Desura blocked again and again.

Hello, starting today I kept getting an avast! popup block from this IP address in Oregon belonging to Amazon Technologies Inc. As of yesterday, I had 0 viruses blocked.
As of posting this, I’ve had 107. Its always from the same website/IP address, through the process “Desura.exe”. I’ve used Desura for over 3 years now and nothing bad has happened.
The IP was: 54.191.69.114/2/updatepoll
I have no idea whats happening, other than I’ve seen multiple other people today have similar issues with multiple blocks. All help is welcome.

Thanks.

Same thing is happening to me. Is it a bug with the update of Avast or is there something going on with Desura that the media is not reporting?

False positives may be more common than real threats.
Other vendors also had FPs earlier: http://forums.steampowered.com/forums/showthread.php?t=2701526
Nothing here: http://www.herdprotect.com/desura.exe-0f13aae9f84f3e931190cd8e82d88b99dee76982.aspx
Given OK: http://www.shouldiblockit.com/desura.exe-4906cd5816a8ac5f8cda9623002a5978.aspx
This vendor had a FP last May: Qihoo 360 SecurityMalware.QVM20.Gen1.0.0.1015
and there were FPs in 2012.
So wait for comments on this one from avast developers?

polonus

I’ve submitted a bunch of false positives, and am wondering if I shouldn’t submit a bug report on this one. I think I know why Avast is blocking the URL, after looking at this: https://www.virustotal.com/en/ip-address/54.191.69.114/information/ It seems there are quite a few obvious malware distributors using Amazon AWS now, alongside legitimate services like Desura.

Also, when I added hxxps://54.191.69.114/* and hxxp://54.191.69.114/* and even hxxps://secure.desura.com/* (obviously with http instead of hxxp), it STILL had a conniption! I couldn’t even LOG IN, let alone updates or accessing games I had recently purchased.

Edit: I changed hxxps://secure.desura.com/* to hxxps://secure.desura.com/?/memberlogin* and now the Desura client seems to be working again. I was able to log in, update some games, install some I recently purchased, and it was able to check for updates without any more interference. So, I guess until the next update, here’s a workaround for everybody.

I assume it could also have to do with avast http/https scanning on your configuration. What platform are you on?
I have read here on the forums that some end-users had some problems with this recently.
Remember that there are a lot of issues that are wrong from the outset,
but still may work out well without giving problems online under normal conditions,
here I mean “sub domains” versus “naked domains” configuration.

polonus

I’m actually pretty sure it’s not just http/https scanning. It’s specifically blocking traffic to 54.191.69.114, which is one of desura.com’s new IP’s, and, if you follow that link I posted above, also host to a bunch of random-gibberish domains, some of which are known malware domains. A whois search reports it as one of Amazon’s AWS/EC2 nodes.

As for the platform I’m on, I’m running Win7 x64, and Avast 2015 Free Edition. It hasn’t started doing this until Saturday or Sunday, I can’t remember just now. And, when I say “domains”, I don’t mean local domains, like one would find on an intranet, but a domain, like desura.com, like one would find on the internet. In this case, that IP belongs to Amazon’s EC2 platform, and is hosting over a dozen domains/sites, not just *.desura.com. There was NO other change on my end, and adding hxxps://secure.desura.com/?/{insert_api_task_here} slowly cleared the issue. In the meantime, I reported each and every block caused by Avast as a false positive via the popup dialog.

I know it’s blocking by IP, since there are a few times it has resolved to another west coast AWS node, and traffic that way wasn’t blocked. Luckily for me, I have access to a VPN with endpoints located in other geographic locations, so I can kinda-sorta force desura.com to resolve to another node. Also, to be safe, I also play with throwaway virtual machines, to make sure my main windows machine doesn’t get infected very easily.

I am getting this problem too - same IP address, 54.191.69.114 - and this is the only info I can find about it. Based on Machete’s post, I’ll assume it’s just a false positive.

Even after adding those URLs to the exclusion lists, it seems it started blocking them again this afternoon?! It wasn’t until I added hxxps://54.191.69.114/* and hxxp://54.191.69.114/* to both the Web Scanner’s exclusions list, and the general exclusions list that I am able to access Desura again, without resorting to a slow VPN to another part of the US. After looking at that list of hosted domains, I’m loath to accept this as a viable workaround, since this could potentially allow a digital TON of malware/adware/virii/etc through! Is there any way to automate adding these inclusions upon starting up Desura’s client, and then removing them on exit?

Edit: I even added desura.exe & desura_service.exe to Web Shield’s “Processes to exclude” list, without any luck. It STILL blocked it until I added that IP address to the exclusions list in both Web Shield and the General Settings tabs.

we will not unblock IP 54.191.69.114 because this IP hosts many malicious sites. Desura should move theirs domains on different IP

Sirmer, they ARE on different IPs, but because of how Amazon’s EC2 service works, I don’t get to access them now. It’s a distributed service, and the decision on which node you get depends on your geoip data. The only workarounds I’ve found, so far, other than removing Avast, is to add that IP to both URL exclusion lists, or use a slow VPN that was not made for this. If there were a list of EC2 nodes that were hosting Desura, I could add the closest one to my hosts file, but you can probably imagine how difficult that would be to find.

Also, since this IS an IP that belongs to Amazon, has anyone contacted THEM about it? How about Desura? Did you have any idea that this would effectively block people from accessing non-malware content, software, and services that they have paid for? If so, when were you going to tell the rest of us that this was going to happen? It’s rather frustrating and unnerving when you pay for something, and someone else keeps you from getting it, you know?

Desura, should be smart enough not to be hosting their “content” on a Malicious IP Address, whether it is owned by Amazon or not is not of concern!

