Need some help. What's going on here? GOG was triggered as a trojan through this website request. I just have GOG Galaxy client open in the background.


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/17/20
Protection Event Time: 4:46 PM
Log File: d5756af2-10b9-11eb-8e28-0000fb7a59fe.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1061
Update Package Version: 1.0.31490
License: Trial

-System Information-
OS: Windows 10 (Build 19041.450)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, R:\GalaxyClient\GalaxyClient.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: cdn-edge-dynamic-5-bhs-ca-ovh.gogcdn.net
IP Address: 54.39.180.109
Port: 443
Type: Outbound
File: R:\GalaxyClient\GalaxyClient.exe



(end)
1. Did you download Galaxy on this website?
2. Upload the installation file to https://www.virustotal.com/ A lot of virus/malware free software gets a false positive by one or more anti-virus programs out there.
3. https://www.gog.com/forum/general_beta_gog_galaxy_2.0 is the subforum for everything Galaxy related.
4. This is the user forum. If you have certain expectations, contact GOG support.
Post edited October 18, 2020 by teceem
high rated
Is that all the information Malwarebytes gives out? If so, it looks like a pile of garbage.

My interpretation is that they've decided (with no explanation of why) that cdn-edge-dynamic-5-bhs-ca-ovh.gogcdn.net (i.e. one of the hosts in GOG's content delivery network) "is a trojan" (what the fuck?) or perhaps supposedly distributes trojans, and based on that information, blocked Galaxy (because it tried to access that server in GOG's CDN).

It sounds very unlikely (almost definitely a false positive; perhaps someone else in the past used that IP address for Bad Shit and it ended up on a blacklist). But if there's a real problem (i.e. GOG's network is distributing trojans), then it's something for GOG to handle. I'd recommend you send the info to support.

EDIT: That's an OVH owned IP so it's very possible that someone used it for bad shit in the past. Now they've been kicked out, and GOG was lucky enough to get that IP. According to this site, it was used for controlling a botnet up till the end of March.

https://feodotracker.abuse.ch/browse/host/54.39.180.109/
Post edited October 18, 2020 by clarry
This appears to be what I understand the situation is.

I've had the galaxy client installed forever from the site directly. Whatever updates it does in the background and this popped up from active protection. The Malwarebytes forum has a post from a week ago about that IP / server having issues https://forums.malwarebytes.com/topic/264697-malwarebytes-blocking-gog-galaxy-game-downloads/?tab=comments#comment-1412154
clarry: Is that all the information Malwarebytes gives out? If so, it looks like a pile of garbage.

My interpretation is that they've decided (with no explanation of why) that cdn-edge-dynamic-5-bhs-ca-ovh.gogcdn.net (i.e. one of the hosts in GOG's content delivery network) "is a trojan" (what the fuck?) or perhaps supposedly distributes trojans, and based on that information, blocked Galaxy (because it tried to access that server in GOG's CDN).

It sounds very unlikely (almost definitely a false positive; perhaps someone else in the past used that IP address for Bad Shit and it ended up on a blacklist). But if there's a real problem (i.e. GOG's network is distributing trojans), then it's something for GOG to handle. I'd recommend you send the info to support.

EDIT: That's an OVH owned IP so it's very possible that someone used it for bad shit in the past. Now they've been kicked out, and GOG was lucky enough to get that IP. According to this site, it was used for controlling a botnet up till the end of March.

https://feodotracker.abuse.ch/browse/host/54.39.180.109/
IggyDaDino: I've had the galaxy client installed forever from the site directly. Whatever updates it does in the background and this popped up from active protection. The Malwarebytes forum has a post from a week ago about that IP / server having issues https://forums.malwarebytes.com/topic/264697-malwarebytes-blocking-gog-galaxy-game-downloads/?tab=comments#comment-1412154
Yep, so IP blocking based on past data. Looks like the fastest way to resolve this is to contact Malwarebytes as the person above did.
Yeah but the data isn't like 6 months old or anything, it was I guess a week or so ago. I did run a current virustotal on my client exe as well as that site and they came back clean. So between me and a sysop buddy, we came to the same conclusion that it's using information obtained about that IP/server.
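A way to check a block like this against reputation data, as an added example that is not code from this thread or from Malwarebytes: it parses the "Key: value" fields of the export pasted above, looks the blocked IP up in a constructed feed in the shape of an ip/malware/first_seen/last_seen CSV, and compares the feed's last-seen date with the event date. The feed rows below are invented for illustration (not real tracker data), the 90-day staleness threshold is an arbitrary choice, and the two-digit year in the export is assumed to mean 20xx.

```python
import re
from datetime import date

# Constructed sample in the shape of the Malwarebytes "Blocked Website" export
# pasted earlier in the thread; the field values are copied from that post.
SAMPLE_EVENT = r"""
-Log Details-
Protection Event Date: 10/17/20
Protection Event Time: 4:46 PM

-Blocked Website Details-
Malicious Website: 1
, R:\GalaxyClient\GalaxyClient.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: cdn-edge-dynamic-5-bhs-ca-ovh.gogcdn.net
IP Address: 54.39.180.109
Port: 443
Type: Outbound
File: R:\GalaxyClient\GalaxyClient.exe
"""

# Constructed, hypothetical reputation feed (ip,malware,first_seen,last_seen).
# These rows are invented for the example and are not real feed data.
SAMPLE_FEED = """\
ip,malware,first_seen,last_seen
54.39.180.109,ExampleBotnet,2020-01-15,2020-03-31
203.0.113.7,ExampleBotnet,2020-10-10,2020-10-16
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$", re.MULTILINE)


def parse_event(text):
    """Return the 'Key: value' fields of one Malwarebytes protection event as a dict."""
    return {key.strip(): value.strip() for key, value in FIELD_RE.findall(text)}


def event_date(event):
    """Convert the export's MM/DD/YY date to a date (two-digit year assumed to be 20xx)."""
    month, day, year = (int(part) for part in event["Protection Event Date"].split("/"))
    return date(2000 + year, month, day)


def parse_feed(text):
    """Parse the constructed CSV feed into {ip: {malware, first_seen, last_seen}}."""
    feed = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        ip, malware, first_seen, last_seen = line.split(",")
        feed[ip] = {
            "malware": malware,
            "first_seen": date.fromisoformat(first_seen),
            "last_seen": date.fromisoformat(last_seen),
        }
    return feed


def assess(ip, when, feed, stale_after_days=90):
    """Judge a reputation hit for `ip` observed on `when` against the feed.

    A hit whose last_seen date is older than `stale_after_days` is labelled
    stale: the address may have been reassigned since the feed last saw it,
    which is the false-positive pattern discussed in this thread.
    """
    hit = feed.get(ip)
    if hit is None:
        return {"verdict": "no-feed-hit", "age_days": None}
    age_days = (when - hit["last_seen"]).days
    verdict = "stale-reputation" if age_days > stale_after_days else "recent-reputation"
    return {"verdict": verdict, "age_days": age_days, "malware": hit["malware"]}


def assess_event(event, feed, stale_after_days=90):
    """Convenience wrapper: assess the IP and date taken from a parsed event."""
    return assess(event["IP Address"], event_date(event), feed, stale_after_days)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev["Domain"], ev["IP Address"], assess_event(ev, parse_feed(SAMPLE_FEED)))
```

The point of the age check is that the mere presence of an IP in a feed says little; the last-seen date relative to the block is what makes a hit plausible or stale. A stale hit on a host under the vendor's own CDN domain is something to report to the AV vendor, as the posts above suggest, rather than a reason to distrust the client.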
IggyDaDino: I've had the galaxy client installed forever from the site directly. Whatever updates it does in the background and this popped up from active protection. The Malwarebytes forum has a post from a week ago about that IP / server having issues https://forums.malwarebytes.com/topic/264697-malwarebytes-blocking-gog-galaxy-game-downloads/?tab=comments#comment-1412154
clarry: Yep, so IP blocking based on past data. Looks like the fastest way to resolve this is to contact Malwarebytes as the person above did.
Mine started this stuff today also! I whitelisted it. I hope someone at GOG is on their JOB!
Post edited October 18, 2020 by smuggly
clarry: perhaps someone else in the past used that IP address for Bad Shit and it ended up on a blacklist
The majestic cloud: "it just works." IPv6 could solve a lot of IP re-use issues, maybe we'll all have IPv6 in 30 or 50 more years. :o)
smuggly: I hope someone at GOG is on their JOB!
Although GOG could contact Malwarebytes and get Malwarebytes to resolve it, it really isn't GOG's job to tell a third party that their blacklists are bogus. If you are a customer of Malwarebytes, then I think it's your job to contact them and tell them about the flaw in their program. This isn't something GOG caused, nor is it something GOG can fix.
drm9009: The majestic cloud: "it just works." IPv6 could solve a lot of IP re-use issues, maybe we'll all have IPv6 in 30 or 50 more years. :o)
Can you believe that I just bought a new top-of-the-line 4G modem from Huawei this year and its DNS resolver sends truncated replies (when using UDP) for hosts that have a large number of IPv6 addresses. And the resolver in glibc throws its hands up in the air when AAAA resolution fails, even when it got a perfectly valid response for the A record. The worst part is that I don't even have IPv6 connectivity at all, it's disabled in the kernel (and my modem has no v6 address because my ISP doesn't hand me one), but glibc still insists on fucking resolving IPv6 addresses. The end result is that I randomly fail to connect to some sites, even if I could manually query the A record just fine and connect over IPv4 just fine.

Urrggh, it is so hopeless. I'm so tired of broken garbage software.
Post edited October 18, 2020 by clarry
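The failure mode described in that post, as an added example that is not code from the post, from glibc, or from the modem's resolver: a minimal DNS response builder and parser in Python that tells a truncated reply (TC bit set, which calls for repeating the query over TCP) apart from a failed one, and combines the A and AAAA sides so that a clean A answer is still used when the AAAA side is unusable. All packets are constructed inline; "host.example", the transaction IDs, and the 192.0.2.0/24 and 2001:db8::/32 addresses (documentation ranges) are placeholders.

```python
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def build_response(txid, qname, qtype, rdatas, truncated=False):
    """Build a minimal DNS response (constructed test input, not captured from the wire)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answers


def parse_header(pkt):
    """Decode the 12-byte DNS header; TC is the bit a UDP client has to honour."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack_from("!HHHHHH", pkt, 0)
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def _skip_name(pkt, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_answers(pkt):
    """Extract A/AAAA addresses from the answer section as strings."""
    header = parse_header(pkt)
    offset = 12
    for _ in range(header["qdcount"]):
        offset = _skip_name(pkt, offset) + 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(header["ancount"]):
        offset = _skip_name(pkt, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", pkt, offset)
        offset += 10
        rdata = pkt[offset:offset + rdlength]
        offset += rdlength
        if rtype == TYPE_A and rdlength == 4:
            addresses.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == TYPE_AAAA and rdlength == 16:
            addresses.append(str(ipaddress.IPv6Address(rdata)))
    return addresses


def resolve_from_responses(a_pkt, aaaa_pkt):
    """Combine the A and AAAA replies the way a tolerant stub resolver should.

    A reply with TC set is not a failure: its answer section is incomplete and
    the query has to be repeated over TCP. Whatever the AAAA side did, a clean
    A answer is returned so IPv4-only connectivity still works.
    """
    result = {"addresses": [], "retry_over_tcp": []}
    for qtype_name, pkt in (("A", a_pkt), ("AAAA", aaaa_pkt)):
        header = parse_header(pkt)
        if header["tc"]:
            result["retry_over_tcp"].append(qtype_name)
        elif header["rcode"] == 0:
            result["addresses"].extend(parse_answers(pkt))
    return result


# Constructed packets: a clean A reply, an AAAA reply truncated by the resolver,
# and a clean AAAA reply for comparison.
A_REPLY = build_response(0x1234, "host.example", TYPE_A,
                         [ipaddress.IPv4Address("192.0.2.10").packed,
                          ipaddress.IPv4Address("192.0.2.11").packed])
AAAA_TRUNCATED = build_response(0x1235, "host.example", TYPE_AAAA, [], truncated=True)
AAAA_REPLY = build_response(0x1236, "host.example", TYPE_AAAA,
                            [ipaddress.IPv6Address("2001:db8::1").packed])

if __name__ == "__main__":
    print(resolve_from_responses(A_REPLY, AAAA_TRUNCATED))
```

The design choice worth noting is that truncation and failure are kept as separate outcomes: a TC reply is queued for a TCP retry while the addresses already obtained from the other record type are handed back immediately, which is exactly the behaviour the post above found missing.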
Getting the same warning as IggyDaDino:


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/17/20
Protection Event Time: 2:52 PM
Log File: 17cb0246-10c3-11eb-950e-5404a6b207c3.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1045
Update Package Version: 1.0.31518
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: cdn-edge-dynamic-5-bhs-ca-ovh.gogcdn.net
IP Address: 54.39.180.109
Port: 443
Type: Outbound
File: C:\Program Files (x86)\GOG Galaxy\GalaxyClient.exe



(end)
I updated malwarebytes and I think it's stopped. I updated the program not the definitions.
I was wrong, it's still doing it. I hope they get this fixed. It's a PITA.
I checked MB support site 45 min ago they said it will be lifted.
Post edited October 18, 2020 by smuggly
teceem: 1. Did you download Galaxy on this website?
2. Upload the installation file to https://www.virustotal.com/ A lot of virus/malware free software gets a false positive by one or more anti-virus programs out there.
3. https://www.gog.com/forum/general_beta_gog_galaxy_2.0 is the subforum for everything Galaxy related.
4. This is the user forum. If you have certain expectations, contact GOG support.
I uploaded it to VirusTotal just now. I usually do that when I download something off the web, and it triggered a Trojan alert on it: 2 engines detected the GOG GALAXY 2.0 client as a Trojan.
Given the CDPR hack, this gives me pause.
Malwarebytes can be over the top at times, same as any other program from its category.
clarry: Is that all the information Malwarebytes gives out? If so, it looks like a pile of garbage.

My interpretation is that they've decided (with no explanation of why) that cdn-edge-dynamic-5-bhs-ca-ovh.gogcdn.net (i.e. one of the hosts in GOG's content delivery network) "is a trojan" (what the fuck?) or perhaps supposedly distributes trojans, and based on that information, blocked Galaxy (because it tried to access that server in GOG's CDN).

It sounds very unlikely (almost definitely a false positive; perhaps someone else in the past used that IP address for Bad Shit and it ended up on a blacklist). But if there's a real problem (i.e. GOG's network is distributing trojans), then it's something for GOG to handle. I'd recommend you send the info to support.

EDIT: That's an OVH owned IP so it's very possible that someone used it for bad shit in the past. Now they've been kicked out, and GOG was lucky enough to get that IP. According to this site, it was used for controlling a botnet up till the end of March.

https://feodotracker.abuse.ch/browse/host/54.39.180.109/
Thank you for the clarification.
smuggly: Mine started this stuff today also! I whitelisted it. I hope someone at GOG is on their JOB!
in my opinion, Malwarebytes should address this issue.
Post edited March 06, 2021 by patrikc