Topic: Malwarebytes stopping outbound phishing and exploit attempts from Electrum (Read 336 times)

HCP
legendary
Activity: 2086
Merit: 4363
As far as I know, it's simply an IP/domain-based "blacklist"... likely caused by miscreants abusing certain IPs/domains for nefarious purposes in the past... now MalwareBytes thinks anything attempting to connect to these IPs/domains using certain ports is "Phishing" or "Exploits".

False positives like this are a real issue... not only because they make people unnecessarily concerned about legitimate software, but also because they get annoying and then people stop trusting the anti-virus/anti-malware software!
legendary
Activity: 3234
Merit: 5637
Norton 360 at times blocks it too.

I have been a Norton user for years and have never had a situation where this AV blocked my Electrum BTC for any reason, but I use NS (older version). Yet for some reason the same AV blocks Electrum LTC, to the point that I stopped using it thinking there was really something malicious in that program.
legendary
Activity: 3500
Merit: 6320
Norton 360 at times blocks it too.
Side note but still interesting: I run my own electrum server as a VM on the PC that I have electrum client installed on.
Occasionally I get a warning about outbound connections even though it's talking to itself. So, yeah, AV software can be stupid at times.

As everyone above said, so long as you checked the signatures of the file you downloaded, you should be fine.

Stay safe.

-Dave
legendary
Activity: 3038
Merit: 4418
As for Electrum, I have been using it for years without any problems from my AV or Malwarebytes Premium. Maybe it’s just that I’ve never used it with the MB-problematic servers, because how else to explain that the same software causes problems for someone and not for someone else? One explanation is that the OP uses an older version of Malwarebytes, and new versions have a fix for the false positive detection.
I've just scanned it with VirusTotal and the detection rate is 11/72. It's not a huge number but it could throw off newbies. IIRC, it started with the use of some component of Python within the program. IIRC, they tried to improve on the detection rate but some of the antivirus still detects it, albeit as riskware.

It's Microsoft Defender btw, better AVs like Malwarebytes are more prudent with their detection.
legendary
Activity: 3234
Merit: 5637
Antivirus seems to be particularly sensitive to Electrum's build and often tags it as malicious. It's nothing to worry about *IF* you verify the binaries.

As for Electrum, I have been using it for years without any problems from my AV or Malwarebytes Premium. Maybe it’s just that I’ve never used it with the MB-problematic servers, because how else to explain that the same software causes problems for someone and not for someone else? One explanation is that the OP uses an older version of Malwarebytes, and new versions have a fix for the false positive detection.
legendary
Activity: 3038
Merit: 4418
^
As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.

I misused the word installation, sorry for that. I downloaded the portable version so that it skips the installation process, since I will be using it for signing messages only. The warning from my Windows Defender popped up suddenly but I neglected it since I downloaded it from the official website. I'm just a bit worried since I saw this thread though. I still have trauma from my loss last year from downloading the minex wallet app from the official website, after which suddenly someone accessed my wallet even though I never used the wallet for a year and I checked the balance regularly.
You shouldn't rely on "downloading from the official website" as proof that the software is legit. Checking it against the signature is a safer way to verify software, as the person signing it would essentially be endorsing it as legit. Once you download any malware/fake software, your security is as good as gone, no matter whether you delete it or not.

Antivirus seems to be particularly sensitive to Electrum's build and often tags it as malicious. It's nothing to worry about *IF* you verify the binaries.
copper member
Activity: 2800
Merit: 1179
^
As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.

I misused the word installation, sorry for that. I downloaded the portable version so that it skips the installation process, since I will be using it for signing messages only. The warning from my Windows Defender popped up suddenly but I neglected it since I downloaded it from the official website. I'm just a bit worried since I saw this thread though. I still have trauma from my loss last year from downloading the minex wallet app from the official website, after which suddenly someone accessed my wallet even though I never used the wallet for a year and I checked the balance regularly.

legendary
Activity: 3710
Merit: 1586
Those are likely Electrum servers. It's a false positive. You didn't have to delete everything. Install it all again and whitelist Electrum.
legendary
Activity: 2170
Merit: 1789
All in all, I wouldn't worry about this as long as the hashes in the PGP match with the program. This just means Windows' alternative verification method failed to verify it.

Maybe my wording is bad, but I was actually referring to the PGP signature and not the Windows one. But yeah, it should be okay if the OP did verify and the results match.
legendary
Activity: 1568
Merit: 6660
^
As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.

If the digital signature (certificate) isn't embedded into an .exe file when it's created, or if there is a certificate but it doesn't have a parent/grandparent/ancestor certificate that's not in Windows' certificate storage, then it's going to display a warning. Maybe electrum doesn't purchase a certificate from a certificate authority and self-signs them, a practice which Windows flags as a warning (which just means that you trust the developer of the program, or you have other means of integrity verification like PGP).

All in all, I wouldn't worry about this as long as the hashes in the PGP match with the program. This just means Windows' alternative verification method failed to verify it.

This explains Windows' signing process called Authenticode:
https://docs.microsoft.com/en-us/archive/blogs/ieinternals/everything-you-need-to-know-about-authenticode-code-signing
legendary
Activity: 2170
Merit: 1789
^
As long as the signature matches then you should be fine. But how exactly did this installation of portable Electrum happen? I use one and I don't remember any installation being required to run it.
copper member
Activity: 2800
Merit: 1179
I got some warnings too using my Windows Defender AV when installing the portable version of Electrum yesterday. I seldom used the Windows version of the wallet since I experienced an attack last year. I downloaded it from the official website electrum.org. I checked it multiple times before I downloaded it. I already imported my recovery seed since I need to sign a message. The only good thing was that all funds in my wallet had already been moved to my local wallet.

Is there a way to force logout of all my wallet logins? I'm scared that someone will steal my balance if I ever deposit some of my BTC on it. I'm using that wallet address for receiving my signature payments though.

PS: I thought that warning was normal since I'm installing a portable version, just like installing cracked software.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
What gives? Anyone know what's going on?
Those are in the list of available Electrum servers when you click on the connection green/red circle icon -> server tab.
You must have been connected to one of those servers; then Electrum failed because of your AV and selected another one.

And you're not the first one to report such incident.
If it didn't happen when you connected to other servers and you don't want to use those servers flagged by your AV,
consider manual server selection:
Open the server tab (same as the above), uncheck "Select server automatically", right click on a server and select "use as server".
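One way to triage alerts like the OP's, as an added example that is not from this thread, Electrum or Malwarebytes: check each blocked outbound destination against the entries shown in Electrum's server tab (Electrum lists them as "host:port:s"). The two hostnames and IPs are the ones the OP reported; the ports, the fourth sample line and the third server entry are constructed assumptions.

```python
import ipaddress

# Electrum's default server ports: 50001 (TCP) and 50002 (SSL). The thread's
# alerts do not state a port, so 50002 in the sample below is an assumption.
ELECTRUM_PORTS = {50001, 50002}

# Constructed sample block events (category, hostname, IP, port) in the shape
# reported in the thread; the last line is a made-up non-Electrum hit.
SAMPLE_BLOCKS = """\
phishing endthefed.onthewifi.com 37.211.78.253 50002
phishing endthefed.onthewifi.com 37.211.78.253 50002
exploit exs.ignorelist.com 79.11.31.76 50002
trojan updates.example.invalid 198.51.100.7 443
"""

# Constructed: entries as shown in Electrum's server tab, "host:port:s".
ELECTRUM_SERVER_LIST = [
    "endthefed.onthewifi.com:50002:s",
    "exs.ignorelist.com:50002:s",
    "electrum.example.invalid:50002:s",
]

def parse_block(line):
    # One event per line; ip_address() raises ValueError on a malformed IP.
    category, host, ip, port = line.split()
    ipaddress.ip_address(ip)
    return category, host, ip, int(port)

def known_servers(server_list):
    # Map hostname -> set of ports from Electrum "host:port:proto" entries.
    known = {}
    for entry in server_list:
        host, port, _proto = entry.rsplit(":", 2)
        known.setdefault(host, set()).add(int(port))
    return known

def triage(block_text, server_list):
    # Returns (category, host, ip, port, likely_false_positive, reason) per event.
    known = known_servers(server_list)
    verdicts = []
    for line in block_text.strip().splitlines():
        category, host, ip, port = parse_block(line)
        if port in known.get(host, ()):
            fp, reason = True, "listed Electrum server on its advertised port"
        elif port in ELECTRUM_PORTS:
            fp, reason = False, "Electrum port, but host not in your server list"
        else:
            fp, reason = False, "not an Electrum destination; investigate"
        verdicts.append((category, host, ip, port, fp, reason))
    return verdicts
```

A match only explains the alert as ordinary wallet-to-server traffic; it says nothing about whether that particular server is trustworthy, which is why the manual server selection above is still the safer option.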
legendary
Activity: 3472
Merit: 10611
I think the attacks on the electrum wallet are still ongoing continuously. Maybe your electrum wallet has connected to a malicious node? Upon researching, if you connected to one, your transactions might get intercepted and receive a fake update or something related to that.

Information about Electrum wallets being attacked can be read here. The article was dated April 22, 2019.

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why Electrum was initially reported)...

It "definitely" isn't the OP's problem because, despite what we (humans) say about these nodes being "malicious", their behavior in the eyes of a computer is no different from the behavior of any other Electrum node. They are doing the same exact communication with the clients as any other Electrum node does, and even the "malicious" message looks the same, not to mention that it will only be sent to the client when they try to broadcast a transaction, not during syncing.
copper member
Activity: 2856
Merit: 3071
This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why Electrum was initially reported)...
Oh okay. Maybe the entirety of having a cryptocurrency-related software might be a flag to Malwarebytes already? Like what antivirus software does as well? I think if the OP adds it to the permanent exception list, like what you suggested, he might be paranoid because of those kinds of notifications of outbound connections.

Yeah a lot of AV goes off community usage and heuristics...

And I haven't used Malwarebytes recently but, OP, if you get some text next to it that says something like win-gen-2 then it's just a generic report picked up by the heuristic algorithm... If you have issues with trusting the Electrum foundation then I'd suggest looking up how to launch a virtual machine on your computer to sandbox it - some AV software can also sandbox it on the current machine in a virtual environment too, but this will trade off security a little.

Edit: just the inclusion of "gen" or "generic" in the report is enough to assume it might be a false positive.
copper member
Activity: 2940
Merit: 1280
This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why Electrum was initially reported)...
Oh okay. Maybe the entirety of having a cryptocurrency-related software might be a flag to Malwarebytes already? Like what antivirus software does as well? I think if the OP adds it to the permanent exception list, like what you suggested, he might be paranoid because of those kinds of notifications of outbound connections.
copper member
Activity: 2856
Merit: 3071
I think the attacks on the electrum wallet are still ongoing continuously. Maybe your electrum wallet has connected to a malicious node? Upon researching, if you connected to one, your transactions might get intercepted and receive a fake update or something related to that.

Information about Electrum wallets being attacked can be read here. The article was dated April 22, 2019.

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/

This is ONLY for versions below 3.0.5 and probably isn't the OP's problem (though it may have been why Electrum was initially reported)...
copper member
Activity: 2940
Merit: 1280
I think the attacks on the electrum wallet are still ongoing continuously. Maybe your electrum wallet has connected to a malicious node? Upon researching, if you connected to one, your transactions might get intercepted and receive a fake update or something related to that.

Information about Electrum wallets being attacked can be read here. The article was dated April 22, 2019.

https://blog.malwarebytes.com/cybercrime/2019/04/electrum-bitcoin-wallets-under-siege/
copper member
Activity: 2856
Merit: 3071
If it was, and the signature was right, and those nodes listed above are the ones it has found, then you can add it as a permanent exception in Malwarebytes...

A lot of firewall software has a contingency for not trusting the unknown and this may be one of those occasions.
newbie
Activity: 2
Merit: 0
Electrum's official website is electrum.org... Nothing else (other than maybe their GitHub)

Scams where a link is genuine can be seen where the user trusts and bookmarks the page and then goes back and downloads an attackers version... Think about it, at the moment people could bookmark it and they can't be reported for being malicious but as soon as they have enough downloads they can change their download applications.

I checked and double checked that I was on electrum.org. Hell, I quadruple checked the 2nd time
copper member
Activity: 2856
Merit: 3071
Electrum's official website is electrum.org... Nothing else (other than maybe their GitHub)

Scams where a link is genuine can be seen where the user trusts and bookmarks the page and then goes back and downloads an attackers version... Think about it, at the moment people could bookmark it and they can't be reported for being malicious but as soon as they have enough downloads they can change their download applications.
newbie
Activity: 2
Merit: 0
Malwarebytes stopped 3 outbound attempts from Electrum

2 phishing going to endthefed.onthewifi(dot)com IP 37(dot)211(dot)78(dot)253

And 1 exploit going to exs.ignorelist(dot)com IP 79(dot)11(dot)31(dot)76


When I downloaded Electrum 3.3.8 I checked the signature and fingerprint. Both checked out.

All this happened before I even set up the wallet.

I deleted everything and redid the entire process and the same thing happened

What gives? Anyone know what's going on?