Open GWD72 opened 1 week ago
Thanks for the heads up!
My best guess as to what's happening here is that Windows is scanning the list and recognizing that the list contains malicious domains - so it might think the list itself is malicious. I can assure you this is a false positive, as the list is simply a basic text file listing domains...
cc: @stamparm for comment & more details
OK! Thing is, I had to do an offline virus scan because whilst logged in, only 1 of 2 entries (simultaneously detected) could be "fully resolved".
I can still accept that it could be a false positive. The next problem for me then is that I cannot take a back-up of my settings to have other machines using the same settings/lists without spending much more time repeating the importation of block lists, other settings (of which there are a horrendous number in AdGuard Windows), copy/paste etc.
I could add that I use other anti-malware DNS block lists, which seem to cause no problems for me. And with that in mind, I will take a pass on the Maltrail.
It is a difficult call for me. I know MS AV products over-react for many reasons (some not actually relating to virus activity) but then again, there are many viruses targeting MS products out there. I have no choice but to err on the side of caution (once bitten, twice shy; not prepared to risk losing another HDD!).
For anyone else, I am using the entire list (of lists) kindly organised and made available by @celenityy and there are absolutely no issues in my usage case, other than this one!
Lots of malware detection signatures are simpletons based on dummy strings. In this case, the related malware signature contains the problematic malware domain. That's just a bunch of malicious domains listed in that .txt
as you are all probably aware
lots of malware detection signatures are simpletons based on dummy strings.
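An added illustration of the point stamparm makes above (not code from this thread or from the maltrail project): a naive string-signature scanner, like the one behind many AV rules, flags any file that merely contains a listed domain, and a bisection helper finds which line of a large plain-text list trips it without reading all 400,000 entries by hand. The sample list and the "signature" below are constructed for the example.

```python
"""Why a domain blocklist trips string-based AV rules, and how to isolate the entry."""
import re

# Constructed sample blocklist (NOT the real maltrail list); one domain per line,
# '#' starts a comment, as in common DNS block-list formats.
SAMPLE_LIST = """# constructed sample blocklist
ads.example.com
tracker.example.net
c2.malicious-sample.invalid   # constructed stand-in for a listed malware domain
update.example.org
"""

# Constructed stand-in for the string an AV signature matches on.
SAMPLE_SIGNATURES = ["malicious-sample.invalid"]

# RFC 1123-style hostname check: proves the entries are bare domain names,
# not executable content.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def parse_blocklist(text):
    """Return the lowercase domain entries, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def non_domain_entries(entries):
    """Entries that are not syntactically valid hostnames (should be empty)."""
    return [e for e in entries if not HOSTNAME_RE.match(e)]


def signature_hits(entries, signatures):
    """Plain substring match, the way a simplistic AV string rule works."""
    sigs = [s.lower() for s in signatures]
    return [(i, e, s) for i, e in enumerate(entries) for s in sigs if s in e]


def bisect_offenders(entries, is_flagged):
    """Split the list in halves until single flagged entries remain.

    is_flagged(subset) -> bool stands in for 'write subset to a file and scan it';
    here a substring scanner is used so the example runs offline.
    """
    if not entries or not is_flagged(entries):
        return []
    if len(entries) == 1:
        return list(entries)
    mid = len(entries) // 2
    return bisect_offenders(entries[:mid], is_flagged) + bisect_offenders(entries[mid:], is_flagged)
```

In practice the predicate passed to `bisect_offenders` would write the subset to disk and ask the scanner whether that file is flagged, so the culprit is found in about log2(N) scans.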
@stamparm, sure, lots of false positives to be had. Probably as many as actual trojans. There are >400,000 entries in that .txt file you publish. Perhaps that is why no one knows what is in there but you. Personally, I will stick with other malware domain block-lists that don't require offline virus removal efforts. Kind of surprised at the casual hand-waving and lack of seriousness in the response, but it is what it is, so, since nothing is happening here, this issue can be "closed".
1) There are >400,000 entries in that .txt file you publish. Perhaps that is why no one knows what is in there but you.
<- please, i sincerely apologize for not explaining each of those entries. also, i thought that the naming maltrail-malware-domains.txt is self-explanatory, but it seems that i was wrong
2) Kind of surprised at the casual hand-waiving and lack of seriousness in the response
<- of course. So, basically, you would like me to go through each of those >400,000 entries to find the problematic one? I mean, that sounds kind of rude to ask IMHO. I'll just ignore these kinds of requests in future
So this issue is pertaining to: Maltrail Malware Domains: https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt
Adding it to AdGuard Windows, and then saving the program settings for export, triggers a Win11 anti-virus alert for "Trojan:Win32/WinLNK.CJ!MTB". The location points directly to:
C:\Windows\SystemTemp\Adguard\.....\Filters\100032.txt.
To find the offending URL, after adding many, I narrowed it down to this one. Removing it, and saving the program settings via the export settings function, did not trigger the Win11 AV response. Re-adding it did.
I'm not an expert, and so I admit freely, it could be a false negative, or it could be, considering the nature of the URL itself, that there is something more innocent going on with it. But for now anyway, I will not be using it. I bring it to attention here because it is only here that I found that link to use. Previously added to AdGuard Home in Linux (without issue), but I've now removed it from use (even if it will not infect a Linux box).