Malware in Capture One Pro 10.2?
I would appreciate a response from Phase One, not speculation from other users.
As of installing C1P 10.2, Malwarebytes is reporting and blocking a site that it says has malware. This happens upon launch of C1P 10.2, and every few minutes afterwards. I have been using C1P since version 8 and never observed this behavior.
Can this "malicious" website be safely excluded? Can we be assured that this is a legitimate outbound monitoring, and NOT malware?
-Log Details-
-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0
-Website Data-
Domain: 2f0aefe3fb994054b884b2a408e73967.monitor-eqatec.com
IP Address: 52.73.48.224
Port: [57283]
Type: Outbound
File: C:\Program Files\Phase One\Capture One 10\CaptureOne.exe
0
-
The IP leads to Telerik Analytics - data reception which appears to be legit. However, many legit entities have suffered malware attacks / injections and this could be the case here — or it may be only a false positive. I plan to let MB keep blocking until someone comes forward to explain. Among the things I want explained: why is Phase One capturing data from us? 0 -
Agreed.
Does Phase One even read this forum? 0 -
[quote="hpinson"]
Agreed.
Does Phase One even read this forum?
[/quote]
Some of the guys drop in now and then but this is mostly a user forum. Don't expect a response unless the number of people questioning this increases substantially.
If I were so inclined I'd drop MB a line to see if this is an error on their part, but so far the inclination hasn't struck. 0 -
This is anonymous usage data being collected.
This is also mentioned in the Software License Agreement, part 4:
"Phase One may collect information concerning your use patterns for the purpose of obtaining general analytical statistical data of usage to be used in connection with further development etc. of the Software. The collection of such data will be completely anonymous." 0 -
[quote="Christian Gruner"]
This is anonymous usage data being collected.
[/quote]
Thanks for the clarification and citation. It still remains to be seen whether the company Phase One pays to collect this data has been subjected to a malware intrusion. I guess someone will have to contact MB to sort this out. 0 -
For the information of other users that don't want this behavior, you can set 127.0.0.1 to the domain that Capture One is calling-out to in the hosts file; this way Capture One will be contacting just your own computer rather than the actual site that it intends to contact. You can see how to do this with a search. Unix, Linux and Windows all utilize similar hosts files. 0 -
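The hosts-file redirect suggested in the post above, as an added example that is not part of the original thread: it parses the Malwarebytes log excerpt from the first post and checks a hosts file for an exact-name loopback entry, because hosts files match whole hostnames and an entry for the parent domain does not cover the hex-prefixed subdomain in the log. The function names and the sample hosts file are constructed for illustration.

```python
import ipaddress

# Log excerpt copied from the first post in this thread.
MB_LOG = """\
-Website Data-
Domain: 2f0aefe3fb994054b884b2a408e73967.monitor-eqatec.com
IP Address: 52.73.48.224
Port: [57283]
Type: Outbound
File: C:\\Program Files\\Phase One\\Capture One 10\\CaptureOne.exe
"""

# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1   localhost
::1         localhost
127.0.0.1   monitor-eqatec.com   # parent domain only
"""


def parse_website_data(log_text):
    """Return the 'Key: value' fields of a Malwarebytes website-block entry."""
    fields = {}
    for line in log_text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip().strip("[]")
    return fields


def hosts_mappings(hosts_text):
    """Map each lower-cased hostname in a hosts file to its first address."""
    mapping = {}
    for line in hosts_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue  # blank, comment-only, or malformed line
        for name in tokens[1:]:
            # Assumption: the resolver uses the first matching entry.
            mapping.setdefault(name.lower(), tokens[0])
    return mapping


def is_sinkholed(hostname, hosts_text):
    """True only if this exact hostname maps to a loopback address."""
    address = hosts_mappings(hosts_text).get(hostname.lower(), "")
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # no entry, or the first field is not an IP address
        return False


def line_to_add(log_text, hosts_text):
    """Hosts line that sinkholes the logged domain, or None if already done."""
    domain = parse_website_data(log_text)["Domain"]
    if is_sinkholed(domain, hosts_text):
        return None
    return f"127.0.0.1 {domain}"
```

On Windows the hosts file is `C:\Windows\System32\drivers\etc\hosts` and on Unix-like systems it is `/etc/hosts`; editing either one requires administrator rights.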
Note that Malwarebytes has always had issues with false positives, report them here:
https://forums.malwarebytes.com/forum/4 ... etections/ 0 -
[quote="AiDon"]
Note that Malwarebytes has always had issues with false positives, report them here:
https://forums.malwarebytes.com/forum/4 ... etections/
[/quote]
In this case Malwarebytes is correctly informing the user that a program is sending information to a remote site. I don't think anyone suspected or knew that this was happening before the MWB warning. 0 -
[quote="NNN635563989771853020"]
[quote="AiDon"]
Note that Malwarebytes has always had issues with false positives, report them here:
https://forums.malwarebytes.com/forum/4 ... etections/
[/quote]
In this case Malwarebytes is correctly informing the user that a program is sending information to a remote site. I don't think anyone suspected or knew that this was happening before the MWB warning.
[/quote]
I believe, in the first post, Malwarebytes claims that eqatec is a malicious website ... this site is used by many applications to track applications, see it here:
http://www.telerik.com/blogs/eqatec-ana ... in-asp.net 0 -
[quote="NNN635563989771853020"]
[quote="AiDon"]
Note that Malwarebytes has always had issues with false positives, report them here:
https://forums.malwarebytes.com/forum/4 ... etections/
[/quote]
In this case Malwarebytes is correctly informing the user that a program is sending information to a remote site. I don't think anyone suspected or knew that this was happening before the MWB warning.
[/quote]
As I recall this has been raised and discussed several times before.
Moreover many virus protection programs seem to go through phases where they identify false positives. Indeed I suspect that they sometimes do this just so you know how hard they are working for you in case you forget you have them installed.
Most likely you have a greater risk from software supplied by Microsoft, Google or other large well known vendors than you do from companies like Phase. At the other extreme there are, of course, many sites sharing "free" software that would probably be good to avoid.
Grant 0 -
I just started getting this today and Malwarebytes is going nuts with the warnings.
I've never had this happen before and it's just started today after running the latest version since it came out. The same EQATEC.Analytics.Monitor.dll files are in versions 8, 9 and 10 folders, so it makes me want to be cautious about letting it have access. 0 -
Adding C1 to the Malwarebytes exclusion list doesn't stop the warnings. Sigh ! 0 -
[quote="Samoreen"]
Adding C1 to the Malwarebytes exclusion list doesn't stop the warnings. Sigh !
[/quote]
No, I'm wrong. I added the IP address and the messages are gone.
Anyway, sending data to this site should be an option, not mandatory. 0 -
[quote="Samoreen"]
[quote="Samoreen"]
Adding C1 to the Malwarebytes exclusion list doesn't stop the warnings. Sigh !
[/quote]
No, I'm wrong. I added the IP address and the messages are gone.
Anyway, sending data to this site should be an option, not mandatory.
[/quote]
Possibly, but quite a few applications I use for many different (non image) purposes use the same or similar services.
If you wish to stop all of those then you probably need to stop using anything connected with Google or Microsoft and, I suspect, Apple as a start. They all collect apparently anonymous data.
Based on messages I get from Google I should probably stop using a phone too.
Or driving in order to avoid the registration plate recognition cameras.
Or, in the UK certainly, walking in the street without a disguise so that the face recognition in the CCTV cameras will not know who I am.
These last three points are clearly NOT anonymous ... which, in my opinion, makes concerns about anonymous collection of software usage and performance rather unimportant. Sadly.
Other opinions may of course be very different.
Grant 0 -
[quote="SFA"]
Possibly, but quite a few applications I use for many different (non image) purposes use the same or similar services. If you wish to stop all of those then you probably need to stop using anything connected with Google or Microsoft and, I suspect, Apple as a start. They all collect apparently anonymous data...
[/quote]
😕 Your arguments are rather questionable. A lot of people, governments and software companies in this world are doing wrong things. The UK is not especially a good example. This is not an excuse for others to do the same. Other photo software are also implementing a system collecting information about user actions. But they ask you whether you agree with this. If not, they don't collect anything.
It seems that with C1, you have to agree or not use the software. OK, some users may decide not to use it. That's not correct behavior. We don't even have any information about which data are sent to this remote site. And what does anonymous mean?
It has also been stated that C1 allegedly needs this connection in order to facilitate updates. If this is true, there's also something wrong with this. It's another activity that should be separated from collecting user actions. 0 -
[quote="Samoreen"]
[quote="SFA"]
Possibly, but quite a few applications I use for many different (non image) purposes use the same or similar services. If you wish to stop all of those then you probably need to stop using anything connected with Google or Microsoft and, I suspect, Apple as a start. They all collect apparently anonymous data...
[/quote]
😕 Your arguments are rather questionable. A lot of people, governments and software companies in this world are doing wrong things. The UK is not especially a good example. This is not an excuse for others to do the same. Other photo software are also implementing a system collecting information about user actions. But they ask you whether you agree with this. If not, they don't collect anything.
It seems that with C1, you have to agree or not use the software. OK, some users may decide not to use it. That's not correct behavior. We don't even have any information about which data are sent to this remote site. And what does anonymous mean?
It has also been stated that C1 allegedly needs this connection in order to facilitate updates. If this is true, there's also something wrong with this. It's another activity that should be separated from collecting user actions.
[/quote]
When everyone (or almost everyone) is doing the same thing it becomes the new "normal".
I gave UK examples simply because I am more aware of what happens in the UK. Things may be a little different in other countries - but not much different I would guess.
As for choices - again in the UK experience, 20 years ago a newly elected political party caught the imagination by offering "choices" for everything. Even things like health about which the average person most likely knows very little.
The effect was to convince people they had "control" over their lives when in fact they were steadily being stripped of the choices they once had but rarely used.
You mention that other applications offer the choice of allowing information to be shared. What sort of information?
Personal data? Or anonymized data about how the software is being used and how well it is performing on different hardware, operating systems and so on?
Do you have a choice on both?
Apart from using your bandwidth to send small amounts of data, if the information is truly anonymized how might that be damaging to you?
Do you have a mobile phone? How do you deal with personal privacy when you have that switched on?
I am drifting off topic for this forum so I will leave people to think about their own concerns and position on the matter.
Grant 0 -
Capture One is the only software that causes this warning to appear. 0 -
FWIW, the warnings seem to have ceased on my system. 0 -
[quote="Filthy Lucre"]
FWIW, the warnings seem to have ceased on my system.
[/quote]
This is not the case for me. If I remove the exclusion for Telerik/eqatec, I get the warnings back. 0 -
[quote="Samoreen"]
This is not the case for me. If I remove the exclusion for Telerik/eqatec, I get the warnings back.
[/quote]
MB3 just updated and it is no longer blocking C1. 0 -
[quote="SFA"]
As for choices - again in the UK experience, 20 years ago a newly elected political party caught the imagination by offering "choices" for everything. Even things like health about which the average person most likely knows very little.
The effect was to convince people they had "control" over their lives when in fact they were steadily being stripped of the choices they once had but rarely used.
[/quote]
Fully agree mate.
I'd go as far as to say that anything good a labour government does is a distraction for something else to be taken away. 0 -
[quote="gusferlizi"]
[quote="SFA"]
As for choices - again in the UK experience, 20 years ago a newly elected political party caught the imagination by offering "choices" for everything. Even things like health about which the average person most likely knows very little.
The effect was to convince people they had "control" over their lives when in fact they were steadily being stripped of the choices they once had but rarely used.
[/quote]
Fully agree mate.
I'd go as far as to say that anything good a labour government does is a distraction for something else to be taken away.
[/quote]
Sadly it seems to be a concept that has been widely adopted by political parties of all leanings and in many areas of the globe.
There are, of course, other areas that make little or no attempt to sucker their populations into acquiescence as other methods are employed to attempt opinion management.
The puzzle is that the concept is too psychologically smart to have been internally conceived by a political party - leaving me wondering about the origin of the idea.
In the context of the concerns of the original post, the worldwide web is a remarkable thing and I can recall the time in its early days when some of my more technically oriented colleagues discovered the fun to be had "talking in tech" across the world if you had the knowledge and enough interest to want to be involved. That was 30 years ago.
Nowadays it is more like "Hotel California" - you can choose to check out but you can never leave.
So one has to decide whether the best option is to try to fight to be invisible or accept and embrace the automatic inclusion that perhaps gives some access to information about and maybe some form of control over one's own "data". 0 -
[quote="SFA"]
...
You mention that other applications offer the choice of allowing information to be shared. What sort of information?
...
Grant
[/quote]
An example, from the DxoOptics Pro web-site:
DxO OpticsPro Edition/Version
Status of activation
DxO OpticsPro Language
DxO OpticsPro Number of Startups
Operating System
System language
Processor type and number of cores
Processor Clock Speed
Ram installed
GPU type and OpenCL ability
GPU RAM
Monitors Size and Resolution
And yes, you can opt in or out as you please.
Cheers,
Mogens 0 -
[quote="mli20"]
[quote="SFA"]
...
You mention that other applications offer the choice of allowing information to be shared. What sort of information?
...
Grant
[/quote]
An example, from the DxoOptics Pro web-site:
DxO OpticsPro Edition/Version
Status of activation
DxO OpticsPro Language
DxO OpticsPro Number of Startups
Operating System
System language
Processor type and number of cores
Processor Clock Speed
Ram installed
GPU type and OpenCL ability
GPU RAM
Monitors Size and Resolution
And yes, you can opt in or out as you please.
Cheers,
Mogens
[/quote]
So technical rather than personal information.
Assuming anonymised data, which aspects of those pieces of information might one regard as unacceptable to share?
It's a serious question. It looks quite innocuous to me but there may be some aspects of the content that reveals more information useful to some types of people than I am aware of.
Grant 0 -
[quote="SFA"]
Assuming anonymized data, which aspects of those pieces of information might one regard as unacceptable to share?
It's a serious question. It looks quite innocuous to me but there may be some aspects of the content that reveals more information useful to some types of people than I am aware of.
[/quote]
It's not the right question. Which kind of information may or may not be shared is a personal or organizational matter and cannot be enforced as a general rule that applies to everyone regardless of their needs, environment, own security rules, etc. This decision belongs to the user. Period.
I have the feeling that you're trying to justify something that is fundamentally not acceptable. 0 -
[quote="Samoreen"]
[quote="SFA"]
Assuming anonymized data, which aspects of those pieces of information might one regard as unacceptable to share?
It's a serious question. It looks quite innocuous to me but there may be some aspects of the content that reveals more information useful to some types of people than I am aware of.
[/quote]
It's not the right question. Which kind of information may or may not be shared is a personal or organizational matter and cannot be enforced as a general rule that applies to everyone regardless of their needs, environment, own security rules, etc. This decision belongs to the user. Period.
I have the feeling that you're trying to justify something that is fundamentally not acceptable.
[/quote]
Hmm.
My Bank, a bank I have used for some decades, regularly sends me reminders that I must help them with their "security" by providing 3 or 4 pieces of information - email address and that sort of thing - plus advise them how much I earn every year.
I can think of no good security reason why I should have to provide that income information to them.
However if they asked me for the technical information above regarding the configuration of the computing device(s) I most often use to connect to on-line banking I could not really see a problem with it, though of course in a sense that would not really be anonymized data.
The authorities realise that the majority of people have neither the skills nor the intention of spending their entire lives, device by device, app by app managing what information they pump out to the world.
Sharing your concerns one might choose to operate mainly off-line - but that makes people in authority suspicious about motives and in any case it is becoming increasingly difficult to operate off-line. Banks, for example, have no interest in keeping local banking operations running. They tell us that more and more people only "bank" via the internet - sharing their data as they go. That is not optional these days.
Thus whilst I sympathise with your opinion for really personal information my observation is that the horse that used to live in that stable escaped some time ago and taking time to try to shut the door now is pointless. When the subject matter is of a technical nature rather than personal, as in the list above, closing the door seems to have little point whilst sharing the data at least offers some potential for understanding any technical matters that regularly occur, performance bottlenecks and other matters that, when reported and analysed at scale, may help to improve a product with hours of time and costs expended on Support Cases. Reporting in Tech terms is potentially so much more effective than reporting in local language for common technical matters.
Or at least that is the theory.
I still don't see that I need to be asked about sharing this sort of information.
DxO OpticsPro Edition/Version
Status of activation
DxO OpticsPro Language
DxO OpticsPro Number of Startups
Operating System
System language
Processor type and number of cores
Processor Clock Speed
Ram installed
GPU type and OpenCL ability
GPU RAM
Monitors Size and Resolution
Or whatever equivalents are requested by individual application developers.
So, to summarize, I can agree with you in principle even though I think the point may already be lost for the future but I see nothing contentious to be concerned about in the contents of the data that is likely being shared. There is far more that could be gleaned from a log file, for example.
If I was concerned I would abandon use of mobile phones and never touch any products from Apple or Google and, most likely, Microsoft as well. It would also seem wise to go back to shooting film.
I would much prefer it if my observations were wrong but I don't think they are - at least not substantially wrong. And as far as I can see the data collection industry is far more likely to grow rapidly than it is to shrink.
Just my opinion.
Grant 0