ESET is blocking a Sourceforge website


DrTeeth


It really drives me nuts when ESET AV blocks a site that I do not want it to. I keep on filing false positive reports but nothing changes. I would like there to be an option to allow a site/domain on the 'site blocked' notification. I cannot think of any reason why ESET blocks Sourceforge, for example.


  • Administrators

It really drives me nuts when ESET AV blocks a site that I do not want it to. I keep on filing false positive reports but nothing changes. I would like there to be an option to allow a site/domain on the 'site blocked' notification. I cannot think of any reason why ESET blocks Sourceforge, for example.

 

I've searched emails sent to samples[at]eset.com but couldn't find any that went unanswered. I rather assume it was a PUA detection or URL block that you encountered. Feel free to PM me the URL that is blocked by ESET. Also please create a dedicated topic for a complaint like this, as it has nothing to do with "Future changes to ESET NOD32 Antivirus", which this topic is used for.


These days PUAs are found in a lot of software on the Net, even on a site like SourceForge, so there is a very good reason why you may get some detections on SF if you have detection of PUAs enabled.

Edited by SweX

It is not the software, it is the site in this case.

 

Go to hxxp://sourceforge.net/projects/smplayer/files/Unstable/redxii-unstable/ and download one of the files. When the timer on the next page gets to zero one gets the attached.

 

Marcos, I am using the link in the dialogue box to report the site as okay and have done so several times.

 

There is NOTHING bundled in the installer, and I can download the file by using the 'direct download' link on the page with the countdown. Also, I have just discovered that if one turns on the Direct Download Link that is on the page linked above (see screenshot), ESET does not protest.

 

Basically, why let us report an incorrectly blocked page and do nothing about it?

[attached screenshot: ESET 'site blocked' notification]

[attached screenshot: SourceForge 'Direct Download Link' toggle]


Looks like it's bundled with InstallCore when the "Direct Download Link" is set to "Off". I put this in a VM and it pulled down all sorts of ######. You really, really don't want InstallCore's malware on your computer. Find alternative software and, ideally, report this abuse to SourceForge. They should not be hosting malware.


Nice research job  ;)

 

I agree that finding an alternative download source is a good idea; a program is rarely hosted at one site/location only but usually at several. And by alternative I don't mean CNET or Softonic.


Looks like it's bundled with InstallCore when the "Direct Download Link" is set to "Off". I put this in a VM and it pulled down all sorts of ######. You really, really don't want InstallCore's malware on your computer. Find alternative software and, ideally, report this abuse to SourceForge. They should not be hosting malware.

I have never got any malware installed by installing this program, no matter how I have downloaded it, unless ESET has let it through.

MalwareBytes shows my PC is clean as does ESET NOD32. I don't know what the heck you have been doing ;) , but I have no malware problems or infections here.

I have whitelisted SourceForge.

[attached screenshot: SourceForge added to ESET exclusions]


  • Administrators

I was unable to reproduce the block. However, if Proactive Services says that InstallCore was downloaded, it was a correct PUA detection.


Interesting that some people are having trouble reproducing this. I can still re-create this as follows with Firefox or IE11 (clean profiles, clean machines, both tested):

Visit hxxp://sourceforge.net/projects/smplayer/files/Unstable/redxii-unstable/

Works whether you're logged into SF or not.

 

To get the malware installer:

There is some bold blue text beside "Looking for the latest version?". The blue text reads "Download smplayer-14.3.0-win32.exe (21.4 MB)"

Don't click on the link yet. Just below is some more blue text which states: "Direct Download Link". By default here, it reads "Off". If it reads "On", click the link so that it toggles to "Off".

Screen shot when hovering over "Direct Download Link" (to follow, having problems with this editor)

Click the "Download smplayer-14.3.0-win32.exe (21.4 MB)".

An HTTPS POST transaction is initiated to ids.sourceforgecdn.com (I know this because Firefox gives me a prompt about sending information over a secure connection.)

The malware installer is offered which has exactly the same file name as the clean installer: smplayer-14.3.0-win32.exe

MD5: c29bf625fbc151f025ecfb135ed3065b

Icon: "SF"

Authenticode signature to the name of: IC-Forge via COMODO Code Signing CA 2

Eset detects as: a variant of Win32/InstallCore.OY PUA

VirusTotal analysis (Way to go Eset!)

 

To get the clean installer:

Ensure that the "Direct Download Link" is showing "On".

Screen shot whilst hovering over (to follow, having problems with this editor)

Click the "Download smplayer-14.3.0-win32.exe (21.4 MB)".

The HTTPS POST isn't sent (I get no prompt from Firefox). A request is made to https://downloads.sourceforge.net and then on to hxxp://netcologne.dl.sourceforge.net/project/smplayer/SMPlayer/14.3.0/smplayer-14.3.0-win32.exe

Clean MD5: 2e8bf2cae67facb0ea0669b4e6851901

Icon: Orange DVD folder with a disc

Authenticode signature to the name of "Open Source Developer, Ricardo Villalba" via Certum Level III CA

No Eset detection

VirusTotal results (0)

Edited by Proactive Services
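A defender-side check for the situation described in the post above (one file name, two different hashes and two different signers), as an added example that is not part of the original post or of ESET's or SourceForge's tooling: it hashes a downloaded installer against the two MD5 values quoted in the post and tests whether the PE carries any Authenticode blob at all. The sample PE header is constructed; confirming the signer name still needs signtool or Get-AuthenticodeSignature.

```python
# Hash a downloaded installer and check whether it carries an Authenticode
# blob at all. Added example for this thread, not ESET's or SourceForge's code;
# only the two MD5 values below come from the thread, the sample PE is constructed.
import hashlib
import struct

# MD5 values Proactive Services posted for two files that share one file name.
KNOWN_MD5 = {
    "2e8bf2cae67facb0ea0669b4e6851901": "clean smplayer-14.3.0-win32.exe",
    "c29bf625fbc151f025ecfb135ed3065b": "InstallCore-wrapped smplayer-14.3.0-win32.exe",
}

def authenticode_blob_size(data: bytes) -> int:
    """Size of the PE security directory (Authenticode blob), 0 if absent.
    Presence is not validity: verify the signer (signtool, Get-AuthenticodeSignature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return 0
    opt = pe_off + 24                              # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    sec = dirs + 4 * 8                             # IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec + 8 > len(data):
        return 0
    _file_offset, size = struct.unpack_from("<II", data, sec)
    return size

def triage(data: bytes) -> dict:
    """Hash the file and report what this thread knows about that hash."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "signed": authenticode_blob_size(data) > 0,
        "known_as": KNOWN_MD5.get(md5, "unknown: check the signer before running"),
    }

def fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header, with or without a security directory."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x400, 0x1234)    # offset, size
    return dos + coff + bytes(opt)
```

Run `triage(open("smplayer-14.3.0-win32.exe", "rb").read())` on a real download; a file that hashes to the wrapped MD5, or that is signed by a name other than the project's developer, should not be run.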

Haha yeah  ;)  Whitelisting SourceForge doesn't sound like a good plan to me. Looking for alternative download locations for this and other software that you are interested in is what I would do instead.

 

One can wonder how many SF users know about that direct download link on/off thing. Mhm, not nice.

Edited by SweX

Makes no difference here at all.

What makes no difference?

 

Edit: I remember this old thread; maybe it will help:

 

SourceForge’s new Installer bundles program downloads with adware

https://www.wilderssecurity.com/threads/sourceforge’s-new-installer-bundles-program-downloads-with-adware.350712/

Edited by SweX

I have heard of those stories and am aware of the issue, BUT I have never got anything unintended from SourceForge.

 

Personally, I would like to be able to at least start to download* what I want and either during the download or execution, ESET steps in. Just my (strong) preference.

 

*At least I can configure ESET to work the way I want. Signed up my 6 PCs for another year.


Personally, I would like to be able to at least start to download* what I want and either during the download or execution, ESET steps in. Just my (strong) preference.

 

*At least I can configure ESET to work the way I want. Signed up my 6 PCs for another year.

You should not get PUA warnings like this if you disable detection of potentially unwanted and unsafe applications. That's what I would do if you don't want to find alternative (better and safer) download sites.

 

They are detected for a reason which you don't seem to understand, and these detections are user-optional.

 

And I don't understand that you see it as a problem that ESET tells you about it before or after you start a download. The way it works today is great. The earlier the better IMO.

 

You can configure it as you want. Actually, on second thought, if you think detections on SourceForge are such a big problem then maybe it is better that you whitelist the whole site and stop "complaining", or what to call it, that ESET does its job when PUA detection is enabled. ESET is not only effective against malware but is a fantastic PUA detector as well, so I am not at all surprised if you feel it is a bit overwhelming at times, especially on sites like SourceForge where one can find PUAs.

 

I have heard of those stories and am aware of the issue, BUT I have never got anything unintended from SourceForge.

 

Not yet; just wait and see... :ph34r:

Edited by SweX

I do not want to disable protection against PUAs at all. I just do not want ESET to block a site or sites even before anything has begun to download. I am happy with a warning about a specific download, but not wholesale blacklisting. If ESET is competent in PUA detection, blunderbuss site blocking is not necessary.


A site can be blocked based on the internal PUA blacklist, as you will see in your logs.

 

In your case you can simply add a PUA-blacklisted site to the exclusions and you will be able to access it just fine, without turning off PUA detection. Though you might get a PUA warning if you download software containing a PUA from that site even if the site is excluded. Then you will be given the choice to exclude that application from being detected if you want.

 

Edit: If you don't want to exclude a site and you get a site block like the one in post #4, then you could just click "Proceed To The Site" without too much hassle, which is better of course than excluding the site.

 

Personally I rarely see sites blocked because of a PUA, so I don't know what sites you are trying to access. But I would stay away. I would look for better alternative sites instead.

 

I thought about this PUA problem earlier today; it's a bit funny that CNET/Download.com, which is owned by a huge company like CBS/CBS Interactive, really needs to be in the PUA business. It's just sad and ridiculous.

Edited by SweX

That is what I have done. It is a big plus for ESET that it still lets users configure their software to this level.

 

With kindest regards

 

DrT


That is what I have done. It is a big plus for ESET that it still lets users configure their software to this level.

 

With kindest regards

 

DrT

Good. Yes indeed, hopefully the configurability won't end with V7 but will continue in coming versions as well.  :wub:

Edited by SweX
This topic is now closed to further replies.