I followed your advice, the database was reported as being up to date, v2.6.25, as in the screenshot. However, I restarted the browser and rechecked, and the site is no longer blocked. So I guess the update had been installed automatically but needed a restart to run.
-
Tried to pay a club membership using PayPal; the Mozilla extension blocked it for heuristics. Screenshot attached. Sorry, I haven't been able to find out how to save a log of this. URL of the block report: moz-extension://3f3a9d9c-a53a-4ebd-8703-0afc2cd12de9/app/eventpages/block.html?referrer=null&url=https%3A%2F%2Fwww.paypal.com%2Fcheckoutnow%3Flocale.x%3Den_US%26fundingSource%3Dpaypal%26sessionID%3Duid_95e603dd31_mdc6mzq6mza%26buttonSessionID%3Duid_17f2c5f7d8_mdc6mzq6mza%26env%3Dproduction%26fundingOffered%3Dpaypal%252Ccredit%252Ccard%252Ccard%252Ccard%252Ccard%252Ccard%26logLevel%3Dwarn%26sdkMeta%3DeyJ1cmwiOiJodHRwczovL3d3dy5wYXlwYWxvYmplY3RzLmNvbS9hcGkvY2hlY2tvdXQuanMifQ%26uid%3Df5dad30a57%26version%3D4%26token%3DEC-7SR345266W760622F%26xcomponent%3D1&host=www.paypal.com&type=scam&subtype=phishing&tabId=null&filename=null&prevUrl=null
-
Hi, caving.ie is blocked as fraud, but appears valid. It's the website of The Speleological Union of Ireland and doesn't sell anything except perhaps membership subs. Whois confirms that the owner is The Speleological Union of Ireland Limited. I'm not connected with the site, just a caver/potholer trying to look something up on it. Log attached. cavingiemwb.log
-
Hi, Malwarebytes has detected the free version of Attribute Magic as Malware.Sandbox.32. I believe it's legit freeware, from 2003. Log and zipped exe attached. attmag.zip attmag.txt
-
Thanks. Yes, as I said, it's an old file and I don't need it, but I thought that reporting it might help with feedback to the AI detection engine.
-
Hi, Malwarebytes detected the installation file for a redundant version of nmap as Malware. Previous scans did not detect it. Log and file attached. Reported for feedback only, I don't need the file as it's an old version. nmap-6.01-setup.zip mwb export nmap.txt
-
Thank you. Block Penetration Testing attacks is off. I'll take turning off Spawning Batch Command Prevention as the solution.
-
Thanks Porthos. Apologies for posting in the wrong section. I've done that and tested it (having put LibreOffice back on the Protected list) and it flags an exploit as before. I didn't see any control ticks change when I restored the defaults. However, I haven't explored that area of Settings previously, and I notice the 3rd tab is "Application behavior protection" and includes a control in the "MS Office" column for "Office Spawning Batch Command Prevention". I turned off that control and that does prevent an exploit being flagged. So it appears that control applies to other Office suites, not just MS Office. I assume it's a narrower exemption than taking protection off LibreOffice completely, which I think is better. Do you know if that's the way Malwarebytes is intended to work, or should it be possible to respond to the nature of the macro rather than react to it as a Spawning Batch Command? I can see from the log that cmd.exe was called so understand that it literally is a spawned batch command.
-
Malwarebytes is flagging an exploit when attempting to run a macro in LibreOffice. Invoking the menu command Tools > Macro > Run Macro on a newly created blank text document or spreadsheet with only the built-in macros will cause the application to close and the exploit to be flagged. This happens before selection of a macro to run. This occurs on two separate new installations of LibreOffice 7.3.4, downloaded from https://www.libreoffice.org/download/download/?type=win-x86_64&version=7.3.4&lang=en-GB. SHA256 string of the downloaded file matches the target. Macro protection settings in the application do not affect the outcome. Saving a blank file and adding it to the Allow List in Malwarebytes does not prevent the behavior. I attach a typical log and zipped .odt file - the issue may be in the application itself, which I have not attached but can be downloaded as above. I have turned off LibreOffice in the Protection Applications list but see that as a temporary workaround. Thanks. mwb libre.txt LibreOfficeblank.zip
-
Malwarebytes has reported m32-471-rc.exe, a 2009 version of Mercury Mailserver, as MachineLearning/Anomalous.100. Mercury is well respected software and no malicious activity was detected when I used this version, so I think it's a false positive. Log and zipped detected file attached. Reporting as feedback to detection engine; the file is redundant so whitelisting is moot. m32-471-rc.zip fp_mercury_mailsvr.txt
-
Thanks. They were detected on 4 July, as shown in the log. I didn't quarantine them and have just rescanned and they weren't detected now. I assume an update has fixed the issue, so nothing more to do.
-
Hi, I reported a false positive in Tesseract-OCR in January, which was confirmed. I have recently had the same false positive, plus two more from Tesseract (I have not changed my installation). Since they were connected, I reported the recent events on the same thread, but maybe that was the wrong thing to do as there has been no response. The thread, with attachments for the new event, is here. Thanks