
Potentially suspicious MB Protection update URL


This morning Little Snitch alerted me to the MalwareBytes Protection daemon connecting to a new URL to check for updates.

malwarebytes-main-dev.cphostaccess.com

I'm probably just being paranoid, but wanted to check this was legitimate. I run MB on several machines, and they haven't requested to connect to this URL before.

The domain registrar is Amazon, same as malwarebytes.com, but I can't see any references to cphostaccess.com anywhere in the MB online documentation.

I'm running the latest version of Big Sur and MB for macOS.

Any ideas?

Thank you.

Any time Little Snitch tells you the exact name of the application or process that is asking, you should trust the connection to the same extent as you trust that application/process.


LS prompts the same here. Guess it's legitimate (checks out at VirusTotal) but since it's a first wondering why this new prompt to dev.cphostaccess.com, which appears to be used by any number of other companies, including principally Shimano bicycle. IP is to Amazon Cloudfront.

Denying for two hours until I know a bit more.

https://i.postimg.cc/k595zFFG/Screen-Shot-2021-12-01-at-10-56-16-AM.png

 

Edited by WZZZ

  • Staff

Can those of you seeing this verify the following:

  1. The version of Malwarebytes you have installed
  2. When the last Malwarebytes update (not protection update) occurred
    • This can be found in the activity log tab in the pane that opens when you click on the Detection History card on the main dashboard
  3. When this first started happening

15 minutes ago, treed said:

Can those of you seeing this verify the following:

  1. The version of Malwarebytes you have installed
  2. When the last Malwarebytes update (not protection update) occurred
    • This can be found in the activity log tab in the pane that opens when you click on the Detection History card on the main dashboard
  3. When this first started happening
  1. The version of Malwarebytes you have installed
    1. 4.13.5 (according to log, Finder just says 4.13)
  2. When the last Malwarebytes update (not protection update) occurred
    • This can be found in the activity log tab in the pane that opens when you click on the Detection History card on the main dashboard
      • 27th September 2021 18:29 (GMT)
  3. When this first started happening
    • This morning. Looking at the detection history log, the last protection update (v4.0.571) happened yesterday at 20:32 (GMT). So the check this morning appears to have been just that. Looking at Little Snitch, 54.3kb was downloaded, 3.53kb was uploaded. Process signed by MalwareBytes and Apple.

I'm freaking out a little here, should I take my machines offline? Please advise ASAP.

Thank you.


  • Staff

No need to freak out, as that domain is apparently legitimately used by us. However, it's not anywhere in the code for the client, so I suspect something on the backend got messed up. Although it's not malicious, the client is not supposed to connect to that domain.

Thanks for that info... that definitely provides some evidence that my suspicion is correct.


3 minutes ago, treed said:

No need to freak out, as that domain is apparently legitimately used by us. However, it's not anywhere in the code for the client, so I suspect something on the backend got messed up. Although it's not malicious, the client is not supposed to connect to that domain.

Thanks for that info... that definitely provides some evidence that my suspicion is correct.

Ah that's good to know, thanks for the fast response.

If there does turn out to be any cause for concern (which sounds unlikely), please do let us know.


  • Staff

Okay, looks like this was definitely an error on the backend, and it has been found and should be fixed now. If you allowed that domain in Little Snitch, please remove that (so that Little Snitch will alert on it again), and then let me know if you see the alert come back again in the next 24-48 hours.
