data.rtbfy.com is attempting to make an outbound connection

Here I go with another F-Secure / Malwarebytes story. All of this is on W-7 64-bit.

 

Usually I use Firefox with NoScript and Ixquick for surfing; I have not added Flash to Firefox. I think my scheme of F-Secure IS, MBAM Pro, and Firefox with NoScript and no Flash is probably the best protection I can have against malware. But some websites won't work in that scheme, even if I temporarily allow all scripts on that page, so I use IE11 there. I cranked IE11 down as much as I could -- Enhanced Protected Mode, turned off SSL, Strict P3P Validation, and ActiveX Filtering -- but watching video on some sites requires ActiveX Filtering to be turned off. I'd love to use EMET, but half the time I cannot make it work.

 

I forgot I turned off ActiveX Filtering to watch video elsewhere and visited thediplomat.com. Immediately I started getting MBAM messages of "data.rtbfy.com is attempting to make an outbound connection." The relevant log entries are at the end of this post. I assume rtbfy.com is a data collection firm, much like Acxiom, Google, Facebook, and the other data thieves. I ran scans and found nothing, so I'm not terriby worried. My questions are:
1) Why doesn't F-Secure IS stop this?
2) Does anyone know what rtbfy is or who owns it? I searched a bit, even used whois, but could not find anything useful.

 

P.S. I wish F-Secure Search offered two search options: using Google and using Ixquick or Duckduckgo.


Detection, 2/6/2015 10:38:31 AM, SYSTEM, my-PC-name, Protection, Malicious Website Protection, IP, 208.43.117.244, data.rtbfy.com, 53071, Outbound, C:\Program Files\Internet Explorer\iexplore.exe,
Detection, 2/6/2015 10:53:56 AM, SYSTEM, my-PC-name, Protection, Malicious Website Protection, IP, 208.43.117.244, data.rtbfy.com, 53504, Outbound, C:\Program Files\Internet Explorer\iexplore.exe,

Accepted Answer

Comments

  • NikK
    NikK Posts: 935 Rock Star

    I can't answer about that specific site but here's a few comments and suggestions:

     

    No anti-virus/malware product can detect all malware and all bad sites. A couple of things that probably not that many know about:
    You shouldn't trust web site scans or web protection. Dynamic web pages are used by the bad guys to fool AV scan tools that a site is clean by checking the IP range of the caller before printing the bad code. If the IP is not recognized as coming from a security related tool or company, then the malware version of the page is shown instead. I only do file scans but you can't really trust file scans either since even VirusTotal is used by criminals to modify malware until no AV detects it.

     

    It sounds as you are using ActiveX filtering wrong. Once enabled you shouldn't turn it off/on temporarily on a global basis. You should turn it off per site, which you do to the right in the address bar on the blue circle. Not from menu Tools - Safety.

     

    Firefox is the only popular browser that doesn't have any kind of sandbox mode (yet). In IE11 you have Enhanced Protected Mode, but Firefox doesn't even have anything like that. I wouldn't agree you have the best protection you can have but I agree NoScript is great in blocking JavaScript and plugins from unknown or unwanted web sites.
    If you'd add Sandboxie for example and run Firefox(and IE) with it, you have a much better security because it adds a completely new layer as a virtual environment. Any infections won't affect your real files outside the sandbox.

     

    Another very good protection mechanism is anti-executable software like AppLocker or Software Restriction Policy which is built-in in Windows but unfortunately not in Home versions. It stops any undetected malware from executing.

     

    If you have problems with EMET it's most likely because of conflicts with F-Secure. The easiest solution is to exclude these programs from F-Secure's real-time scan. In the setting called "Virus Protection", "Exclude files from the scan" where you add objects to exclude.

     

    Two additional good Firefox extensions:
    Ghostery - blocks tracking and ads, even after you allow them with NoScript. And blocking ads sometime means also blocking malware. Youtube is one example where it's happened.
    WOT(Web Of Trust) warns about scam/malware sites based on user reputations.

     

    Having multiple and very different security layers is the best protection you can have IMO. If one layer fails the next one could stop the malware in a different way and so on. But maybe the single most important thing in case of a worse case scenario is to have a system image backup available. A good image backup, depending of the software used, either formats the hard drives before restoring the system, or it replaces the entire partitions.

  • NikK
    NikK Posts: 935 Rock Star

    Forgot to add that WOT even works with Ixquick. WOT ratings(circles) to the right of each link:

    wot.png

     

    Here's an example from Bing where you also get F-Secure ratings:

    bing.png

     

    Why have only one rating when you can have two, especially when the second is based on user experiences so the ratings can be very different Smiley Wink

  • I never knew that I could click on the ActiveX Filtering icon and turn it off per site. Thanks for that tip. Now I won't forget to turn it back on again.

