Downloaded files identified as dangerous

by Javier Tejera -
Number of replies: 12

Moodle 3.9.3.

For the last 3 days, all files downloaded from our Moodle have been identified as dangerous and blocked by Chrome, out of the blue. This has never happened in the last 3 years.

Email notifications are also being identified as spam (never happened before). We changed the SMTP client (to AWS SES) about 4 weeks ago, but it is working like a charm, and I suspect downloaded files and email notifications are not related (but maybe they are!). I have updated the TXT files, so in the next 24h the email issue should be solved, but I have no idea what to do regarding the files.

Any guidance much appreciated!


In reply to Javier Tejera

Re: Downloaded files identified as dangerous

by Ken Task -

So do other browsers - FireFox, Safari - have issues as well?  Or just Chrome?

Version of Moodle could stand an update.

Have you run a virus checker on moodledata/filedir/?

'SoS', Ken

In reply to Ken Task

Re: Downloaded files identified as dangerous

by Javier Tejera -
Hi Ken,

I tried on Chrome, Firefox and Brave. However, Safari does not have issues.

Indeed, we need to update Moodle version, planning to do it soon.

We have scanned the whole moodle (obviously including moodledata/filedir/) and nothing suspicious was detected.

Perhaps the only option is updating Moodle, but everything had been working perfectly fine so far. No idea why this is happening now, and it's generating lots of confusion among students.

Any other idea perhaps?
In reply to Javier Tejera

Re: Downloaded files identified as dangerous

by Visvanath Ratnaweera -
Unless you know this particular issue has been reported on your release and is known to be solved in your target release, just upgrading in the hope that an acute issue vanishes seldom brings success, and more often brings newer issues.

In reply to Visvanath Ratnaweera

Re: Downloaded files identified as dangerous

by Javier Tejera -
Thanks, Visvanath. You are totally right, and I cannot find any information related to this issue in any version, so I guess upgrading shouldn't be the focus ;)

Any other tentative ideas? I have run out of them!

Thanks.
In reply to Javier Tejera

Re: Downloaded files identified as dangerous

by Ken Task -

What does "I have updated the TXT files" mean?  Is that the type of file students have been reporting issues?   What's contained in them?

Deeper dives and more details/info collected from students having the issues are then in order, don't you think?   Anything in common?

Web server logs to see students' browser info - assuming you have such logging turned on and have access to those logs. Access coming from certain providers/IP networks?

Student operating systems are?

Version of Chrome students are using, and their settings for such things.

All courses, some courses? Certain file types or all file types?   In the moodle check config of mimetypes for those file types.

Got CloudFlare?

Linux?  Got moosh installed?

file-datacheck

Go through all files in Moodle data and check them for corruption. The check is to compare file's SHA to their file names.

moosh file-datacheck

No magic bullets here ... and we haven't seen a ton of 'me too's' ..... soooooo???? Deeper dives! :|

'SoS', Ken
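A filesystem-only version of the check that moosh's file-datacheck performs, as an added example (Python 3; this is not moosh's code, nor the poster's). Moodle stores every uploaded file under moodledata/filedir/ab/cd/<40-hex contenthash>, where the name is the SHA1 of the content, so a file whose SHA1 no longer matches its name was corrupted or modified after Moodle stored it, and a file that does not fit that layout was not put there by Moodle. The sample tree is constructed in a temporary directory; its contents, and the filedir path you would pass in production, are assumptions. Two caveats: the check does not consult Moodle's files table, so it cannot report database rows whose file is missing on disk, and a file that hashes correctly can still be a malicious upload by a legitimate user, which is why it complements rather than replaces a virus scan.

```python
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")
CHUNK = 1 << 20


def sha1_of_file(path):
    """SHA1 of a file's contents, read in chunks so large uploads fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def check_filedir(filedir):
    """Walk a Moodle filedir and classify every regular file.

    Returns (ok, bad): ok is a list of paths whose name matches their SHA1,
    bad is a list of (path, kind, detail) tuples.
    """
    filedir = Path(filedir)
    ok, bad = [], []
    for path in sorted(filedir.rglob("*")):
        if not path.is_file():
            continue
        parts = path.relative_to(filedir).parts
        name = path.name
        # Expected layout: filedir/<hash[0:2]>/<hash[2:4]>/<40 hex char hash>
        if len(parts) != 3 or len(name) != 40 or not set(name) <= HEX:
            bad.append((str(path), "unexpected-layout", "not a contenthash path"))
            continue
        if parts[0] != name[:2] or parts[1] != name[2:4]:
            bad.append((str(path), "wrong-subdirectory", f"expected {name[:2]}/{name[2:4]}"))
            continue
        actual = sha1_of_file(path)
        if actual != name:
            bad.append((str(path), "hash-mismatch", f"content hashes to {actual}"))
        else:
            ok.append(str(path))
    return ok, bad


def build_sample_filedir(root):
    """Constructed sample tree (assumed contents, not real Moodle data):
    one intact file, one file modified after storage, one stray file."""
    root = Path(root)

    def store(content):
        h = hashlib.sha1(content).hexdigest()
        d = root / h[:2] / h[2:4]
        d.mkdir(parents=True, exist_ok=True)
        (d / h).write_bytes(content)
        return d / h

    store(b"Assignment brief: see section 3.\n")          # intact
    p = store(b"Lecture notes, week 4.\n")
    p.write_bytes(p.read_bytes() + b"<script src=//x>")  # tampered after storage
    stray = root / "ab" / "cd"
    stray.mkdir(parents=True, exist_ok=True)
    (stray / "README.txt").write_bytes(b"not a Moodle file")  # wrong layout


def demo():
    """Run the check against the constructed tree; returns (n_ok, [kinds])."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_filedir(tmp)
        ok, bad = check_filedir(tmp)
        return len(ok), sorted(kind for _, kind, _ in bad)


if __name__ == "__main__":
    print(demo())  # (1, ['hash-mismatch', 'unexpected-layout'])
```

In production you would call check_filedir("/path/to/moodledata/filedir") and hand the bad list to whoever reviews the server; a hash mismatch on a live site is worth treating as an incident until explained, because nothing in Moodle's normal operation rewrites a stored file in place.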


In reply to Ken Task

Re: Downloaded files identified as dangerous

by Visvanath Ratnaweera -
> Email notifications are also being identified as spam (never happened before). We changed the SMTP client (to AWS SES) like 4 weeks ago, but it is working like a charm, and I suspect downloaded files and email notifications are not related (but maybe they are!).

You changed Site administration > Server > Email > Outgoing mail configuration to something AWS 4 weeks ago and these warnings started to appear 3 days ago? Then agree that the SMTP can't be the cause.

> I have updated the TXT files, so in the next 24h email issue should be solved,

You mean Site administration > Users > Accounts > User default preferences (defaultpreference_mailformat)? Has it solved mails being tagged spam? By whom? What are the mail domains of the recipients?

> but no idea what to do regarding the files.
> all files downloaded from our Moodle are identified as dangerous and being blocked by Chrome out of the blue

What exactly does Chrome show? Can you post a screen-shot?
In reply to Visvanath Ratnaweera

Re: Downloaded files identified as dangerous

by Javier Tejera -
Thanks Ken and Visvanath. 

Our Moodle is on Linux - don't have moosh, but will give it a try.

Agree that SMTP can't be the cause. I mentioned it because the dangerous files and the emails identified as spam started to happen at the same time. I meant to say TXT records (DNS), apologies. I've updated the SPF, DKIM and DMARC, and am now waiting for propagation - hope this solves the email issue.

Regarding dangerous files, when downloading a file from our Moodle, this is what happens:

Chrome, Brave and Firefox: (screenshots of the download warning, not reproduced here)
Safari: no issues.

This happens with all files (word, pdfs, etc.). Interestingly, if using the branded mobile app or accessing these browsers via smartphone, they are not identified as dangerous.

Of those accessing via desktop, 90% of them are using Chrome (version 93.0 onwards) and Windows 10.
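For the DNS side of the story, an added example (not part of the thread and not the poster's records) of the sanity checks worth running on SPF and DMARC TXT records before waiting a day for propagation. It is pure string checking on constructed sample records, so it runs offline; the domain, the "before" records and the requirement that SPF include the new sending provider (amazonses.com here, as an assumption about what the SES setup needs) are all made up for illustration. DKIM is not checked because that requires fetching the selector's public key from DNS, and nested SPF includes are not resolved, so the lookup count is a lower bound.

```python
import re

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10,
# after which receivers return permerror and treat the record as absent.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record, required_includes=()):
    """Return a list of problems found in one SPF TXT record string.

    Only the record itself is inspected; nested includes are not resolved,
    so the lookup count here is a lower bound.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    problems, includes, lookups, has_all = [], set(), 0, False
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()          # strip the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include" and ":" in body:
            includes.add(body.split(":", 1)[1])
        elif name == "ptr":
            problems.append("ptr mechanism is deprecated and unreliable")
        elif name == "all":
            has_all = True
            if term[0] not in "-~":                 # '+all' or bare 'all'
                problems.append(f"'{term}' lets anyone send as this domain")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10")
    if not has_all:
        problems.append("no terminal 'all' mechanism")
    for inc in required_includes:
        if inc.lower() not in includes:
            problems.append(f"missing include:{inc}")
    return problems


def check_dmarc(record):
    """Return a list of problems found in one DMARC TXT record string."""
    problems, tags = [], {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            problems.append(f"malformed tag '{part}'")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; p= is the only other required one
    if next(iter(tags), None) != "v" or tags.get("v", "").upper() != "DMARC1":
        problems.append("record must start with 'v=DMARC1'")
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required 'p=' tag")
    elif policy.lower() not in ("none", "quarantine", "reject"):
        problems.append(f"invalid policy '{policy}'")
    if "rua" not in tags:
        problems.append("no rua= address, so no aggregate reports arrive")
    return problems


# Constructed sample records (assumed domain and providers, not real DNS data).
SPF_BEFORE = "v=spf1 include:_spf.google.com +all"
SPF_AFTER = "v=spf1 include:_spf.google.com include:amazonses.com -all"
DMARC_BEFORE = "p=none"
DMARC_AFTER = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.edu"

if __name__ == "__main__":
    for label, rec in [("SPF before", SPF_BEFORE), ("SPF after", SPF_AFTER)]:
        print(label, check_spf(rec, required_includes=("amazonses.com",)))
    for label, rec in [("DMARC before", DMARC_BEFORE), ("DMARC after", DMARC_AFTER)]:
        print(label, check_dmarc(rec))
```

Run it against the actual strings that `dig TXT example.edu` and `dig TXT _dmarc.example.edu` return once propagation has finished; a record that passes these checks but still produces spam verdicts points at DKIM signing or reputation rather than at record syntax.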
In reply to Javier Tejera

Re: Downloaded files identified as dangerous

by Ken Task -
Ok, Linux ... but there are different distros and, while similar, there are some subtle differences which might be in play here!

Have anything in front of your Moodle? Zscaler/CloudFlare ... similar?

In your geo location, is there any service where users/networks could report malicious servers (not that yours is ... kinda like 'blackhole' services for email)

Is your server using any OAuth2 or other authentication services for accounts ... I know that sounds like a stretch, but with Google, as an example, one has to verify server ownership with Google.

Know of any other moodle servers (entities that use Moodle) in your geolocation?   Are any of them experiencing the same issue?

'SoS', Ken


In reply to Ken Task

Re: Downloaded files identified as dangerous

by Javier Tejera -
Solved.

Moodle was fine, but Google identified malicious files and links. The home directory was scanned and we couldn't find any issues whatsoever. We contacted Google via Google Search Console and requested a review. It was approved in around 12 hours and now everything is working perfectly fine.

Google didn't give us more info so I don't really know why the site was identified as dangerous.
In reply to Javier Tejera

Re: Downloaded files identified as dangerous

by Ken Task -

Congrats!   Ain't that 'special'! :|  One would think a brief explanation would be in order.

Site wasn't set to be open to Google search, was it?

For others that might experience similar, mind sharing how you interacted with Google to get the issue resolved?

I did find this:

https://transparencyreport.google.com/safe-browsing/search?hl=en

'SoS', Ken

In reply to Ken Task

Re: Downloaded files identified as dangerous

by Javier Tejera -
Thanks Ken :) I have to say that the amount of time I spent on this was ridiculous...

Our domain is linked to Google Workspace. I just logged in to Google Search Console with the Google Workspace admin account and checked the security issues (Links to harmful downloads and Harmful downloads were shown, see here) and requested a review. This article explains the process quite well.

The review was just a paragraph, something along the lines of "The site has been scanned using two different virus scanners and no suspicious files have been found".

Before reaching this point, the TXT records were updated, including DKIM, DMARC and SPF (some of them were missing/incorrect); so maybe this was relevant as well.

This week we had a big spike in traffic (around 4x assignments and email notifications), so I suspect this is related, but that's a pretty big suspicion, I can't really tell.



In reply to Javier Tejera

Re: Downloaded files identified as dangerous

by Ken Task -

Thanks for the links and explanation. Makes sense ... kinda ... if being part of Google Workspace is like any server hosted on any network not wanting to become the next 'AOL' of old and home to a spam king/queen - or, nowadays, a 'bad actor/neighbor'.

And yes, errant entries in those TXT records could have been a factor.

'SoS', Ken