
ngrok getting flagged as malware


I had been using ngrok reverse proxy for months, and today it started getting blocked by malwarebytes. I got a notification on my computer that the program had been quarantined.

Here is the ngrok site where they claim it's common that they get flagged as malware.

https://ngrok.com/docs/faq/#:~:text=Because ngrok is sometimes used,potentially unwanted application (PAU).


2024-05-16 19:45:44,388+02:00 [5652 ] [41] INFO  MBAMPlugin Located the service and it is Running
2024-05-16 19:56:51,862+02:00 [5652 ] [50] INFO  MBAMPlugin Threat Detected and Blocked Id:11822 Name:RiskWare.Ngrok RuleId:1231477 Object Name:C:\ProgramData\chocolatey\lib\ngrok\tools\ngrok.exe
2024-05-16 19:56:53,448+02:00 [5652 ] [50] INFO  MBAMPlugin Log Event CCHL_RTP:C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\RTPDETECTIONS\AC84199A-13AD-11EF-9D51-4074E0DC1E81.JSON:AC84199A-13AD-11EF-9D51-4074E0DC1E81
2024-05-16 19:56:53,822+02:00 [5652 ] [50] INFO  MBAMPlugin Quarantine Item Added -- QuarId:ac84199b-13ad-11ef-9770-4074e0dc1e81
   Client --- CType:ClientRtp ClientId:
   Detection - Path:C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\RtpDetections\ac84199a-13ad-11ef-9d51-4074e0dc1e81.json ResultsId:ac84199a-13ad-11ef-9d51-4074e0dc1e81
   Object ---- Path:C:\ProgramData\chocolatey\lib\ngrok\tools\ngrok.exe Type:CCObjectTypeFile
   Results ---- ThreatId:11822 Name:RiskWare.Ngrok at:2024-05-16T17:56:53Z Result:QuarantineResultSuccessful 
   Links  ---- ParentId: LnkType:CCLinkTypeNone


2024-05-16 19:56:58,840+02:00 [5652 ] [19] INFO  MBAMPlugin MBEADomain.Payloads.RealtimeEventData
{"status":"quarantined","clean_status":"quarantined","type":"file","block_type":0,"threat_name":"RiskWare.Ngrok","source":"rtp","date_detected":"2024-05-16T19:56:51+02:00","location":"C:\\ProgramData\\chocolatey\\lib\\ngrok\\tools\\ngrok.exe","detection_id":"ac84199b-13ad-11ef-9770-4074e0dc1e81","url":null,"ip":null,"port":null,"process_name":null,"app_display_name":null,"protection_technique":null,"protection_layer":null,"exploit_md5_hash":null,"md5":"7A3C5B70FFDB7399DC9386EA6511C0A9","sha256":"F7EE8FDCB8A064A192AA58B6EC2D80879BD71B5995B06352EE360CFB38CD4732","rule_id":"1231477"}

2024-05-16 19:56:58,843+02:00 [5652 ] [19] INFO  EAEngine Post results to Nebula async invoked by _PrivateProcessMessage
2024-05-16 19:56:58,845+02:00 [5652 ] [44] INFO  NebulaCommunicator Post to Nebula - Id: 4d9e9236-b63f-4733-a5a9-d5ea2cb8652e - Created: 5/16/2024 7:56:58 PM - Size: 838 - Data:
	{"user":null,"job_id":null,"schedule_id":null,"schedule_etag":null,"type":"RTP_STREAM_EVENT","data":"{\"status\":\"quarantined\",\"clean_status\":\"quarantined\",\"type\":\"file\",\"block_type\":0,\"threat_name\":\"RiskWare.Ngrok\",\"source\":\"rtp\",\"date_detected\":\"2024-05-16T19:56:51+02:00\",\"location\":\"C:\\\\ProgramData\\\\chocolatey\\\\lib\\\\ngrok\\\\tools\\\\ngrok.exe\",\"detection_id\":\"ac84199b-13ad-11ef-9770-4074e0dc1e81\",\"url\":null,\"ip\":null,\"port\":null,\"process_name\":null,\"app_display_name\":null,\"protection_technique\":null,\"protection_layer\":null,\"exploit_md5_hash\":null,\"md5\":\"7A3C5B70FFDB7399DC9386EA6511C0A9\",\"sha256\":\"F7EE8FDCB8A064A192AA58B6EC2D80879BD71B5995B06352EE360CFB38CD4732\",\"rule_id\":\"1231477\"}","user_job_id":null,"started_at_local":"2024-05-16T19:56:58.8438295+02:00"}
2024-05-16 20:14:13,581+02:00 [5652 ] [30] INFO  BoomerangHandler Nebula Event name: event.command.received, Command Context: uuid:,scheduleid:,userjobid:d0e79966-bc7b-4ffd-8b1f-818d239ebde5,command:command.engine.getconfiguration
2024-05-16 20:14:13,585+02:00 [5652 ] [30] INFO  EAEngine Post results to Nebula async invoked by NebulaEvent
2024-05-16 20:14:13,587+02:00 [5652 ] [44] INFO  NebulaCommunicator Post to Nebula - Id: 9b63ad7f-e5e5-4a21-b4a0-2a406509685d - Created: 5/16/2024 8:14:13 PM - Size: 332 - Data:
	{"user":"","job_id":"","schedule_id":"","schedule_etag":"","type":"BOOMERANG_EVENT","data":"{\"event_name\":\"event.command.received\",\"error_code\":0,\"error_message\":\"\",\"timestamp\":\"2024-05-16T18:14:13.5835964Z\"}","user_job_id":"d0e79966-bc7b-4ffd-8b1f-818d239ebde5","started_at_local":"2024-05-16T20:14:13.5865810+02:00"}
2024-05-16 20:14:13,591+02:00 [5652 ] [45] INFO  BoomerangHandler Nebula Event name: event.command.start, Command Context: uuid:,scheduleid:,userjobid:d0e79966-bc7b-4ffd-8b1f-818d239ebde5,command:command.engine.getconfiguration
2024-05-16 20:14:13,593+02:00 [5652 ] [45] INFO  EAEngine Post results to Nebula async invoked by NebulaEvent
2024-05-16 20:14:13,608+02:00 [5652 ] [45] INFO  EAEngine Post results to Nebula async invoked by Execute
2024-05-16 20:14:13,609+02:00 [5652 ] [45] INFO  BoomerangHandler Nebula Event name: event.command.success, Command Context: uuid:,scheduleid:,userjobid:d0e79966-bc7b-4ffd-8b1f-818d239ebde5,command:command.engine.getconfiguration
2024-05-16 20:14:13,611+02:00 [5652 ] [45] INFO  EAEngine Post results to Nebula async invoked by NebulaEvent
2024-05-16 20:15:01,083+02:00 [5652 ] [44] INFO  NebulaCommunicator Post to Nebula - Id: 34523bd2-7a6f-4994-90e9-6ad65abe18e7 - Created: 5/16/2024 8:14:13 PM - Size: 329 - Data:
	{"user":"","job_id":"","schedule_id":"","schedule_etag":"","type":"BOOMERANG_EVENT","data":"{\"event_name\":\"event.command.start\",\"error_code\":0,\"error_message\":\"\",\"timestamp\":\"2024-05-16T18:14:13.5915259Z\"}","user_job_id":"d0e79966-bc7b-4ffd-8b1f-818d239ebde5","started_at_local":"2024-05-16T20:14:13.5940406+02:00"}
2024-05-16 20:15:01,507+02:00 [5652 ] [44] INFO  NebulaCommunicator Post to Nebula - Id: 08599e7d-344c-4f99-b595-ae872e8f1f90 - Created: 5/16/2024 8:14:13 PM - Size: 331 - Data:
	{"user":"","job_id":"","schedule_id":"","schedule_etag":"","type":"BOOMERANG_EVENT","data":"{\"event_name\":\"event.command.success\",\"error_code\":0,\"error_message\":\"\",\"timestamp\":\"2024-05-16T18:14:13.6110412Z\"}","user_job_id":"d0e79966-bc7b-4ffd-8b1f-818d239ebde5","started_at_local":"2024-05-16T20:14:13.6120416+02:00"}
2024-05-16 20:15:44,786+02:00 [5652 ] [60] INFO  MBAMPlugin Located the service and it is Running


Alright I might've found them. I retrieved this at "C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt"

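As an added example (not from the thread, ngrok or Malwarebytes), a small Python parser for the EndpointAgent.txt lines quoted above: it pulls the threat name, rule id, path and file hashes out of a RiskWare/PUA detection and then makes the defender's call on whether the hit is an admin-deployed tool that deserves an exclusion or something to investigate. The assumption that the log field order is stable and the approved-hash allowlist are mine; the sample lines are copied from the post.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional
# "Threat Detected and Blocked" line of the Malwarebytes Endpoint Agent log (EndpointAgent.txt).
# Assumption: the Id / Name / RuleId / Object Name field order is stable across agent versions.
DETECT_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+) .*?Threat Detected and Blocked "
    r"Id:(?P<threat_id>\d+) Name:(?P<name>\S+) RuleId:(?P<rule_id>\d+) Object Name:(?P<path>.+?)$"
)
EVENT_MARK = "MBEADomain.Payloads.RealtimeEventData"  # its JSON payload is logged on the next line

@dataclass
class Detection:
    timestamp: str
    threat_id: str
    name: str
    rule_id: str
    path: str
    md5: Optional[str] = None
    sha256: Optional[str] = None
    status: Optional[str] = None

def parse_endpoint_agent_log(text: str) -> list:
    """One Detection per blocked-threat line, enriched with hashes/status from the JSON event."""
    lines = [ln.strip() for ln in text.splitlines()]
    found = []
    for i, line in enumerate(lines):
        m = DETECT_RE.match(line)
        if m:
            found.append(Detection(**m.groupdict()))
        elif EVENT_MARK in line and found and i + 1 < len(lines):
            payload, d = json.loads(lines[i + 1]), found[-1]
            # Enrich only when name and path agree, so an unrelated event cannot mislabel this hit.
            if payload.get("threat_name") == d.name and payload.get("location", "").lower() == d.path.lower():
                d.md5, d.sha256, d.status = payload.get("md5"), payload.get("sha256"), payload.get("status")
    return found

def triage(d: Detection, approved_sha256: set, approved_dirs: tuple) -> str:
    """Defender's call on a RiskWare/PUA hit: a known-good hash in an admin-controlled install
    directory is an exclusion candidate; anything else (unknown build, odd path) gets investigated."""
    in_dir = d.path.lower().startswith(tuple(p.lower() for p in approved_dirs))
    return "approved-tool" if d.sha256 and d.sha256.upper() in approved_sha256 and in_dir else "investigate"

# Constructed sample: three lines copied from the log in the thread above (JSON abridged to the used keys).
SAMPLE_LOG = r"""
2024-05-16 19:56:51,862+02:00 [5652 ] [50] INFO  MBAMPlugin Threat Detected and Blocked Id:11822 Name:RiskWare.Ngrok RuleId:1231477 Object Name:C:\ProgramData\chocolatey\lib\ngrok\tools\ngrok.exe
2024-05-16 19:56:58,840+02:00 [5652 ] [19] INFO  MBAMPlugin MBEADomain.Payloads.RealtimeEventData
{"status":"quarantined","threat_name":"RiskWare.Ngrok","location":"C:\\ProgramData\\chocolatey\\lib\\ngrok\\tools\\ngrok.exe","md5":"7A3C5B70FFDB7399DC9386EA6511C0A9","sha256":"F7EE8FDCB8A064A192AA58B6EC2D80879BD71B5995B06352EE360CFB38CD4732","rule_id":"1231477"}
"""
```

Feed it the whole EndpointAgent.txt and it returns every quarantine event with the hash you need to compare against the build you actually deployed; only a match in both hash and install directory is treated as a candidate for an exclusion.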