Mohd, Posted August 20, 2023
Hello, recently I installed ESET Smart Security Premium and another malware remover. ESET did not detect any threat, but the malware remover is blocking a riskware trying to communicate with an outside server (outbound). It's annoying me, but this message keeps appearing, showing the IP address including the port number and the application used. Unfortunately, I'm not able to attach the message here! However, I'm communicating with them and waiting for their analysis. My question is, ESET Smart Security is supposed to provide full protection, isn't it? Why did it not detect such riskware? Is there any tool provided by ESET that detects or protects against the above riskware? Thanks
Marcos (Administrator), Posted August 20, 2023
Without knowing more details about what the other software blocked, it's impossible to tell if the block is legitimate or a false positive.
itman, Posted August 20, 2023
1 hour ago, Mohd said: "ESET did not detect any threat, but the malware remover is blocking a riskware trying to communicate with an outside server (outbound)."
What is the name of the other malware remover you installed?
Nightowl (Most Valued Member), Posted August 20, 2023
1 hour ago, Mohd said: (quoting the opening post in full)
I have a question apart from the other replies. Did you turn on detection of unwanted and unsafe applications?
Mohd (Author), Posted August 20, 2023
Marcos and itman, the log below may answer your questions.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/19/23
Protection Event Time: 9:20 PM
Log File: 25720e1e-3ebd-11ee-8287-005056c00001.json

-Software Information-
Version: 4.6.0.277
Components Version: 1.0.2114
Update Package Version: 1.0.74217
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1 , C:\Program Files\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain: wtrxus.com
IP Address: 147.182.140.228
Port: 443
Type: Outbound
File: C:\Program Files\Google\Chrome\Application\chrome.exe

(end)
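The log above is worth reading as data rather than as a verdict: the only thing Malwarebytes can report is the process that opened the socket, and when that process is a browser the real initiator is a page or an extension, not the binary. The following is an added example (not Malwarebytes or ESET code) that parses this "-Section-" / "Key: value" log format into fields an analyst can triage on and flags the browser-as-initiator case; the sample log is the one posted above, re-typed one field per line.

```python
"""Parse a Malwarebytes 'Protection Event' log block into structured fields.

Added example for this thread, not Malwarebytes or ESET code. The sample
below is the log posted above, re-typed one field per line.
"""
import re
from typing import Any, Dict

# Re-typed from the post above (the original was pasted as a single line).
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com
-Log Details-
Protection Event Date: 8/19/23
Protection Event Time: 9:20 PM
Log File: 25720e1e-3ebd-11ee-8287-005056c00001.json
-Software Information-
Version: 4.6.0.277
Components Version: 1.0.2114
Update Package Version: 1.0.74217
License: Trial
-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: System
-Blocked Website Details-
Malicious Website: 1 , C:\Program Files\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,
-Website Data-
Category: RiskWare
Domain: wtrxus.com
IP Address: 147.182.140.228
Port: 443
Type: Outbound
File: C:\Program Files\Google\Chrome\Application\chrome.exe
(end)"""

# Processes whose outbound connections are normally made on behalf of a
# web page or an extension, so the 'File' field alone does not identify
# the real initiator. (Assumed list, not from the page.)
BROWSER_EXES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

SECTION_RE = re.compile(r"^-(.+)-$")


def parse_mbam_protection_event(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {field: value}} for a '-Section-' / 'Key: value' log."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        if current is None:
            continue  # banner lines before the first section header
        # Split on the first colon only: 'Protection Event Time: 9:20 PM'
        key, sep, value = line.partition(":")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def summarize_block(sections: Dict[str, Dict[str, str]]) -> Dict[str, Any]:
    """Extract the fields an analyst needs to triage an outbound block."""
    data = sections.get("Website Data", {})
    path = data.get("File", "")
    process = re.split(r"[\\/]", path)[-1].lower()
    port_text = data.get("Port", "")
    return {
        "process": process,
        "process_path": path,
        "domain": data.get("Domain", ""),
        "ip": data.get("IP Address", ""),
        "port": int(port_text) if port_text.isdigit() else None,
        "direction": data.get("Type", ""),
        "category": data.get("Category", ""),
        # A browser opening the socket means a page or extension chose the
        # destination; the next step is the browser profile, not chrome.exe.
        "initiator_is_browser": process in BROWSER_EXES,
    }


if __name__ == "__main__":
    summary = summarize_block(parse_mbam_protection_event(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key:>21}: {value}")
```

Run it on any pasted Malwarebytes protection event; when `initiator_is_browser` is true, the domain and port are the useful indicators and the process path is not.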
Mohd (Author), Posted August 20, 2023
1 hour ago, Nightowl said: "I have a question apart from the other replies. Did you turn on detection of unwanted and unsafe applications?"
You mean: Advanced setup ==> Protections ==> Potentially unsafe applications. It was off by default. I have changed it to "Balanced" now.
itman, Posted August 20, 2023
As far as MBAM's detection of wtrxus.com goes, it might be picking up that McAfee has blacklisted the domain: https://sitecheck.sucuri.net/results/wtrxus.com . Also, no one is detecting anything malicious with the IP address associated with wtrxus.com. At this point, I would say MBAM is giving a false positive detection. Finally, if you are running MBAM in real-time mode, you shouldn't be, since it can potentially interfere with ESET's real-time scanning.
-EDIT- Quttera has also blacklisted the web site: https://quttera.com/detailed_report/wtrxus.com# although no reason is given as to why. Also on VirusTotal, 6 vendors including Kaspersky rate the domain malicious: https://www.virustotal.com/gui/domain/wtrxus.com. It looks like alphaMountain.ai is the one rating the site as malicious.
Edited August 20, 2023 by itman
Mohd (Author), Posted August 20, 2023
I read a lot about wtrxus.com; most give it a low rating and it looks like a safe domain, but some treat it as a malicious domain. From its behavior I believe wtrxus.com is a malicious domain, as the Malwarebytes popup notification is appearing almost every minute (blocking something from communicating with the outside). Yes, you are correct that I should not use both of them at the same time, but ultimately Malwarebytes discovered some suspicious behavior on my PC, and for that reason only I did not stop it, although ESET must be the main security product.
Nightowl (Most Valued Member), Posted August 21, 2023
16 hours ago, Mohd said: "You mean: Advanced setup ==> Protections ==> Potentially unsafe applications. It was off by default. I have changed it to "Balanced" now."
That should do it. There is also Potentially Unwanted Applications; enable them. If you want higher detections, you can go with aggressive reporting and detection. You can keep MBAM as a second-opinion scanner, without the real-time parts being active, just a scanner when you need it. As itman said, it will cause conflicts. It doesn't matter which one you want to keep; in the end it's your own opinion and thought as to which proves to be better for your usage, but only one real-time protection should be active at a time, otherwise they would conflict and cause problems and maybe blue screen crashes.
Edited August 21, 2023 by Nightowl
Mohd (Author), Posted August 21, 2023
12 hours ago, Nightowl said: (quoting the previous post in full)
I changed all of them to aggressive, including what you said, but ESET is still not detecting the riskware. You are right about enabling two malware protections at the same time. But MBAM only discovers that threat if I run with real-time enabled; I think nothing will stop the malware if it's disabled. I know no product provides 100% protection, but as I found this riskware with another product and I'm using ESET as the main protection product, I hope to find someone here to help with a proper solution.
Marcos (Administrator), Solution, Posted August 21, 2023
You could start Chrome without extensions as per the instructions here and see if the URL is still blocked. Even then, the URL would be rather fishy than malicious, and it's questionable whether it should be blocked or not, although there's no actual content but "Hello". We can try to block it as PUA for now and see what happens. If you want, you can supply logs collected with ESET Log Collector for me to check what Chrome extensions you have installed.
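Starting Chrome without extensions tells you whether an extension is the initiator; the next thing a practitioner wants is a list of which extensions could be. The following is an added example (not ESET's Log Collector and not part of this thread) that walks a Chrome profile's `Extensions` directory, reads each `manifest.json`, and reports the two signals worth looking at first: whether the extension holds host access to every site (MV3 `host_permissions`, MV2 host patterns inside `permissions`, and `content_scripts` matches) and whether it was installed from the Chrome Web Store (store installs carry the `clients2.google.com` `update_url`). The sample profile it builds is constructed in a temporary directory; the extension IDs and names in it are made up. On Windows the real default profile is `%LOCALAPPDATA%\Google\Chrome\User Data\Default`.

```python
"""Audit the extensions in a Chrome profile directory.

Added example for this thread, not ESET or Google code. The sample profile
built by build_sample_profile() is constructed; its IDs and names are fake.
"""
import json
import os
import tempfile
from typing import Any, Dict, List, Set

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest: Dict[str, Any]) -> Set[str]:
    """Collect every host match pattern the manifest asks for."""
    patterns: Set[str] = set()
    # MV3 keeps hosts in host_permissions; MV2 mixes them into permissions.
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.add(entry)
    # Content scripts get injected into whatever their 'matches' cover.
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def _is_broad(pattern: str) -> bool:
    return pattern in BROAD_HOST_PATTERNS or pattern.endswith("://*/*")


def audit_extensions(profile_dir: str) -> List[Dict[str, Any]]:
    """Return one record per installed extension version found under the profile."""
    ext_root = os.path.join(profile_dir, "Extensions")
    results: List[Dict[str, Any]] = []
    if not os.path.isdir(ext_root):
        return results
    for ext_id in sorted(os.listdir(ext_root)):
        id_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(id_dir):
            continue
        for version_dir in sorted(os.listdir(id_dir)):
            manifest_path = os.path.join(id_dir, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            hosts = _host_patterns(manifest)
            results.append({
                "id": ext_id,
                "version": version_dir,
                # Store extensions often use a localized '__MSG_...__' name.
                "name": manifest.get("name", "?"),
                "manifest_version": manifest.get("manifest_version"),
                "hosts": sorted(hosts),
                "broad_host_access": any(_is_broad(h) for h in hosts),
                "has_background": "background" in manifest,
                "from_web_store": manifest.get("update_url") == WEBSTORE_UPDATE_URL,
            })
    return results


def build_sample_profile() -> str:
    """Write a constructed profile (fake IDs and names) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="chrome-profile-sample-")
    samples = {
        "a" * 32: {"name": "Sample Ad Blocker", "manifest_version": 3, "version": "1.0",
                   "update_url": WEBSTORE_UPDATE_URL, "host_permissions": ["<all_urls>"],
                   "background": {"service_worker": "bg.js"}},
        "b" * 32: {"name": "Sample Dictionary", "manifest_version": 3, "version": "2.1",
                   "update_url": WEBSTORE_UPDATE_URL, "permissions": ["storage"],
                   "host_permissions": ["https://example.com/*"]},
        "c" * 32: {"name": "Sideloaded Helper", "manifest_version": 2, "version": "0.3",
                   "permissions": ["tabs", "webRequest", "*://*/*"],
                   "background": {"scripts": ["bg.js"]}},
    }
    for ext_id, manifest in samples.items():
        ext_dir = os.path.join(root, "Extensions", ext_id, manifest["version"] + "_0")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for row in audit_extensions(build_sample_profile()):
        flag = "BROAD" if row["broad_host_access"] else "     "
        src = "store" if row["from_web_store"] else "SIDELOADED"
        print(f"{flag} {src:10} {row['id'][:8]} {row['name']} ({row['version']})")
```

Point `audit_extensions` at a real profile path to get the same records; an extension that is sideloaded, holds broad host access and has a background component is the first one to disable when a browser is beaconing to a domain the user never typed.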
itman, Posted August 21, 2023
28 minutes ago, Marcos said: "Even then, the URL would be rather fishy than malicious, and it's questionable whether it should be blocked or not, although there's no actual content but "Hello"."
The concerns that are blacklisting the domain are doing so because it's a parked domain. Parked domains can be used for malicious purposes: https://unit42.paloaltonetworks.com/domain-parking/ . In the OP's case, it appears he installed something that is using the domain in question to redirect to another one for possibly malicious purposes.
Edited August 21, 2023 by itman
itman, Posted August 21, 2023
Here's Joe's Cloud Sandbox analysis of wtrxus.com: https://www.joesandbox.com/analysis/890578/0/html . It's definitely malicious. The Chrome browser was used in the analysis, leading me to believe this only manifests using Chrome. It looks like upon access to the web site in Chrome, a second instance of Chrome is being spawned to perform malware activities. I assume this second instance of Chrome is a redirect.
-EDIT- I missed this one from Joe's analysis although it was "staring me in the face." The domain is serving up a fake and assumed malicious Chrome update; when you mouse click on "Turn on autoupdate," you get nailed. I also suspect that this activity only occurs via another malicious process. In other words, if you directly access wtrxus.com in Chrome, all you will observe is the "hello" display.
Edited August 22, 2023 by itman
Mohd (Author), Posted August 22, 2023
As Marcos suggested, I uninstalled all extensions, not only started Chrome without extensions. Now it looks like no more notifications about riskware are coming, although I still don't know what this malware is doing on my PC and why most malware protectors are not considering it malware. Thanks to all of you for your help.
itman, Posted August 22, 2023
2 hours ago, Mohd said: "Although I still don't know what this malware is doing on my PC and why most malware protectors are not considering it malware."
If you read the Palo Alto article I posted a link to, monitoring of parked domains for malware activity is "iffy" since it does produce false positive detections. As far as browser extensions go: https://www.darkreading.com/cloud/study-more-than-half-of-browser-extensions-pose-security-risks .
Edited August 22, 2023 by itman
Mohd (Author), Posted August 24, 2023
Correct. Ultimately, extensions are another door for attackers. I have removed all the extensions and am not even thinking of using them again! Thanks