Security Check tool blocked

[Zeus_Dog]

I wanted to point out that I tried to download this tool https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

to check it out and a second or two after it finishes download Browser Guard pops up and flags it then deletes the file from my downloads folder. Not sure if anyone else is having the problem. So I had to disable it to get it then ran checks with MBAM, Kaspersky, Emsisoft, and Bitdefender and they say it is clean but on Virus Total Malwarebytes and two others are flagging it. I attached the screen shot. Just thought you might want to know.

[AdvancedSetup]

Can you please check and verify what version of Malwarebytes Browser Guard you're using and let us know.

 

[Zeus_Dog]

2.2.17

[Zeus_Dog]

In case you want to know I'm on wi7x64 Sp1 using Firefox 84.0.2

[AdvancedSetup]

I've reported it, but I'm on the same version but on Windows 10 and cannot duplicate the block.

Hopefully by Monday someone can take a further look into it.

Thank you

 

[gonzo]

I have not been able to duplicate this in Chrome or Firefox on Windows 10.  Knowing that suspicious downloads are sometimes the result of a block on a referring domain, could you please tell us the steps you took to end up with this problem?  We need to be able to reproduce it before we can know exactly how to fix it.

[Zeus_Dog]

Hey Gonzo,

 

   I find it very inconsistent myself, but I would just either click on the link that Advanced setup had given or copy and paste it into a new tab and it would present a little Windows window "OpeningSecurityChec,exe" and ask to save or cancel. I would save, it would download, and then sometimes after the download was complete, it would then popup the Browser Guard window and delete the file from the downloads folder. Now I run Kaspersky Total Security as my main av, not sure if there is something there causing Browser Guard to randomly trigger on it??

[gonzo]

safezone.cc is in my whitelist.  That should also take care of subdomains.  Theoretically, that should also take care of suspicious downloads.  Theoretically, we should not have pandemics either.  I just tried to trigger it five times with Firefox.  It successfully downloaded each time.  Not being able to reproduce the problem, the best I can offer is to ask you to send me a debug log should it happen to you again. At least then, I will have something to look at that may yield a clue.

[Zeus_Dog]

Where would I be finding the debug log? Also curios about the Virus Total flags from Malwarebytes, Palo Alto Networks, and Sentinal One, I'm assuming FP's?

[Zeus_Dog]

Granted I realize Security Check is not a Malwarebytes product, but since it is recommended by staff, just making sure it is safe for customers they recommend it for.

 

[AdvancedSetup]

The file is from 2017 and simply reads data from your computer and compares it to a list of program updates available via an XML file within the program.

You can open it with WinZip, 7-Zip, etc and look at it.

https://www.virustotal.com/gui/file/6fbd17dc86e44b0a3fa4ab8d4d5cadd541bb67cc1dc505cc3c5b495eadd2946e/detection

[gonzo]

Debug log is created in your \Downloads directory.  Look for a file with a "jsonl" extension.  WARNING: This puppy grows faster than the national debt.  A new log is started every time a new browser session starts (browser, not browser tab), but multiple tabs and long sessions create huge logs.

Ron beat me to the punch on the other part.

[Zeus_Dog]

I'm assuming you mean open up Browser Guard when this warning pops up and and click the three dots in upper right and click on support, and click download debug logs? If so do I have to do it when that warning is up? I did download the log a few minutes ago, I had received the error twice tonight, the browser has not been closed since this happened, but the tab it was in has. Not sure if that will have it in it?

[gonzo]

Your assumption is correct.  If you have not exited your browser, evidence may still be in the logs.  It also has a maximum size so the oldest data gets discarded to make way for new data.  With only a few minutes run time, you should be okay.  Download it, zip it up and send it over. The ZIP file will be fairly small (comparably).

[Zeus_Dog]

Here you go

BG-Logs_v2.2.17_2021-01-27_20941474.zip

[gonzo]

Could you see if you can determine the identity of this Firefox extension:

6d0326e4-7a4a-475a-a805-1830dd84caaf

It is causing a scam detection (only once) associated with a download of the file in question.  It is in the logfile at line 901.  Are you using a download manager?

I'm at about 10.5 hours in for the day, and I can hear a pizza off in the distance calling my name.  With what I have found and what further you may be able to tell me, I will talk to the developer in the morning.

[Zeus_Dog]

That extension is uMatrix made by Raymond Hill (uBlock Origin creator). I don not use a download manager.

[gonzo]

It appears there is an interaction between uMatrix and Browser Guard that is causing the issue.  It appears in line 901 of the log file, but only appears once in the file overall.  Because there is not a external URL that can be added to an Allow list, I would look to see if something could be done from the uMatrix side to allow Browser Guard operation.  From reading about uMatrix, it appears that it is doing the same thing as Browser Guard, but being able to go after scripts which Browser Guard may use during operation my also cause uMatrix to target Browser Guard.  I don't think either product or the file you are trying to download are problems on their own, but the interactions between them can be.

[Zeus_Dog]

Just so you know, at this time it appears that uMatrix is not being developed anymore, so it won't get fixed on that side. But at least we know the issue and if someone has to temporarily disable one to get it, it is what it is. It is simple enough, and as long as the file seems safe, (thoughts of the Solarwinds supply chain attack is what prompted me to wonder with the virustotal hits) then it is all we can do. Glad I could help.

[gonzo]

As am I.  Not enough hair left on this head to do much serious head scratching!

[Porthos]

31 minutes ago, Zeus_Dog said:

at this time it appears that uMatrix is not being developed anymore

I personally use UBlock Origin and Browser guard together on all of my supported browsers. No issues.🙂

[Zeus_Dog]

I do to, but umatrix has some nice abilities as well with script, xhr, frame and other blockings that noscript and ublock don't cover. There is overlap, but also things each one can do that the other ones can't. I have found these to be a great one, two, three punch.