soctech, posted April 20 (edited)

ESET antivirus regularly blocks h%%ps://us.ck-ie.com for many users on corporate endpoint devices. It looks like the reason for the Web Protection block is this: certificate revocation of h%%ps://us.ck-ie.com, certificate authentication error. The website doesn't seem to do anything. When we run it in Any.Run and other sandboxes and browse forums, it has not been found to distribute malicious code. Can you help me understand why unrelated users browsing different websites (news, weather, lifestyle) are getting the same block? The websites have completely different content, are on different web hosting sites, and the users aren't clicking on ads. Reading the forums, many users are experiencing similar problems, but I have not found an answer as to why the browser triggers the automatic connection request to the mentioned page. Does anyone know the reason for this? Has anyone researched this phenomenon?
Marcos (Administrator), posted April 20

The SSL certificate used by the web server was indeed revoked: https://www.ssllabs.com/ssltest/analyze.html?d=us.ck-ie.com&s=8.2.110.97 (Revocation status: Revoked, INSECURE).
soctech (author), posted April 20

Thank you, Marcos. The question still remains as to why the auto-connect request to this page appears on the endpoint device.
itman, posted April 20 (edited)

1 hour ago, soctech said: "Thank you, Marcos. The question still remains as to why the auto-connect request to this page appears on the endpoint device."

Others are having the same redirect issue: https://www.reddit.com/r/computerhelp/comments/1c15l3o/avg_antivirus_says_my_computer_has_been/ . It appears no one has been able to figure out what is causing the redirection.
soctech (author), posted April 20

I found it in the category of promotional cookies listed by some commercial websites:

Name: CID
Purpose: Used by Adriver to deliver targeted ads to a user based on their browsing habits
Provider: .us.ck-ie.com
Service: Adriver
Country: United States
Type: server_cookie
Expires in: 7 days

This cookie is used for gathering data on how visitors use the website. Adriver is a Russian operator of an Internet advertising management and control system. I found an article that deals with this service provider and others; see https://adalytics.io/blog/adtech-not-checking-user-tcf-consent and look for the section "Belgian user visits euronews.com". You get a nice little chain of how websites synchronise cookies with a number of third-party data brokers and ad tech providers without the user's permission. Had the SSL certificate used by the us.ck-ie.com web server not been revoked, and had ESET not alerted us, we would not have noticed the illegal data exchange going on in the background without the user's knowledge.
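The "chain" soctech refers to is cookie syncing: an ad-tech host sets its own user-ID cookie, then answers with a 302 that sends the browser on to a partner host with that ID in the query string, so the partner can map it to its own cookie; the browser "auto-connects" to hosts the user never typed. The script below is an added example written for this page, not code from the thread, from ESET or from the Adalytics article. It walks a redirect chain out of a capture and flags every hop where a cookie value set by one site shows up as a query parameter on a request to a different site. Every host, path and cookie value in CAPTURE is constructed (no traffic from us.ck-ie.com or any real site was used), and the registrable-domain helper is a deliberate simplification that uses the last two host labels instead of the Public Suffix List.

```python
"""Spot cookie-sync hops in a captured redirect chain.

CAPTURE is CONSTRUCTED for this example: hosts, paths, status codes and
cookie values are invented. The shape mirrors what a proxy log or HAR
export gives you: one record per HTTP exchange, in request order.
"""
from urllib.parse import urlsplit, parse_qsl

CAPTURE = [
    # first-party page the user actually visited
    {"url": "https://news.example/article", "status": 200,
     "set_cookie": [], "location": None},
    # ad pixel embedded in the page: sets A's ID cookie, redirects to partner A
    {"url": "https://ads.example/pixel?site=news.example", "status": 302,
     "set_cookie": ["uid=abc123; Path=/; Domain=.ads.example"],
     "location": "https://sync.partner-a.example/match?ads_uid=abc123"},
    # partner A receives A's ID in the query, sets its own ID, redirects to B
    {"url": "https://sync.partner-a.example/match?ads_uid=abc123", "status": 302,
     "set_cookie": ["pid=p-777; Path=/"],
     "location": "https://tracker.partner-b.example/s?pa=p-777&u=abc123"},
    # partner B receives both IDs and sets a third one
    {"url": "https://tracker.partner-b.example/s?pa=p-777&u=abc123", "status": 200,
     "set_cookie": ["tid=zzz; Path=/"], "location": None},
    # ordinary first-party asset, should not be flagged
    {"url": "https://cdn.news.example/app.js", "status": 200,
     "set_cookie": [], "location": None},
]


def site_of(url):
    """Approximate the registrable domain with the last two host labels.
    Simplification: no Public Suffix List, so 'shop.example.co.uk' would
    wrongly collapse to 'co.uk'. Good enough for the constructed capture."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_name_value(set_cookie_header):
    """Return (name, value) from a Set-Cookie header, dropping attributes."""
    pair = set_cookie_header.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def follow_chain(records, start_url):
    """Walk Location hops from start_url; returns the ordered URL sequence.
    Stops at a response without Location or if the chain loops."""
    by_url = {r["url"]: r for r in records}
    chain, url = [], start_url
    while url and url in by_url and url not in chain:
        chain.append(url)
        url = by_url[url]["location"]
    return chain


def third_party_sites(records, first_party_url):
    """Every site contacted other than the one the user navigated to."""
    first_party = site_of(first_party_url)
    return sorted({site_of(r["url"]) for r in records} - {first_party})


def find_syncs(records):
    """Flag requests whose query string carries a cookie value that a
    *different* site set earlier in the capture. Returns
    (site_that_set_cookie, cookie_name, receiving_site, query_param)."""
    seen = {}   # cookie value -> (site that set it, cookie name)
    syncs = []
    for rec in records:
        target = site_of(rec["url"])
        for param, value in parse_qsl(urlsplit(rec["url"]).query):
            if value in seen and seen[value][0] != target:
                src_site, cookie_name = seen[value]
                syncs.append((src_site, cookie_name, target, param))
        for header in rec["set_cookie"]:
            name, value = cookie_name_value(header)
            if value:   # skip empty/deleted cookies, they would match anything
                seen[value] = (target, name)
    return syncs


if __name__ == "__main__":
    print("redirect chain:", " -> ".join(follow_chain(CAPTURE, CAPTURE[1]["url"])))
    print("third parties contacted:", third_party_sites(CAPTURE, CAPTURE[0]["url"]))
    for src_site, cookie_name, target, param in find_syncs(CAPTURE):
        print(f"{src_site} cookie {cookie_name!r} forwarded to {target} as ?{param}=")
```

On the constructed capture the script reports three syncs: ads.example's `uid` handed to partner-a.example, partner-a.example's `pid` handed to partner-b.example, and ads.example's `uid` handed on again to partner-b.example. Against a real HAR export the same logic explains the pattern in the thread: the first-party site differs per user, but the pixel's redirect chain converges on the same third-party hosts, so every endpoint ends up connecting to the one host whose certificate was revoked.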