5.9.4.0 Triggers Webroot Malware Alert for NGROK.EXE

[TheWaterbug]

I just installed 5.9.4.0 on two of my BI servers, and my security software, WebRoot, immediately flagged NGROK.EXE at %temp%\pft7d4b.tmp\ as W32.Malware.Gen.

I immediateliy rolled back to 5.9.3.4 and scanned both machines, to be safe.

Is this a false positive? Does a perfectly safe NGROK.EXE trigger malware warnings?

 

[bp2008]

Evidently 5.9.4.0 includes the NGROK executable.

5.9.4.0 update notes:

5.9.4 - June 20, 2024

The automation of NGROK for remote access is now built-in. You no longer have to
register tokens, create batch files or find ways to always keep NGROK open and running.
After creating your NGROK account, just copy/paste your authtoken into the Settings/Web
server page and Blue Iris will handle the rest.

Ngrok on its own is not dangerous. However it has been packaged into malware before and it is not something you'd typically find on the computer of someone who isn't a software developer, which is why your security software is sounding the alarm.

 

[bp2008]

Also, if I may say so, holy crap is ngrok an inefficient program or what? 28 megabytes for a basic outgoing tunneling program. I am kind of surprised Ken decided to just bundle that into Blue Iris even though only a tiny fraction of users will ever use it.

 

[TheWaterbug]

It’s also possible that the installer is pulling a compromised version of ngrok. Not likely, especially if he’s compiling from source, but possible if he’s using a binary that he got from somewhere else.

Has anyone else installed 5.9.4.0 and scanned with security software other than Webroot?

 

[Bruce_H]

It’s also possible that the installer is pulling a compromised version of ngrok. Not likely, especially if he’s compiling from source, but possible if he’s using a binary that he got from somewhere else.

Has anyone else installed 5.9.4.0 and scanned with security software other than Webroot?

I just updated to 5.9.4.0, I scanned with an updated version of Bitdefender Total Security and it found no issues, I even went back and scanned the NGROK.exe file separately and Bitdefender found no virus

 

[JDWX]

Malwarebytes detected it this morning as "riskware.Ngrok" malware.

I'm sure it's nothing to do with Malwarebytes wanting to sell me a VPN lol...

 

[TheWaterbug]

Looks like Ken is no longer bundling ngrok.exe with the BI updates. I just installed 5.9.4.7, and Webroot no longer finds anything scary.

I was looking through the remote access wizard and the help files, and somewhere (can't remember where) there's a note about ngrok.exe being identified as riskware, and a link to download it separately.

 

[looney2ns]

Looks like Ken is no longer bundling ngrok.exe with the BI updates. I just installed 5.9.4.7, and Webroot no longer finds anything scary.

I was looking through the remote access wizard and the help files, and somewhere (can't remember where) there's a note about ngrok.exe being identified as riskware, and a link to download it separately.

As he described in the what's new notes.

 

[105437]

Testing today's release and noticed that it appears to be doing a complete DB rebuild by scanning files, alerts etc. Is that something new Ken is doing? Thanks

 

[TheWaterbug]

As he described in the what's new notes.

Where do you find the What's New notes? When I look at the official update thread, all the recent entries say pretty much the same thing:

UI3 update, NGROK easy setup and automation, Other minor enhancements and bug fixes.

 

[Tinman]

I had issues with that on 5.9.4.8 and it lost all my alerts. Fortunately, I was planning on doing a complete wipe on my clip drives anyway. So, I formatted my clip drives and deleted the DB and started over fresh on 5.9.4.7, but when I updated to 5.9.4.8 it wanted to do a DB rebuild again?? Again, started out fresh and stayed on 5.9.4.7 and today I updated to 5.9.4.9 and all went well. Been fine for last 7 hrs.

 

[Tinman]

Where do you find the What's New notes? When I look at the official update thread, all the recent entries say pretty much the same thing:

In the help file: