Opening Password Manager triggers MalwareBytes Warning / Compromised Website


Description of the issue:
Every time Password Manager is opened, MalwareBytes triggers a pop-up window always about IP 20.212.64.14 Outbound Port 443 being blocked because it is compromised. Sometimes it identifies only the IP & Port; sometimes it also shows this domain as well: waws-prod-sg1-097-4aa1.southeastasia.cloudapp.azure.com

I don’t know how to resolve this.

How can this issue be reproduced?

  1. Simply opening Password Manager triggers the MalwareBytes pop-up every time.

Expected result:
No MalwareBytes error when opening Password Manager.

Brave Version (check About Brave):
Version 1.73.89 (Nov 13, 2024)

Additional Information:
I did an uninstall, cleaned the registry of Brave references. Did a clean install. No error message pops up from MalwareBytes when opening the Password Manager. However, as soon as I import my passwords, the MalwareBytes error pops up.

@Beavee,
Interesting. I have MWB on my macOS machine and have never seen this particular pop-up. I wonder if it’s a Windows-specific issue.

Will reach out to the team about this. Just to be clear, this is almost certainly a false alarm.

1 Like

Is it a static or dynamic IP? Try to restart the router and computer and see if this pop up shows up again.

1 Like

Dynamic IP. Opened router log, then opened Brave Password Manager. MalwareBytes error pop-up appeared, but no suspicious activity in router log file.

Rebooted modem & router just now. Opened Password Manager, MalwareBytes pop-up again appeared.

Here is the alternate version of the MalwareBytes pop-up:

My own humble opinion:

Somehow, something (possibly a script downloaded), might (as in maybe) be affecting the Brave Password Manager - such that, the Brave Browser Password Manager acts/attempts to connect to a Microsoft cloud server (“Azure region” server) that is in Southeast Asia. Server IP address: 20.212.64.14

My guess is, that probably should not happen.

I do not use Malwarebytes, but my suggestion is, to click on the “Manage Exclusions” button, and where you can, then ENABLE/MAINTAIN blocking of the item.

Until you learn more. And, maybe start your Windows OS machine, into Safe Mode(?) and run a complete scan.


Using the Windows OS command line (command prompt), the following command

dir /p /o:d

Provides a list of files in chronological order, for your present directory. Very handy for finding recent virus invaders and their associates, that generally appear within a certain time frame (recent).

It is a lot of work, marching through Windows OS machine directories, in particular, the BraveSoftware directory and its sub-folders:

C:\Users\[UserName]\AppData\Local\BraveSoftware\

but that is a handy command for finding some things . . . that ought not be on a PC.

Another tool - Kaspersky Rescue Disk:

  1. Save the Kaspersky Rescue Disk software to a USB memory device or a CD/DVD (to learn how to do this, see support.kaspersky.com/8092).
  2. Boot up your PC – from the storage device that contains Kaspersky Rescue Disk.
  3. Update the antivirus databases.
  4. Run a system scan on your PC and then follow the instructions on your screen.
1 Like

After multiple attempts at logic to solve this, I circled back to “maybe it’s just something in the saved passwords that’s causing the issue.” It turns out, it was.

I deleted all passwords, and slowly uploaded 50 at a time, instead of the whole .csv file. I eventually isolated it to one password.

The problematic record, attached, was for a specific subdomain on .PlanetFitness.com. I don’t have a membership there anymore, so I deleted the record. (I also observe on the PF website, the member info is no longer available on that subdomain, but instead thru www.planetfitness.com/my-account/profile.)

I’m guessing that subdomain is either flagged at MalwareBytes, or it’s compromised but identified by simply loading the Password Manager which possibly does a quick online check of all domains referenced in the Password Manager upon each opening? I don’t know, but it’s fixed now. And apparently nothing glitch-y about Brave at all.

Thank you for your helpful suggestions.

2 Likes
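
An added example, not part of any post in this thread: a way to do the isolation described above offline from the exported .csv, instead of importing 50 records at a time. It assumes the Chromium-style export header (name,url,username,password,note) and that the blocked connection goes to a host named in a saved login; `find_flagged_records`, `system_resolver`, the sample rows and the sample DNS answers are constructed for illustration.

```python
import csv
import io
import socket
from urllib.parse import urlsplit

BLOCKED_IP = "20.212.64.14"  # address shown in the Malwarebytes pop-up in this thread

# Constructed sample export (assumed Chromium-style header) and constructed DNS answers.
SAMPLE_CSV = """name,url,username,password,note
Example Bank,https://login.example.com/,alice,x,
Old Gym,https://members.example.net/signin,alice,x,
Forum,forum.example.org,alice,x,
Phone App,android://abc@com.example.app/,alice,x,
"""
SAMPLE_DNS = {"members.example.net": {"20.212.64.14"}, "login.example.com": {"203.0.113.10"}}


def system_resolver(host):
    """Resolve host with the OS resolver; an unresolvable name yields an empty set."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, 443)}
    except (socket.gaierror, UnicodeError):
        return set()


def find_flagged_records(csv_text, blocked_ip=BLOCKED_IP, resolver=system_resolver):
    """Return (csv_line, name, host) for each saved login whose host resolves to blocked_ip.

    The password column is never read, returned or printed.
    """
    cache, flagged = {}, []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        url = (row.get("url") or "").strip()
        try:
            parts = urlsplit(url if "://" in url else "//" + url)
            host = parts.hostname
        except ValueError:  # malformed URL such as an unbalanced IPv6 bracket
            continue
        if not host or parts.scheme not in ("", "http", "https"):
            continue  # skip blank URLs and android:// app entries
        if host not in cache:  # resolve each distinct host once
            cache[host] = resolver(host)
        if blocked_ip in cache[host]:
            flagged.append((line_no, row.get("name", ""), host))
    return flagged


if __name__ == "__main__":
    # Offline run against the constructed data; drop the resolver argument to use real DNS.
    for hit in find_flagged_records(SAMPLE_CSV, resolver=lambda h: SAMPLE_DNS.get(h, set())):
        print(hit)
```

With a real export, pass the file's text as `csv_text` and delete the export afterwards, since it holds every password in clear text.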

I just did a search on Wayback Machine. The subdomain IS breached. Instead of a member sign-on page for Planet Fitness, this was captured on that subdomain in 2023:

1 Like

Very good effort to be the detective and pursue the matter. Thank you; and, for detailing the Solution.

1 Like

We have reached out to MWB and they have confirmed that they’ve removed the IP from the blocklist — fix should be live now (if not now then very shortly).

1 Like