RandyEVO, posted February 14, 2019

Think this is the right area to post this... Been getting this popup for a blocked address, https://secure-drm.imrworldwide.com IP 3.17.238.130, and can't get it to go away. Made sure it wasn't notifications or extensions on Google Chrome and there doesn't seem to be anything else. Anyone else have something similar? Image attached. Thanks!

Marcos (Administrators), posted February 14, 2019

When does the alert pop up? When you launch a browser or a specific application, when browsing websites, etc.? If it's browser related, does it pop up when running any other browsers? By the way, it appears that you have ESET Endpoint v5 installed. I'd strongly recommend upgrading to EPv7.

itman, posted February 14, 2019 (edited February 15, 2019 by itman)

As far as that IP address goes, it resolves to Amazon: https://www.robtex.com/dns-lookup/ec2-3-17-238-130.us-east-2.compute.amazonaws.com .

-EDIT- As far as domain https://secure-drm.imrworldwide.com goes, it is associated with:

Quote: "The IP number is 138.108.140.100. The IP number is in Schaumburg, United States. It is hosted by Route for Nielsen. Secure-drm.imrworldwide.com has a chain of two CNAMEs ultimately pointing to secure-hongkong.imrworldwide.com. Secure-hongkong.imrworldwide.com has one IP number."

Per Robtex: https://www.robtex.com/dns-lookup/secure-drm.imrworldwide.com

Finally, IPVOID states 3.17.238.130 is not a valid IP address. Makes sense since it appears it is trying to directly access a backbone server. Appears something is screwed up DNS-wise.

Wynot, posted February 15, 2019

I have a user that has also been getting this for a few days. Turns out it's Iheart.com. She uses the website to play music instead of an I Heart Radio app, and in the page source there are references to that site several times. She first reported this yesterday, 2/14/2019. The pop-up hits her desktop but doesn't register anything in the logs.

itman, posted February 15, 2019 (edited February 15, 2019 by itman)

1 hour ago, Wynot said: "Turns out it's Iheart.com"

The site itself is clean per URLVoid: https://www.urlvoid.com/scan/iheart.com/ .

When I connect using iheart.com, I end up at quickio.iheart.com with an IP address of 34.195.19.104. Interestingly, that also resolves to Amazon per Robtex: https://www.robtex.com/ip-lookup/34.195.19.104 .

The common theme to these alerts appears to be the connection to Amazon servers in the U.S. Also, I use EIS and am receiving no alerts on any of these connections.

-EDIT- Forgot to mention I did observe routing connections through the Amazon backbone servers.

Wynot, posted February 15, 2019

Additional info, this is a Win 10 PC. I have a Win 7 user who also connects to iheart.com and does not receive these alerts even though the same address is present in the source code.

Wynot, posted February 15, 2019

Scratch that, the Win 7 user just got her 1st popup, same information.

Marcos (Administrators), posted February 15, 2019

Since the domain seems to be used for tracking and analytical purposes, we will unblock it.

rshanwk, posted February 18, 2019

Marcos, I am still getting blocked from this on my client's machine. As of 2/15 updated engine/defs with same results. Please advise on how to unblock. User is getting frustrated with the constant pop-ups. They are using iheart in Chrome browser. Thank you.

Marcos (Administrators), posted February 18, 2019

21 minutes ago, rshanwk said: "Marcos, I am still getting blocked from this on my client's machine. As of 2/15 updated engine/defs with same results. Please advise on how to unblock. User is getting frustrated with the constant pop-ups. They are using iheart in Chrome browser. Thank you."

Please post the appropriate row from the Filtered websites log.