Event type: Dangerous link blocked


Go to solution Solved by Danila T.,

leandro.luccas
Posted

Hello.

 

I have received a lot of alerts like the one below:

 

Event "Dangerous link blocked" has occurred on device  in Windows domain on quarta-feira, 24 de março de 2021 08:51:46 (GMT-03:00)

Event type:     Dangerous link blocked

Application:     Host Process for Windows Services

Application\Name:     svchost.exe

Application\Path:     C:\Windows\System32\

Application\Process ID:     1056

User:     vasconcelos (Active user)

Component:     Web Threat Protection

Result\Description:     Blocked

Result\Type:     Malicious link

Result\Name:    "http://185.38.111.1/wpad.dat"

Result\Threat level:     High

Result\Precision:     Exactly

Object:     "http://185.38.111.1/wpad.dat"

Object\Type:     Web page

Object\Path:    "http://185.38.111.1/wpad.dat"

Object\Name:     wpad.dat

Reason:     Automatic analysis

Database release date:     24/03/2021 02:10:00

 

How can I solve this alert? I can't just disable the alert; I need to solve the problem.

 

I appreciate the help.

Posted

Same problem for 2 days. Hope someone can help solve this.

Thank you

Posted

⚠ In the meantime, from Kaspersky Virus Lab Moscow:

“Hello,
The site is blocked correctly.
Best regards 
………….……………

Malware Analyst”
 

Posted

Hi, I have the same problem (for the past 3 days at least)!

I did a complete scan but it did not help.

Is my PC compromised?

Thanks

Aas

Posted

@Aas Welcome. Your PC is not infected; Kaspersky blocked the malicious link.

Posted

Thank you, Berny.

1- How to stop these alert messages?
2- Is it an outgoing malicious link? In that case, is there malware on the PC?

3- Or is it someone trying to attack the PC from outside?

 

Posted

@Aas This is an external link. Can you please specify how/when you get the alert?

Posted

It comes around 10 times, then it stops for maybe 10 min, then alerts again … very weird.

If I had to guess I would say that the PC is compromised and trying to send info outside ...

Posted

Good day everyone.

 

Is there any option on how to remove the alert at least, since we know Kaspersky has blocked the transmission?

leandro.luccas
Posted

I updated KES to 11.6 and executed the Advanced Disinfection technology.
But the problem persists.
I had a ticket and sent an updated GSI.
Maybe it would be more effective to format the PC.

Posted

Facing the same problem for the last two to three months. This keeps on popping up:

 

Event :    Access denied
User :    XXXXX-PC\XXXXX
User type :    Active user
Application name :    svchost.exe
Application path :    C:\Windows\System32
Component :    Web Anti-Virus
Result description :    Blocked
Type :    Malicious link
Name :    http://185.38.111.1/wpad.dat
Precision :    Exactly
Threat level :    High
Object type :    Web page
Object name :    wpad.dat
Object path :    http://185.38.111.1
Reason :    Databases
Databases release date :    Yesterday, 03-04-2021 12:03:00

Posted

Hi,

Same for me.

I scanned my Win7 PC with Malwarebytes, the Dr.Web scanner and Kaspersky Cloud; still the same.

Posted

Hi,

I found this link (http://185.38.111.1:8080) in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Teamviewer :ProxyAutolist

  • 2 weeks later...
Posted

Hello, I also had this problem recently and resolved it.  My new router set the name of my home network to “domain.name” by default and the website that Kaspersky is blocking for everyone here was created to exploit routers which do so.  This article explains everything and further solutions for Windows users can be found in the comment section:  https://nakedsecurity.sophos.com/2016/05/25/when-domain-names-attack-the-wpad-name-collision-vulnerability/.

Cheers!

Posted

Good day everyone.

 

Is there any option on how to remove the alert at least, since we know Kaspersky has blocked the transmission?


If you are not going to deal with the root of the problem, you can probably mask the alert by creating a “block” rule in “Security Controls | Web Control” for this URL.

Posted

Should have put this in my original post but for those who don’t want to read the article I linked above or don’t care to understand the exploit and just want a solution: 

“ahmadmbaghdadi 

April 7, 2021 at 3:07 pm

The following steps work for Windows 10:

Click the Windows logo on the bottom left corner and select Settings.
Select Network & Internet.
Select Proxy from the list on the left.
Make sure “Automatically Detect Settings” is disabled.


The following steps work for Windows XP, Windows Vista and Windows 7:

Click Start or the Windows logo and then find Control Panel.
In the control panel select Network & Internet and then Internet Options.
Go to the Connections tab and select LAN Settings.
Make sure “Automatically detect settings” is disabled.”

 

Alternatively/additionally you can rename your domain name to something other than “domain.name” in your router’s settings.  (Run Ipconfig /all from a command prompt and you’ll see it listed as the DNS suffix.)
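
A way to check a machine for the condition described in the posts above, as an added example that is not part of the original thread: it builds `wpad.<suffix>` for each DNS suffix the network adapters were given and reports whether that name resolves to an address outside the private ranges. It assumes the DnsClient module (Windows 8 / Server 2012 or later); the function names `Test-PrivateIPv4` and `Get-WpadExposure` are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Test-PrivateIPv4 {
    # True for loopback, link-local and RFC 1918 addresses; IPv6 is not classified.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-WpadExposure {
    param(
        # Suffixes to test; by default the connection-specific suffixes
        # the adapters received (for example from the router via DHCP).
        [string[]]$Suffix = @(Get-DnsClient |
            Where-Object ConnectionSpecificSuffix |
            Select-Object -ExpandProperty ConnectionSpecificSuffix -Unique)
    )
    foreach ($s in $Suffix) {
        $name = "wpad.$s"
        # Ask DNS only, so LLMNR/NetBIOS answers from the LAN are not mixed in.
        $records = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        foreach ($r in $records) {
            [pscustomobject]@{
                Suffix   = $s
                WpadName = $name
                Address  = $r.IPAddress
                Public   = -not (Test-PrivateIPv4 $r.IPAddress)
            }
        }
    }
}

# Rows with Public = True mean the proxy auto-discovery name resolves on the
# internet rather than on the local network.
Get-WpadExposure | Where-Object Public

# The suffix named in the thread can also be tested explicitly:
Get-WpadExposure -Suffix 'domain.name'
```

An empty result means no `wpad.<suffix>` name resolved to a public address for the suffixes tested; a suffix that does produce a row is the one to change in the router's settings.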

  • 4 weeks later...
  • Solution
Posted

Hello,

Please see:

Link

 

Guest
This topic is now closed to further replies.
