5.9.4.0 Triggers Webroot Malware Alert for NGROK.EXE

TheWaterbug

Getting comfortable
I just installed 5.9.4.0 on two of my BI servers, and my security software, WebRoot, immediately flagged NGROK.EXE at %temp%\pft7d4b.tmp\ as W32.Malware.Gen.

I immediately rolled back to 5.9.3.4 and scanned both machines, to be safe.

Is this a false positive? Does a perfectly safe NGROK.EXE trigger malware warnings?
 

bp2008

Staff member
Evidently 5.9.4.0 includes the NGROK executable.

5.9.4.0 update notes:
5.9.4 - June 20, 2024

The automation of NGROK for remote access is now built-in. You no longer have to
register tokens, create batch files or find ways to always keep NGROK open and running.
After creating your NGROK account, just copy/paste your authtoken into the Settings/Web
server page and Blue Iris will handle the rest.

Ngrok on its own is not dangerous. However, it has been packaged into malware before, and it is not something you'd typically find on the computer of someone who isn't a software developer, which is why your security software is sounding the alarm.
 

TheWaterbug

Getting comfortable
It’s also possible that the installer is pulling a compromised version of ngrok. Not likely, especially if he’s compiling from source, but possible if he’s using a binary that he got from somewhere else.

Has anyone else installed 5.9.4.0 and scanned with security software other than Webroot?
 

Bruce_H

Young grasshopper
I just updated to 5.9.4.0. I scanned with an updated version of Bitdefender Total Security and it found no issues. I even went back and scanned the NGROK.exe file separately, and Bitdefender found no virus.
 

JDWX

Getting the hang of it
Malwarebytes detected it this morning as "riskware.Ngrok" malware.

I'm sure it's nothing to do with Malwarebytes wanting to sell me a VPN lol...
 

TheWaterbug

Getting comfortable
Looks like Ken is no longer bundling ngrok.exe with the BI updates. I just installed 5.9.4.7, and Webroot no longer finds anything scary.

I was looking through the remote access wizard and the help files, and somewhere (can't remember where) there's a note about ngrok.exe being identified as riskware, and a link to download it separately.
 

looney2ns

IPCT Contributor
As he described in the what's new notes.
 

105437

BIT Beta Team
Testing today's release and noticed that it appears to be doing a complete DB rebuild by scanning files, alerts etc. Is that something new Ken is doing? Thanks
 

Tinman

Known around here
I had issues with that on 5.9.4.8 and it lost all my alerts. Fortunately, I was planning on doing a complete wipe on my clip drives anyway. So, I formatted my clip drives and deleted the DB and started over fresh on 5.9.4.7, but when I updated to 5.9.4.8 it wanted to do a DB rebuild again?? Again, started out fresh and stayed on 5.9.4.7 and today I updated to 5.9.4.9 and all went well. Been fine for last 7 hrs.
 