Flagging Edge as Riskware

[Da_Shadow]

Using the free trial version without Browser Guard as I don't want to install it. Windows 10 Pro. 

I keep getting a popup window saying website has been blocked. Riskware website is reported as: "Malicious Website: 1
, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

See attached text file.WebsiteBlocked_Malwarebytes.txt

Free trial is up in 2-3 days from now (20 Mar). Not going to Premium. Just wondering why Edge on my SSD is considered Riskware. Edge still opens.

 

[Porthos]

2 hours ago, Da_Shadow said:

Just wondering why Edge on my SSD is considered Riskware. Edge still opens.

 

It is not the Edge browser that is being detected but Edge is communicating with an IP that is blocked.

 

[Da_Shadow]

OK. Then what is causing Edge to do this? I get the notice of RiskWare when Edge is first opened, get it after it has been opened, and get it when I open Edge's Collections.  I've asked Micro$oft but have not received a response. Do you know how to pin this down? The text file I attached shows an IP of 103.224.182.210. I have checked WhoIs and several other sites, and they give a lot of information but nothing others have ever complained about as a bad site.

I have attached a screen capture of the WhoIs information. Maybe you can read it and tell me why it may be causing the Riskware flag and getting blocked.

[Maurice Naggar]

Hello  @Da_Shadow

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• The block notice by the web-protection of Malwarebytes is keeping the pc safe from potential harm.
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware or riskware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes Web-protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.
 
Incoming block notice can be ignored, the Malwarebytes real-time protection is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.
 
No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).
 A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, DISCORD, or Instagram, SKYPE or Peer-to-peer software, to trigger these alerts.

These are also triggered by banner ads running on websites which is the most common form of alert.
The IP address blocked ) on outbound comm attempt) seems to be to a domain "above(.)com".

[AdvancedSetup]

That IP address is considered unsafe.  103.224.182.210

https://www.virustotal.com/gui/url/057dcd4bc896432e63bfb54bb6069d96fc88942b680c57e0c63a0bfdd17d478f?nocache=1

https://www.abuseipdb.com/check/103.224.182.210

 

[Da_Shadow]

On 5/25/2023 at 11:00 AM, AdvancedSetup said:

That IP address is considered unsafe.  103.224.182.210

https://www.virustotal.com/gui/url/057dcd4bc896432e63bfb54bb6069d96fc88942b680c57e0c63a0bfdd17d478f?nocache=1

https://www.abuseipdb.com/check/103.224.182.210

 

Hi: The outbound IP 103.224.182.210 is only reported as blocked when Edge is opened or when I open Collections and a few other things in Edge. It is ALWAYS Edge browser that Malwarebytes is triggered. Nothing else on my computer that I use causes that IP notice. I have tried to contact Microsoft but not sure why they aren't concerned. I just want to know why it is only Edge causing this and how to fix it.

[Da_Shadow]

On 5/25/2023 at 9:44 AM, Maurice Naggar said:

Hello  @Da_Shadow

 

I have tried to respond to your post but I keep getting a notice that my wording is spam. I tried rewording. After 5 times I quit trying and just letting you know this so you know I did read your post.

[Maurice Naggar]

Hello @Da_Shadow You did manage to make 2 posts and succeeded. @AdvancedSetup Perhaps you can check on this poster's postings ?

@Da_Shadow Some times, the forum board software "may" display a wording about "ips spam ...." .....if it is just a display, kindly ignore it. As long as you can type and attach reports .....I do need to have the MBST Grab file collection.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

[Maurice Naggar]

As I thought about it all, again. You can download and run the Support report tool on your machine. Then all you need do is 1 attach operation to simply without any comment, just attach the mbst-grab-results.zip

After attach is in place, just press the "Submit Reply" blue button at bottom.

[Da_Shadow]

On 5/28/2023 at 3:07 PM, Maurice Naggar said:

Hello 

@Da_Shadow Some times, the forum board software "may" display a wording about "ips spam ...." .....if it is just a display, kindly ignore it. As long as you can type and attach reports .....I do need to have the MBST Grab file collection.

I couldn't ignore the display as it never let me submit my post with the wording I used and tried to correct about 5 times. No problem.

As to using the support tool, that may not be effective as the blocking of that IP was done while using the trial version. I do not want to go Premium so I doubt it would help you if I ran it now that the trial period is over.

