Jump to content

Help Tracking Down source of filtered website Warning with Roboform


Recommended Posts

Everyday NOD32 is annoying me with this popup block and it's logged in filtered websites. This happens when I open Firefox the first time for the day. It only happens once a day. I checked Roboform and I have no link or saved credentials for hxxp://members.driverguide.com I used to, but it was deleted a long time ago.  Before I configure an exception for this hash, I was wondering if anyone knows why this is happening.  Thank You!

Time;URL;Status;Detection;Application;User;IP address;Hash
4/15/2022 10:37:36 AM
hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
Blocked;PUA blacklist
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe;
142.250.64.132
D8C5ADCB1E302C1917DED2E3E058989FDE052CF8

Link to comment
Share on other sites

  • Administrators

Unfortunately I have no clue why Roboform accesses the site driverguide.com (PUA-related). If it's ok for you and the benefits of accessing the website outweigh possible risks, you can add it to the list of allowed websites in the URL management setup.

Link to comment
Share on other sites

Posted (edited)

Thanks Marcos.  I don't understand the difference between these two:

Address list type

Excluded from checking – No checking for malicious code will be performed for any address added to this list.

Allowed – If the Allow access only to HTTP addresses in the list of allowed addresses option is enabled and the list of blocked addresses contain * (match everything), user will be allowed to access addresses specified in this list only. The addresses in this list are allowed even if they also match by the list of blocked addresses.
 

Also, I can't find this setting mentioned above: "Allow access only to HTTP addresses"
 

Edited by MarcFL
Link to comment
Share on other sites

  • Administrators

The "excluded from checking" list contains addresses where the content will not be scanned at all, ie. any possible malware won't be detected.

On the contrary, the "allowed" list contains urls that ESET will not block, however, the content will be scanned and possible malware would be detected.

Link to comment
Share on other sites

Thanks.  So Allowed is the safer choice and should resolve my issue with the PUA URL warning.

Link to comment
Share on other sites

I scanned this URL: http://members.driverguide.com/ Quttera and its 100% clean. Ditto for VirusTotal; zip detections.

However, the access to this site is being done via Roboform using this URL: http://www.google.com/s2/favicons?domain=http://members.driverguide.com . The favicons prefix is the culprit I believe.

I would try to eliminate this connection within Roboform if possible.

Link to comment
Share on other sites

I'm at a loss to find out why Roboform is doing this.  I have carefully searched Roboform and can't find anything.  I've looked for driverguide and favicons  and didn't find anything.   It's probably a bug.

Allowing these URLs in NOD32 did NOT work:
https://members.driverguide.com
hxxp://members.driverguide.com
https://www.driverguide.com
hxxp://www.driverguide.com

I am now trying:
hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
https://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com

Link to comment
Share on other sites

1 hour ago, MarcFL said:

Adding both URL's to Allowed Address list will eliminate Eset PUA alert.

However, all that is displayed is a black web page with an icon on it. Very suspicious to me.

Link to comment
Share on other sites

Posted (edited)

Thanks itman.  I might as well add the URLs to the Block list.  Unfortunately, NOD32 is unable to block these types of URLs.  I've tried and it doesn't work (Advanced Setup, Web Access Protection, URL Address Management, Address List, List of Blocked Addresses).   If you can find a way, let me know Please 🙂

What I want to block without blocking the entire google.com domain or the gstatic.com domain owned by google.
hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com
which is forwarded to this URL:
https://t2.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=hxxp://members.driverguide.com&size=16

Edited by MarcFL
Link to comment
Share on other sites

Posted (edited)

Correction - What I want to block without blocking the entire google.com domain or the gstatic.com domain owned by google.  Note: Replace hxxp with http in several places in the URLs since this forum keeps changing it even with the code box.

hxxp://www.google.com/s2/favicons?domain=hxxp://members.driverguide.com/ums/index.php
which is forwarded to this URL:
https://t3.gstatic.com/faviconV2?client=SOCIAL&type=FAVICON&fallback_opts=TYPE,SIZE,URL&url=hxxp://members.driverguide.com/ums/index.php&size=16

 

Edited by MarcFL
Link to comment
Share on other sites

Posted (edited)

In the meantime, I'm blocking this URL with wildcards and hopefully it will be enough to stop the Roboform:
*driverguide.com*

Edited by MarcFL
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...