Jump to content
webdandy

ANSWERED Site being listed as risky

Recommended Posts

Hi,

Site with SSL using the seal.starfieldtech.com seal (IP 68. 178.177. 7) on the site is being flagged by MB as "Riskware". The SSL was purchased from GoDaddy and seal supplied so not sure why this is being flagged?

Can you advise?

Thanks,

Elaine

starfield.txt

Share this post


Link to post
Share on other sites

I also get the same website blocking popup warning domain starfieldtech.com coming from SSL certificate bought from GoDaddy USA / UK or 123-Reg in the UK.

I did a threat scan it came up clean. The error popup is on any site I visit that bought an SSL from those companies. It's not coming up on any other website or SSL.

I'd guess this might be a possible false flag. But just wanted to add an extra report to the post already here. Please fix as soon as possible.

Share this post


Link to post
Share on other sites

Thanks pixelpebs. Are you using BT? I just asked someone else on another ISP and they don't see this, neither does my hosting company!

And when I try to go to the starfieldtech.com website I can't connect to it - I get various error messages e.g. can't connect - then goes to MB blocked screen, or the site is flagged with an SSL error.

Share this post


Link to post
Share on other sites

Hi Webdandy,

Yes I do happen to be using a BT broadband connection. If I go to the starfieldtech.com website I get the same error as you too, it redirects to:

https : / / block . malwarebytes . com / ? lic=Licensed & cat =Riskware&lang=en

With a big error message: "Website blocked due to malware Your Malwarebytes blocked this website because it may contain malware. We strongly recommend you do not continue."

Basically anything trying to connect to starfieldtech.com and malwarebytes is blocking it out.

Edited by pixelpebs

Share this post


Link to post
Share on other sites

Yes exactly the same here.

Wondering if this is related to a combination of MB and BT?

Share this post


Link to post
Share on other sites

I wouldn't expect an ISP to get in the way, unless BT are blocking all the domains IP ranges and Malwarebytes is picking that up, but I don't think it works that way.

As GoDaddy are one of the biggest domain and SSL suppliers worldwide and Malwarebytes has a large user base I expect this may effect quite a few people.

Hopefully someone will be along soon with further information on what the problem is.

Share this post


Link to post
Share on other sites

Yes I imagine there will be quite a few people affected. Lets hope the issue is sorted asap.

Share this post


Link to post
Share on other sites

Just on the off chance I called GoDaddy's SSL supplier support team in the UK and the technician had never heard of "malwarebytes" shocking lol. I told him it was a largely used software.. anyway moving on. They said they aren't aware of any issues but may not be able to help with third party software, they are raising it to second level support in case they know anything about why their domain is blocked, but advised to contact malwarebytes, I advised them someone already had.

Share this post


Link to post
Share on other sites

I also just spoke to godaddy and they mentioned this:

Starfield Technologies is a business entity related to GoDaddy, the American internet domain registrar and web hosting company that also sells e-business related software and services. You don't need to contact them eventually malwarebytes will recognize this as a form security and will not tag as a threat anymore soon

Share this post


Link to post
Share on other sites

My concern is why all of a sudden today it's happening when I have been visiting the same sites and this never popped up.

What changed somewhere?

Share this post


Link to post
Share on other sites

This has been noted on another forum section under Website blocking, but I'm also opening it here as it may be more widely noted.

All of a sudden, crl.starfieldtech.com is getting numerous popups, when visiting different web pages, that it is risky. The popups say it with an outbound connection. When I try to go to the starfieldtech.com website, it is being blocked. I ran a full system scan with 0 problems found. This only started this morning and I was wondering if a MB definition update is responsible or should I be concerned?

Share this post


Link to post
Share on other sites

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

    welcome mbst.png
     
  • Click the Gather Logs button

    gatherlogs.png
     
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     notify me.jpeg  


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     
    Spoiler

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    mb_attach.jpg.220985d559e943927cbe3c078b
     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Share this post


Link to post
Share on other sites

I'm in the USA. I do not know what BT is but I have McAffee running with MB. This warning started at 8:53am PDT (40 minutes ago) and is popping up every few seconds. Even when I am not active on the system. I think it started immediately when I engaged Thurnderbird. Nothing on my end has changed recently...have had this configuration for at least three years. No recent 

Share this post


Link to post
Share on other sites

It sounds like it's most likely the result of some browser plugin based on your description of the issue.  The first thing I'd suggest to test would be trying a different web browser to see if it still occurs.

Share this post


Link to post
Share on other sites

Hi WTK. BT is British Telecoms in the United Kingdom, they supply landline telephone and internet service provider services such as broadband. If you have something popping up when you are not active on the system and don't have an email or a browser window open connecting to the outside world and the mentioned SSL I'd suggest updating your Malwarebytes then doing a scan as it could be something on your system not just on a website page, I'm technical but not an expert, posting in the general MB forum might help more with that.

