Not sure why Malwarebytes Browser Guard keeps blocking the webGUI
-
Not sure if this is the correct place to post.
However, has anyone dealt with Malwarebytes Browser Guard blocking the webGUI because it thinks it has malware? I have sent it to Malwarebytes but they are investigating. It only happens when using the IP (from what I can tell, the 5.1 in the IP is being detected in their database). If I use the hostname.domain to access it, Browser Guard doesn't detect anything. Other ones like Emsisoft and AdGuard don't flag it (just used them for testing). From what I have been able to find in the documentation and any related posts here, it is most likely a false positive on the LAN-side IP, and it is very rare to have malware on the Netgate device itself. It appears to be since their last update.
I know the self-signed cert is always going to stop and warn on Chrome and other browsers, since that is right in the documentation. Chrome itself doesn't flag it as anything other than this when no browser guards are active; they are only used as layered protection beyond the endpoint protection of Malwarebytes, which itself doesn't block with its built-in web protection, because we have dumb users and the bosses feel better this way.
I'm assuming that since it only detects when using the IP versus the hostname.domain it's really a false ID on their end. Or am I wrong?
-
@bobsoul-0 said in Not sure why Malwarebytes Browser Guard keeps blocking the webGUI:
Malwarebytes Browser Guard blocking the webGUI because it thinks it has malware.
The self-signed certificate comes to mind.
Try changing the GUI to HTTP (System->Advanced) and see if it still argues. If it doesn't, then it's definitely the certificate and you should find out how to bypass that check.
-
Thanks. So far I have just been using the hostname.domain:port to access it and it has no issues. My other 4 Netgates don't have the issue because they all have different LAN-side IPs, of course.
From the logs on Malwarebytes it shows a hit on the 5.1 in the LAN-side IP.
I'll try changing the GUI to HTTP (I am assuming this is an on-the-fly change and I don't have to reset the states etc. I have active users and services running; that is the only reason). I had not done it earlier since the other three don't flag, only this one with the 5.1 LAN-side IP.
-
It's not the self-signed cert; it appears to be the LAN-side IP having the 5.1 in its address that's tripping it. I tested 2 other Netgate routers of the same make, model, software version etc. (actually all bought and set up last month at the same time) on the same PC, since the other three are connected via IPsec tunnels so I could test that fast. They work fine and don't trip Browser Guard up. They have 2.2 and 3.2 as their last two numbers versus the 5.1, which appears to be causing the issue. The workaround so far is to either allow it in Malwarebytes Browser Guard or use the hostname.domainname:port to access it instead of using the IP, until Malwarebytes fixes it.
I guess my biggest paranoid issue is that this is not actually a malware infection on the Netgate device itself. (I did do a reboot and restored a config backup from last week to test that it wasn't something I messed up.)
-
@bobsoul-0 said in Not sure why Malwarebytes Browser Guard keeps blocking the webGUI:
I guess my biggest paranoid issue is that this is not actually a malware infection on the Netgate device itself. (I did do a reboot and restored a config backup from last week to test that it wasn't something I messed up.)
Unlikely to be the case, but you can request a fresh image and restore from your config to see if that makes a difference.
-
@bobsoul-0 said in Not sure why Malwarebytes Browser Guard keeps blocking the webGUI:
I'll try changing the GUI to HTTP (I am assuming this is an on-the-fly change and I don't have to reset the states etc. I have active users and services running; that is the only reason).
No, it just restarts nginx on port 80 instead of 443.
-
@rcoleman-netgate thanks for the replies. For the moment I have been able to either turn the browser extension off or use the hostname.domain to connect, which is my preferred workaround at the moment. Once I can try the other suggestion you gave I will. You did answer my main paranoia lol about the Netgate device actually being infected as an unlikely cause. My gut tells me it is a false ID in the Malwarebytes Browser Guard extension.
-
I'm convinced this is a false detection in Malwarebytes Browser Guard. It will detect even when on HTTP instead of HTTPS. If I use the hostname.domainname:port# instead of the IP it connects, and it only seems to be the IP itself that is hitting a false match on the LAN side (the last numbers being 5.1 that the logs show being the match).
My thought on this is that the router isn't infected, as rcoleman mentioned was unlikely overall on the Netgate device, since using the hostname to connect would trigger that same block as the IP if it was. The fact it doesn't leads me to think it's a false ID.
I didn't try the new image and restore yet. This router is the only one running this particular office live and I don't have a clear window to take it down at the moment, only to find it detects again because of the IP being used.
And I need to brush up on terminal connection and install versus what I have normally done, running preinstalled devices and using the webGUI (I don't recall seeing an image restore from the GUI in the docs). Ultimately it's only the web browser extension that has the issue, not the endpoint detection software or other browser guards, so it's easy enough to disable on the browser as needed (or add to the allow list) till Malwarebytes corrects it, which on the Browser Guard side they are slow at, as opposed to the endpoint side, where they would have fixed it already.
-
Solved: false positive verified by Malwarebytes -
This was due to a database that dynamically applies new patterns in the wild to proactively block emerging threats and was obviously an FP.
This should be resolved in the next database update (give it about 30 minutes).
https://forums.malwarebytes.com/topic/296960-false-positive-pfsense-router-webgui/#comment-1563675
It will not be that fast is my bet, but it is now confirmed and I can move on.
Hopefully this helps someone else as well. And thank you guys very much!! And for humoring me along the way :)