Malwarebytes blocking site

websnail
Printer VIP, Platinum Printer Member. Joined Oct 27, 2005. Messages: 3,661. Reaction score: 1,345. Points: 337. Location: South Yorks, UK. Printer model: Epson, Canon, HP... A "few".
Hi folks,

Sorry for being so very absent but well... life.. work... excuses. :idunno

Anyway, just a quick heads up. Popped in briefly.. or tried to... and found that Malwarebytes is blocking the PrinterKnowledge site as a potential malware host, indicating a Trojan. I've already run the site through VirusTotal and a few other malware scanners and they aren't providing any indicators that would back up the report, so it's difficult to know what's causing the alert.

Thought I'd just let you know so those in the hosting side, and those googling the issue, can find this and see what needs to be done to detect and/or remove the issue or false positive.

...

Anyway, still very much alive, family growing, life chaotic but, on balance, good. Y'all take care of yourselves..

Martin
 

stratman
Printer VIP, Platinum Printer Member. Joined Apr 19, 2007. Messages: 8,712. Reaction score: 7,163. Points: 393. Location: USA. Printer model: Canon MB5120, Pencil.
Did you receive a notification like this?

[Image: DOC-1040-1.png]


https://support.malwarebytes.com/hc...notification-from-Malwarebytes-for-Windows-v3

If so, could you screen capture it and post it?

The only potentially sensitive info is "Port" as this might inform of an open port on your machine, though in this case the Port is for an outbound attempt to open and use that particular port, not necessarily an already open port. Regardless, you can blank it or cover it up in the image using Paint before posting if you want.

The above link explains what this warning is about and what to do about it.
 

PeterBJ
Printer VIP, Platinum Printer Member. Joined Nov 27, 2010. Messages: 5,055. Reaction score: 4,896. Points: 373. Location: Copenhagen, Denmark. Printer model: Canon MP990.
I installed a trial version of MBAM Premium on a laptop and set the language to English. It blocks printerknowledge.com. Here is the pop-up notification:

[Image: Printerknowledge6.jpg]


I also made some screen shots from the MBAM program window. I can upload these if necessary.
 

stratman
@PeterBJ:

I wonder if the same warning occurs if you use a different internet browser such as Microsoft Edge, Chrome, etc?
 

stratman
First, our Union Jack friend websnail is on it with a query on the Malwarebyte forum. :thumbsup

https://forums.malwarebytes.com/topic/263834-printerknowledgecom-209182234131-trojan/


Second, websnail either has the worst luck for falling into error holes or he is great at finding them. (Glass half empty - half full.) :idunno

https://www.printerknowledge.com/threads/problem-notification-issues-and-emails.13665/


PrinterKnowledge.com IP address = 209.182.234.131

This IP address is out of Texas. Were the forum's servers always located in Texas?

IP address does not appear to be on any blacklists:

https://www.whatismyip.com/blacklist-check/
 

PeterBJ
The laptop has got Edge and Firefox, no other browsers installed. Trying to access printerknowledge.com in Edge produces a pop-up with the same text.
 

PeterBJ
According to the MBAM forum it looks to me like this post and/or this post cause the problem. The service tool st4904 might be infected.

I tried to open the link to the service tool from the first of the two posts and got this warning from AVG:

[Image: Printerknowledge7.jpg]


The Danish text means: Threat secured. We have securely disconnected www.printerknowledge.com because it was infected with URL:Blacklist. There might be more hidden threats! SCAN MY PC.

So to me it looks like MBAM is right and does a good job. I think the best thing is to remove the st4904.zip links and explain they were deleted because of malware.
 

PeterBJ
I still get the same pop-up warning. There were two occurrences of the st4904.zip link. It looks like the st4904 in this post also needs to be removed.
 

stratman
Quote: "Try it now..."

I was able to download the service tool after you posted to "try it now".

Quote: "service tool st4904"

Yes, this file is flagged by both my installed Norton 360 and a Malwarebytes free scan of the file saved on my hard drive.

May be a false positive, but Malwarebytes obviously relies on a blacklist to give such a fast response, i.e. Malwarebytes is not doing real-time scanning when you just try to navigate to the home page of a website.

Unless there is something else triggering MB?
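stratman's reasoning above (a host-level blocklist answering before any page content is scanned, which is also why PeterBJ saw the identical block from Edge and on the plain home page) can be illustrated with a small URL-reputation check. This is an added example, not Malwarebytes' code and not anything posted in the thread; the blocklist entries, the listing reasons and the offline DNS table are constructed for illustration, with only the domain and IP address taken from the posts above.

```python
"""Blocklist-style web protection check (added illustration, not vendor code).

Models the behaviour the thread observes: the destination host and its IP
are matched against reputation lists before any page is fetched, so every
path on the site is blocked in every browser, even when a single hosted
file was the reason for the listing. Lists and DNS data are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed reputation data. Domain and IP come from the thread; the
# listing reasons are assumptions made for this example only.
BLOCKED_DOMAINS = {
    "printerknowledge.com": "hosted file st4904.zip flagged as Trojan",
}
BLOCKED_IPS = {
    ipaddress.ip_address("209.182.234.131"): "IP shared with a listed domain",
}
BLOCKED_NETWORKS = {
    # TEST-NET-3 range, used here as a constructed "bad hosting" block.
    ipaddress.ip_network("203.0.113.0/24"): "constructed bad hosting range",
}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "printerknowledge.com": "209.182.234.131",
    "www.printerknowledge.com": "209.182.234.131",
    "example.org": "198.51.100.10",  # TEST-NET-2, constructed
}


@dataclass
class Verdict:
    blocked: bool
    reason: Optional[str] = None
    matched: Optional[str] = None  # which list entry fired, e.g. "domain:x"


def parent_domains(host):
    """Yield the host and each parent domain, excluding the bare TLD:
    www.a.com -> www.a.com, a.com."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def check_url(url, resolver=FAKE_DNS.get):
    """Return a Verdict for a URL using domain, IP and CIDR lists."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return Verdict(False, "no host in URL")

    # 1. Domain match, walking up to parents so a listed apex domain also
    #    catches every subdomain (and every path, since paths are ignored).
    for candidate in parent_domains(host):
        if candidate in BLOCKED_DOMAINS:
            return Verdict(True, BLOCKED_DOMAINS[candidate], f"domain:{candidate}")

    # 2. IP match: either the host is a literal address or we resolve it.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        resolved = resolver(host)
        if resolved is None:
            return Verdict(False, "unresolvable host; not on any list")
        ip = ipaddress.ip_address(resolved)

    if ip in BLOCKED_IPS:
        return Verdict(True, BLOCKED_IPS[ip], f"ip:{ip}")
    for net, reason in BLOCKED_NETWORKS.items():
        if ip in net:
            return Verdict(True, reason, f"net:{net}")
    return Verdict(False, "not on any list")


if __name__ == "__main__":
    for u in ("https://www.printerknowledge.com/", "http://209.182.234.131/x",
              "https://example.org/"):
        print(u, "->", check_url(u))
```

Because the match is made on the host and its address, the path is never consulted; removing the flagged file from the site does not lift the block until the list maintainer re-evaluates the domain, which matches PeterBJ still seeing the pop-up after the first link was removed.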
 