[AdvancedSetup]

I've whitelisted your account so you should be able to post now without the blocking @Da_Shadow @Maurice Naggar

[Da_Shadow]

16 hours ago, AdvancedSetup said:

I've whitelisted your account so you should be able to post now without the blocking @Da_Shadow @Maurice Naggar

Thank you. I don't think I will be able to do what Maurice Naggar wants me to since my trial version is over. There have been no more notices about the block since it has reverted to the free version. I really wanted to know why Malwarebytes was flagging that IP address as RiskWare. It seems I can't get any response from Microsoft about why Edge needs to communicate with the IP address in the first place. If you know of any way or ways to contact Microsoft that would result in a proper response, please let me know.

I am sorry to have taken up everyone's time and not have come to an answer. Thank you all for the help.

[AdvancedSetup]

You can still follow the directions from Maurice and we can scan your system for possible issue. I have NO better way to contact Microsoft than their current support system.

 

Edited May 31, 2023 by AdvancedSetup
Updated information

[Maurice Naggar]

Hello @Da_Shadow Running the support tool is needed so that we have a basis for eventually getting details. It does not matter in the least whether your Malwarebytes is in trial or free mode, nor even if your pc does not have Malwarebytes. Getting that collection is the first step. It is up to you.

[Da_Shadow]

5 hours ago, Maurice Naggar said:

Hello @Da_Shadow Running the support tool is needed so that we have a basis for eventually getting details. It does not matter in the least whether your Malwarebytes is in trial or free mode, nor even if your pc does not have Malwarebytes. Getting that collection is the first step. It is up to you.

If you don't have to have Malwarebytes installed, then exactly what is the information collecting? I can send information about my computer in detail usually software I have already. I can't see how you would understand why Malwarebytes is blocking an IP address if you don't have it installed. Nor, why you could determine the reason why it was blocking the IP when it was only doing so in trial mode. I'll be glad to upload the file but I would like to know what it will be looking through and what info it will be gathering.

[Da_Shadow]

6 hours ago, Maurice Naggar said:

Hello @Da_Shadow Running the support tool is needed so that we have a basis for eventually getting details. It does not matter in the least whether your Malwarebytes is in trial or free mode, nor even if your pc does not have Malwarebytes. Getting that collection is the first step. It is up to you.

OK. I went ahead and downloaded the support tool.

mbst-grab-results.zip

[Maurice Naggar]

Thank you for the reports. What had been blocked were Outbound attempts to reach IP address 103.224.182.210
The block was about that particular outbound attempt.
It just happened that EDGE was used in part of that attempt. It is not Edge browser itself that was tagged as a threat. As Porthos noted on the 20th 

Quote

It is not the Edge browser that is being detected but Edge is communicating with an IP that is blocked.

By the way, the last logged scan by Malwarebytes is on 25 May around 0920 hrs. No onboard infection was found on this pc.

It would be well nigh impossible to determine just what website or websites that Edge browser may have been on when the IP block happened.
Meaning can't tell what webpages were open at the moment of that event.

At this point, I would recommend a check for potential adwares that may possibly be on this system.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

Edited June 1, 2023 by Maurice Naggar

[Maurice Naggar]

What the support tool MBST report has are all the logs of Malwarebytes, which include scan logs and block event logs, along with general information about Malwarebytes status & configuartion.
There are no personally identifiable info. Also, included in the report is the Farbar FRST diagnostic report, which is quite handy to review running processes on the system, some basics about web browsers, and other security related things, such as a general list of system events.
It does not list contents of files. It does not have personal info. We use these reports in our diligent review for potential malicious malware. These reports are a big help. Plus the FRST provides a mechanism to accomplish custom fixes if they are actually needed.

[Maurice Naggar]

Looked at the section about EDGE browser. There are some 12 websites that are allowed to send Notifications, including Facebook, twitter, Instagram, Youtube, in addition to Outlook. Any one of those could have been the source of trigerring access attempt to a outside web IP address, if for example they happen to have a embedded link to a bad advertising or bad link.
I would suggest you consider to at least reduce all the notifications , if not to do away with all of them.
See this article on the Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

[Da_Shadow]

On 5/31/2023 at 6:39 PM, Maurice Naggar said:

Thank you for the reports. What had been blocked were Outbound attempts to reach IP address 103.224.182.210
The block was about that particular outbound attempt.
It just happened that EDGE was used in part of that attempt. It is not Edge browser itself that was tagged as a threat. As Porthos noted on the 20th 

By the way, the last logged scan by Malwarebytes is on 25 May around 0920 hrs. No onboard infection was found on this pc.

It would be well nigh impossible to determine just what website or websites that Edge browser may have been on when the IP block happened.
Meaning can't tell what webpages were open at the moment of that event.

At this point, I would recommend a check for potential adwares that may possibly be on this system.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

We knew the outbound IP block was 103.224.182.210.

