
Anti-phishing Protection Issue


Solved by shocked


To begin, AMTSO Desktop Anti-phishing test works as expected.

When accessing an actual phishing web site per the event log entry posted below, Eset logs that it blocked access. However, no Eset alert is generated and access to the web site is allowed.

Time;URL;Status;Detection;Application;User;IP address;Hash
9/3/2021 2:39:12 PM;https://www.fixwindowserrors.biz;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-PC\XXX;2606:4700:3036::ac43:8793;6E6C61A9F8A1D1C96B17E310A48AEAA49545C0EF


13 minutes ago, Marcos said:

What about Edge

Works properly in Edge.

Do you have Firefox set at default settings? Such as HTTPS over DNS using Cloudflare for example?

Edited by itman

  • Administrators

I was able to reproduce it eventually. I guess I didn't copy the whole URL with https before; via http it's blocked in Firefox all right. Enabling DNS over HTTPS didn't make any difference.

Thanks for the heads-up, will keep you posted about what the developers find out.


  • Most Valued Members

I can confirm that with Edge it's blocked whether it's https or not. FF will block it with http only.
Meddling with DNS-over-HTTPS in FF doesn't have any effect.


Appears the connection is slipping through Eset HTTPS web filtering after being detected. The question is whether it's an isolated web site instance or all HTTPS sites are affected. Appears that is not the case. Tested a couple of known phish HTTPS web sites from the PhishTank web site, and no issues with Eset blocking and alerting on those.

This web site appears to be using something new in the way of bypassing.


I would also strongly recommend that Eset generate its small desktop popup window whenever an anti-phishing detection entry is written to the Filtered website log. This would give one a visual clue the accessed web site is a phishing one when Eset blocking access to the web site fails.


  • Administrators

Don't know what happened but today I've been unable to reproduce this either. Tried various products and module versions to no avail; the block web page was always displayed.


4 hours ago, Marcos said:

Don't know what happened but today I've been unable to reproduce this either. Tried various products and module versions to no avail; the block web page was always displayed.

Unfortunately, that is not the case for me using Firefox. Entering this URL, https://www.fixwindowserrors.biz/ , allows unblocked access with no Eset alert. Note that per my posted log entry, access to this web site is being made via IPv6.

When I use URL-to-IP-address converters, they all resolve to IPv4 addresses. Robtex returns 198.187.31.37. URLVoid returns 172.67.135.147. Likewise, the IPv6 address being used changes. It's currently being shown in the Eset log entry as 2606:4700:3036::6815:1a3f, which converts to IPv4 address 104.21.26.63; i.e. Cloudflare, interestingly.

Edited by itman
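To make the two observations above concrete (the semicolon-separated "Filtered websites" export quoted in the first post, and the conversion of the logged Cloudflare IPv6 address to an IPv4 address), here is an added example in Python. It is not ESET's code and not from any poster: it parses a constructed copy of the export, keeps only Anti-Phishing block events, and interprets the low 32 bits of each IPv6 peer address as IPv4, which is what the address converters the poster used did. The second log line's timestamp is made up; the URL, addresses and hash are the thread's. The Cloudflare prefix 2606:4700::/32 is taken from Cloudflare's published list and should be re-checked against the current list before relying on it.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample of ESET's "Filtered websites" export (semicolon-separated):
# the header and first event are as quoted in the thread; the second event uses
# the IPv6 address from the later post with a made-up timestamp.
SAMPLE_LOG = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
9/3/2021 2:39:12 PM;https://www.fixwindowserrors.biz;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-PC\XXX;2606:4700:3036::ac43:8793;6E6C61A9F8A1D1C96B17E310A48AEAA49545C0EF
9/5/2021 9:15:00 AM;https://www.fixwindowserrors.biz/;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-PC\XXX;2606:4700:3036::6815:1a3f;6E6C61A9F8A1D1C96B17E310A48AEAA49545C0EF
"""

# Assumption: Cloudflare's published IPv6 allocation. Verify against the current list.
CLOUDFLARE_V6 = ipaddress.ip_network("2606:4700::/32")


def parse_filtered_log(text):
    """Parse the export into one dict per event, keyed by the header fields."""
    return list(csv.DictReader(StringIO(text), delimiter=";"))


def low32_as_ipv4(addr):
    """Interpret the low 32 bits of an IPv6 address as an IPv4 address (what the
    converters the poster used did). IPv4 input is returned unchanged."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)


def phishing_blocks(text):
    """Summarise each Anti-Phishing block event: URL, logged peer address, the IPv4
    embedded in its low 32 bits, and whether the peer is inside Cloudflare's prefix."""
    events = []
    for row in parse_filtered_log(text):
        if row["Status"] != "Blocked" or not row["Detection"].startswith("Anti-Phishing"):
            continue
        peer = ipaddress.ip_address(row["IP address"])
        events.append({
            "time": row["Time"],
            "url": row["URL"],
            "application": row["Application"],
            "peer": str(peer),
            "embedded_ipv4": str(low32_as_ipv4(row["IP address"])),
            "cloudflare": peer.version == 6 and peer in CLOUDFLARE_V6,
        })
    return events


if __name__ == "__main__":
    for e in phishing_blocks(SAMPLE_LOG):
        print(f'{e["time"]}  {e["url"]}  peer={e["peer"]}  '
              f'embedded_ipv4={e["embedded_ipv4"]}  cloudflare={e["cloudflare"]}')
```

Run against the constructed sample, the two logged peers 2606:4700:3036::ac43:8793 and 2606:4700:3036::6815:1a3f yield 172.67.135.147 and 104.21.26.63, matching the URLVoid result and the poster's own conversion; both sit inside the Cloudflare prefix, while the Robtex answer 198.187.31.37 is a plain IPv4 address that the function leaves as-is.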

  • ESET Insiders

I don't think it's related to the IP version; seems it's something Firefox is doing. Disabling SSL scanning allows the site to be shown but still shows a warning that it was supposedly blocked in Firefox. In my other browsers it's still blocked with SSL scanning on or off.

[Screenshot attachments: 2021-09-05 (1).png, 2021-09-05 (2).png, 2021-09-05.png]

Edited by NewbyUser

  • Most Valued Members
  • Solution

Creating a new clean FF profile seems to make it work. Some weird setting seems to interfere with it, but I can't understand what and why. Even FF safe mode with add-ons disabled didn't help.


  • ESET Insiders
5 minutes ago, shocked said:

Creating a new clean FF profile seems to make it work. Some weird setting seems to interfere with it, but I can't understand what and why. Even FF safe mode with add-ons disabled didn't help.

That's likely the case with me then. I don't typically use FF and installed it just to try and help with this thread. 


3 hours ago, shocked said:

Creating a new clean FF profile seems to make it work.

I did a Firefox Reset and now Eset also properly alerts. Very strange indeed.

Of note, the "Go back" button works sometimes and other times it does not.

Edited by itman

A few additional comments here.

Eset had no issue detecting a phishing site using Firefox and alerting other than this web site in question based on my testing. As such, it can't be pointed to Firefox profile corruption as the source of non-alerting. If this was the case, Eset phishing alerting would not work on any blacklisted web site.

It appears this web site somehow interacted with Firefox profile settings initially to partially defeat Eset phishing alert processing. As such, I stick with my recommendation that Eset phishing detection be modified to show desktop popup alert upon creation of Filtered website event log entry.

Edited by itman

  • ESET Insiders

I still encounter this problem on Firefox but not on Edge and Chromium. I don't plan to refresh or recreate my profile so if logs or something similar is needed, I can provide them.


  • Most Valued Members
1 hour ago, itman said:

somehow interacted with Firefox profile settings

It's really weird how it can interact with the FF settings and "defeat" the protection. I haven't changed anything security related in the FF config settings, only some that relate to tab previews etc., so it's puzzling.


Some additional info.

Robtex lookup on the domain name in question yields:

[Screenshot attachment: Eset_DNS.png]

However, every Eset logged block event for this domain shows a Cloudflare server IPv6 address; i.e. a DNS relay server. This parallels a recent posting I made in regards to Eset detection issues for the AMTSO cloudcar test. And I believe this has to do with 464XLAT tunneling my ISP is performing. It is basically now only using IPv6 and converting IPv4 addresses into IPv6 addresses en route to my router.


  • ESET Insiders
56 minutes ago, itman said:

Some additional info.

Robtex lookup on the domain name in question yields:

[Screenshot attachment: Eset_DNS.png]

However, every Eset logged block event for this domain shows a Cloudflare server IPv6 address; i.e. a DNS relay server. This parallels a recent posting I made in regards to Eset detection issues for the AMTSO cloudcar test. And I believe this has to do with 464XLAT tunneling my ISP is performing. It is basically now only using IPv6 and converting IPv4 addresses into IPv6 addresses en route to my router.
But if it's your ISP, wouldn't the behavior be consistent regardless of whatever you did? And I could never reproduce the cloudcar issue either, so that may possibly be related to FF profile corruption also.


  • Administrators
7 hours ago, Minimalist said:

I still encounter this problem on Firefox but not on Edge and Chromium. I don't plan to refresh or recreate my profile so if logs or something similar is needed, I can provide them.

Does pressing Ctrl+F5 to refresh the web page in Firefox make a difference?


13 hours ago, NewbyUser said:

And I could never reproduce the cloudcar issue either, so that may possibly be related to FF profile corruption also.

No.

Same behavior after resetting Firefox. Also, although it appears Eset fixed the issue, what it is doing is detecting the cloudcar download when it hits the disk.


7 hours ago, Marcos said:

Does pressing Ctrl+F5 to refresh the web page in Firefox make a difference?

It didn't for me. Only a full Firefox reset, which creates a new profile, resulted in the Eset phishing alert being generated.

This topic is now closed to further replies.