Hijin25, posted March 26, 2019:

Greetings. I have been using GOG Galaxy for several years without any problem. But today, when starting the download of a game, EIS blocked the connection with this message:

Time; 03/25/2019 08:32:19 p.m.
URL; https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net
State; Blocked by internal IP blacklist
Application; C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe
IP adress; 54.39.176.22
SHA1; A8B71843C86F1A71427BF91A70A7DD6F89265F6F

Is it a genuine block or a false positive? I analyzed the URL on VirusTotal and all the analyses show that it is a clean site. I also analyzed the IP, and only ESET and two more antivirus products detect it as malware. Thanks in advance for any
Marcos (Administrators), posted March 26, 2019:

For me cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net doesn't resolve at all.
Hijin25 (author), posted March 26, 2019:

Thanks for answering. Well, that's the URL that the ESET warning message threw at me. Today I tried the download again and I could do it without problems. What could have caused the blockade?
itman, posted March 26, 2019:

9 hours ago, Marcos said:
    For me cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net doesn't resolve at all.

Same here, it doesn't resolve in IE11. The IP address resolves to OVH Hosting, which appears to be a domain server. My guess is the domain in question has been removed from it.
Hijin25 (author), posted March 27, 2019:

Today I analyzed the IP on VirusTotal again, and now ESET no longer detects it as malicious; I suppose then that it was a "lapse" of the antivirus. I worried a lot, since I usually shop from GOG Galaxy.
itman, posted March 27, 2019:

I tried again to connect to https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net using IE11. It failed again. I submitted the URL to the Qualys SSL Server Test for a scan and it wouldn't resolve there either. As far as the VT scan of it goes, it doesn't verify the URL as to routing ability. It only verifies whether any of the AV engines there have it blacklisted.
itman, posted March 27, 2019:

Now this is interesting. I submitted the IP address 54.39.176.22 to IPVoid for a scan. All the reputation scanners there state it is probably clean. When I selected the very first scanner there, AlienVault, for further details, I was greeted with this: "54.39.176.22 is a threat to your network!" Don't know if they are phishing for my e-mail address, which is required to receive a detailed threat report, or what.
Hijin25 (author), posted March 28, 2019:

This is very confusing to me; if it is dangerous, why does ESET take it off the blacklist?
itman, posted March 28, 2019 (edited March 28, 2019 by itman):

10 hours ago, Hijin25 said:
    This is very confusing to me; if it is dangerous, why does ESET take it off the blacklist?

The IP address points to an Internet domain server. All these do is resolve URLs to IP addresses. As such, most Internet reputational scanners would exclude them from consideration. As said repeatedly, the URL doesn't resolve and therefore cannot be routed to a valid connection. One possible explanation as to what is going on is that you're using some type of tunnel network connection, such as Tor or a VPN, to connect to the game server. This bypasses the Internet backbone routing mechanism by establishing a direct point-to-point network connection.
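The thread keeps circling around one question: does the hostname in the ESET notice still resolve, and does it still point at the IP that was blocked? The following is an added triage helper written for this thread; it is not ESET, GOG or forum code, and all of its names (parse_notice, triage, sha1_matches_file, SAMPLE_NOTICE) are hypothetical. It parses the pasted "Blocked by internal IP blacklist" notice into fields, compares the blocked IP against what the hostname resolves to now (the resolver is injectable so the check can be replayed offline), and verifies the SHA1 that ESET logged for GalaxyClient.exe against the binary on disk. The sample notice is the one from the first post, re-typed as it was pasted.

```python
"""Triage an ESET "Blocked by internal IP blacklist" notice (hypothetical helper)."""
import hashlib
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed sample: the notice from the first post of the thread, including
# the spacing a copy/paste into the forum introduced around the backslashes.
SAMPLE_NOTICE = r"""Time; 03/25/2019 08:32:19 p.m.
URL; https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net
State; Blocked by internal IP blacklist
Application; C: \ Program Files (x86) \ GOG Galaxy \ GalaxyClient.exe
IP adress; 54.39.176.22
SHA1; A8B71843C86F1A71427BF91A70A7DD6F89265F6F"""

# "Key; value" lines; the key may contain a space ("IP adress").
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z0-9 ]+?)\s*;\s*(?P<val>.*?)\s*$")

# Map the key spellings seen in the notice to one attribute name each.
KEY_ALIASES = {
    "time": "time", "url": "url", "state": "state", "application": "application",
    "ip adress": "ip", "ip address": "ip", "sha1": "sha1",
}


@dataclass
class BlockNotice:
    time: str
    url: str
    host: str          # hostname extracted from url
    state: str
    application: str   # Windows path with the pasted spacing removed
    ip: str
    sha1: str          # upper-case hex, as ESET logs it


def parse_notice(text: str) -> BlockNotice:
    """Parse the pasted notice; raises KeyError when a required field is missing."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = KEY_ALIASES.get(m.group("key").lower())
        if key:
            fields[key] = m.group("val")
    # "C: \ Program Files" -> "C:\Program Files"
    application = re.sub(r"\s*\\\s*", r"\\", fields["application"])
    host = urlparse(fields["url"]).hostname or fields["url"]
    return BlockNotice(
        time=fields["time"], url=fields["url"], host=host, state=fields["state"],
        application=application, ip=fields["ip"], sha1=fields["sha1"].upper(),
    )


Resolver = Callable[[str], List[str]]


def resolve_ipv4(host: str) -> List[str]:
    """Live resolver: current IPv4 answers for host, or [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def triage(notice: BlockNotice, resolver: Resolver = resolve_ipv4) -> Dict[str, object]:
    """Compare the blocked IP with what the hostname resolves to right now.

    UNRESOLVED: the name has no A record any more (what Marcos and itman observed).
    CURRENT:    the name still points at the blocked IP, so the block would recur.
    STALE:      the name now points elsewhere; the blocked IP was an edge that has
                since been rotated out or taken down.
    """
    answers = resolver(notice.host)
    if not answers:
        verdict = "UNRESOLVED"
    elif notice.ip in answers:
        verdict = "CURRENT"
    else:
        verdict = "STALE"
    return {"host": notice.host, "blocked_ip": notice.ip,
            "current_ips": answers, "verdict": verdict}


def sha1_matches_bytes(data: bytes, expected_hex: str) -> bool:
    """True when SHA1(data) equals the hash ESET logged for the application."""
    return hashlib.sha1(data).hexdigest().upper() == expected_hex.upper()


def sha1_matches_file(path: str, expected_hex: str) -> bool:
    """Stream the binary named in the notice and compare its SHA1 with the logged one."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper() == expected_hex.upper()


if __name__ == "__main__":
    notice = parse_notice(SAMPLE_NOTICE)
    print(triage(notice))  # live DNS lookup of the hostname from the notice
```

Run stand-alone it performs the live lookup; an UNRESOLVED verdict is the situation described in this thread, where the reputation engines can no longer be cross-checked against a reachable host. The SHA1 check is the part the thread does not do: running sha1_matches_file(notice.application, notice.sha1) on the installed client confirms the blocked process was the unmodified GalaxyClient.exe that ESET logged, which separates a stale CDN reputation from a tampered launcher.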
itman, posted March 28, 2019 (edited March 28, 2019 by itman):

FYI.

Quote:
    GOG Galaxy Game Launcher Vulnerable to Privilege Escalation Attacks
    GOG Galaxy contains six severe vulnerabilities that permit privilege escalation and arbitrary code execution. Most of the vulnerabilities concern the macOS version of the game launcher, but Windows users aren't entirely safe either. GOG Galaxy accounts for around 10% to 20% of digital game sales, so attackers have a lot of potential unpatched targets. Cisco Talos researchers have analyzed GOG Galaxy video game launcher version 1.2.48.36, and found that this version, and most probably all of the recent ones that came before it, are vulnerable to various types of malicious attacks that result in remote privilege escalation and arbitrary code execution.
    https://www.technadu.com/gog-galaxy-launcher-vulnerable-privilege-escalation-attacks/62961/
Hijin25 (author), posted March 28, 2019:

2 hours ago, itman said:
    The IP address points to an Internet domain server. All these do is resolve URLs to IP addresses. As such, most Internet reputational scanners would exclude them from consideration. As said repeatedly, the URL doesn't resolve and therefore cannot be routed to a valid connection. One possible explanation as to what is going on is that you're using some type of tunnel network connection, such as Tor or a VPN, to connect to the game server. This bypasses the Internet backbone routing mechanism by establishing a direct point-to-point network connection.

As far as I know, I do not use anything he mentions.

18 minutes ago, itman said:
    FYI. https://www.technadu.com/gog-galaxy-launcher-vulnerable-privilege-escalation-attacks/62961/

This is worrying; I hope ESET will help me mitigate these threats. As I mentioned, it was the only one of the renowned antivirus products that blocked the connection to that IP; I prefer a "paranoid" antivirus to a permissive one. Thank you for your assistance.
itman, posted March 28, 2019:

1 hour ago, Hijin25 said:
    I hope ESET will help me mitigate these threats

Make sure your software is updated to the latest version available. Cisco indicated in their detailed write-up that GOG Galaxy has patched the software against these vulnerabilities.
Hijin25 (author), posted March 28, 2019:

The platform is updated, now on version 1.2.54. The version mentioned in the article is from mid-November 2018. At GOG technical support, they just thanked me for reporting the incident. XD