I was running ClamAV on my Linux the other day and it spat a bunch of detections for an extension in Chrome, identified by this ID - cjpalhdlnbpafiamejdnhcphjbkeiagm. This comes from the filter at Malware Patrol. It might be a good idea to add another entry to the False Positive page.
I also tried to contact them, but their contact form is really not helpful. Maybe someone else has better luck.
I was also wondering if uBlock could be a vector for malware - meaning malware having integrated itself in my local uBlock after installation? I can't tell if uBlock is verified by Chrome in some way.
Chrome extension content is verified by hashes.
@lewisje on runtime as well or installation only?
Each time before the extension is launched I believe. You can find out by removing or adding something and see what happens when you enable the extension.
OK, I am satisfied that all is good with the extension itself. I also managed to contact Malware Patrol and let them know of the issue. Not sure how they will handle it.
Could you drag-n-drop here a screenshot of what ClamAV + Malware Patrol warns regarding uBO?
Here they say they use Extremeshok's clamav-unofficial-sigs, while ClamAV allows you to ignore/whitelist individual signatures.
This is an excerpt of the log with the relevant bits:
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt: MBL_1191716.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/mirror1.malwaredomains.com/files/justdomains: MBL_2730588.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000347.ldb: MBL_3307899.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000217.ldb: MBL_3233778.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Subresource Filter/Unindexed Rules/4/Filtering Rules: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Subresource Filter/Indexed Rules/10/4/Ruleset Data: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt: MBL_1191716.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt: MBL_4437670.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/mirror1.malwaredomains.com/files/justdomains: MBL_2730588.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000067.ldb: MBL_3307899.UNOFFICIAL FOUND
/home/gizdov/.config/google-chrome-back-ovfs/Profile 1/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000022.ldb: MBL_3233778.UNOFFICIAL FOUND
so it could be that it is detecting domain strings in the database rather than uBlock itself, but I can't be sure.
it could be that it is detecting domain strings in the database
It detected something in the malware lists and EasyList (which ship with uBO package). The other hits are because uBO will cache the remote content of these lists locally, so there are also hits for whatever files Chrome uses to save extension data (through chrome.storage.local API).
It apparently also detects something in Chrome's own block lists.
This confirms false positive.
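The triage the thread arrives at (signatures firing on domain strings inside plain-text filter lists bundled under the extension's `assets/thirdparties/` directory, plus Chrome's cached copies of the same lists) can be turned into a repeatable check. The POSIX shell script below is an added example, not code from the thread, from uBlock Origin or from ClamAV: it parses clamscan's `path: SIGNATURE FOUND` output lines, keeps only signatures that fired exclusively on bundled filter-list files, and writes them in ClamAV's `.ign2` format (one signature name per line) so they can be dropped into the database directory. Signatures that also hit files outside the filter-list paths (for example the `Local Extension Settings/*.ldb` cache files, or anything unrelated) are deliberately left out for manual review rather than auto-whitelisted. The sample log is constructed for the example and modelled on the paths shown above; the database directory and the `[a-p]+` extension-id pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage clamscan hits on uBO's bundled
# filter lists and emit a ClamAV .ign2 ignore list for signatures that fired
# ONLY on those lists. Assumes clamscan's "path: SIGNAME FOUND" line format.

# Constructed sample of clamscan output, modelled on the thread's log.
SAMPLE_LOG='/home/user/.config/google-chrome/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/easylist-downloads.adblockplus.org/easylist.txt: MBL_4437670.UNOFFICIAL FOUND
/home/user/.config/google-chrome/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.10.4_0/assets/thirdparties/www.malwaredomainlist.com/hostslist/hosts.txt: MBL_1191716.UNOFFICIAL FOUND
/home/user/.config/google-chrome/Default/Local Extension Settings/cjpalhdlnbpafiamejdnhcphjbkeiagm/000347.ldb: MBL_3307899.UNOFFICIAL FOUND
/home/user/Downloads/unknown.bin: MBL_9999999.UNOFFICIAL FOUND'

# filter_list_sigs LOGTEXT
# Prints, sorted, the signature names that fired only on files under an
# extension's assets/thirdparties/ directory (the bundled filter lists).
# A signature that also fired anywhere else is excluded for manual review.
filter_list_sigs() {
    printf '%s\n' "$1" |
    awk '
        / FOUND$/ {
            sig = $(NF - 1)                      # second-to-last field is the signature
            path = $0
            sub(/: [^:]* FOUND$/, "", path)      # strip ": SIG FOUND" to recover the path
            # Assumed pattern: Chrome extension ids are 32 chars in [a-p].
            if (path ~ /\/Extensions\/[a-p]+\/[^\/]*\/assets\/thirdparties\//) {
                if (!(sig in other)) listonly[sig] = 1
            } else {
                other[sig] = 1
                listonly[sig] = 0
            }
        }
        END { for (s in listonly) if (listonly[s]) print s }
    ' | sort
}

# write_ign2 LOGTEXT OUTFILE
# Writes the .ign2 file: one signature name per line, nothing else.
# ClamAV picks it up when placed in its database directory
# (assumed here to be /var/lib/clamav; check `clamconf` on your system).
write_ign2() {
    filter_list_sigs "$1" > "$2"
}

# Stand-alone usage: build an ignore list from a saved clamscan log, e.g.
#   clamscan -r -i ~/.config/google-chrome > scan.log
#   ./ubo_ign2.sh scan.log > local.ign2
if [ -n "$1" ] && [ -f "$1" ]; then
    filter_list_sigs "$(cat "$1")"
fi
```

The script is conservative on purpose: a signature is only eligible for the ignore list when every one of its hits lands on a bundled filter-list file, so a hit on a binary under `Downloads/` or on Chrome's LevelDB cache keeps that signature out of the `.ign2` output. Review the resulting file before installing it, and prefer it to disabling the third-party signature set wholesale.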