     

    I did not know that Firefox did not have a sandbox. You told me about Sandboxie before, but I'm a little leery of installing it, given the problems I had with MBAE and EMET. After what you said about Firefox, I may change my philosophy of surfing.

     

    As for EMET having trouble with F-Secure, I'm not so sure. When I last had it (5.0), I would boot, start IE11, and EMET would immediately close IE with an error. I never got to scanning. But now I see that 5.1 is released. Okay, I tried it again, but the exact same problem occurred. I started IE11 and "EAF mitigation" prevented me from doing so. Bye, bye EMET. But now you make me curious if MBAM is the bully, not to mention that it might have been a false positive from it.

     

    As for Ghostery, there are people who believe that the vendor is part of the problem. I wish I could remember their rationale.

     

    I almost know what I am doing and I still run into things. People who are computer illiterate are doomed. We need a better Internet.

  • UPDATE: I was looking for an excuse to wipe the disk and reinstall the OS anyway, so I experimented. I removed MBAM and reinstalled EMET. "EAF mitigation" again. I removed EMET and F-Secure, then reinstalled EMET. Bingo! IE11 now comes up.

     

    Okay, so F-Secure and EMET combine to prevent IE11 from starting. But this has nothing to do with an F-Secure scan, so I now must ask you to explain a little more regarding their interaction. Does F-Secure run a scan when IE11 opens? Did you mean to say that I should add files to EMET to allow them, as the default settings allow Office and so on? Please tell me the names of F-Secure executables so I can add them to EMET. There are a bunch of applications in Program Files -> F-Secure and I'd hate to have to include them all. The most likely candidates appear to be:

    - fshoster32

    - fslauncher

    - fsadminsettings

    - fs_upgrade_handler

    - fs_upgrade_notifier

    - fs_settings_tool

     

    But then there are many more under "apps". Oh, boy!

  • ANOTHER UPDATE: Okay, I did what you originally suggested. I added the entire EMET folder to Manual Scanning exclusions, but it made no difference: "EAF mitigation."

  • Ukko
    Ukko Posts: 3,241 Superuser

    Hello,

     

    Just about original situation....  it's not blocked by F-Secure, because they have cloud-reputation as "clean" or "safe" for current source (maybe).

    You able to try use F-Secure SAS and transfer direct URL or original URL (where current background-connection happened) and read a response. It will be without result.

     

    My tips can be about "Browsing Protection" F-Secure feature about deny-lists of webpages. You simply can to add current URL for "deny-list" and check if it will be as "solution" (such as... connection was prevented/blocked or not).

    Also same tracking lists can be configured by Internet Explorer settings (as example).

     

    There can be a lot of CDN or other strange sources with a lot of strange purposes (or normal purpose, but it used by malware authors)... and most of them will be ignored by big companies, but can be marked as malicious by something as MBAM (but.. my opinion - temporary marked). All of strange URLs will be related with something around scam/scum... anyway.

     

    Anyway... also it more looks like "tracking". So you can to try get experience about recent solution by F-Secure:   Freedome for desktops.

    It's should to protect against tracking things, but it's just a VPN solution.

  • We’ve been all the way to FIFA 15 PC Coins the moon and back, but have trouble crossing the street to meet the new neighbor. We’ve conquered outer www.rsgpfast.com space, but not inner space; we’ve done larger things, but not better things.

  • NikK
    NikK Posts: 935 Rock Star

    As I said in the other thread: it's the exe file itself that can't start anymore after you've installed EMET, that you need to exclude to FS real-time scan. Example: if IE can't start you exclude iexplore.exe

     

    About Ghostery make sure you don't enable Ghostrank. Don't remember if it's enabled or not by default when you install it, but with that enabled it collects "anonymous data". It's available from the Ghostery settings.

  • NikK
    NikK Posts: 935 Rock Star

    I never said it was temporary. I said you shouldn't use ActiveX filtering by temporarily turn it off/on on a global basis(menu setting). Because then you might forget to turn it on again.

    I think you confuse it with other browsers similar features like Click-to-play. But with ActiveX filtering the purpose is to turn it off only on sites you trust. That way there's no need to block ActiveX objects next time you visit that trusted site. It's not a zombie state since you previously told ActiveX filtering that you trust that specific site. That's the purpose with ActiveX filtering Smiley Wink

    I don't have a problem with that design but it's important to understand that other browsers similar features might work in a different way which may be confusing.

     

    This page describes it clearly I think:

    http://www.sevenforums.com/tutorials/149053-internet-explorer-activex-filtering-turn-off.html

     

This discussion has been closed.