Hi guys,
Today I stumbled over something strange.
I am using eBlocker 2.5.3 running on a Raspberry 4 with Raspi Os.
Over the last time I have tested the DuckDuckGo lists. Good so far except the malware list which has a lot of false positives.
In the meantime I have disabled the https server and use the eBlocker as a classic domain blocker.
Just for testing purposes I reinstalled the DuckDuckGo malware list.
Guess what:
Even without pattern blocker activated, I see the same false positives, based on the DuckDuckGo list.
Does this mean that pattern files are active, even when https server is disabled?
Why then the separation of domain and pattern blocker?
Strange!
Hello @Ulmisch
Thanks for testing the DuckDuckGo lists!
I'm kind of surprised that the DuckDuckGo malware list gives you false positives as it only includes 96 URLs, which in turn stem from just two domains (counter.yadro.ru and juicyads.com, see https://raw.githubusercontent.com/mainzelM/ddg-tr-as-easylist/master/easylist/topsites/malware.txt ). Could you give me a sample page where the DuckDuckGo malware list leads to a false positive?
With HTTPS disabled you will still get pattern blocking if you request a resource via HTTP.
Best regards
Martin
Hello @mainzelm,
I was surprised as well about the false positives, because I did not find them in your list.
If you like, check the following sites I remember at the moment:
webfail.de
swp.de
cu
@ulmisch I've modified the subject to sum up what's said in your post.
In general I would like to encourage you to use meaningful subjects to help readers decide whether the content is worth reading. "Short question", "Help", "Nothing works" are rather not helpful subjects...
THX!
> With HTTPS disabled you will still get pattern blocking if you request a resource via HTTP.
I just learnt that this is only correct if pattern filtering is active for the device itself. Otherwise, with HTTPS disabled, you only get domain filtering.
@mainzelm that was my understanding as well, that's why I was wondering about the blockscreen.
I will test again when I am at home and post a screenshot.
@random my main thing was not the false positive of the list, but the fact that the pattern blocker works even when https is disabled.
@ulmisch You are invited to change the subject according to what you meant. Sorry if I got you wrong...
I just wanted to make sure, people are not lost with "strange discovery" as subject - thinking of the mars rover 😉
@ulmisch Hm, but why do you think this is caused by the DuckDuckGo lists?
Have you tried to flush the DNS cache or reboot the eBlocker?
Best regards
Martin
@ulmisch Maybe the new analysis tool (Settings > Blocker > Analysis Tool) shows something helpful?
@ulmisch I've tried to reproduce your experience - to no avail. webfail.de loads perfectly.
I'm running eBlockerOS 2.5.3 on Raspi 4. Only originally supplied lists plus fingerprint23 from @mainzelM
Here is what I did:
- I've added the duckduckgo malware list (using this URL) to the malware PATTERN blocker (as the list is in easylist format)
- I go to http://webfail.de - no problem
- I switch off HTTPS for my device. Go to the same site. No problem.
- I reboot everything (client, eBlocker, even the router): no problem.
I'm very sorry, but could you please name step by step what you do to reproduce the issue. (And if you have added other lists please name them as well, so we get the same environment).
Talking about environment I wonder about this:
> I am using eBlocker 2.5.3 running on a Raspberry 4 with Raspi Os.
What do you mean by "Raspi Os"? Is this a somewhat modified system and not the original eBlockerOS image you are using?
@benne I'm sorry. Of course I am using the official 2.5.3 eBlocker image.
We have the same environment, but I installed more of the duckduckgo lists (maximum, alltracking)
As mentioned the false positive is not my concern. I am wondering that this site (there are more!) is blocked by pattern blocker even without activating https.
For my understanding this may be caused by interfering blocklists (maybe during your dedup and verification process). I will test by deactivating every other additional list.
Nevertheless this should not happen when using domain blocker only....
cu
@ulmisch There are two malware blocker lists. One for pattern one for domains. If you switch off https and you visit an https site the domain blocker kicks in. I've verified this a couple of times - but bugs are everywhere, of course 😉 That's why I try to drill down to replicate the issue.
Could you please share your list of malware domain blockers as I suspect the culprit here. That's at least what the error message suggests. The "webfail" domain must be on some list - and I couldn't find it in the duckduckgo list I've used - so let's check where it gets added.
As a test for "same environment": Please remove/disable all lists besides the original eBlocker lists and repeat the steps I took above. I wonder what the outcome will be...
And would you please also share your DNS firewall settings - just to be sure about your environment.
Thanks for your help!
@benne I have done the test with the ddg malware list as the only list. There is no other list active, not in domain blocker or pattern area. https is disabled.
No change.
I have added some more examples.
As you see these sites are all http addresses and are blocked by the malware pattern blocker of eBlocker.
Without the ddg malware list everything works.
http://darebee.com/workouts.html
@mainzelm I think you will know it 😉
https://raw.githubusercontent.com/mainzelM/ddg-tr-as-easylist/master/easylist/topsites/malware.txt
@ulmisch Strange. I can't reproduce this either. All websites load via http (https switched off) and ddg malware easylist added. s. attached.
It would be great if you'd share a diagnostics report (settings>system) via support at eblocker.org. Maybe we can find some hints.
Quick answer to @benne's question would be great: what's your DNS setting?
> http addresses and are blocked by the malware pattern blocker
Sorry, I can't follow. How do you come to this conclusion?
None of the shared websites is on the malware list of eBlocker nor ddg.
I guess it's some other (mis)configuration happening here. Or please help with a reasonable conclusion for your claim.
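Whether a site is really covered by an EasyList-format list, as disputed above, can be checked offline by matching URLs against the rules. This is an added example, not part of the original posts and not eBlocker code; it handles only `||host[/path]^` rules, and the sample rules are constructed around the two hosts named earlier in the thread, not copied from malware.txt.

```python
from urllib.parse import urlsplit

# Constructed sample in EasyList syntax -- NOT the contents of the real malware.txt.
SAMPLE_LIST = """\
[Adblock Plus 2.0]
! constructed sample rules
||counter.yadro.ru/hit^$third-party
||counter.yadro.ru/logo^
||juicyads.com^$script
example.com##.ad-banner
"""

def parse_rules(text):
    """Return (host, path_prefix) pairs for '||host[/path]^' blocking rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("||"):
            continue  # skips header, comments, exceptions and cosmetic rules
        body = line[2:].split("$", 1)[0].rstrip("^")  # drop $options and '^'
        host, _, path = body.partition("/")
        rules.append((host.lower(), "/" + path if path else ""))
    return rules

def listed_hosts(rules):
    """Hosts the list is anchored to: all a hostname-only filter could act on."""
    return sorted({host for host, _ in rules})

def sep_ok(rest):
    """EasyList '^': end of URL, or a char that is not a letter, digit or _ - . %"""
    return rest == "" or not (rest[0].isalnum() or rest[0] in "_-.%")

def match_url(url, rules):
    """Return the first (host, path_prefix) rule that blocks url, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    for rule_host, prefix in rules:
        if host != rule_host and not host.endswith("." + rule_host):
            continue  # '||' anchors to the host or any of its subdomains
        if prefix == "" or (target.startswith(prefix) and sep_ok(target[len(prefix):])):
            return (rule_host, prefix)
    return None

RULES = parse_rules(SAMPLE_LIST)
if __name__ == "__main__":
    for u in ("http://webfail.de/", "http://darebee.com/workouts.html",
              "http://counter.yadro.ru/hit?t=1", "http://counter.yadro.ru/hitlist"):
        print(u, "->", match_url(u, RULES))
```

A URL that returns `None` here while still being blocked points at a different list or filter stage as the source of the block.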
@random I know it's strange.
Because of your different findings I made a fresh install without any customization except setting the dns firewall custom dns server list to random order and installing the ddg malware list.
Again the same effect.
Misconfiguration is not valid because of the fresh start.
Strange
@ulmisch Can you switch on the new analysis tool (Settings > Blocker > Analysis Tool) for the device of your web browser, trigger the problem, and post a screenshot of the recorded connections?
@mainzelm I have done this already. Unfortunately the report remains empty.
There is a bug, take a look here: https://eblocker.org/community/bugs-features/eos-2-5-x-beta-test-bugs-issues-only/paged/3/#post-1584
cu
@ulmisch Ok, I did not see you mentioning that the recording is empty.
The bug you refer to is (IMHO) mainly a UI glitch, the tool itself works (at least for me).
If domain blocking is used, it also makes sense that the analysis tool does not record anything, but as we are not sure what is going on in your environment, I just wanted to be sure.
Best regards
Martin