
False Positive?



7 hours ago, virus-checking said:

I am getting the same alert via Anydesk being flagged as the issue. Eset is blocking x2.c.lencr.org on the machine. I went to it earlier and it downloads a cert to your machine. 

That's what happened to me, I accidentally clicked on the link and tried to download something, although Firefox apparently stopped it by detecting it as malicious.


8 hours ago, itman said:

Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto-deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in your downloads folder.

It happened. This time Firefox did not detect the file as malicious and downloaded it, a white file of 299 bytes named qURnoJU9. What the hell is this? How can that URL download something to the computer? Is this dangerous?

[Attachment: File.jpg]



This is still happening to me. When I opened my laptop this morning I got the same pop-up that I got several times last night, saying that the URL x2.c... at IP address 104.97.44.70 had been blocked. If this is something ESET knows about, why is it still happening? And should I be concerned?

I updated my ESET program and will see if that fixes it. I also did a scan of my laptop and nothing was found.

[Attachment: ESET.JPG]

Edited by LH2023

I wonder if this issue has something to do with Let's Encrypt updating its "Chain of Trust" processing, which appears to be in progress and due to be completed by June 2024: https://letsencrypt.org/certificates/ ?

Depending on which Let's Encrypt CA relay server you're being directed to, Eset will throw an alert?


Thanks! That sounds like it might be a factor.

I'm going to keep an eye on it, but have no idea what triggers it on my computer. Maybe updating ESET did the trick - we'll see, but it is disconcerting to see that kind of pop up!

Will report back if I see it again.


Our business ran into this yesterday too. Apparently after ESET updates were processed the false positives stopped. As of this morning I can verify this when testing the Let's Encrypt URL. Definitely a mess for a while, since apparently lots of processes besides just standard interactive web browsing relied on the CRLs!


1 hour ago, itman said:

I wonder if this issue has something to do with Let's Encrypt updating its "Chain of Trust" processing, which appears to be in progress and due to be completed by June 2024: https://letsencrypt.org/certificates/ ?

Depending on which Let's Encrypt CA relay server you're being directed to, Eset will throw an alert?

Second time neither Firefox nor ESET stopped the download of the file from x2.c.lencr.org I mentioned above. It is a 299-byte file. Is it safe, or should I be worried about it?


39 minutes ago, AlSky said:

Second time neither Firefox nor ESET stopped the download of the file from x2.c.lencr.org I mentioned above. It is a 299-byte file. Is it safe, or should I be worried about it?

You shouldn't be attempting to access the URL via a browser.

The URL is accessed via the Windows svchost crypto service to download Let's Encrypt certs, cert statuses, etc. on a periodic basis.


3 hours ago, itman said:

You shouldn't be attempting to access the URL via a browser.

The URL is accessed via the Windows svchost crypto service to download Let's Encrypt certs, cert statuses, etc. on a periodic basis.

It was a mistake. I wanted to copy the link and accidentally clicked on it; it was not my intention to open it. Can that file contain malware, or is it harmless? Please answer with what you think. Thanks in advance.


20 minutes ago, AlSky said:

Please answer with what you think.

The file being downloaded is the current Let's Encrypt certificate revocation list; hence the small file size:

[Attachment: Eset_crl.png]

The file is safe.

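A practical way to settle what the downloaded file is, as an added example (not code from the thread, from ESET or from Let's Encrypt): a standard-library Python script that reads the DER structure of an X.509 certificate revocation list and reports its issuer, validity window, revoked-entry count and signature algorithm, and that flags a Windows executable (MZ header) or PEM text instead. The sample CRL in the block is constructed inside the script, with the hypothetical issuer "Example CA" and a dummy signature, so it runs offline; it is not the Let's Encrypt CRL. To inspect a real download, pass the file path, e.g. `python crlcheck.py qURnoJU9` (script name assumed; file name taken from the post above).

```python
"""Identify a small blob downloaded from a CRL URL (added example, stdlib only).

The sample CRL is CONSTRUCTED below (issuer "Example CA", no revoked entries,
dummy signature) so this runs offline; it is not the Let's Encrypt CRL from
x2.c.lencr.org. Run with a file path to inspect a real download.
"""
import sys
from datetime import datetime, timezone

OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
        "1.2.840.10045.4.3.3": "ecdsa-with-SHA384", "2.5.4.3": "CN"}

def tlv(tag, body):
    """DER tag-length-value; encoder only, so one long-form length byte suffices."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])   # the sample stays under 256 bytes
    return bytes([tag]) + ln + body

def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def build_sample_crl():
    """CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signature }"""
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + b"\x05\x00")
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Example CA"))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer                       # v2, sigalg, issuer
              + tlv(0x17, b"240523120000Z") + tlv(0x17, b"240602120000Z"))  # thisUpdate, nextUpdate
    sig = tlv(0x03, b"\x00" * 33)  # BIT STRING holding a dummy, unverifiable signature
    return tlv(0x30, tbs + alg + sig)

def parse_tlv(buf, pos=0):
    """Read one DER element; returns (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def decode_time(tag, val):  # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def describe(data):
    """Return {'kind': 'der-crl' | 'pe-executable' | 'pem' | 'unknown', ...fields}."""
    if data[:2] == b"MZ":
        return {"kind": "pe-executable"}
    if data.startswith(b"-----BEGIN"):
        return {"kind": "pem"}
    try:
        tag, body, end = parse_tlv(data)
        if tag != 0x30 or end != len(data):        # not one well-formed outer SEQUENCE
            return {"kind": "unknown"}
        (t_tbs, tbs), (t_alg, alg), (t_sig, _) = children(body)
        if (t_tbs, t_alg, t_sig) != (0x30, 0x30, 0x03):
            return {"kind": "unknown"}
        fl = children(tbs)
        version = fl[0][1][0] + 1 if fl[0][0] == 0x02 else 1   # INTEGER 1 means v2
        i = 1 if version > 1 else 0                           # skip the optional version
        issuer, this_update = fl[i + 1][1], decode_time(*fl[i + 2])
        rest, next_update = fl[i + 3:], None
        if rest and rest[0][0] in (0x17, 0x18):
            next_update, rest = decode_time(*rest[0]), rest[1:]
        revoked = len(children(rest[0][1])) if rest and rest[0][0] == 0x30 else 0
        rdns = []
        for _, rdn in children(issuer):                       # Name: SEQUENCE OF SET OF ATV
            for _, atv in children(rdn):
                (_, o), (_, v) = children(atv)
                rdns.append(f"{OIDS.get(decode_oid(o), decode_oid(o))}={v.decode()}")
        sig_oid = decode_oid(children(alg)[0][1])
        return {"kind": "der-crl", "version": version, "issuer": ",".join(rdns),
                "this_update": this_update, "next_update": next_update,
                "revoked": revoked, "signature_algorithm": OIDS.get(sig_oid, sig_oid)}
    except (IndexError, ValueError, UnicodeDecodeError):
        return {"kind": "unknown"}

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_crl()
    print(f"{len(blob)} bytes ->", describe(blob))
```

The script only identifies structure; it does not verify the signature, so a CRL that parses cleanly is still only as trustworthy as the chain it is checked against. On Windows the built-in parser gives the same fields with `certutil -dump <file>`, and `certutil -urlcache crl` lists the CRL URLs the crypto service has cached, which is where a fetch of x2.c.lencr.org by svchost would show up.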

3 hours ago, itman said:

The file being downloaded is the current Let's Encrypt certificate revocation list; hence the small file size:

[Attachment: Eset_crl.png]

The file is safe.

Thank you very much, @itman. Best regards.



Hello. Today Virustotal.com keeps marking x2.c.lencr.org as suspected of loading the StealC and Lumma infostealers: https://www.virustotal.com/gui/url/d85ffc694e555ad7935df30fb361c401f747ebdf194596327df3e5e12b521fe0/detection

Yesterday they considered it safe (CLEAN); today no longer, as seen in the screenshot.

Is that something we should worry about?

You don't feel safe without knowing whether there is any malware capable of stealing information (passwords, etc.) on your computer.

[Attachment: Virustoatl.jpg]

Edited by AlSky

4 hours ago, AlSky said:

Hello. Today Virustotal.com keeps marking x2.c.lencr.org as suspected of loading the StealC and Lumma infostealers: https://www.virustotal.com/gui/url/d85ffc694e555ad7935df30fb361c401f747ebdf194596327df3e5e12b521fe0/detection

Refer to the Comments section in the VT analysis; specifically the three Joe's Sandbox scans performed 22 hours ago. Only one scan received a suspicious verdict. Finally, note that the scans referenced not just x2.c.lencr.org but also google.com. If you're going to be obsessive over this, you should be worried about google.com based stuff.

You can't pick up an infostealer by just being redirected to a web site hosting one. Something has to be downloaded and installed on the device.


1 hour ago, itman said:

Refer to the Comments section in the VT analysis; specifically the three Joe's Sandbox scans performed 22 hours ago. Only one scan received a suspicious verdict. Finally, note that the scans referenced not just x2.c.lencr.org but also google.com. If you're going to be obsessive over this, you should be worried about google.com based stuff.

You can't pick up an infostealer by just being redirected to a web site hosting one. Something has to be downloaded and installed on the device.

Hello @itman, thank you so much for answering.

That is exactly what worries me: the first time, Firefox blocked the download of a file, giving me the options to continue the download or delete the file without completing the download (I chose the latter), but the second time neither Firefox nor ESET blocked it and a 299-byte file ended up in my "My Downloads" folder, as I showed in a screenshot. In short, something was downloaded to my computer and I don't know whether that something was harmless or not. That's what worries me.

What do you think? Thanks in advance.


18 minutes ago, AlSky said:

In short, something was downloaded to my computer and I don't know if that something was harmless or not. That's what worries me.

What do you think? Thanks in advance.

I already answered this question: https://forum.eset.com/topic/41085-false-positive/?do=findComment&comment=184665



Based on @Marcos prior comments on this incident, here's what I believe happened.

One or more Akamai backbone servers got hacked. They just happened to be hosting Let's Encrypt cert downloads. Akamai responded quickly and mitigated the issue.

Bottom line - the issue is not directly related to Let's Encrypt but rather to Akamai.

Edited by itman

3 hours ago, itman said:

Based on @Marcos prior comments on this incident, here's what I believe happened.

One or more Akamai backbone servers got hacked. They just happened to be hosting Let's Encrypt cert downloads. Akamai responded quickly and mitigated the issue.

Bottom line - the issue is not directly related to Let's Encrypt but rather to Akamai.

Thanks a lot, @itman. How do you have Firefox configured? My file downloads don't give me options to choose from, except when, like on May 22, a file was detected as malicious, or if the website tries to automatically download a file. Under normal conditions, if I click on a download link, the file is downloaded without asking whether I want to continue with the download or not. That's why on May 23rd Firefox no longer gave me a choice; it just downloaded it.

English is not my mother tongue, so I have some difficulties expressing myself or understanding technical issues in this language. Should I understand that the hacking of an Akamai server hosting Let's Encrypt certificates did not affect the certificates themselves, and that there is no danger even if these certificates could be downloaded to computers?

Thank you in advance.


15 minutes ago, AlSky said:

How do you have Firefox configured? My file downloads don't give me options to choose

Open Firefox Settings. Under General settings, first enable the following setting:

[Attachment: FF_1.png]

Next, enable the following setting:

[Attachment: FF_2.png]


20 minutes ago, AlSky said:

Should I understand that the hacking of an Akamai server hosting Let's Encrypt certificates did not affect the certificates themselves and there is no danger even if these certificates could be downloaded to computers?

Eset blocked the download as evidenced by the alert received.

Next, the Let's Encrypt URL involved appears to download only its cert revocation list. It is periodically re-downloaded during the day. As such, the next download after the incident was mitigated would have replaced the prior download.


1 minute ago, itman said:

Eset blocked the download as evidenced by the alert received.

Next, the Let's Encrypt URL involved appears to download only its cert revocation list. It is periodically re-downloaded during the day. As such, the next download after the incident was mitigated would have replaced the prior download.

Thank you very much, @itman. My settings on Firefox were different; now I have changed them for more safety. So I understand that certificates like the one I downloaded couldn't be affected by any kind of malware, right?

Thanks in advance.


Just now, AlSky said:

So I understand that certificates like the one I downloaded couldn't be affected by any kind of malware, right?

Yes.


I remember one time I had a similar issue where the same URL kept triggering alerts, just like in your case. It was like my computer was stuck in a loop of annoyance, and no matter what I tried, the alerts just kept coming.


On 5/29/2024 at 2:40 PM, StevenWright said:

I remember one time I had a similar issue where the same URL kept triggering alerts, just like in your case. It was like my computer was stuck in a loop of annoyance, and no matter what I tried, the alerts just kept coming.

After some trial and error, I decided to clear out the cache and history in Firefox, hoping it would do the trick. And you know what? It actually seemed to work! No more alerts popping up every time I opened my browser. It was like a breath of fresh air.

But hey, if you're still dealing with those pesky alerts, maybe give a malware analysis VM a shot. I've heard they can be pretty handy in situations like this, helping to pinpoint any underlying issues causing the trouble.

Edited by StevenWright
