MarcFL (24), posted April 15, 2022

Every day NOD32 is annoying me with this popup block and it's logged in filtered websites. This happens when I open Firefox the first time for the day. It only happens once a day. I checked Roboform and I have no link or saved credentials for hxxp://members.driverguide.com. I used to, but it was deleted a long time ago. Before I configure an exception for this hash, I was wondering if anyone knows why this is happening. Thank You!

Time: 4/15/2022 10:37:36 AM
URL: hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
Status: Blocked
Detection: PUA blacklist
Application: C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
User: (blank)
IP address: 142.250.64.132
Hash: D8C5ADCB1E302C1917DED2E3E058989FDE052CF8
Marcos (Administrator, 4,712), posted April 15, 2022

Unfortunately I have no clue why Roboform accesses the site driverguide.com (PUA-related). If it's OK for you and the benefits of accessing the website outweigh the possible risks, you can add it to the list of allowed websites in the URL management setup.
MarcFL (24), posted April 15, 2022 (edited)

Thanks Marcos. I don't understand the difference between these two:

Address list type
- Excluded from checking – No checking for malicious code will be performed for any address added to this list.
- Allowed – If the "Allow access only to HTTP addresses in the list of allowed addresses" option is enabled and the list of blocked addresses contains * (match everything), the user will be allowed to access only the addresses specified in this list. The addresses in this list are allowed even if they are also matched by the list of blocked addresses.

Also, I can't find this setting mentioned above: "Allow access only to HTTP addresses"

Edited April 15, 2022 by MarcFL
Marcos (Administrator, 4,712), posted April 15, 2022

The "excluded from checking" list contains addresses where the content will not be scanned at all, i.e. any possible malware won't be detected. On the contrary, the "allowed" list contains URLs that ESET will not block; however, the content will be scanned and possible malware would be detected.
MarcFL (24), posted April 15, 2022

Thanks. So Allowed is the safer choice and should resolve my issue with the PUA URL warning.
itman (1,541), posted April 15, 2022

I scanned this URL: http://members.driverguide.com/ with Quttera and it's 100% clean. Ditto for VirusTotal; zero detections. However, the access to this site is being done via Roboform using this URL: http://www.google.com/s2/favicons?domain=http://members.driverguide.com . The favicons prefix is the culprit, I believe. I would try to eliminate this connection within Roboform if possible.
MarcFL (24), posted April 15, 2022

I'm at a loss to find out why Roboform is doing this. I have carefully searched Roboform and can't find anything. I've looked for driverguide and favicons and didn't find anything. It's probably a bug.

Allowing these URLs in NOD32 did NOT work:
https://members.driverguide.com
hxxp://members.driverguide.com
https://www.driverguide.com
hxxp://www.driverguide.com

I am now trying:
hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
https://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
itman (1,541), posted April 15, 2022

1 hour ago, MarcFL said:
> I am now trying:
> hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
> https://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com

Adding both URLs to the Allowed Address list will eliminate the Eset PUA alert. However, all that is displayed is a black web page with an icon on it. Very suspicious to me.
MarcFL (24), posted April 16, 2022 (edited)

Thanks itman. I might as well add the URLs to the Block list. Unfortunately, NOD32 is unable to block these types of URLs. I've tried and it doesn't work (Advanced Setup, Web Access Protection, URL Address Management, Address List, List of Blocked Addresses). If you can find a way, let me know please 🙂

What I want to block without blocking the entire google.com domain or the gstatic.com domain owned by Google:
hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com

which is forwarded to this URL:
https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=hxxp://members.driverguide.com&size=16

Edited April 16, 2022 by MarcFL
MarcFL (24), posted April 16, 2022 (edited)

Correction - What I want to block without blocking the entire google.com domain or the gstatic.com domain owned by Google. Note: Replace hxxp with http in several places in the URLs since this forum keeps changing it even with the code box.

hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com/ums/index.php

which is forwarded to this URL:
https://t3.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=hxxp://members.driverguide.com/ums/index.php&size=16

Edited April 16, 2022 by MarcFL
MarcFL (24), posted April 16, 2022 (edited)

In the meantime, I'm blocking this URL with wildcards and hopefully it will be enough to stop Roboform: *driverguide.com*

Edited April 16, 2022 by MarcFL
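The thread shows why the exact host entries did not match while *driverguide.com* did: the blocked request is to google.com (and then gstatic.com), and driverguide.com only appears inside a query parameter. The script below is an added illustration, not ESET's code or Roboform's; it assumes that an address-list entry is matched against the whole URL string, case-insensitively, with * meaning "match everything" (as the ESET help quoted above says) and ? meaning one character, and that an Allowed match wins over a Blocked match, as Marcos describes. The sample URLs are the ones posted in the thread, kept in the forum's hxxp defanged form.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample data taken from the posts above (defanged with hxxp by the forum).
LOGGED_URL = "hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com"
REDIRECT_URL = ("https://t3.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON"
                "&fallback_opts=TYPE,SIZE,URL&url=hxxp://members.driverguide.com/ums/index.php&size=16")
TRIED_ENTRIES = [  # the exact entries that did not work
    "https://members.driverguide.com", "hxxp://members.driverguide.com",
    "https://www.driverguide.com", "hxxp://www.driverguide.com",
]
WILDCARD_ENTRY = "*driverguide.com*"  # the entry that did work


def wildcard_to_regex(entry: str) -> "re.Pattern[str]":
    """Assumed list semantics: '*' matches any run of characters, '?' one character,
    everything else is literal, and the entry must cover the whole URL."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(entry: str, url: str) -> bool:
    return wildcard_to_regex(entry).match(url) is not None


def first_match(entries, url):
    """Return the first list entry matching the URL, or None."""
    return next((e for e in entries if matches(e, url)), None)


def embedded_urls(url: str):
    """URLs carried inside query parameters; this is where driverguide.com hides
    in both the google.com favicon request and the gstatic.com redirect."""
    query = parse_qs(urlsplit(url).query)
    return [v for values in query.values() for v in values
            if v.lower().startswith(("http://", "https://", "hxxp://"))]


def decide(url: str, blocked, allowed) -> str:
    """Allowed entries win over Blocked ones (per the help text quoted in the thread);
    Allowed traffic is still scanned, which is why it is the safer of the two lists."""
    if first_match(allowed, url):
        return "allowed (content still scanned)"
    if first_match(blocked, url):
        return "blocked"
    return "not listed (normal scanning)"


if __name__ == "__main__":
    for url in (LOGGED_URL, REDIRECT_URL):
        print(url)
        print("  embedded URL(s):", embedded_urls(url))
        print("  exact entries matched:", first_match(TRIED_ENTRIES, url))
        print("  wildcard entry matched:", matches(WILDCARD_ENTRY, url))
        print("  decision with wildcard blocked:", decide(url, [WILDCARD_ENTRY], []))
```

The same matcher also shows the cost of a broad pattern: *driverguide.com* matches any URL containing that substring anywhere, including unrelated hosts such as driverguide.community (a constructed example), so a tighter entry such as *?domain=hxxp://members.driverguide.com* or *url=hxxp://members.driverguide.com* would limit the block to the favicon lookups seen in the log.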