BobSoul Posted April 17, 2023 ID:1563495
Browser Guard is flagging and blocking my pfSense router's WebGUI interface on the local LAN side when accessing it. I can add it to the allow list and it is fine. I have run AdGuard and Emsisoft blockers against it and they do not have the issue. I believe it may be the LAN IP that triggered it, 192.168.5.x range. It did not start till Friday; prior to that no issues, so assuming it may be the latest update etc. My Malwarebytes Endpoint Nebula products do not block it. I can either add to the filter or just say ignore and it lets me through. I know pfSense routers use self-signed certs, but in the past and on other pfSense routers (not using the same LAN IP) they are fine.
Staff Dashke Posted April 17, 2023 ID:1563500
Can you please attach a screenshot?
BobSoul (Author) Posted April 17, 2023 ID:1563507 (edited)
That's the screenshot. I can continue or add to the allow list. It's actually the router WebGUI that's being accessed. I have checked the router, rebooted, etc., even rolled back to a previous config of the router and backup just to be sure. Also other web blockers don't flag it, and neither does Endpoint Nebula as I mentioned.
Edited April 17, 2023 by BobSoul
BobSoul (Author) Posted April 17, 2023 ID:1563530
Well, after lots of testing it is only Malwarebytes Browser Guard that does this (latest version); no other browser guards have blocked it. From what I can tell it appears to be caused by the sshguard feature of the WebGUI, which monitors for attempts to log in from untrusted sources or locations, that's triggering Browser Guard in combination with the specific LAN IP. I know for a fact this router is not infected. pfSense software is very good at preventing that, and as I stated (rebooted and went backwards to a backup image of the router) verified with Netgate documentation etc. The combination of self-signed certs and the sshguard appear to be triggering Browser Guard when in combination with the IP.
BobSoul (Author) Posted April 17, 2023 ID:1563544
Further info: if I connect using the router's hostname and local domain, it does not trigger the detection, only when using the IP. So this would then appear to be a false detection based on the IP, since it's fine using the hostname and local domain of the router on the LAN side.
Root Admin AdvancedSetup Posted April 17, 2023 ID:1563593
Hello @BobSoul
Please try the following Browser Guard reset. To do so:
1. Open Browser Guard
2. On the top right, click the 3 vertical dots
3. Click "Support"
4. Click "Factory Reset"
If still an issue, then please get us some logs from Browser Guard. You can download the log from the Support page. Here is an example of the log naming to look for when uploading: BG-Logs_v2.6.0_2023-04-17_135159.txt
Thank you
BobSoul (Author) Posted April 17, 2023 ID:1563601
That fixed it. I tested across 2 machines after factory reset and no further blocking issue when using the LAN IP. (Made sure the allow list was blank as well, though I did that prior to testing with using the hostname and domain name combo, which these routers use their own or you can use the network domain, which made an easy way to test for a real issue versus a false detection.)
BobSoul (Author) Posted April 17, 2023 ID:1563604
OK, I jumped the gun a bit on that. After closing the browser and trying again a few times it started again. Here is the debug file: BG-Logs_v2.6.0_2023-04-17_182138.txt
BobSoul (Author) Posted April 17, 2023 ID:1563605
It still will work fine as long as I don't use the IP. After factory reset it worked a few times, then started again. However, it works fine when accessing via the hostname. I'll upload a debug log with accessing that way as well.
BobSoul (Author) Posted April 17, 2023 ID:1563607
This is when accessing by hostname versus IP, which works with no issues; it's just when using the IP. If I do a factory reset it works fine again, then a bit later starts. The second log is with doing a factory reset again.
BG-Logs_v2.6.0_2023-04-17_18261.txt
BG-Logs_v2.6.0_2023-04-17_182834.txt
Root Admin AdvancedSetup Posted April 17, 2023 ID:1563609
Thank you for the logs @BobSoul. I will submit them to the team for further review.
BobSoul (Author) Posted April 17, 2023 ID:1563610
Thanks. From what I can tell by the debug logs, it's the 5.1 that is hitting a match versus when using the hostname of the router, which both load the same PHP pages and WebGUI in the same manner, just a different address. I've extensively scanned machines etc.; they are all clean. I have other pfSense routers connected via IPsec tunnels as well that don't detect, but they do not have the 5.1 IP. This started on Friday afternoon; prior to that no problem accessing earlier in the day (until after the update on Browser Guard). Just trying to give you as much info as possible.
BobSoul (Author) Posted April 17, 2023 ID:1563618
Malwarebytes Nebula scans and active web blocker show it as clean as well. I just went through all the Nebula logs etc. for various machines and several scans on the machines I have been testing this on as well. (Emsisoft browser protection still sees it as fine, as does AdGuard; default Chrome protection only sees the self-signed cert and warns on that, but that is normal and is documented by Netgate pfSense as normal.)
BobSoul (Author) Posted April 18, 2023 ID:1563674 (edited)
Update info just in case it's helpful. Spoke with Netgate themselves; the router is clean and they believe it's the actual IP address itself, with the 5.1 in it, that is triggering the error, based on this from the debug log:
{"@timestamp": "2023-04-17T22:21:27.277Z", "session": "1681770081858", "message": "ANY: Just matched '5.1' in database: spyware", "level": "INFO"}
{"@timestamp": "2023-04-17T22:21:27.277Z", "session": "1681770081858", "message": "OM: (PAGE_BLOCK) malware (spyware) match found on https://xxx.xxx.5.1:xxxx/ for https://xxx.xxx.5.1:xxxx/
Changing the router's IP is not actually a quick option, since it requires redoing an entire network of statics and other devices' pools of addresses as well as IPsec tunnels and VPN connection profiles etc. Without doing anything to Browser Guard I can change to using the hostname.domain in place of the IP and it does not get blocked.
Edited April 18, 2023 by BobSoul: blocking the IPs with xxxx to only highlight the 5.1
Staff ceckelberry Posted April 18, 2023 (Solution) ID:1563675 (edited)
@BobSoul This was due to a database that dynamically applies new patterns in the wild to proactively block emerging threats and was an FP. This should be resolved in the next database update (give it about 30 minutes).
Edited April 18, 2023 by ceckelberry
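As an added illustration (not Browser Guard's code; its real matching logic is not shown in this thread), here is a toy block-list matcher that is assumed to test database patterns as plain substrings of the URL host. It reproduces the "Just matched '5.1'" hit against an IP-literal host such as the constructed 192.168.5.1, alongside a hardened variant that never applies name patterns to IP literals and only matches whole DNS labels as a suffix:

```python
"""Toy block-list matcher reproducing the '5.1' false positive (assumed logic)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample database: one plausible tracker domain and the short
# pattern that, per the thread's log, produced the false positive.
SPYWARE_PATTERNS = ["bad-tracker.example", "5.1"]


def naive_match(url, patterns=SPYWARE_PATTERNS):
    """Substring test over the host part; returns the matching pattern or None.

    An IP literal like 192.168.5.1 contains '5.1', so a LAN router address
    can hit a pattern that was meant for a hostname.
    """
    host = urlsplit(url).hostname or ""
    for pattern in patterns:
        if pattern in host:
            return pattern
    return None


def is_ip_literal(host):
    """True for IPv4/IPv6 literal hosts, False for DNS names."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def hardened_match(url, patterns=SPYWARE_PATTERNS):
    """Return the matching pattern or None, with two FP guards.

    1. IP-literal hosts are never matched against name patterns.
    2. A pattern matches only as a whole-label suffix of the host, so
       'bad-tracker.example' hits 'www.bad-tracker.example' but not
       'bad-tracker.example.com', and '5.1' cannot match inside a label.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or is_ip_literal(host):
        return None
    labels = host.split(".")
    for pattern in patterns:
        plabels = pattern.lower().split(".")
        if len(plabels) <= len(labels) and labels[-len(plabels):] == plabels:
            return pattern
    return None
```

Checking a candidate pattern against the RFC 1918 ranges your users reach by IP literal, as `hardened_match` does, is the kind of pre-publication test that keeps a short pattern from blocking a LAN management interface.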
BobSoul (Author) Posted April 18, 2023 ID:1563679
@ceckelberry Thank you. I never want to just assume something without testing etc. and then verifying. This way I can tell the boss it's fine, forget about it, lol.
Staff ceckelberry Posted April 18, 2023 ID:1563705
@BobSoul For sure! Glad you asked :)