Trojan: 1.0.26\go-ipfs_v0.21.0_windows-amd6

Facing numerous blocks by my active firewall with Malwarebytes when the Brave browser is opened. The directory with its file persistently restores itself after deletion: lnbclahgobmjphilkalbhebakmblnbij\1.0.26\go-ipfs_v0.21.0_windows-amd64

Various IPs are blocked, but they do repeat themselves at some point. Not sure if an extension is at fault or if it’s the actual browser; please advise.

Malwarebytes

-Log Details-
Protection Event Date: 24/07/2023
Protection Event Time: 10:02
Log File: PRIVATE.json

-Software Information-
Version: 4.5.33.272
Components Version: 1.0.2069
Update Package Version: 1.0.72887
Licence: Premium

-System Information-
OS: Windows 11 (Build 22621.1992)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\lnbclahgobmjphilkalbhebakmblnbij\1.0.26\go-ipfs_v0.21.0_windows-amd64, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 5.199.162.220
Port: 1466
Type: Outbound
File: C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\lnbclahgobmjphilkalbhebakmblnbij\1.0.26\go-ipfs_v0.21.0_windows-amd64

(end)

Why does this specific part of Brave Browser throw up a Trojan alert all the time?

@z2lby8qny Sorry nobody got to you on your question this week. It is currently Friday night and Support isn’t generally active here over the weekend. I’ll tag in @Mattches, Browser Support, in hopes he can check in with you when he gets back after the weekend. Just allow him some time to catch up with everything tagged.

In terms of what’s being shown, it’s just showing you the location where it’s detecting an issue. If you do have a trojan, it just means that’s where it was trying to hide. But it could also be that you’re seeing a false positive in Malwarebytes.

Just because Malwarebytes detects something doesn’t mean it is something bad and that automatically there is something wrong with Brave because the master Malwarebytes said so. Malwarebytes, just like any other antimalware or antivirus or whatever, has a lot of false positives, and in this case, if they are detecting those IPs as malicious or bad, it sounds like Malwarebytes has something against P2P internet.

Well, anyway, the reason you get that is because YOU enabled IPFS, specifically the Brave local IPFS node in brave://settings/web3 → Method to resolve IPFS resources. If you disable it or set it to ask, you can go close the browser and then you can remove the folder lnbclahgobmjphilkalbhebakmblnbij and brave_ipfs and done.

As for IPFS, just like Tor, VPNs or whatever, the files and the connections might get flagged by dumb ‘security suites’, but in this case it is ‘mostly safe’, at least the binary, because IPFS is still P2P, which means your IP can be tracked and all that. You can read all the privacy issues about it here https://support.brave.com/hc/en-us/articles/360051406452-How-does-IPFS-Impact-my-Privacy- which will always persist when it comes to Peer-to-Peer systems, but it’s not like your computer has something malicious or is doing something out of the ordinary or they can hack you or something. There is risk since you are connecting to random peers, but nothing to really worry about, especially if you are not even using IPFS of course.

But it is not even a normal extension like the IPFS Companion is; this local IPFS node is a component installed by the browser and downloaded only through Brave servers, like Tor is. It is the IPFS client inside Brave, which means you don’t have to install it and use it inside the browser, and when you install the Companion and it is set to ‘ask’, it will ask you if you want to use the gateway or the local node; then your profile will just use the binary it stored in User Data and done. But if it was a normal extension, it would be in User Data → Default/Profile1,2,3,etc → Extensions and not right in User Data, which only Brave can make use of, because only Brave can download it and only Brave can set it up the way it is set up for each profile.

So yeah, just disable it if you don’t care or use IPFS, then when you remove it it shouldn’t be restored again.

You can always go to brave://ipfs-internals/ and see information about it and get the information of all the peers and all that, but that’s why so many connections are being made when starting Brave, and why the folder gets restored after you delete it and all that.

1 Like
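
One way to attribute blocks like these to their origin, as an added example that is not part of the original thread and not Brave's or Malwarebytes' code: it parses `-Website Data-` blocks in the layout of the log quoted above and reports whether the flagged file sits directly under `User Data` (a browser-managed component, as the reply describes) or under a profile's `Extensions` folder. Every event except the first, the extension path and its ID, and all function names are constructed for illustration; the 32-character a-p pattern is Chromium's extension/component ID format.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

UD = r"C:\Users\admin\AppData\Local\BraveSoftware\Brave-Browser\User Data"
IPFS = UD + r"\lnbclahgobmjphilkalbhebakmblnbij\1.0.26\go-ipfs_v0.21.0_windows-amd64"
# Constructed contrast case: a hypothetical profile extension with a made-up ID.
EXT = UD + r"\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\helper.exe"
EVENT = ("-Website Data-\nCategory: Trojan\nDomain:\nIP Address: {ip}\n"
         "Port: {port}\nType: Outbound\nFile: {file}\n\n(end)\n")
# Constructed log: the first event is the one quoted in the thread; the other
# two use RFC 5737 documentation addresses and invented ports.
SAMPLE_LOG = (EVENT.format(ip="5.199.162.220", port=1466, file=IPFS)
              + EVENT.format(ip="203.0.113.7", port=4001, file=IPFS)
              + EVENT.format(ip="198.51.100.9", port=443, file=EXT))

CRX_ID = re.compile(r"[a-p]{32}")  # Chromium extension/component ID alphabet

def parse_events(text):
    """Return one {field: value} dict per '-Website Data-' block."""
    events = []
    for block in text.split("-Website Data-")[1:]:
        fields = re.findall(r"^([A-Za-z ]+):[ \t]*(.*)$", block.split("(end)")[0], re.M)
        events.append({k.strip(): v.strip() for k, v in fields})
    return events

def classify(path):
    """Locate a file relative to Brave's 'User Data', per the reply above."""
    parts = PureWindowsPath(path).parts
    if "User Data" not in parts:
        return ("outside-brave", None)
    rest = parts[parts.index("User Data") + 1:]
    if rest and CRX_ID.fullmatch(rest[0]):
        return ("browser-component", rest[0])  # <id> directly under User Data
    if len(rest) >= 3 and rest[1] == "Extensions" and CRX_ID.fullmatch(rest[2]):
        return ("profile-extension", rest[2])  # <profile>\Extensions\<id>
    return ("other", None)

def summarize(text):
    """Count blocked connections per (origin kind, ID, binary name)."""
    tally = Counter()
    for ev in parse_events(text):
        path = ev.get("File", "")
        tally[classify(path) + (PureWindowsPath(path).name,)] += 1
    return tally

if __name__ == "__main__":
    for (kind, ident, name), n in summarize(SAMPLE_LOG).items():
        print(f"{n} blocked connection(s): {kind} {ident} ({name})")
```

The path only shows which part of the browser the flagged binary belongs to; it does not by itself establish that the file on disk is the one Brave shipped.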