itman, Posted September 3, 2021

To begin, the AMTSO Desktop Anti-phishing test works as expected. When accessing an actual phishing web site per the event log entry posted below, Eset logs that it blocked access. However, no Eset alert is generated and access to the web site is allowed.

Time;URL;Status;Detection;Application;User;IP address;Hash
9/3/2021 2:39:12 PM;https://www.fixwindowserrors.biz;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-PC\XXX;2606:4700:3036::ac43:8793;6E6C61A9F8A1D1C96B17E310A48AEAA49545C0EF
Marcos (Administrators), Posted September 3, 2021

Strange, works fine for me with Firefox. What about Edge or Chrome? Isn't the page blocked in those either?
itman (Author), Posted September 3, 2021 (edited)

13 minutes ago, Marcos said: What about Edge

Works properly in Edge. Do you have Firefox set at default settings? Such as HTTPS over DNS using Cloudflare, for example?

Edited September 3, 2021 by itman
Marcos (Administrators), Posted September 3, 2021

I was able to reproduce it eventually. I guess I didn't copy the whole URL with https before; via http it's blocked in Firefox alright. Enabling DNS over HTTPS didn't make any difference. Thanks for the heads-up, will keep you posted about what the developers find out.
shocked (Most Valued Members), Posted September 3, 2021

I can confirm that with Edge it's blocked whether it's https or not. FF will block it with http only. Meddling with DNS-over-HTTPS in FF doesn't have any effect.
itman (Author), Posted September 3, 2021

Appears the connection is slipping through Eset HTTPS web filtering after being detected. The question is whether it's an isolated web site instance or all HTTPS is affected? Appears that is not the case. Tested a couple of known phish HTTPS web sites from the Phish Tank web site, and no issues with Eset blocking and alerting on those. This web site appears to be using something new in the way of bypassing.
itman (Author), Posted September 4, 2021

I would also strongly recommend that Eset generate its small desktop popup window whenever an anti-phishing detection entry is written to the Filtered website log. This would give one a visual clue that the accessed web site is a phishing one when Eset blocking access to the web site fails.
NewbyUser (ESET Insiders), Posted September 4, 2021

Blocked properly here on https.
Marcos (Administrators), Posted September 5, 2021

Don't know what happened but today I've been unable to reproduce this either. Tried various products and module versions to no avail; the block web page was always displayed.
itman (Author), Posted September 5, 2021 (edited)

4 hours ago, Marcos said: Don't know what happened but today I've been unable to reproduce this either. Tried various products and module versions to no avail; the block web page was always displayed.

Unfortunately, that is not the case for me using Firefox. Entering this URL, https://www.fixwindowserrors.biz/ , allows unblocked access with no Eset alert. Note that per my posted log entry, access to this web site is being made via IPv6. When I use URL-to-IP-address converters, they all resolve to IPv4 addresses. Robtex returns 198.187.31.37. URLVoid returns 172.67.135.147. Likewise, the IPv6 address being used changes. It's currently being shown in the Eset log entry as 2606:4700:3036::6815:1a3f, which converts to IPv4 address 104.21.26.63; i.e. Cloudflare, interestingly.

Edited September 5, 2021 by itman
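An added example, not code from the thread or from ESET: a small Python parser for the semicolon-delimited Filtered websites export shown in the first post that flags Anti-Phishing blacklist blocks (the event itman wants a popup for) and decodes the IPv4 address carried in the low 32 bits of the logged IPv6 address, which is the conversion itman describes for the Cloudflare addresses. The second log row and its timestamp are constructed; the two IPv6 addresses are the ones quoted in the thread.

```python
import ipaddress
from typing import List, Dict, Optional

# Constructed sample in the export format shown in the first post.
# The first row is the one posted; the second row (time) is constructed
# around the second IPv6 address quoted later in the thread.
SAMPLE_LOG = r"""Time;URL;Status;Detection;Application;User;IP address;Hash
9/3/2021 2:39:12 PM;https://www.fixwindowserrors.biz;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-PC\XXX;2606:4700:3036::ac43:8793;6E6C61A9F8A1D1C96B17E310A48AEAA49545C0EF
9/5/2021 1:02:44 PM;https://www.fixwindowserrors.biz/;Blocked;Anti-Phishing blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;XXX-PC\XXX;2606:4700:3036::6815:1a3f;PLACEHOLDER_HASH
"""


def parse_filtered_log(text: str) -> List[Dict[str, str]]:
    """Turn the semicolon-delimited export into one dict per event row.

    The first line is the header; no field in this export contains ';'.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, line.split(";"))) for line in lines[1:]]


def embedded_ipv4(addr: str) -> Optional[str]:
    """Return the IPv4 address held in the low 32 bits of an IPv6 address.

    Reading the last two hextets as an IPv4 address is a convention used by
    some providers (Cloudflare here); it is not a property of IPv6 itself,
    so treat the result as a hint, not as the authoritative origin address.
    Returns None for an IPv4 input.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))


def phishing_blocks(text: str) -> List[Dict[str, Optional[str]]]:
    """Select rows that would warrant a desktop alert: blocked blacklist hits."""
    hits = []
    for row in parse_filtered_log(text):
        if row["Status"] == "Blocked" and row["Detection"] == "Anti-Phishing blacklist":
            hits.append({
                "time": row["Time"],
                "url": row["URL"],
                "application": row["Application"],
                "ip": row["IP address"],
                "embedded_ipv4": embedded_ipv4(row["IP address"]),
            })
    return hits


if __name__ == "__main__":
    for hit in phishing_blocks(SAMPLE_LOG):
        print(f"ALERT {hit['time']} {hit['url']} via {hit['ip']} (low 32 bits: {hit['embedded_ipv4']})")
```

Run against a real export the decoded value for the first row is 172.67.135.147, the same address URLVoid returned for the domain, which is why the IPv6 and IPv4 lookups in the thread are consistent rather than contradictory.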
NewbyUser (ESET Insiders), Posted September 5, 2021 (edited)

I don't think it's related to the IP version; it seems it's something Firefox is doing. Disabling SSL scanning allows the site to be shown but still shows a warning that it was supposedly blocked in Firefox. In my other browsers it's still blocked with SSL scanning on or off.

Edited September 5, 2021 by NewbyUser
Marcos (Administrators), Posted September 5, 2021

Isn't it blocked even if you press Ctrl+F5 in Firefox?
NewbyUser (ESET Insiders), Posted September 5, 2021

Yes, even with clearing FF cache and history, still blocked with SSL scanning turned off.
NewbyUser (ESET Insiders), Posted September 5, 2021 (edited)

It's also blocking the IPv6 address here. And SSL Scanning still turned off.

Edited September 5, 2021 by NewbyUser
shocked (Most Valued Members), Posted September 5, 2021 (Solution)

Creating a new clean FF profile seems to make it work. Some weird setting seems to interfere with it but I can't understand what and why. Even FF safe mode with addons disabled didn't help.
NewbyUser (ESET Insiders), Posted September 5, 2021

5 minutes ago, shocked said: Creating a new clean FF profile seems to make it work. Some weird setting seems to interfere with it but I can't understand what and why. Even FF safe mode with addons disabled didn't help.

That's likely the case with me then. I don't typically use FF and installed it just to try and help with this thread.
itman (Author), Posted September 5, 2021 (edited)

3 hours ago, shocked said: Creating a new clean FF profile seems to make it work.

I did a Firefox Reset and now Eset also properly alerts. Very strange indeed. Of note, the "Go back" button works sometimes and other times it does not.

Edited September 5, 2021 by itman
itman (Author), Posted September 5, 2021 (edited)

A few additional comments here. Based on my testing, Eset had no issue detecting a phishing site and alerting when using Firefox, other than on this web site in question. As such, Firefox profile corruption can't be pointed to as the source of non-alerting. If this were the case, Eset phishing alerting would not work on any blacklisted web site. It appears this web site somehow interacted with Firefox profile settings initially to partially defeat Eset phishing alert processing. As such, I stick with my recommendation that Eset phishing detection be modified to show a desktop popup alert upon creation of a Filtered website event log entry.

Edited September 5, 2021 by itman
Minimalist (ESET Insiders), Posted September 5, 2021

I still encounter this problem on Firefox but not on Edge and Chromium. I don't plan to refresh or recreate my profile, so if logs or something similar are needed, I can provide them.
shocked (Most Valued Members), Posted September 5, 2021

1 hour ago, itman said: somehow interacted with Firefox profile settings

It's really weird how it can interact with the FF settings and "defeat" the protection. I haven't changed anything security related in the FF config settings, only some that relate to tab previews etc., so it's puzzling.
itman (Author), Posted September 5, 2021

Some additional info. Robtex lookup on the domain name in question yields:

However, every Eset logged block event for this domain shows a Cloudflare server IPv6 address; i.e. DNS relay server. This parallels a recent posting I made in regards to Eset detection issues for the AMTSO cloudcar test. And I believe this has to do with 464XLAT tunneling my ISP is performing. It is basically now only using IPv6 and converting IPv4 addresses into IPv6 addresses en route to my router.
NewbyUser (ESET Insiders), Posted September 5, 2021

56 minutes ago, itman said: Some additional info. Robtex lookup on the domain name in question yields: However, every Eset logged block event for this domain shows a Cloudflare server IPv6 address; i.e. DNS relay server. This parallels a recent posting I made in regards to Eset detection issues for the AMTSO cloudcar test. And I believe this has to do with 464XLAT tunneling my ISP is performing. It is basically now only using IPv6 and converting IPv4 addresses into IPv6 addresses en route to my router.

But if it's your ISP, wouldn't the behavior be consistent regardless of whatever you did? And I could never reproduce the cloudcar issue either, so that may possibly be related to FF profile corruption also.
Marcos (Administrators), Posted September 6, 2021

7 hours ago, Minimalist said: I still encounter this problem on Firefox but not on Edge and Chromium. I don't plan to refresh or recreate my profile, so if logs or something similar are needed, I can provide them.

Does pressing Ctrl+F5 to refresh the web page in Firefox make a difference?
itman (Author), Posted September 6, 2021

13 hours ago, NewbyUser said: And I could never reproduce the cloudcar issue either, so that may possibly be related to FF profile corruption also.

No. Same behavior after resetting Firefox. Also, although it appears Eset fixed the issue, what it is doing is detecting the cloudcar download when it hits the disk.
itman (Author), Posted September 6, 2021

7 hours ago, Marcos said: Does pressing Ctrl+F5 to refresh the web page in Firefox make a difference?

It didn't for me. Only a full Firefox reset, which creates a new profile, resulted in the Eset phishing alert being generated.