Malware Block List (Malware Patrol) falsely identifying uBlock as trouble #2315
Comments
Chrome extension content is verified by hashes.
@lewisje on runtime as well or installation only?
Each time before the extension is launched I believe. You can find out by removing or adding something and see what happens when you enable the extension.
OK, I am satisfied that all is good with the extension itself. I also managed to contact Malware Patrol and let them know of the issue. Not sure how they will handle it.
Could you drag-n-drop here a screenshot of what ClamAV + Malware Patrol warns regarding uBO?
Here they say they use Extremeshok's clamav-unofficial-sigs, while ClamAV allows you to ignore/whitelist individual signatures.
This is an excerpt of the log with the relevant bits:
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt: MBL_1191716.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/mirror1.malwaredomains.com/files/justdomains: MBL_2730588.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000347.ldb: MBL_3307899.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000217.ldb: MBL_3233778.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Subresource Filter/Unindexed Rules/4/Filtering Rules: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Subresource Filter/Indexed Rules/10/4/Ruleset Data: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt: MBL_1191716.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/mirror1.malwaredomains.com/files/justdomains: MBL_2730588.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000067.ldb: MBL_3307899.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000022.ldb: MBL_3233778.UNOFFICIAL FOUND
so it could be that it is detecting domain strings in the database rather than uBlock itself, but I can't be sure.
It detected something in the malware lists and EasyList (which ship with uBO package). The other hits are because uBO will cache the remote content of these lists locally, so there are also hits for whatever files Chrome uses to save extension data (through It apparently also detects something in Chrome's own block lists. This confirms a false positive.
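Added example (not from this thread, uBlock Origin, ClamAV or Malware Patrol): a triage of a scan log like the one above that proposes a signature for ClamAV's `.ign2` ignore file only when every hit for it lies in a filter-list or extension-storage location, and sends anything else to manual review. The `LIST_PATHS` fragments, the function names, the last sample line, and the assumption that `.ign2` entries omit the `.UNOFFICIAL` suffix are this example's own.

```python
import re
from collections import defaultdict

# One clamscan hit per line: "<path>: <signature> FOUND"
HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Locations the thread identifies as filter lists or cached copies of them
# (assumed path fragments, chosen for this example).
LIST_PATHS = ("/assets/thirdparties/", "/Local Extension Settings/",
              "/Subresource Filter/")

# Three lines from the log in this thread plus one CONSTRUCTED line (the last)
# that reuses a signature outside any filter-list location.
SAMPLE_LOG = """\
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000347.ldb: MBL_3307899.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Subresource Filter/Unindexed Rules/4/Filtering Rules: MBL_4437670.UNOFFICIAL FOUND
/home/example/Downloads/setup.bin: MBL_3307899.UNOFFICIAL FOUND
"""

def parse_hits(log):
    """Map each signature name to the list of paths it matched."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits[m["sig"]].append(m["path"])
    return dict(hits)

def triage(log):
    """Split signatures into ignore candidates and ones needing review."""
    ignore, review = [], []
    for sig, paths in parse_hits(log).items():
        name = re.sub(r"\.UNOFFICIAL$", "", sig)  # assumed .ign2 naming
        # Ignoring a signature is global, so one hit elsewhere blocks it.
        only_lists = all(any(p in path for p in LIST_PATHS) for path in paths)
        (ignore if only_lists else review).append(name)
    return sorted(ignore), sorted(review)

def ign2_text(names):
    """Body of a ClamAV .ign2 ignore file: one signature name per line."""
    return "".join(f"{n}\n" for n in names)

if __name__ == "__main__":
    ignore, review = triage(SAMPLE_LOG)
    print("ignore candidates:", ignore)
    print("review by hand:", review)
```

The output of `ign2_text` is meant for a local `.ign2` file in the ClamAV database directory.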
I was running ClamAV on my Linux the other day and it spat a bunch of detections for an extension in Chrome, identified by this ID - cjpalhdlnbpafiamejdnhcphjbkeiagm. This comes from the filter at Malware Patrol. It might be a good idea to add another entry to the False Positive page.
I also tried to contact them, but their contact form is really not helpful. Maybe someone else has better luck.
I was also wondering if uBlock could be a vector for malware - meaning malware having integrated itself in my local uBlock after installation? I can't tell if uBlock is verified by Chrome in some way.