IP blocking in GOG Galaxy

[Hijin25 12]

Greetings.

I have been using GOG galaxy for several years without any problem. But today, when starting the download of a game, EIS blocked the connection with this message;

Time; 03/25/2019 08:32:19 p.m.
URL; https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net
State; Blocked by internal IP blacklist
Application; C: \ Program Files (x86) \ GOG Galaxy \ GalaxyClient.exe
IP adress; 54.39.176.22
SHA1; A8B71843C86F1A71427BF91A70A7DD6F89265F6F

Is it a genuine block or a false positive?

Analyze the URL in virustotal and all the analyzes show that it is a clean site.

Also analyze the IP, and only Eset and two more antivirus detect it as malware.

Thanks in advance for any

[Marcos 5,069]

For me cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net doesn't resolve at all.

[Hijin25 12]

Thanks for answering.

Well that's the URL that the ESET warning message threw at me.

Today I tried again the download and I could do it without problems . What could have caused the blockade?

[itman 1,659]

9 hours ago, Marcos said:

For me cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net doesn't resolve at all.

Same here, doesn't resolve in IE11.

The IP address resolves to OVH Hosting which appears to be a domain server. My guess is the domain in question has been removed from it.

[Hijin25 12]

Today I returned to analyze the IP in virustotal, and now ESET no longer detects it as malicious, I suppose then that it was a "lapse" of the antivirus.

I worried a lot, since I usually shop from GOG galaxy.

[itman 1,659]

I tried again to connect to https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net using IE11. It failed gain.

Submitted the URL to QUALS SSL Server test for a scan and it wouldn't resolve there either. As far as the VT scan of it, it doesn't verify the URL as to routing ability. It only verifies if any of the AV engines there have it blacklisted.

[itman 1,659]

Now this is interesting.

I submitted IP Address, 54.39.176.22 , to IPVoid for a scan. All the rep scanners there state it is probably clean. When I selected the very first scanner there, AlienVault, for further details, I was greeted with this:

54.39.176.22 is a threat to your network!

Don't know if they are phishing for my e-mail address which is required to receive a detailed threat report, or what.

[Hijin25 12]

This is very confusing to me, if it is dangerous why ESET gets it out of the blacklist?

[itman 1,659]

10 hours ago, Hijin25 said:

This is very confusing to me, if it is dangerous why ESET gets it out of the blacklist?

The IP address points to an Internet Domain server. All these do is resolve URL to IP address. As such, most Internet reputational scanners would exclude them from consideration.

As said repeatedly, the URL doesn't resolve and therefore cannot be routed to a valid connection.

One possible explanation as to what is going on is you're using some type of tunnel network connection such as Tor or a VPN to connect to the game server. This bypassed the Internet backbone routing mechanism by establishing a direct point-to-point network connection.

Edited March 28, 2019 by itman

[itman 1,659]

FYI.

Quote

GOG Galaxy Game Launcher Vulnerable to Privilege Escalation Attacks

GOG Galaxy contains six severe vulnerabilities that permit privilege escalation and arbitrary code execution.

• Most of the vulnerabilities concern the macOS version of the game launcher, but Windows users aren’t entirely safe either.
• GOG Galaxy accounts for around 10% to 20% of digital game sales, so attackers have a lot of potential unpatched targets.

Cisco Talos researchers have analyzed GOG Galaxy video game launcher version 1.2.48.36, and found that this version number, and most probably all of the recent ones that came before it are vulnerable to various types of malicious attacks that result in remote privilege escalation and arbitrary code execution.

https://www.technadu.com/gog-galaxy-launcher-vulnerable-privilege-escalation-attacks/62961/

Edited March 28, 2019 by itman

[Hijin25 12]

2 hours ago, itman said:

The IP address points to an Internet Domain server. All these do is resolve URL to IP address. As such, most Internet reputational scanners would exclude them from consideration.

As said repeatedly, the URL doesn't resolve and therefore cannot be routed to a valid connection.

One possible explanation as to what is going on is you're using some type of tunnel network connection such as Tor or a VPN to connect to the game server. This bypassed the Internet backbone routing mechanism by establishing a direct point-to-point network connection.

As far as I know, I do not use anything he mentions.

18 minutes ago, itman said:

FYI.

https://www.technadu.com/gog-galaxy-launcher-vulnerable-privilege-escalation-attacks/62961/

This is worrying, I hope ESET will help me mitigate these threats. As I mentioned was the only one of the renowned antivirus that blocked the connection to that IP, I prefer a "paranoid" antivirus than a permissive one.

Thank you for your assistance.

[itman 1,659]

1 hour ago, Hijin25 said:

I hope ESET will help me mitigate these threats

Make sure your software is updated to the latest version available. Cisco indicated in their detailed write-up that GOG Galaxy has patched the software against these vulnerabilities.

[Hijin25 12]

The platform is updated, now in verison 1.2.54. The version mentioned in the article is from mid-November 2018.

In the GOG technical support, they just thanked me for reporting the incident. XD.