They only just switched over in the past month. They wouldn’t know unless someone reputable, like Avast, tells them. And, again, they ARE hosted at more than just this IP, this is just one of their regional nodes. It’s normally up to Amazon which of their EC2 nodes they are hosted on, isn’t it?

I have been having the same problem for the last couple of days, but it is intermittent. It only works about 10% of the time.

Can someone please tell me in plain English (not computer illiterate, but have no idea what Machete is talking about) what I need to do to get regular uninterrupted access back to Desura? Even if it included changing AV programs.

Either Desura needs to go with another service, Amazon needs to kick these n’er-do-wells off their service, or at least this particular server, or, and I HATE to even think it, switch to another antivirus. I can only think of one or two others I’d trust, but, other than this ONE incident, I’d rather stay with Avast, if possible.

@Sirmer: Just blocking ONE EC2 node is pointless. It’s kinda like blocking a single node of a content delivery network, and it can quickly devolve into a whack-a-mole game for everyone involved: those trying to access their particular EC2 service, antivirus vendors trying to block malware, etc. At least, unless/until Amazon can get involved. It’s THEIR property, after all. And, if THEY’RE unwilling to do anything, don’t stop at just ONE node, block them ALL, since they’ve made their position on hosting malware and phishing clear at that point.

I’ve sent an e-mail to Desura support about this, but, again, since I’m not a WELL-KNOWN ANTIVIRUS VENDOR, I don’t think they’ll take me too seriously, other than the fact I also told them about this thread, and provided a link. Since those are answered in the order they’re received, more or less, I’m sure it’ll probably take another day or two for them to even SEE it, let alone act on it.

Thanks machete.

Things have been working well over there most of the day (since shortly after I posted my original message). I have no real loyalty to avast, and have a decent idea of what I am doing on the net so I personally haven’t seen much difference in the free versions of most of the leading AV programs so I will probably just switch over to something else if I have more problems tomorrow.

@sbr32: If I may add one bit of advice, if you ARE deciding to switch away from Avast? Avoid AVG, for the time being. Every machine I’ve been called to work on, that was using it, also had the Conduit browser hijacker installed. Turns out, AVG, even on the paid versions, from what I’ve seen so far, installs it, along with changing your default home page(s) and search provider, in MSIE, Firefox, and Chrome, to theirs. And, even if you remove it, it gets reinstalled on the next update.

Consider carefully which free antivirus software you go with. So far, from my personal experience, Avast is the best of the free ones, so far, even with issues like this.

@Sirmer: I sent a message to Desura customer support with a link to your response in this thread this morning. I haven’t received a response from them, yet. Would you please make sure Amazon is aware, so they can purge that node? And maybe send an e-mail to Desura, so they can have information from someone more reputable than ME?

Edit: While I was typing this response, I did another “nslookup desura.com” and “nslookup secure.desura.com” and “nslookup media.desura.com”, and they’re now resolving to two other Portland, Oregon area IP’s: 54.68.89.164 and 54.149.228.122. Looking at VirusTotal’s information about those domains, they look pretty pristine, so maybe they’re transitioning away from that node?

Hi folks,

CTO of Bad Juju Games (the company that owns Desura) here.

Yes, we just moved the site to AWS, including us-west-2 (Oregon) ELBs.

Yes, one of the IPs appears to be in Avast’s list of malware-infected IPs.

No, we can’t force AWS to re-number the ELBs, however, they did so automatically (yay!).

I will say that flagging an IP in a cloud pool like AWS is … questionable at best? The AWS clients can stop/start VMs at will to get a new IP, so flagging an IP rather than a DNS name seems like it’s a waste of time, since a quick reboot will grant a new IP, and then those of us legitimate users who get stuck with them on an ELB have a nightmare to deal with.

We do scan all Desura downloadable games prior to making them available, but it’s never a bad idea to run your own scanner. Better safe than sorry. We’ve reached out to Avast to try to get some cooperation in case this sort of thing happens again in the future, but not sure how well that will go.

ec2-54-68-89-164.us-west-2.compute.amazonaws.com as naked domain for ec2-54-68-89-164.us-west-2.compute.amazonaws.com
gives various DNS problems: http://www.dnsinspect.com/us-west-2.compute.amazonaws.com/1418942181
Oops-Desura http-robots.txt: 26 disallowed entries (15 are shown)
The other IP from Boardman also these both for the sub.domain and the naked domain,
both have Secure Client-Initiated Renegotiation Supported DoS DANGER (robust B on most browsers)
Problems With HTTPS cache-control header settings, idem for cache-control.
Cookie settings issues regarding secure attribute and http-only cookie settings
AS = AS16509 has Blacklisted URLs: 2584 → http://sitevet.com/db/asn/AS16509
Quite a bit of DOM XSS vulnerabilty here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fdesura.com%2F
e.g: Results from scanning URL: htxp://static.desura.com/external/min/index.php?g=jquery&3 (div.innerHTML= etc)
Number of sources found: 107
Number of sinks found: 101
Vital to security is access-control and auditing, main things,

polonus

Thanks for clearing that up, Jeff, and I’m glad Amazon switched your IPs for us, and I agree with you, Avast just up and flagging a cloud IP is not a good idea, you potentially end up having to block the entire IP block, or start losing customers.

Edit: Jeff, it looks like some desura domains are still appearing at the blocked node: https://www.virustotal.com/en/ip-address/54.191.69.114/information/

As Jeff said, Better safe than sorry.
So yes, it is a good idea to block a ip if there is malware hosted on it and/or malicious websites.

If a domain on that IP really is clean, just ask avast to allow and it will be done.