Possible false positive


td47

Hello, I also have the same issue with a false positive for a different AWS CLOUDFRONT service, at server-18-64-50-125.mel52.r.cloudfront.net (IP address 18.64.50.125).

Can this one also be whitelisted please? In this case it is being used by the Microsoft News APP (msedgewebview2 API). I suspect MWB might be blocking these because of unreliable VIRUSTOTAL entries?

-Website Data-
Category: Malware
Domain: server-18-64-50-125.mel52.r.cloudfront.net
IP Address: 18.64.50.125
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedgewebview2.exe
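A small triage helper, added here and not code from Malwarebytes, VirusTotal or the poster: it parses the block above, checks that the CloudFront-style hostname embeds the same IP the block reports, and matches that IP against an excerpt in the format of AWS's published ip-ranges.json. The prefixes in the excerpt are a constructed sample for the demo; fetch the live file for a real check.

```python
import ipaddress
import json
import re

# Constructed excerpt in the layout of AWS's ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes are a
# sample for this demo, not a verified copy of the live file.
SAMPLE_IP_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "18.64.0.0/14", "service": "CLOUDFRONT", "region": "GLOBAL"},
    {"ip_prefix": "13.32.0.0/15", "service": "CLOUDFRONT", "region": "GLOBAL"},
]})

# Constructed copy of the detection block quoted in the post above.
SAMPLE_BLOCK = """-Website Data-
Category: Malware
Domain: server-18-64-50-125.mel52.r.cloudfront.net
IP Address: 18.64.50.125
Port: 443
Type: Outbound
File: C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\121.0.2277.128\\msedgewebview2.exe
"""

def parse_block(text):
    """Turn the 'Key: value' lines of a Malwarebytes website block into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
    return fields

def aws_services_for(ip, ip_ranges_json):
    """Return the AWS service tags whose published prefixes cover ip."""
    addr = ipaddress.ip_address(ip)
    return {p["service"] for p in json.loads(ip_ranges_json)["prefixes"]
            if addr in ipaddress.ip_network(p["ip_prefix"])}

def triage(text, ip_ranges_json=SAMPLE_IP_RANGES):
    f = parse_block(text)
    domain, ip = f.get("Domain", ""), f.get("IP Address", "")
    # CloudFront edge hostnames embed their IP: server-A-B-C-D.<pop>.r.cloudfront.net
    m = re.fullmatch(r"server-(\d+)-(\d+)-(\d+)-(\d+)\.[a-z0-9]+\.r\.cloudfront\.net", domain)
    embedded_ip = ".".join(m.groups()) if m else None
    return {
        "hostname_matches_ip": embedded_ip is not None and embedded_ip == ip,
        "aws_services": sorted(aws_services_for(ip, ip_ranges_json)) if ip else [],
        "process": f.get("File", "").rsplit("\\", 1)[-1],
    }
```

A block whose hostname and IP agree and whose IP falls inside a CloudFront prefix is consistent with a CDN edge serving a legitimate app, which is the evidence to attach when asking for a whitelist review.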

On 2/22/2024 at 3:58 PM, Porthos said:

You are here posting in the new topic.😁

Apologies for mixing up the old and new post, I had both open in 2 tabs on the same Firefox browser, and the posts looked the same. I forgot to scroll up! Regards, Embarrassed in OZ!! 🤫

22 hours ago, BjelakovicL said:

Hi,

Can you please check if you're using the latest database? Neither domain nor IP is on our blocklist. If you're still seeing this detection, please reinstall MB.

I did do an update check after you posted, and my MWB did indeed go from 4.6.8.311 to 4.6.9.314, with a small update to the defs I think. We will have to see how it goes, as the news services items seem to use lots of different CLOUDFRONT services, and I guess it is difficult to white-list all of the variations. However, I did read on the VirusTotal technical pages that they try to avoid flagging large entities with multi-domain multi-tenant service offerings, such as Amazon AWS, Google, Microsoft Azure, and CloudFlare, just to name the top 4. Perhaps they need to clean this up, if big vendors like yourselves are pulling data into your definitions.

19 hours ago, Porthos said:

Malwarebytes does not report at VirusTotal web/IP blocks.

OK, thanks for that observation. I see that VT has an API, where expert users (and I assume also AV vendors) can query their database to gather details on new threats, or to check on a threat status. I am just wondering if it can work the other way around, i.e. can vendors (such as Malwarebytes) use VT for updating the internal threat database of the product?
