
Website blocked due to riskware


Mohd
Solved by Marcos

Hello,

Recently I installed ESET Smart Security Premium and another malware remover.

ESET did not detect any threat, but the malware remover is blocking riskware trying to communicate with an outside server (outbound).

It's annoying me, but this message keeps appearing, showing the IP address including the port number and the application used.

Unfortunately, I'm not able to attach the message here! However, I'm communicating with them and waiting for their analysis.

My question is, ESET Smart Security is supposed to provide full protection, isn't it? Why did it not detect this riskware?

Is there any tool provided by ESET that detects or protects against the above riskware?

Thanks


  • Administrators

Without knowing more details about what the other software blocked, it's impossible to tell if the block is legitimate or a false positive.

1 hour ago, Mohd said:

ESET did not detect any threat, but the malware remover is blocking riskware trying to communicate with an outside server (outbound).

What is the name of the other malware remover you installed?


  • Most Valued Members
1 hour ago, Mohd said:

Hello,

Recently I installed ESET Smart Security Premium and another malware remover.

ESET did not detect any threat, but the malware remover is blocking riskware trying to communicate with an outside server (outbound).

It's annoying me, but this message keeps appearing, showing the IP address including the port number and the application used.

Unfortunately, I'm not able to attach the message here! However, I'm communicating with them and waiting for their analysis.

My question is, ESET Smart Security is supposed to provide full protection, isn't it? Why did it not detect this riskware?

Is there any tool provided by ESET that detects or protects against the above riskware?

Thanks

I have a question apart from the other replies.

Did you turn on detection of Unwanted and Unsafe applications?

Marcos and itman, the below may answer your questions.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/19/23
Protection Event Time: 9:20 PM
Log File: 25720e1e-3ebd-11ee-8287-005056c00001.json

-Software Information-
Version: 4.6.0.277
Components Version: 1.0.2114
Update Package Version: 1.0.74217
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: wtrxus.com
IP Address: 147.182.140.228
Port: 443
Type: Outbound
File: C:\Program Files\Google\Chrome\Application\chrome.exe



(end)

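As an added example (not from this thread and not Malwarebytes' own code), a small Python parser for the block-event log layout quoted above, so that repeated events can be grouped by domain and blocking process when triaging a noisy alert like this one. The sample log text is constructed from the fields in the post.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the Malwarebytes block-event log
# quoted in the thread (domain, IP and process copied from that post).
SAMPLE_LOG = """\
-Log Details-
Protection Event Date: 8/19/23
Protection Event Time: 9:20 PM

-Website Data-
Category: RiskWare
Domain: wtrxus.com
IP Address: 147.182.140.228
Port: 443
Type: Outbound
File: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe

(end)
"""

# Section headers look like "-Website Data-"; everything else is "Key: Value".
SECTION_RE = re.compile(r"^-(?P<name>[^-].*?)-$")

def parse_mbam_log(text):
    """Split a Malwarebytes text log into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = {}
        elif current and ": " in line:
            key, _, value = line.partition(": ")  # first ": " only, so times survive
            sections[current][key] = value
    return sections

def website_event(sections):
    """Pull out the fields a defender needs to triage one web block."""
    w = sections.get("Website Data", {})
    d = sections.get("Log Details", {})
    return {
        "when": f"{d.get('Protection Event Date')} {d.get('Protection Event Time')}",
        "category": w.get("Category"),
        "domain": w.get("Domain"),
        "ip": w.get("IP Address"),
        "port": int(w["Port"]) if w.get("Port", "").isdigit() else None,
        "direction": w.get("Type"),
        "process": w.get("File"),
    }

def summarize(events):
    """Count blocks per (domain, process); a high count points at one noisy source."""
    return Counter((e["domain"], e["process"]) for e in events)
```

Feeding every exported event file through `parse_mbam_log` and `website_event`, then `summarize`, shows whether the once-a-minute popups all come from the same domain and the same process, which is what narrows the search to that process's add-ons.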

1 hour ago, Nightowl said:

I have a question apart from the other replies.

Did you turn on detection of Unwanted and Unsafe applications?

You mean: Advanced setup ==> Protections ==> Potentially unsafe applications

It was off by default. I have changed it to "Balanced" now.

As far as MBAM's detection of wtrxus.com, it might be picking up that McAfee has blacklisted the domain: https://sitecheck.sucuri.net/results/wtrxus.com .

Also, no one is detecting anything malicious with the IP address associated with wtrxus.com:

(screenshot: Eset_IPVoid.png)

At this point, I would say MBAM is giving a false positive detection.

Finally, if you are running MBAM in real-time mode, you shouldn't be, since it can potentially interfere with ESET's real-time scanning.

-EDIT- Quttera has also blacklisted the web site: https://quttera.com/detailed_report/wtrxus.com# although no reason is given as to why.

Also on VirusTotal, 6 vendors including Kaspersky rate the domain malicious: https://www.virustotal.com/gui/domain/wtrxus.com. Looks like alphaMountain.ai is the one rating the site as malicious.

Edited by itman

I read a lot about wtrxus.com; most give it a low rating and it looks like a safe domain, but some are treating it as a malicious domain.

From its behavior, I believe wtrxus.com is a malicious domain, as the Malwarebytes popup notification is appearing almost every minute (blocking something from communicating with outside).

Yes, you are correct, I should not use both of them at the same time, but ultimately Malwarebytes discovered some suspicious behavior on my PC and for that reason only I did not stop it, although ESET must be the main security product.

  • Most Valued Members
16 hours ago, Mohd said:

You mean: Advanced setup ==> Protections ==> Potentially unsafe applications

It was off by default. I have changed it to "Balanced" now.

That should do it, and there is also Potentially Unwanted Applications; enable them. If you want higher detections, you can go with aggressive reports and detections.

You can keep MBAM as a second-opinion scanner, without the real-time parts being active, just a scanner when you need it. As itman said, it will cause conflicts. It doesn't matter which one you want to keep; in the end it's your own opinion and thought of which proves to be better for your usage, but only one real-time protection should be active at a time, otherwise it would conflict and cause problems and maybe blue screen crashes.

Edited by Nightowl

12 hours ago, Nightowl said:

That should do it, and there is also Potentially Unwanted Applications; enable them. If you want higher detections, you can go with aggressive reports and detections.

You can keep MBAM as a second-opinion scanner, without the real-time parts being active, just a scanner when you need it. As itman said, it will cause conflicts. It doesn't matter which one you want to keep; in the end it's your own opinion and thought of which proves to be better for your usage, but only one real-time protection should be active at a time, otherwise it would conflict and cause problems and maybe blue screen crashes.

I changed all of them to aggressive, including what you said, but still ESET is not detecting the riskware.

You are right regarding enabling two malware protections at the same time. But MBAM is discovering that threat if I run it with real-time enabled. I think nothing will stop the malware if it's disabled.

I know no product provides 100% protection, but as I found this riskware with another product and I'm using ESET as my main protection product, I hope to find someone here to help with a proper solution.

  • Administrators
  • Solution

You could start Chrome without extensions as per the instructions here and see if the URL is still blocked. Even then the URL would be rather fishy than malicious, and it's questionable if it should be blocked or not, although there's no actual content but "Hello". We can try to block it as PUA for now and see what happens.

If you want, you can supply logs collected with ESET Log Collector for me to check what Chrome extensions you have installed.


28 minutes ago, Marcos said:

Even then the URL would be rather fishy than malicious, and it's questionable if it should be blocked or not, although there's no actual content but "Hello".

The concerns that are blacklisting the domain are doing so because it's a parked domain. Parked domains can be used for malicious purposes: https://unit42.paloaltonetworks.com/domain-parking/ .

In the OP's case, it appears he installed something that is using the domain in question to redirect to another one for possible malicious purposes.

Edited by itman

Here's Joe's Cloud Sandbox analysis of wtrxus.com: https://www.joesandbox.com/analysis/890578/0/html . It's definitely malicious.

The Chrome browser was used in the analysis, leading me to believe this only manifests using Chrome. It looks like upon access to the web site in Chrome, a second instance of Chrome is being spawned to perform malware activities. I assume this second instance of Chrome is a redirect.

-EDIT- I missed this one from Joe's analysis, although it was "staring me in the face." The domain is serving up a fake and assumed malicious Chrome update:

(screenshot: Eset_Parked.png)

When you mouse click on "Turn on autoupdate," you get nailed.

I also suspect that this activity only occurs via another malicious process. In other words, if you directly access wtrxus.com in Chrome, all you will observe is the "hello" display.

Edited by itman

As Marcos suggested, I uninstalled all extensions, not only started Chrome without extensions.

Now it looks like no more notifications about riskware are coming,

although I still don't know what this malware is doing on my PC and why most malware protectors are not considering it malware.

Thanks all of you for your help


2 hours ago, Mohd said:

Although I still don't know what this malware is doing on my PC and why most malware protectors are not considering it malware.

If you read the Palo Alto article I posted a link to, monitoring of parked domains for malware activity is "iffy" since it does produce false positive detections.

As far as browser extensions go: https://www.darkreading.com/cloud/study-more-than-half-of-browser-extensions-pose-security-risks .

Edited by itman

Correct.

Ultimately, extensions are another door for attackers. I have removed all the extensions and am not even thinking of using them again!

Thanks
