5.9.4.0 Triggers Webroot Malware Alert for NGROK.EXE

TheWaterbug

Getting comfortable
Oct 20, 2017
Palos Verdes
I just installed 5.9.4.0 on two of my BI servers, and my security software, WebRoot, immediately flagged NGROK.EXE at %temp%\pft7d4b.tmp\ as W32.Malware.Gen.

I immediately rolled back to 5.9.3.4 and scanned both machines, to be safe.

Is this a false positive? Does a perfectly safe NGROK.EXE trigger malware warnings?
 
Evidently 5.9.4.0 includes the NGROK executable.

5.9.4.0 update notes:
5.9.4 - June 20, 2024

The automation of NGROK for remote access is now built-in. You no longer have to
register tokens, create batch files or find ways to always keep NGROK open and running.
After creating your NGROK account, just copy/paste your authtoken into the Settings/Web
server page and Blue Iris will handle the rest.


Ngrok on its own is not dangerous. However it has been packaged into malware before and it is not something you'd typically find on the computer of someone who isn't a software developer, which is why your security software is sounding the alarm.
 
Also, if I may say so, holy crap is ngrok an inefficient program or what? 28 megabytes for a basic outgoing tunneling program. I am kind of surprised Ken decided to just bundle that into Blue Iris even though only a tiny fraction of users will ever use it.
 
It’s also possible that the installer is pulling a compromised version of ngrok. Not likely, especially if he’s compiling from source, but possible if he’s using a binary that he got from somewhere else.

Has anyone else installed 5.9.4.0 and scanned with security software other than Webroot?
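The question above, whether the bundled binary is the real ngrok or a tampered copy, is better answered by checking the file itself than by collecting AV verdicts. The PowerShell below is an added example, not code from the thread or from Blue Iris; it assumes the binary still sits under the %temp%\pft<random>.tmp\ folder named in the first post (that folder name changes per install, so adjust $NgrokPath), and $ReferenceSha256 is a placeholder for the SHA-256 you read off ngrok's own download page for the matching version. It reports the Authenticode status and signer, the file hash against that reference, the embedded version resource, and whether an ngrok process is already running.

```powershell
# Added example: verify a bundled ngrok.exe before trusting it.
# Assumptions (not from the thread): the path below is where the installer
# unpacked the file (the pftXXXX.tmp name varies per install), and
# $ReferenceSha256 is the vendor-published hash for the same version.
param(
    [string]$NgrokPath       = (Join-Path $env:TEMP 'pft7d4b.tmp\ngrok.exe'),
    [string]$ReferenceSha256 = ''   # placeholder: paste the hash from ngrok's site
)

function Test-BundledNgrok {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path (the temp folder name differs per install)"
    }

    $result = [ordered]@{ Path = $Path }

    # 1. Authenticode. NotSigned or HashMismatch means the bytes do not carry,
    #    or no longer match, a publisher signature; stop and investigate.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer          = $sig.SignerCertificate.Subject
        $result.SignerThumbprint = $sig.SignerCertificate.Thumbprint
    } else {
        $result.Signer          = '(none)'
        $result.SignerThumbprint = '(none)'
    }

    # 2. Hash. Compare against the value the vendor publishes, not an AV label.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.Sha256 = $hash
    if ($ExpectedSha256) {
        $result.HashMatchesReference = ($hash -ieq $ExpectedSha256)
    } else {
        $result.HashMatchesReference = 'no reference supplied'
    }

    # 3. Version resource, so you look up the right release on ngrok's site.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    $result.FileVersion = $vi.FileVersion
    $result.CompanyName = $vi.CompanyName
    $result.SizeMB      = [math]::Round((Get-Item -LiteralPath $Path).Length / 1MB, 1)

    # 4. Is a tunnel already up? The release notes say Blue Iris only starts
    #    ngrok after an authtoken is pasted in, so a running ngrok.exe on a
    #    box where you never did that deserves a look.
    $procs = @(Get-Process -Name ngrok -ErrorAction SilentlyContinue)
    $result.RunningProcesses = $procs.Count
    $result.RunningFrom      = ($procs | ForEach-Object { $_.Path }) -join '; '

    # Overall verdict: signed and (if a reference was given) hash-matched.
    $hashOk = ($result.HashMatchesReference -eq $true) -or (-not $ExpectedSha256)
    $result.LooksGenuine = ($sig.Status -eq 'Valid') -and $hashOk

    return [pscustomobject]$result
}

Test-BundledNgrok -Path $NgrokPath -ExpectedSha256 $ReferenceSha256 | Format-List
```

Run it from an elevated PowerShell on the Blue Iris box before rolling back, while the temp folder still exists; if you get SignatureStatus NotSigned or HashMatchesReference False, keep the file (zip it with a password) so it can be submitted to the AV vendor rather than deleted.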
 
I just updated to 5.9.4.0 and scanned with an updated version of Bitdefender Total Security, and it found no issues. I even went back and scanned the NGROK.exe file separately, and Bitdefender found no virus.
 
Malwarebytes detected it this morning as "riskware.Ngrok" malware.

I'm sure it's nothing to do with Malwarebytes wanting to sell me a VPN lol...
 
Looks like Ken is no longer bundling ngrok.exe with the BI updates. I just installed 5.9.4.7, and Webroot no longer finds anything scary.

I was looking through the remote access wizard and the help files, and somewhere (can't remember where) there's a note about ngrok.exe being identified as riskware, and a link to download it separately.
 
As he described in the what's new notes.
 
Testing today's release and noticed that it appears to be doing a complete DB rebuild by scanning files, alerts etc. Is that something new Ken is doing? Thanks
 
I had issues with that on 5.9.4.8 and it lost all my alerts. Fortunately, I was planning on doing a complete wipe on my clip drives anyway. So, I formatted my clip drives and deleted the DB and started over fresh on 5.9.4.7, but when I updated to 5.9.4.8 it wanted to do a DB rebuild again?? Again, started out fresh and stayed on 5.9.4.7 and today I updated to 5.9.4.9 and all went well. Been fine for last 7 hrs.