False Positive?

[itman 1,712]

This just started.

I open Firefox and immediately get two blocked URL detections for the same URL;

Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 3:56:32 PM;http://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;2600:1407:7400:d86::21cc;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC

Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 4:02:34 PM;http://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;23.44.77.91;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC

Later got another alert for the IPv6 address detection.

I cleared Firefox cache and history and so far no more alerts.

The IP address resolves to Akamai.

[matte 4]

Getting the same thing and is 99% a false positive. The domain is owned by Let's Encrypt and ESET seems to be the only provider reporting this as malicious as per VirusTotal

EDIT: Already gone from VirusTotal, probably fixed?

Edited May 22 by matte

[BlargBurger 0]

I just started getting those alerts as well. I wasn't connected to anything out of the ordinary. I looked it up, from what I've seen, the lencr.org domain belongs to 'Let's Encrypt'. Apparently they are a legitimate website that routinely distributes software certificates. I'm guessing it's just a false postive?

Edited May 22 by BlargBurger

[JoshMI 0]

Similar issue with 2 users after the modules updated today.

 

Time;URL;Status;Detection;Application;User;IP address;Hash
5/22/2024 1:20:07 PM;hxxp://x2.c.lencr.org;Blocked;Internal blacklist;C:\Windows\System32\svchost.exe;NT AUTHORITY\NETWORK SERVICE;104.71.213.90;E4E3F6BBAD17B41A42687B3D75ADE4A10B0870EC
 

[SalvationCode 0]

Hey guys, just created an account just to check if anyone else was also getting this. Glad to hear it's a false positive, quick Google search said the same but I wanted to be sure. This just started happening maybe 15-20 mins ago. 

[rawalanche 2]

Yep, same here. I've been shitting my pants wondering how did I get infected, because it's coming from svchost. Glad to see I'm not alone 🥺

[Marcos 5,154]

Well, the block was based on an actual malicious redirector on http://x2.c.lencr.org (it's not there any more) but we're investigating why this url was blacklisted as it shouldn't have been despite the malware detection.

[itman 1,712]

1 minute ago, Marcos said:

but we're investigating why this url was blacklisted

Appears to me the web site cert. is expired;

[denzilla 0]

8 minutes ago, rawalanche said:

Yep, same here. I've been shitting my pants wondering how did I get infected, because it's coming from svchost. Glad to see I'm not alone 🥺

lol, I got the same thing and it warned me at the exact moment I clicked on a UPS tracking link in a legit email from ATT. Got a total of 3 warnings, one of which happened after I closed the browser. People have been coming to me asking what the warning was about.

I also need fresh pants. 

[itman 1,712]

What I am wondering is if there is a hacked Win Update backbone server out there?

Edited May 22 by itman

[Marcos 5,154]

Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad

[jfksdt45245 0]

Just got the same thing and was really worried. It appeared without me even opening a new page in the browser so it was very strange.

Checked the eset report and saw it wasn't coming from browser but from svchost, I removed svchost's online access via tinywall but since it's a windows process I think it needs to remain online and bypasses firewall block?

What is the cause of this anyway? Why is svchost pinging this sort of address anyway, instead of a Microsoft addresses? Telemetry?

Is this something that just happened to all windows users or? Why is it the first time eset flags it?

Can Admins confirm it's safe? Or should we remain offline until more info

Edited May 22 by jfksdt45245

[Marcos 5,154]

You don't need to be concerned. C.lencr.org domain is used by Let's Encrypt certification authority that provides certificate revocation lists.

[denzilla 0]

6 minutes ago, Marcos said:

Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad

The first warning I got, I had chrome opened with Ublock Origin loaded. I have JavaScript disabled by default. The third time the warning appeared, I had no browser open. The logs show svchost for me as well.

