184.106.62.49


Salelytics


Your software is blocking our website:  hxxps://www.salelytics.com/ (IP: 184.106.62.49).

Could you kindly remove it from your blacklist?  We thought it was fixed yesterday (see hxxps://forums.malwarebytes.com/topic/283414-1841066249/#comment-1500492), but we are still seeing the block by Malwarebytes Browser Guard:

[screenshot attachment: Browser Guard block message]

Let us know if you need anything else from us.  Thank you.

Link to post
22 minutes ago, Salelytics said:

Yes, we've done that a few times already and still no luck.  Any other suggestions are welcome.

Your blocks are specific to IPs, correct?  Or are domains involved?

I have no blocks from any MB product.

Uninstall Browser Guard, restart the browser, reinstall it, and leave the browser open for a few minutes, then go to the site.

Link to post

Thank you for your assistance.  We will wait to hear what Gonzo has to say.  Btw, we uninstalled Malwarebytes Browser Guard in Firefox and re-installed as you suggested and the site is still getting blocked. 

Also, we are very curious to know why this site was blocked in the first place.  That was not provided to us yesterday on the other topic we submitted.

Link to post

I had no issues in Firefox or Chrome, then did have a block in Edge.  I had some coffee, let the computer do the same, and now it is working in all browsers. Maybe the developer had something to do with it (back end tuning or something).  It is working now.

ADDENDUM:

I see a detection in Edge's log 5 seconds after new databases were loaded, but the database update was not complete until 47 seconds after the detection.  It failed at first, but not after the database update. I use Edge very rarely, so my Edge databases were downlevel.

Edited by gonzo
further analysis
Link to post

We've installed the extension in Edge, Firefox and Chrome and on computers within our network and outside of the network, and they all show the same blocked message from the screenshot originally posted.  Something is not right.  Also, we still don't know the root cause, so we can't explore ways to fix or prevent this on our side, assuming it wasn't just a false positive.  Any other information or suggestions are welcome.

Link to post

When Browser Guard is installed, it comes with databases that were current as of the date of the program version release. They require updating to become current as far as you are concerned.  Database updates occur every 15-20 minutes, unless there is some form of disruption.  When that happens, they are downloaded and then merged with existing databases. That takes a minute or less, and is the reason @Porthos said to leave the browser open. I violated that myself, causing me to get a detection in Edge and only Edge.

Download Browser Guard's logs and inspect them for the database download, the detection of salelytics.com that you are referring to, and the database update.  If you do not see success for the database operations, or if you see the detection, send me the logs.  You may also need to determine whether any other security/protection app has blocked the database update, or if there is a firewall issue.

Link to post

OK, that information is helpful.  As far as I can tell the database should be up to date.  This time I left the browser open for over 20 minutes.  This is what I see in the logs regarding the site:


{"@timestamp": "2022-02-04T19:27:36.999Z", "session": "1644002811331", "message": "ANY: Just matched 'salelytics.com' in database: mbgc.db.phishing.2", "level": "INFO"}

{"@timestamp": "2022-02-04T19:27:36.999Z", "session": "1644002811331", "message": "OM: (PAGE_BLOCK) malware (phishing) match found on https://www.salelytics.com/ for https://www.salelytics.com/. Database: {'name':'mbgc.db.phishing.2','version':'2.0.202202041720','md5':'548bd81abcdf4306c61a19543b5d947b','sha256':'01f5428acb94f31f328ec85431dc703ca185e4b77c94813e430cb490a8e9f644','size':685012,'url':'https://cdn.mwbsys.com/packages/mbgc.db.phishing.2/5/4/8/b/548bd81abcdf4306c61a19543b5d947b/e1570878-cc62-4c91-81ec-48072ded1760.2'}", "level": "INFO"}

{"@timestamp": "2022-02-04T19:27:37.004Z", "session": "1644002811331", "message": "OM: Malware (malware) detection on https://www.salelytics.com/. Redirecting to block page.", "level": "INFO"}

Link to post
1 hour ago, Salelytics said:

Also, after I waited 20ish minutes for the database to update and unblock the site, I then closed the browser and re-opened it and the site is blocked again.  Is that expected behavior?  That's not very convenient to users.  Does that initial database eventually get updated permanently?

Do the following and close the browser. Reopen the browser and do not go to the "blocked" site for a couple minutes then try it.

[two screenshot attachments]

Edited by Porthos
Link to post

Still no luck.  Regarding a question I asked earlier.  Does this block only by IP or also by domain?  Because I noticed that our internal sites (for example abc.salelytics.com) are also being blocked by Browser Guard and there is no way our internal IPs are in the block databases.  It looks like the entire salelytics.com domain is being blocked.

Link to post

Could you send the log please?  There was a phishing block that was unblocked yesterday. I am currently asking if there are any IP blocks or wildcard blocks still in existence (both are possibilities as far as block types go). In the log, I want to see database updates and integrations.  You went straight to the detection and did not show the other items.

Link to post

Thank you for that.  I was hoping to see something that looked like this (from my own logs):

{"@timestamp": "2022-02-04T17:58:01.395Z", "session": "1643997419119", "message": "UPD: 26/26 databases updated,{'mbgc.db.ads.2':'2.0.202202031053','mbgc.db.adware.2':'2.0.202202032203','mbgc.db.compromised.2':'2.0.202202010041','mbgc.db.exploit.2':'2.0.202202041005','mbgc.db.fraud.2':'2.0.202202041406','mbgc.db.hijack.2':'2.0.202202032203','mbgc.db.malvertising.2':'2.0.202202021233','mbgc.db.malware.2':'2.0.202202041720','mbgc.db.pharma.2':'2.0.202202010041','mbgc.db.phishing.2':'2.0.202202041720','mbgc.db.pup.2':'2.0.202202010041','mbgc.db.ransomware.2':'2.0.202202032203','mbgc.db.reputation.2':'2.0.202202041720','mbgc.db.riskware.2':'2.0.202202041631','mbgc.db.spam.2':'2.0.202202030607','mbgc.db.spyware.2':'2.0.202202041005','mbgc.db.trojan.2':'2.0.202202041720','mbgc.db.whitelist.ads.2':'2.0.202201160820','mbgc.db.whitelist.malware.2':'2.0.202201241203','mbgc.db.whitelist.scams.2':'2.0.202202041720','mbgc.db.worm.2':'2.0.202201312353','mbgc.db.malware.partial.urls.2':'2.0.202201240827','mbgc.db.malware.patterns.2':'2.0.202201240827','mbgc.db.malware.urls.2':'2.0.202202041720','mbgc.db.whitelist.scams.patterns.2':'2.0.202201240827','mbgc.db.whitelist.tracker.2':'2.0.202202020528'}", "level": "INFO"}
{"@timestamp": "2022-02-04T17:58:13.117Z", "session": "1643997419119", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-04T18:17:00.026Z", "session": "1643997419119", "message": "UPD: 4/26 databases updated,{'mbgc.db.malware.2':'2.0.202202041808','mbgc.db.reputation.2':'2.0.202202041808','mbgc.db.riskware.2':'2.0.202202041808','mbgc.db.malware.urls.2':'2.0.202202041808'}", "level": "INFO"}
{"@timestamp": "2022-02-04T18:17:08.274Z", "session": "1643997419119", "message": "RDB: 26 databases loaded", "level": "INFO"}

Your log showed loading from cache.  Whether or not cache had been updated is unknown.  Directly next to the link you clicked to get the logs is a Factory Reset link.  Click that to dump cache and reset Browser Guard to its initial settings.  I just did that in Chrome to determine that it almost immediately updated its databases.  See what that does for you.  Let me know after you get a chance to do that.

Link to post
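The two posts above describe what a useful triage of a Browser Guard log looks like: find the database download (UPD), the load (RDB) and the PAGE_BLOCK detection, and work out whether the block was made against a database that was updated only afterwards. The script below is an added example and not part of the thread or Malwarebytes' code. It parses the JSON-lines format shown in the posts above and, for each block, reports the matching database and version, how long after the last load the block happened, and whether a later UPD entry in the same log supersedes that version. The sample log is constructed from the thread's own entries; the 19:27:31 load time, the 19:28:23 update, and the newer phishing version 2.0.202202041900 are assumed for illustration.

```python
"""Triage Malwarebytes Browser Guard logs for blocks made on stale databases.

Added example; not Malwarebytes' code.  Parses the UPD / RDB / PAGE_BLOCK
messages in the JSON-lines log format shown in the forum thread.
"""
import ast
import json
import re
from datetime import datetime, timezone

UPD_RE = re.compile(r"UPD: (\d+)/(\d+) databases updated,(\{.*\})$")
RDB_RE = re.compile(r"RDB: (\d+) databases loaded")
BLOCK_RE = re.compile(
    r"OM: \(PAGE_BLOCK\) (\S+) \((\S+)\) match found on (\S+) for (\S+)\. "
    r"Database: (\{.*\})$"
)

# Constructed sample: the load time, the later UPD entry and the version
# 2.0.202202041900 are assumptions; the block lines are the thread's own.
SAMPLE_LOG = r"""
{"@timestamp": "2022-02-04T19:27:31.900Z", "session": "1644002811331", "message": "RDB: 26 databases loaded", "level": "INFO"}
{"@timestamp": "2022-02-04T19:27:36.999Z", "session": "1644002811331", "message": "ANY: Just matched 'salelytics.com' in database: mbgc.db.phishing.2", "level": "INFO"}
{"@timestamp": "2022-02-04T19:27:36.999Z", "session": "1644002811331", "message": "OM: (PAGE_BLOCK) malware (phishing) match found on https://www.salelytics.com/ for https://www.salelytics.com/. Database: {'name':'mbgc.db.phishing.2','version':'2.0.202202041720','md5':'548bd81abcdf4306c61a19543b5d947b','sha256':'01f5428acb94f31f328ec85431dc703ca185e4b77c94813e430cb490a8e9f644','size':685012,'url':'https://cdn.mwbsys.com/packages/mbgc.db.phishing.2/5/4/8/b/548bd81abcdf4306c61a19543b5d947b/e1570878-cc62-4c91-81ec-48072ded1760.2'}", "level": "INFO"}
{"@timestamp": "2022-02-04T19:27:37.004Z", "session": "1644002811331", "message": "OM: Malware (malware) detection on https://www.salelytics.com/. Redirecting to block page.", "level": "INFO"}
{"@timestamp": "2022-02-04T19:28:23.500Z", "session": "1644002811331", "message": "UPD: 2/26 databases updated,{'mbgc.db.phishing.2':'2.0.202202041900','mbgc.db.whitelist.scams.2':'2.0.202202041900'}", "level": "INFO"}
{"@timestamp": "2022-02-04T19:28:31.100Z", "session": "1644002811331", "message": "RDB: 26 databases loaded", "level": "INFO"}
"""


def _ts(s):
    """Parse the log's UTC timestamp (e.g. 2022-02-04T19:27:36.999Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Return (time, kind, payload) events for UPD, RDB and PAGE_BLOCK lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        t, msg = _ts(rec["@timestamp"]), rec["message"]
        m = UPD_RE.search(msg)
        if m:  # the version map is a Python-style dict literal, not JSON
            events.append((t, "update", {"done": int(m.group(1)),
                                         "total": int(m.group(2)),
                                         "versions": ast.literal_eval(m.group(3))}))
            continue
        m = RDB_RE.search(msg)
        if m:
            events.append((t, "load", {"count": int(m.group(1))}))
            continue
        m = BLOCK_RE.search(msg)
        if m:
            db = ast.literal_eval(m.group(5))
            events.append((t, "block", {"category": m.group(2), "url": m.group(3),
                                        "db": db["name"], "version": db["version"],
                                        "sha256": db["sha256"]}))
    return events


def triage(events):
    """For each block: which db/version matched, and was it superseded later?"""
    findings = []
    for i, (t, kind, p) in enumerate(events):
        if kind != "block":
            continue
        last_load = max((e[0] for e in events[:i] if e[1] == "load"), default=None)
        # Versions are fixed-width 2.0.YYYYMMDDHHMM, so string order is time order.
        newer = [e for e in events[i + 1:]
                 if e[1] == "update" and e[2]["versions"].get(p["db"], "") > p["version"]]
        findings.append({
            "url": p["url"],
            "database": p["db"],
            "version": p["version"],
            "seconds_since_load": (t - last_load).total_seconds() if last_load else None,
            "superseded_after_s": (newer[0][0] - t).total_seconds() if newer else None,
            "stale": bool(newer),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f)
```

A block with `stale: True` means the log itself shows the matching database being replaced after the detection; that is the pattern gonzo describes for Edge. A block whose database version equals the latest UPD entry for that database, with no newer version following, cannot be explained by a pending update and needs a closer look at the block type itself.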

Yes, that works.  And it works on any other tab that is opened while the browser is still open as well.  Unfortunately, after closing and re-opening the browser it goes back to blocking the site again.  Hopefully that helps get to a resolution though, since we can't expect users to do that anytime they need to get to our site.  Let us know what else you may need from us. 

Link to post
