
Website blocked. Please review


adambiser


This is with the Firefox Browser Guard (at least).

Website blocked due to trojan

Website blocked: winwolf3d.dugtrio17.com

Malwarebytes Browser Guard blocked this website because it may contain malware activity.

There is a download in that subdomain that gets false positives.  I've recompiled it hoping that would make it a little better.  ESET NOD32 would delete the old download, but doesn't delete the new one.

Would you review this site please?  If there is an issue still, please let me know.

Thanks.


Dr Web has removed the site from their blacklist.  Waiting on Yandex Safebrowsing now.

https://www.virustotal.com/gui/url/493ea005230a240382db924c87018af03ea87f0b0650bfa6e94b9839955cf6b1/detection

Norton at least gives some details.  "IMFCreator-1.0.17.3.exe" is a false positive and not available on the site anymore.  I've recompiled both the executable and the installer and posted a newer version.


This one may be the root cause. It gets more hits than the higher-level folder or the domain itself.  I just ran that URL through VirusTotal right before making this post, so either VirusTotal has some history behind their evals or there is still something out there.  Plug the following URL into VirusTotal and see what I base my comment on.

winwolf3d.dugtrio17.com/download/IMFCreator

Edited by gonzo

Yeah, that's the one that gets the false positives.

Approximately how long does it take for the checks that VirusTotal uses to re-evaluate?  I'm assuming that since Dr. Web has cleared it and once Yandex and Norton get around to re-evaluating the site/file that these others will eventually follow suit.

Each site is dumber than the next for reporting false positives.  This experience is actually making me trust them less.  (Looking at Fortinet requiring a description for how the software does boot execution and browser integration after I've just said that it does neither of the two.)


Just so you know, McAfee also has your site flagged. Go to https://sitecheck.sucuri.net/results/winwolf3d.dugtrio17.com/download/IMFCreator and you'll see that McAfee, Yandex, and Norton blacklist it at the subdomain and full path level. McAfee shows the exe and a php file as being dangerous. May need to check those out. Do you possibly use any shared repositories off, say, github or elsewhere that may be infected? It seems to be happening a lot these days.


I've checked out everything.  I'm just an indie developer trying to help out the Wolf3D modding community by providing these tools.  I don't have the resources to track down every AV software package flagging the file, so I'm just going to start removing things.  These were personal projects that have been around since before github existed and written almost completely from scratch by myself, but the amount of time it will take to fight these false positive reports is becoming overwhelming.  downloads.php is a file I wrote myself and is probably being flagged because it points to IMFCreator.

For example, Fortinet's submission page was the dumbest I've experienced, requiring me to explain how the program does certain things that could be malicious after I've already said it does not.  They did this for six questions and the end result is that they still think it's malicious.  I'm actually using a subdomain from someone else's site, and the fact that this stuff is causing problems is putting me in such a bad situation.  It's just better for me to remove the downloads so the reputation of his site will hopefully return to normal.

The funny thing is that trying to figure out how to compile the program in a way that AV programs don't think it's a virus has had the unintended result that they now see it as a polymorphic virus.  I'm giving up.


Unless you just gotta have this tonight, I would recommend holding off on any more changes.  I got one of our researchers to look at the offending EXE, and he did not see any issues.  If there is a PHP involved as well, that has not been looked at.  If it is as simple as you say it is, it would not likely affect the outcome.  After hearing back from the researcher, I sent something off to the people who are in charge of blocks for our main products.  I need them to remove the block.  I have not gotten their attention yet.  It's possible that the European crew are involved, and if so, they are still sleeping.  I cannot effect a true change by adding a whitelist entry for Browser Guard, because only people who use it and do not use the main Malwarebytes product would benefit.  If they use the main product (or both), the block for the main product would overrule anything I could do.

I hope that all makes sense.  I am monitoring for any changes.  They just haven't happened yet.


If it helps for me to re-add the IMFCreator download, I will, but I took it down so it doesn't affect the reputation of dugtrio17 any more than it already has.  As I mentioned, I was using a subdomain of his and since this is getting flagged, his site is flagged as well and I feel obligated to get it straightened up.  The php file is there and it's just a simple file to keep track of download counts for the database.

I do understand what you're saying and thank you for your time and patience in this.


Thank you again for your time and patience.  It looks good through the browser add-on.  I'm going to hold off on re-posting IMFCreator until I get the all-clear from several AV vendors and things start to clear up.  If I add it back while some are still flagging it, will that cause the site to be blocked again?


I honestly don't know if any of their results are historical or delayed (as compared to real-time testing), so I don't have a good answer for you.  I think it would be best to get to a known, stable place before making any further changes though.  If you see good results across the board, that is the time to start tinkering.  Otherwise, it might be a game of catch-up.

Root Admin

I see on the site they say the file was removed. Whether or not the file is good or bad, it is still hosted even though the site says it's not:

http://winwolf3d.dugtrio17.com/downloads/IMFCreator-1.0.17.4.exe

Just downloaded it, so it's there and could/would be reason for ongoing flagging of the file.

40 out of 68 engines rescanned the file today and detect it.

https://www.virustotal.com/gui/file/82ec469d0324df9e3925ad11ec23140e4e92a3b837693765d022b70d1016d588/detection