Edited May 22 by denzilla

[AlSky 4]

7 minutes ago, Marcos said:

Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad

Good evening. I have the same problem, but I didn't even open Firefox, I just started the computer, I opened Telegram desktop and... voilà! Two messages saying that process C :\Windows\System32\svchost.exe; and the user NT AUTHORITY\Network service were attempting to access hxxp://x2.c.lencr.org and had been blocked. I closed everything, restarted the computer, without opening any program a new warning that ESET had blocked the process C :\Windows\System32\svchost.exe; and user NT AUTHORITY\Network service attempt and the  user from accessing http ://x2.c.lencr.org. I don't know whether to worry or not. Why is my computer trying to connect to that web site? Is infected by any malware? According to virustotal.com this web site is used to load StealC and Lumma Infostealers.

[itman 1,712]

1 minute ago, Marcos said:

C.lencr.org domain is used by Let's Encrypt certification authority that provides certificate revocation lists.

If a CA server is hacked, is that not a big deal? I say Let's Encrypt needs to take that server off-line.

[Marcos 5,154]

5 minutes ago, itman said:

If a CA server is hacked, is that not a big deal? I say Let's Encrypt needs to take that server off-line.

I don't know the exact purpose of the redirector that was there and pointing to a domain blocked by several other AV vendors. Unfortunately the url doesn't work any more so it's not possible to find out what was there in the past.

[jfksdt45245 0]

Re-enabled internet and it seems it is still happening, 2 new notification pop-ups. Why is svchost still pinging this address? Concerning.

[AlSky 4]

12 minutes ago, Marcos said:

I don't know the exact purpose of the redirector that was there and pointing to a domain blocked by several other AV vendors. Unfortunately the url doesn't work any more so it's not possible to find out what was there in the past.

Interesting what happened to me. I tried to edit my previous post so that the url was not visible as a link and, accidentally, I clicked on it. ESET didn't detect anything, but Firefox did, blocked the attempt to download a file from that link and gave me two options, complete the download or delete the file without ending the download (in the folder "My downloads" a 0-bit file had appeared). How is that possible? Did it really download something to my computer from that link?

[itman 1,712]

1 hour ago, jfksdt45245 said:

Re-enabled internet and it seems it is still happening, 2 new notification pop-ups. Why is svchost still pinging this address? Concerning.

You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.

[itman 1,712]

1 hour ago, AlSky said:

"My downloads" a 0-bit file had appeared). How is that possible? Did it really download something to my computer from that link?

Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in you downloads folder.

[virus-checking 0]

I am getting the same alert via Anydesk being flagged as the issue. Eset is blocking x2.c.lencr.org on the machine. I went to it earlier and it downloads a cert to your machine. 

[jfksdt45245 0]

21 minutes ago, itman said:

You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.

It was the same URL 3 times, there are 3 instances in the log with the same URL as reported here

The first was 2 hours 40 minutes ago, I think same time as everyone here got it too, I disconnected when it appeared

I re-enabled connection a bit after checking that thread and Marcos saying it was safe

It occurred again second and third time (one minute interval between the two) 1 hour 40 minutes ago when I made that post. Log shows different IP from the first time, but also point to Akamai

Other users in this thread have reported seeing it 3 times as well so perhaps me disconnecting/reconnecting caused a delay but didn't prevent the two other times from happening anyway, I don't know but it still happened one hour later

[AlSky 4]

8 hours ago, itman said:

You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.

Error, it wasn't the message I wanted to quote.
 

Edited May 23 by AlSky

[AlSky 4]

7 hours ago, itman said:

Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in you downloads folder.

Thank you so much for answering, @itman. I clicked on "delete the file without ending the download" since Firefox had warned me that it was a malicious file. The 0-bit file in the "My downloads" folder disappeared. Does that mean it couldn't download anything to my computer?

In any case, how can a url that supposedly no longer works attempt to download something to the computer? And how is it possible that yesterday our computers tried to connect to that url without our active participation and we received ESET alert messages blocking the connection? This is how some malware works.