Opening Password Manager triggers MalwareBytes Warning / Compromised Website


Description of the issue:
Every time Password Manager is opened, MalwareBytes triggers a pop-up window always about IP 20.212.64.14 Outbound Port 443 being blocked because it is compromised. Sometimes it identifies only the IP & Port; sometimes it also shows this domain as well: waws-prod-sg1-097-4aa1.southeastasia.cloudapp.azure.com

I don’t know how to resolve this.

How can this issue be reproduced?

  1. Simply opening Password Manager triggers the MalwareBytes pop-up every time.

Expected result:
No MalwareBytes error when opening Password Manager.

Brave Version (check About Brave):
Version 1.73.89 (Nov 13, 2024)

Additional Information:
I did an uninstall, cleaned the registry of Brave references. Did a clean install. No error message pops up from MalwareBytes when opening the Password Manager. However, as soon as I import my passwords, the MalwareBytes error pops up.

@Beavee,
Interesting. I have MWB on my macOS machine and have never seen this particular pop-up. I wonder if it’s a Windows-specific issue.

Will reach out to the team about this. Just to be clear, this is almost certainly a false alarm.

Is it a static or dynamic IP? Try to restart the router and computer and see if this pop up shows up again.

Dynamic IP. Opened router log, then opened Brave Password Manager. MalwareBytes error pop-up appeared, but no suspicious activity in router log file.

Rebooted modem & router just now. Opened Password Manager, MalwareBytes pop-up again appeared.

Here is the alternate version of the MalwareBytes pop-up:

My own humble opinion:

Somehow, something (possibly a script downloaded), might (as in maybe) be affecting the Brave Password Manager - such that, the Brave Browser Password Manager acts/attempts to connect to a Microsoft cloud server (“Azure region” server) that is in Southeast Asia. Server IP address: 20.212.64.14

My guess is, that probably should not happen.

I do not use Malwarebytes, but my suggestion is, to click on the “Manage Exclusions” button, and where you can, then ENABLE/MAINTAIN blocking of the item.

Until you learn more. And, maybe start your Windows OS machine, into Safe Mode(?) and run a complete scan.


Using the Windows OS command line (command prompt), the following command

dir /p /o:d

Provides a list of files in chronological order, for your present directory. Very handy for finding recent virus invaders and their associates, that generally appear within a certain time frame (recent).

It is a lot of work, marching through Windows OS machine directories, in particular, the BraveSoftware directory and its sub-folders:

C:\Users\[UserName]\AppData\Local\BraveSoftware\

but that is a handy command for finding some things . . . that ought not be on a PC.

Another tool - Kaspersky Rescue Disk:

  1. Save the Kaspersky Rescue Disk software to a USB memory device or a CD/DVD (to learn how to do this, see support.kaspersky.com/8092).
  2. Boot up your PC – from the storage device that contains Kaspersky Rescue Disk.
  3. Update the antivirus databases.
  4. Run a system scan on your PC and then follow the instructions on your screen.

After multiple attempts at logic to solve this, I circled back to “maybe it’s just something in the saved passwords that’s causing the issue.” It turns out, it was.

I deleted all passwords, and slowly uploaded 50 at a time, instead of the whole .csv file. I eventually isolated it to one password.

The problematic record, attached, was for a specific subdomain on .PlanetFitness.com. I don’t have a membership there anymore, so I deleted the record. (I also observe on the PF website, the member info is no longer available on that subdomain, but instead through www.planetfitness.com/my-account/profile.)

I’m guessing that subdomain is either flagged at MalwareBytes, or it’s compromised but identified by simply loading the Password Manager which possibly does a quick online check of all domains referenced in the Password Manager upon each opening? I don’t know, but it’s fixed now. And apparently nothing glitch-y about Brave at all.

Thank you for your helpful suggestions.
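An added example, not part of any post in this thread: instead of re-importing the .csv 50 rows at a time, the exported file can be checked directly by resolving each saved login's hostname and reporting the ones that map to the IP in the pop-up. It assumes a Chromium-style export with a `url` column; the sample rows, hostnames and DNS answers are constructed.

```python
import csv
import io
import socket
from urllib.parse import urlsplit

# IP from the Malwarebytes pop-up quoted in the thread.
BLOCKED_IP = "20.212.64.14"

def hosts_from_export(csv_text):
    """Map each hostname in a password CSV export to the rows that use it."""
    hosts = {}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        url = (row.get("url") or "").strip()  # "url" column name is an assumption
        # Entries saved without a scheme still need a netloc to parse.
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host:
            hosts.setdefault(host.lower(), []).append(row_no)
    return hosts

def resolve_ipv4(host):
    """Return the set of IPv4 addresses a host currently resolves to."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def find_flagged(csv_text, blocked_ip=BLOCKED_IP, resolver=resolve_ipv4):
    """Return {host: [csv rows]} for saved logins whose host resolves to blocked_ip."""
    return {host: rows for host, rows in hosts_from_export(csv_text).items()
            if blocked_ip in resolver(host)}

# Constructed sample export; hostnames and DNS answers below are made up.
SAMPLE_CSV = """name,url,username,password,note
Example,https://www.example.com/login,alice,x,
Old gym,https://members.old-gym.example/signin,alice,y,
Old gym 2,members.old-gym.example,bob,z,
App,android://hash@com.example.app/,alice,w,
"""
SAMPLE_DNS = {"www.example.com": {"93.184.216.34"},
              "members.old-gym.example": {"20.212.64.14"}}

if __name__ == "__main__":
    # Offline demo with the constructed DNS table; drop `resolver=` to use live DNS.
    demo = find_flagged(SAMPLE_CSV, resolver=lambda h: SAMPLE_DNS.get(h, set()))
    for host, rows in demo.items():
        print(f"{host} -> {BLOCKED_IP} (CSV rows {rows})")
```

A host only shows up here if it still resolves to the blocked address when the script runs; the exported file holds plaintext passwords and should be deleted once the check is done.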

I just did a search on Wayback Machine. The subdomain IS breached. Instead of a member sign-on page for Planet Fitness, this was captured on that subdomain in 2023:

Very good effort to be the detective and pursue the matter. Thank you; and, for detailing the Solution.

We have reached out to MWB and they have confirmed that they’ve removed the IP from the blocklist — fix should be live now (if not now then very shortly).