Thanks CICO. I wondered if they were aware their domain is blocked by a major software and if they knew of any IP address issues, I tested different websites and each loaded okay but had a popup about riskware from the same domain and with different IP ranges. Help guide says..

"I received a notification on a safe site, why? If a notification is presented on a safe site, and the site loads, it is likely the site was loading content that is hosted on an IP known for malicious activity. In this case, the site itself will be displayed perfectly fine, with the malicious content being blocked. If however, the site does not load, it is likely the site is also hosted on the same malicious IP address. It is also entirely possible that the site in question, shares it's IP address with other malicious domains." (link).

If several users only just started seeing the problem possibly a software definitions update went out today. I wouldn't think a large company that provide SSL and privacy would have unsafe IP ranges for SSL. I assume it's likely to be a false positive that gets removed in an upcoming software definitions update. Will wait for an update.

Share this post


Link to post
Share on other sites

It's doing it in both Edge and Chrome with multiple websites. No new plugins or extensions added by me. See posts in forum heading Website blocking under false positives. Others there having problem with starfieldtech which should be related to GoDaddy and website security.

Edited by Phxflyer

Share this post


Link to post
Share on other sites

Similar problem here, just started a few minutes.  I added an exception because MB was repeatedly issuing block notices.  Here is my log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/4/18
Protection Event Time: 2:06 PM
Log File: 97329896-7fac-11e8-872a-1c6f65ccc00f.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5765
License: Premium

-System Information-
OS: Windows 10 (Build 17134.112)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: RiskWare
Domain: crl.starfieldtech.com
IP Address: 72.167.239.238
Port: [14831]
Type: Outbound
File: C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe

(end)

 

The file vbsserv.exe is a major Bitdefender component file.  I can't imagine that it is sending traffic to a malicious site?

Submitted for your information.

Have a great day.

Regards,
-Phil

Share this post


Link to post
Share on other sites

Here's my $0.02 on this matter.

Starfield Technologies is a legitimate certificate authority, and is a division of GoDaddy, the web site hosting company. Web sites using a Starfield certificate may be trying to authenticate the certificate using one of several protocols -- including SEAL & OCSP. But, since MB has put them on the Web exclusion blacklist, those certificates cannot be authenticated.

To me, these actions are a legitimate activity and should be whitelisted unless MB or someone else can prove any malicious activity other than certificate authentication.

 

Share this post


Link to post
Share on other sites

Hi, I've made sure both Malwarebytes & Bitdefender are up to date and rebooted Win 10 machine, full scans run in both. Malwarebytes keeps popping up with blocked websites from odd programmes - namely 

Category: RiskWare  Domain: ocsp.starfieldtech.com  IP Address: 188.121.36.239   Port: [51816] Type: Outbound, File: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
And also similar in an Adobe prog.

Please feel free to point me at an obvious answer as this is likely to have been answered before.

Thanks

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/4/18
Protection Event Time: 6:05 PM
Log File: 736504da-7fac-11e8-b79e-6c626dee2776.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5765
License: Premium

-System Information-
OS: Windows 10 (Build 17134.112)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: RiskWare
Domain: ocsp.starfieldtech.com
IP Address: 188.121.36.239
Port: [51816]
Type: Outbound
File: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

 

(end)

FRST.txt

report scan.txt

website blocked.txt

Share this post


Link to post
Share on other sites

I was just rereading the posts about this under Website blocking and another user reported same problem. The difference with me is I'm in the US using cox.net, not BT, and I'm not using Bitdefender nor ever had it installed. I've never visited starfieldtech's website before but just tried to see what it was about when I found it was blocked. My problem was with continuous popups from MB alerting me to a "risky" website while I was browsing. I've listed this under exclusions for the time being. The important thing to note is this JUST started with me and it seems with those posting in the other forum.

Share this post


Link to post
Share on other sites

Happening to my site as well, but I am unable to recreate it.
I installed MalwareBytes and chrome extension and I'm not getting any warnings, but I have multiple users reporting the problem.

Just doing a little bump so I can be notified on responses, but if someone can tell me how I can recreate the issue that too would be helpful.

Thanks,
Tomasz

Share this post


Link to post
Share on other sites

I'm having the same problem but I'm in the US and not using BT nor am I using Bitdefender and have never ever installed it. I've started a post in the MB3 support forum hoping it might get a wider viewer audience. I've noted the important factor to me is these popups JUST started this morning. For the time being, I've listed starfieldtech under exclusions to get rid of those numerous popups.

Share this post


Link to post
Share on other sites

Repeating a comment from the other forum:

Here's my $0.02 on this matter.

Starfield Technologies is a legitimate certificate authority, and is a division of GoDaddy, the web site hosting company. Web sites using a Starfield certificate may be trying to authenticate the certificate using one of several protocols -- including SEAL & OCSP. But, since MB has put them on the Web exclusion blacklist, those certificates cannot be authenticated.

To me, these actions are a legitimate activity and should be whitelisted unless MB or someone else can prove any malicious activity other than certificate authentication.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.