Blocked Intrusion

[Falconeer82]

After installing 9.20.1.3 #01, My anti virus is reporting the following every time I start the game., never had this before????

 

[Quaksen]

CEF_BROWSER_PROCESS is a Wargaming file. It's NOT from the modpack.

It even has a Wargaming digital signature.

[Falconeer82]

OK, thanks

[Quaksen]

I would send a message to Wargaming support about it, to be sure what the hell it is.

[Guest]

Pls keep us updates about this

[tomjac29]

3 godziny temu, Falconeer82 napisał:

After installing 9.20.1.3 #01, My anti virus is reporting the following every time I start the game., never had this before????

 

Please use the game consistency in the game and then reinstall the modpack

Edited November 15, 2017 by tomjac29
wstawianie grafiki

[Guest]

Happened to me only after installing Aslains modpack. Anyone got any info?

[Falconeer82]

@tomjac29 Ran the consistency check and I still get it.

[tomjac29]

33 minuty temu, Falconeer82 napisał:

@tomjac29 Ran the consistency check and I still get it.

please paste the log file .... 

To report a bug or problem, please post a new topic in this section and include following things:

 

- Run special application: >> Aslains_WoT_Logs_Archiver.exe << (which can be found in the game installation folder  or as shortcut on your windows desktop) it will create Aslains_WoT_Logs.zip file, attach that file to your thread, it's mandatory !!! I don't need any other logs, only that particular zip file. Aslains_WoT_Logs.zip can be found in game folder inside Aslains_Modpack directory.

 

ps what is antivir program?

Edited November 16, 2017 by tomjac29

[tomjac29]

ps 2 Start the game in safe mode and see if you have the same .... theoretically this file is responsible for all these "special" notifications in the game ... some missions, etc.

[Guest]

1 hour ago, tomjac29 said:

please paste the log file .... 

To report a bug or problem, please post a new topic in this section and include following things:

 

- Run special application: >> Aslains_WoT_Logs_Archiver.exe << (which can be found in the game installation folder  or as shortcut on your windows desktop) it will create Aslains_WoT_Logs.zip file, attach that file to your thread, it's mandatory !!! I don't need any other logs, only that particular zip file. Aslains_WoT_Logs.zip can be found in game folder inside Aslains_Modpack directory.

 

ps what is antivir program?

The AV is Norton. Something in the modpack edits the browser .exe..

[Aslain]

@xSwedenPost your logs.

[Quaksen]

@Falconeer82 Could you post log files as well, please?

[Falconeer82]

@tomjac29

Ok, Launched game is safe mode and don't get message. Log file attached

Aslains_WoT_Logs.zip

[LionHeart]

I was getting this last night as well, but I've already installed the new modpack...

 

 

If I get it again tonight, I'll post logs.

 

Norton AV as well.

 

ETA: Still getting error on game launch.

 

 

Aslains_WoT_Logs.zip

Edited November 17, 2017 by downinflames
Still getting warning...

[tomjac29]

It analyzes these logs very carefully, but it will take a while ... for the moment I can only say that it is not a problem. Aslain modpack ... I will let you know and I will try to give a reason

Edited November 17, 2017 by tomjac29

[Guest]

Removed the modpack and checked the integrity of original WoT installation - And the attack stopped. Something included in the modpack attempts to activate malicious code. At least it seems so.

[Interface2037]

Same here I’m afraid. Norton AV prevented several intrusion attempts.

Edited November 18, 2017 by Interface2037

[tomaski_]

same here.

Expoint modpack website is infected, hence every attempt to connect to it, is blocked by FW

 

 

 

 

[Aslain]

Scan of ekspoint website: https://www.virustotal.com/#/url/c8d6021fe0ab6de98adf81ab866c3338920642fccb613813dfe80359d4868878/detection

[Guest]

43 minutes ago, Aslain said:

Scan of ekspoint website: https://www.virustotal.com/#/url/c8d6021fe0ab6de98adf81ab866c3338920642fccb613813dfe80359d4868878/detection

It's not a conclusive tool. We have evidence that something, very likely the Ekspoint mod, edits the CEF BROWSER exe-file to connect to a known malvertising address (Which does appear to be the website of Ekspoint mod). My theory is that there is a malicious ad on the website, which means that all connections that try to access Ekspoint website will be blocked by their AV's.

Edited November 18, 2017 by Guest

[Aslain]

I can agree on that ekspoint has updated all his mods recently, even today, maybe he fixed something.

[Guest]

Just analyzed the website - it contains malicious code. DONT visit it and DONT run the modpack as long as Ekspoint is there.

[Interface2037]

What parts of Aslains modpack is related to Ekspoint?

is there anything we can disable to be able to continue using the modpack?

Edited November 18, 2017 by Interface2037

[tomjac29]

I still check but I have the first malfunction. To the core. Do you use the TS plug-in to WoT and if so how do you have the TS client version and what is the TS server version

[Guest]

The Ekspoint mods isn't broken in the game - But the website is. So, anytime the modpack tries to connect to the website or anything like that - You automatically visit a malicious page which will try to attack you. That's the problem. I urge Aslain to remove the Ekspoint mods until this is fixed. I think the website is either hacked or is running malvertising on purpose. I visited the website on a secure virtual machine 10 minutes ago and it's still infected.

 

Edited November 18, 2017 by Guest

[Aslain]

I visited it on virutal machine too, i'm analyzing it atm. You are prolly right about the mods.

 

Will keep you informed.

 

currently these mods from ekspoint are in the modpack:

• auto equip (non xvm one)
• wn8 in the battle (MHL)
• various debug panels (except for ragnarocek)
• extra aim info
• info panel extended
• safe shot extended
• tactical map
• mini damage panel
• minimap tankview extended

 

Messaged ekspoint 5h ago, but no reply so far.

[Guest]

1 hour ago, Aslain said:

I visited it on virutal machine too, i'm analyzing it atm. You are prolly right about the mods.

 

Will keep you informed.

 

currently these mods from ekspoint are in the modpack:

• auto equip (non xvm one)
• wn8 in the battle (MHL)
• various debug panels (except for ragnarocek)
• extra aim info
• info panel extended
• safe shot extended
• tactical map
• mini damage panel
• minimap tankview extended

 

Messaged ekspoint 5h ago, but no reply so far.

Thanks for keeping us updated, Aslain. We all appriciate your work and we all know that this isn't your fault. I hope that this is resolved as soon as possible.

[Aslain]

I have tested it all on few various antivirs today. Only Norton was showing notifications.

 

http://slinadu.info/bnews.js?vxre34=855382  -> https://www.virustotal.com/#/url/341c38a6b294c555ed824e19a1a7f0ea5eaa7bde4683e92bc7e08e00dc20b7da/detection

 

http://ralkipa.info/cdrive.js?t5vg9c=855352 -> 

https://www.virustotal.com/#/url/95909a4f14fb5fae94f5d849e635e4d38a0cdcaf02fce231c96dfd42ce6a04e7/detection

 

It's might be simple redirection and code related to showing ads:

 

Yeah looks like the purpose of this connection is to display in game website from ekspoint:

 

 

Still waiting for a reply from him. Yet today his website was blocked by admins because he was cheating counters and auto surfing (redirections to ads).

[Guest]

So the website is attached to the browser process. And by displaying the ads on the website we get targeted with malvertising. I think all Ekspoint mods need to be removed til' this is fixed.