I know Edge isn't the threat. Opening Edge triggered the response. Opening the feature Collections also triggered the block. I am trying to understand why Malwarebytes was triggered just by opening Edge. 

The warning seemed not to matter about which website Edge was on since I could trigger the warning by opening/closing/opening Collections. I wish Microsoft would respond about this.

I doubt if there are any adware problems as I do not get the block warning when using Firefox or any other browser. I'll do the Adwcleaner scan and get back to you.

Thanks for taking the time to help.

[Da_Shadow]

On 5/31/2023 at 7:15 PM, Maurice Naggar said:

Looked at the section about EDGE browser. There are some 12 websites that are allowed to send Notifications, including Facebook, twitter, Instagram, Youtube, in addition to Outlook. Any one of those could have been the source of trigerring access attempt to a outside web IP address, if for example they happen to have a embedded link to a bad advertising or bad link.
I would suggest you consider to at least reduce all the notifications , if not to do away with all of them.
See this article on the Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Now this is some information I can use. Thank you. I will disable all notifications. But, I will not be getting the popup notice that the IP is blocked as my trial period is over.  The trial period is doing the premium checks which will no longer be done. How will I tell if removing the notifications are the problem?

[Da_Shadow]

Here is the log (I hope) from Malwarebytes Adwcleaner.

AdwCleaner[C00].txt

[Maurice Naggar]

I do appreciate your wanting to know a lot more about the notices and the triggering source. You gotta understand that I rely on many years of helping lots & lots of similar cases. Push notifications especially if a site had corrupting embedded ad-links are known as a big source.
One has to be extremely picky and judicious as to which websites one allows to push "notifications".
It is best practice to have none. Thank you for the Adwcleaner report.

NOTE-1:  This is in the nature of integrity checks, and a wee-bit of housekeeping. This custom-script-fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files, if any found.  It will rebuild the Winsock. It will attempt to run scans with MS Defender. It will also clear cache files on web browsers . Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please run the following custom script. Read all of this before you start. Please Close all open work.

The tool FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt<-- - - - -

 

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

[Da_Shadow]

2 hours ago, Maurice Naggar said:

I do appreciate your wanting to know a lot more about the notices and the triggering source. You gotta understand that I rely on many years of helping lots & lots of similar cases. Push notifications especially if a site had corrupting embedded ad-links are known as a big source.
One has to be extremely picky and judicious as to which websites one allows to push "notifications".
It is best practice to have none. Thank you for the Adwcleaner report.

NOTE-1:  This is in the nature of integrity checks, and a wee-bit of housekeeping. This custom-script-fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files, if any found.  It will rebuild the Winsock. It will attempt to run scans with MS Defender. It will also clear cache files on web browsers . Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please run the following custom script. Read all of this before you start. Please Close all open work.

The tool FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt 15.04 kB · 0 downloads <-- - - - -

 

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

Most of the notifications that were activated only provided notices I wanted. No ads ever appeared. These were used when I was on the computer to get notices in real-time instead of always having to check email.

That last scan I ran said it rebuilt the WinSock.

You said FRSTENGLISH.exe is already on my machine. Where will I find that? You mention putting it and the other file in the downloads folder. I take it you mean the system's download folder and not the one Edge uses. Are these ok to use on my machine: Win 10 Pro? Exactly what fix am I needing on this machine? I do not understand why you need this. I hope you noticed that the Adware scan quarantined a lot of Dell stuff that comes with the computer. Nothing bad was really found that I could see. I guess I'm supposed to leave the Dell stuff in the quarantine folder?

What's with the notice in RED about the script? Are you sure it will not create a problem on my PC? I haven't downloaded anything yet. I may be late getting back to you.

BTW, I use to be on the staff at Geeks2Go[.]com helping people with their computer problems. I'm 81 now and can't remember as much anymore. 😁😁😁

[Maurice Naggar]

I can assure you the FRSTENGLISH is at C:\Users\Bilox\Downloads\FRSTEnglish.exe
That is what I term the Downloads folder. I can assure you that the custom-script is helpful to your system. It will not harm pc in any way.

I have been in malware removal for nearly two decades now. Over many years, I have helped on malware removal on at least 4 other forums besides the Malwarebytes forum. As I noted in NOTE 1 above, the script will run SFC & DISM to recheck the system. It will clean out browser caches, it will try to run scans with MS Defender. I appreciate you being a old-timer from G2G.

By the way, the 2 lines in red in my "fix script "speech" were not meant for you. It was to wave off other possible "other readers" to not grab the script to run on "their" machine. The intent is to say that the fix script is customized to the machine of the original poster ( your machine. The machine of "Da_shadow").

Edited June 3, 2023 by Maurice Naggar