Page 1 of 3 (Results 1 to 10 of 27)
  1. #1
    Untangler
    Join Date
    Feb 2016
    Posts
    71

    Default Getting smashed with malware warnings from one address

    Hello, I am getting thousands of emails saying my wife's MacBook Pro has been blocked from a specific address ending in 1drv.com.

    I cannot find a terrific amount of detail online, but it appears to be OneDrive perhaps (she has OneDrive, as do I).

    We do not know why this has triggered Untangle. I am reluctant to whitelist it because we don't know what it is, and we have run Malwarebytes on her Mac with no issues detected. It started today and has just not given up!
    Last edited by garethsnaim; 02-10-2020 at 02:04 PM.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,542

    Default

    Post the email alert as it will have the reason.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,714

    Default

    Quote Originally Posted by garethsnaim View Post
    ...but it appears to be OneDrive perhaps (she has OneDrive, as do I).

    We do not know why this has triggered Untangle. I am reluctant to whitelist it because we don't know what it is, and we have run Malwarebytes on her Mac with no issues detected. It started today and has just not given up!
    Can you tell us the why?

    Definitely DO NOT whitelist this. That is how phishing works, it is made to look like something authentic.
    Although 1drv.com is categorized as "file storage" at OpenDNS, it redirects to the site below.

    Microsoft's official domain is onedrive.com

    It may be that a real website has been hacked.

    Take a look at what apps are running on the laptop, as well.

    This is from active web protection when clicking on a link, not a scan.
    Code:
    Malwarebytes
    -Blocked Website Details-
    Malicious Website: 1
    , C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0
    
    -Website Data-
    Category: Phishing
    Domain: login.live.com
    IP Address: 40.90.137.120
    Port: 51873
    Type: Outbound
    File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    login.live.com appears to be correct for a Microsoft account logon.

    It may also be that some service has it mis-categorized somehow. If so, this would be big enough that MS should get it fixed soon.
    Last edited by Jim.Alles; 02-10-2020 at 12:06 PM.

  4. #4
    Master Untangler Sam Graf's Avatar
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    932

    Default

    I wouldn't whitelist just yet either:

    [Attachment: Screenshot_2020-02-10 Report for 1drv com Norton Safe Web.png]

    That, however, doesn't solve your problem. With more information (as jcoffin noted) we might be able to help with that.

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,714

    Default

    What I am seeing is a database thing, from https://forums.malwarebytes.com/topi...omment-1361642

    Please don't remove updates or any other thing. We are working on fixing the database. These are FPs, nothing more.
    It started 3 hours ago, apparently.

    Yet, it is a coincidence, not related to O.P.
    Last edited by Jim.Alles; 02-10-2020 at 02:38 PM. Reason: additional information provided.
    If you think I got Grumpy

  7. #7
    Untangler
    Join Date
    Feb 2016
    Posts
    71

    Default

    Here is one of the 1,300 I deleted today.

    Sorry, not sure what Malwarebytes has to do with Untangle?

    Code:
    {
    "reason": "BLOCK_CATEGORY",
    "appName": "web_filter",
    "requestLine": "GET http://ixgbvg.sn.files.1drv.com/",
    "sessionEvent": {
    "entitled": true,
    "hostname": "xxxx",
    "CServerPort": 443,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": 47.6801,
    "localAddr": "/192.168.0.199",
    "SServerAddr": "/13.107.42.12",
    "remoteAddr": "/13.107.42.12",
    "serverIntf": 1,
    "CClientAddr": "/192.168.0.199",
    "serverCountry": "US",
    "sessionId": 103578989684727,
    "SClientAddr": "/xxxx",
    "clientCountry": "XL",
    "CClientPort": xxxx,
    "policyRuleId": 0,
    "timeStamp": "2020-02-10 15:44:09.293",
    "serverLongitude": -122.1206,
    "clientIntf": 2,
    "policyId": 1,
    "SClientPort": xxxxx,
    "bypassed": false,
    "SServerPort": 443,
    "CServerAddr": "/13.107.42.12",
    "tagsString": ""
    },
    "timeStamp": "2020-02-10 15:44:09.317",
    "flagged": true,
    "blocked": true,
    "category": "Malware Sites",
    "ruleId": 56,
    "categoryId": 56
    }

    This is an automated message sent because the event matched the configured
    Event Rules.
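
    Turning a flood like that into something you can act on, as an added example that is not code from the original post or from Untangle: the script below reads a log of these event-rule alerts (one JSON object per line; the sample alerts are constructed to match the fields shown above, not real captures), collapses them to one row per client, destination host and category, pulls the host out of requestLine, and checks whether every blocked host sits under a OneDrive delivery domain. The suffix list (1drv.com, onedrive.live.com, onedrive.com) is an assumption for the example. It does not tell you whether the file is malicious; it tells you which client and which hosts to look at, and it deliberately never produces a suffix to whitelist.

```python
"""Triage Untangle web_filter BLOCK_CATEGORY alert events (added example)."""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumption for this example: hosts under these suffixes are OneDrive
# file-delivery endpoints. Suffix match only, with a dot boundary, so that
# "evil1drv.com" or "1drv.com.attacker.example" never match.
ONEDRIVE_SUFFIXES = ("1drv.com", "onedrive.live.com", "onedrive.com")


def _event(client, host, category="Malware Sites", ts="2020-02-10 15:44:09.293"):
    """Build a constructed alert shaped like the Untangle event in the thread."""
    return {
        "reason": "BLOCK_CATEGORY",
        "appName": "web_filter",
        "requestLine": f"GET http://{host}/",
        "sessionEvent": {
            "localAddr": f"/{client}",
            "CClientAddr": f"/{client}",
            "CServerAddr": "/13.107.42.12",
            "CServerPort": 443,
            "protocolName": "TCP",
            "timeStamp": ts,
        },
        "flagged": True,
        "blocked": True,
        "category": category,
        "ruleId": 56,
        "categoryId": 56,
    }


# Constructed sample alerts: one Mac hammering per-file OneDrive hosts,
# plus a second client blocked on an unrelated (made-up) site.
SAMPLE_ALERTS = "\n".join(json.dumps(e) for e in [
    _event("192.168.0.199", "ixgbvg.sn.files.1drv.com"),
    _event("192.168.0.199", "ixgbvg.sn.files.1drv.com"),
    _event("192.168.0.199", "qp3zra.sn.files.1drv.com"),
    _event("192.168.0.42", "downloads.example.net"),
])


def parse_alert(line):
    """One alert is one JSON object per line in the (assumed) log layout."""
    return json.loads(line)


def request_host(event):
    """requestLine looks like 'GET http://host/' ; return the host part."""
    url = event["requestLine"].split()[1]
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def client_addr(event):
    """Untangle prefixes addresses with '/', strip it."""
    return event["sessionEvent"]["CClientAddr"].lstrip("/")


def is_onedrive_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ONEDRIVE_SUFFIXES)


def summarize(alert_lines):
    """Collapse the flood to a count per (client, host, category)."""
    counts = Counter()
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        ev = parse_alert(line)
        if ev.get("appName") != "web_filter" or not ev.get("blocked"):
            continue
        counts[(client_addr(ev), request_host(ev), ev["category"])] += 1
    return counts


def triage(alert_lines):
    """Per client: block count, distinct hosts, and whether all are OneDrive."""
    per_client = defaultdict(lambda: {"blocks": 0, "hosts": set()})
    for (client, host, _cat), n in summarize(alert_lines).items():
        per_client[client]["blocks"] += n
        per_client[client]["hosts"].add(host)
    report = {}
    for client, row in per_client.items():
        all_onedrive = all(is_onedrive_host(h) for h in row["hosts"])
        report[client] = {
            "blocks": row["blocks"],
            "hosts": sorted(row["hosts"]),
            "all_onedrive": all_onedrive,
            # Never whitelist the suffix; find the process on the client first.
            "action": ("identify the process on the client fetching these "
                       "OneDrive file URLs before allowing anything"
                       if all_onedrive else
                       "unknown blocked destination; investigate the host"),
        }
    return report


if __name__ == "__main__":
    for client, row in triage(SAMPLE_ALERTS).items():
        print(client, row["blocks"], row["hosts"], row["action"])
```

    The per-host counts matter: hostnames of the form <random>.sn.files.1drv.com look like per-file download endpoints, so one host repeated 1,300 times suggests a single stuck download retrying, while many different hosts suggest something pulling many files. Either way the next step is on the client, as the replies say: find the process making the request, not the filter rule that blocks it.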

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,714

    Default

    Information on what constitutes malware can be shared between the security firms, but I think what I picked up on with Malwarebytes was coincidence.

    Just like it might be 'coincidence' that a bad actor has something stored on MS OneDrive.

    At this point, I would take this at face value:
    something on that particular macbook pro machine is malware that is trying to phone home and download something worse.

    Have you rebooted it?
    Last edited by Jim.Alles; 02-10-2020 at 02:45 PM.

  9. #9
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,714

    Default

    This is what Untangle NGFW webfilter would be making that decision on:

    [Attachment 9859]

    Untangle FTW!
    Last edited by Jim.Alles; 02-10-2020 at 02:52 PM.

  10. #10
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,325

    Default

    http://whois.domaintools.com/13.107.42.12
    It's a Microsoft site.
    Whether Microsoft is malware or not is subjective :-lol
    The world is divided into 10 kinds of people, who know binary and those not
