MBAM blocking

When browsing in Firefox (WinXP) I have received several messages from
MBAM saying that it is blocking access to 82.128.92.182  "Type:
outgoing".  I'm assuming "outgoing" means outgoing from Firefox.  Is
that the case?

Also, how can I find out what site 82.128.92.182 is?

Thanks.
--
Work is the curse of the drinking class.

Re: MBAM blocking

On 3/28/2011 9:54 AM, Caesar Romano wrote:

  Take a look at MBAM's protection logs and find the IP-BLOCK entry. It
should list the IP address that was blocked and the process that
attempted the connection. If it is firefox.exe then the page you were
viewing probably had an exploit on it that was trying to use firefox to
connect out.

  That IP address is assigned to an ISP in Lagos, Nigeria. A free
utility program for looking up IP addresses is IPNetInfo:

http://www.nirsoft.net/utils/ipnetinfo.html


--
Are we having fun yet?

Re: MBAM blocking


Thanks Whoever (and Charlie) for the comments.  I got a few more
block notices from MBAM:

08:06:16    DuraHaven    IP-BLOCK    83.128.92.182 (Type: outgoing)
08:06:18    DuraHaven    IP-BLOCK    83.128.92.182 (Type: outgoing)

Those two entries are from the protection log, but they don't show a
process that is attempting the connection.  I'm using the latest MBAM
and have also scanned with SAS-portable downloaded today.  MBAM found
nothing that I wasn't aware of. SAS found a bunch of tracking cookies
(or whatever they're called) and I quarantined them.  Other than that,
nothing else.  We'll see if the tracking cookie removal helps.
--
Work is the curse of the drinking class.

Re: MBAM blocking

Caesar Romano wrote:

Quarantining cookies is futile.  Whatever sites created them before will
create them again when you revisit those sites.  Cookies are .txt files
and are NOT malware.  Quarantining text files is ridiculous.  Just
delete the cookies (use your web browser's flush temp file cache
function).

Re: MBAM blocking

(In addition to Vanguard LH)

You can take care of cookies in Firefox by:
- Options
- Privacy
- Accept third-party cookies, Keep until: "I close Firefox"
 and also
- Clear history when Firefox closes
can be useful in this respect.
(but check the settings.)

I do so in Firefox (now 4.0)

(see you in ACFu)
 ;-)

--
Fred W. (NL)

Re: MBAM blocking

Hello, Whoever!

On Mon, 28 Mar 2011 10:30:40 -0400:

Oops... I just said the same thing. <grin>

--
With best regards, gufus.  E-mail: stop.nospam.gbbsg@shaw.ca



Re: MBAM blocking

On Mon, 28 Mar 2011 08:54:57 -0500, Caesar Romano wrote:

I suggest you get MBAM to do a full search of your PC without delay. I'd
bet it finds something 'interesting'.

Re: MBAM blocking

Caesar Romano wrote:

http://www.dnsstuff.com/tools/whois/?ip=82.128.92.182

http://www.liveipmap.com/ shows the same location as the domain
registration but also notes it is an open proxy.  That means you don't
know the actual source or target.  The entire URL would be needed to see
where the outgoing connection was going as it may include parameters to
tell the proxy where to redirect.

I doubt MBAM cares about where any web browser connects.  It would
interfere with YOUR choices of where to connect and you are initiating
the outbound connection.  It's possible Firefox gets used as a child
process loaded by the source program to make a connection on its behalf.
You could use SysInternals TCPview to see what process is making the
connection; however, that tool isn't of value for a quick or one-time
connect as the connection would come and go too fast and TCPview doesn't
have a logging facility for you to check.  You could use Wireshark to
monitor your network traffic.

So what extensions have you installed into Firefox?  You sure MBAM is
issuing the alert?  It isn't a firewall product.

Re: MBAM blocking

Re: MBAM blocking:

I think it's MBAM.  This is from the MBAM protection-log file:

08:06:16    DuraHaven    IP-BLOCK    83.128.92.182 (Type: outgoing)

The items I moved to SAS quarantine were called tracking cookies.
There were 211 of them.

So far, the IP-Blocks from MBAM have stopped.  I'll have to wait to
see if they return.  Thanks for the comments.
--
Work is the curse of the drinking class.

Re: MBAM blocking

Caesar Romano wrote:

You never mentioned if you are using the free or paid (Pro) version of
MBAM. Some features are available only in the paid version.

While they don't mention it on their web site as a feature of MBAM (even
for the paid Pro version), there appears to be an IP Protection feature
in MBAM (don't know if it's both the free and paid versions).  In their
forums, users discuss the IP Protection feature of the Pro (paid)
version.  So maybe MBAM has a blacklist of "bad" IP addresses.  The one
you mentioned before is listed as an open proxy which is often used by
trolls, malcontents, scammers, phishers, and malware authors to hide to
where they come from or to where their malware connects.

For example, http://forums.malwarebytes.org/index.php?showforum=42 is
their forum where you report false positives by their MBAM program, and
IP addresses is one type you can report as a false positive (i.e., to
get their IP blacklist updated).  I have the free version of MBAM.
Under its Protection tab in its GUI, it shows the paid Pro version
includes "Automatic Malicious Site Protection".  Guess IP blacklisting
is part of that protection.

So like IE with its Smartscreen filter (of blacklisted sites), MBAM has
its own blacklist of IP addresses.  So you or something on your host
tried to connect to a server that is MBAM's IP blacklist.  Hope they
have the resources to keep an IP blacklist up to date.

Too bad they don't tell you which process (or even the process ID) was
making the connection.  When you look in your web browser, do you see an
MBAM add-on, plug-in, or extension listed?  If so then maybe you or a
parent process calling the web browser as a child process is making the
connection to the "bad" site.  Some security programs, like Online Armor
(and maybe Comodo), can let you restrict who gets to load the web
browser.  That is, they'll prompt you when a process attempts to load
the web browser as a child process when you haven't previously
authorized that access.

Re: MBAM blocking

Re: MBAM blocking:

Thanks for the helpful comments.  I'm using the paid (Pro) version of
MBAM.
--
Work is the curse of the drinking class.

Re: MBAM blocking

He has to be using the paid version. The feature he specifically
mentions having a problem with is only activated when the software is
registered. In free version mode, it will not remain resident.
 
This feature has been mentioned on MBAM's forum, and has been available
for nearly two years now. I'm surprised you were unaware of it.
 
They do.
 
His logfile should have reported that.

--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: MBAM blocking

Dustin wrote:

I have only used the freeware version of MBAM.  So far, I have not yet
had need to visit their forums to get help on the product; however, even
if I did visit there doesn't mean that I would remember discussions
about a feature that isn't in the version that I have.  Too bad they aren't
better detailed in just what their product includes for security
features.  Users shouldn't have to visit forums trying to find out what
features are in a product.

He gave an example of the logfile entry.  It doesn't mention what process
attempted to make a connection to the blacklisted IP address.  Maybe he
trimmed the logfile entry.  Maybe multiple lines are added per event and
he only showed us one of them; i.e., another line as part of the same
event might've mentioned the process making the connection.

Re: MBAM blocking

Re: MBAM blocking:

Thanks for the comments guys, but no, I did not trim anything from the
log file entries.  What I posted here was what was in the log file.
Here's the entire protection-log-2011-03-28.txt (I have deleted
excessive blank space between the columns below to avoid line wrapping).
As you can see, there is no ID info about the process that is trying
to get out.

However, since I ran SuperAntiSpyware and removed 211 tracking cookies
(I think that's what they were called) the problem has stopped.

07:56:47  DuraHaven  MESSAGE Protection started successfully
07:56:51  DuraHaven  MESSAGE IP Protection started successfully
08:06:16  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:06:18  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:06:19  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:06:21  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:06:22  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:06:25  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:16:26  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:16:28  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:16:32  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:26:26  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:26:28  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:26:32  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:36:26  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:36:28  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:36:32  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:46:28  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:46:31  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:46:35  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:56:27  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:56:30  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
08:56:37  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
09:06:28  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
09:06:30  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
09:06:34  DuraHaven  IP-BLOCK  83.128.92.182 (Type: outgoing)
09:08:56  DuraHaven  IP-BLOCK  83.128.92.182 (Type: incoming)
09:08:58  DuraHaven  IP-BLOCK  83.128.92.182 (Type: incoming)
09:09:02  DuraHaven  IP-BLOCK  83.128.92.182 (Type: incoming)
09:44:54  DuraHaven  MESSAGE Protection started successfully
09:44:58  DuraHaven  MESSAGE IP Protection started successfully
09:52:50  DuraHaven  MESSAGE IP Protection stopped
09:52:54  DuraHaven  MESSAGE Database updated successfully
09:52:55  DuraHaven  MESSAGE IP Protection started successfully
10:14:48  DuraHaven  MESSAGE IP Protection stopped
10:14:51  DuraHaven  MESSAGE IP Protection started successfully
10:14:51  DuraHaven  MESSAGE IP Protection stopped
10:14:54  DuraHaven  MESSAGE IP Protection started successfully
10:14:54  DuraHaven  MESSAGE IP Protection stopped
10:14:57  DuraHaven  MESSAGE IP Protection started successfully
19:25:20  DuraHaven  MESSAGE Protection started successfully
19:25:24  DuraHaven  MESSAGE IP Protection started successfully
--
Work is the curse of the drinking class.
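The protection log above is small enough to read by eye, but the question the thread keeps circling (what was blocked, in which direction, how often, and whether it looks like a person browsing or an automated process firing on a timer) is easier to answer with a short parser. The following is an added example, not the poster's file or any Malwarebytes code: it parses lines in the layout shown above, tallies IP-BLOCK entries per address and direction, and clusters them into bursts so that a fixed cadence between bursts stands out. The sample log embedded in it is constructed, and the address 198.51.100.23 is a documentation-range placeholder rather than the one reported in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of an MBAM protection log (not the poster's file).
# 198.51.100.23 is an RFC 5737 documentation address used as a placeholder.
SAMPLE_LOG = """\
07:56:47  DuraHaven  MESSAGE Protection started successfully
07:56:51  DuraHaven  MESSAGE IP Protection started successfully
08:06:16  DuraHaven  IP-BLOCK  198.51.100.23 (Type: outgoing)
08:06:18  DuraHaven  IP-BLOCK  198.51.100.23 (Type: outgoing)
08:16:26  DuraHaven  IP-BLOCK  198.51.100.23 (Type: outgoing)
08:26:26  DuraHaven  IP-BLOCK  198.51.100.23 (Type: outgoing)
09:08:56  DuraHaven  IP-BLOCK  198.51.100.23 (Type: incoming)
09:44:54  DuraHaven  MESSAGE Protection started successfully
"""

# One line: HH:MM:SS, host name, entry kind, then the remainder of the line.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<kind>MESSAGE|IP-BLOCK)\s+(?P<rest>.*)$"
)
# Remainder of an IP-BLOCK entry: the address and the connection direction.
BLOCK_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+)\)$")


def _secs(hhmmss):
    """Convert 'HH:MM:SS' to seconds since midnight (the log carries no date)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _fmt(secs):
    """Inverse of _secs, for readable report output."""
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"


def parse_log(text):
    """Return one dict per log line; IP-BLOCK lines also carry ip and direction."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        ev = {"time": m["time"], "host": m["host"], "kind": m["kind"],
              "ip": None, "direction": None, "message": m["rest"].strip()}
        if ev["kind"] == "IP-BLOCK":
            b = BLOCK_RE.match(ev["message"])
            if not b:
                raise ValueError(f"line {lineno}: malformed IP-BLOCK entry: {line!r}")
            ev["ip"], ev["direction"] = b["ip"], b["direction"].lower()
        events.append(ev)
    return events


def group_bursts(seconds, gap=60):
    """Cluster timestamps (seconds since midnight) into bursts; a new burst starts
    whenever the next event is more than `gap` seconds after the previous one."""
    bursts = []
    for s in sorted(seconds):
        if bursts and s - bursts[-1][-1] <= gap:
            bursts[-1].append(s)
        else:
            bursts.append([s])
    return bursts


def summarize_blocks(events, gap=60):
    """Per (ip, direction): event count, first/last time, number of bursts and the
    seconds between consecutive burst starts (a near-constant value suggests a
    scheduled retry rather than someone clicking around in a browser)."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["kind"] == "IP-BLOCK":
            by_key[(ev["ip"], ev["direction"])].append(_secs(ev["time"]))
    summary = {}
    for key, secs in by_key.items():
        bursts = group_bursts(secs, gap)
        starts = [b[0] for b in bursts]
        summary[key] = {
            "count": len(secs),
            "first": _fmt(min(secs)),
            "last": _fmt(max(secs)),
            "bursts": len(bursts),
            "burst_intervals_s": [b - a for a, b in zip(starts, starts[1:])],
        }
    return summary


if __name__ == "__main__":
    for (ip, direction), info in summarize_blocks(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} {direction}: {info['count']} blocks, {info['first']}-{info['last']}, "
              f"{info['bursts']} bursts, intervals {info['burst_intervals_s']}")
```

Run against the poster's full log the same way (read the file instead of SAMPLE_LOG); the 60-second burst gap is an assumption chosen to merge the 2-3 attempts that appear a few seconds apart into one retry group. The log format itself gives no process name, which is exactly the gap the thread complains about, so this only tells you the pattern, not the originator.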

Re: MBAM blocking

Well, the site clearly tells you what the differences are between the
two. That is, paid and freeware versions. I'm pretty sure all the
descriptions tell you the differences... Yep, they do...

Do note that the real-time protection is restricted to the paid version,
as is the scheduler for updates and scans. Overall, though, Malwarebytes
Anti-Malware is a responsive malware remover that does what it should
with a minimum of fuss.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html


--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: MBAM blocking

Dustin wrote:

Please show where the free vs. pay version comparison mentions the IP
blacklisting feature.  Just show where is this comparison page.  From
the home page (malwarebytes.org), please show the link navigation that
takes the user to where these differences are *clearly* delineated with
sufficient details that the user knows what each feature actually is.
I've seen way too many install scripts offer to include some component
which the user hasn't a clue belongs in the product or is some
ancillary or fluff that got bundled in, and if it is a component of the
product there isn't enough detail for the user to make an educated
selection as to whether or not to include it.  Spouting "Protection
Module" tells users absolutely nothing about a component *name* when
nothing of it is described at the web site.

There isn't even a download for the manuals for the users to dig into
and compile their own comparison between free and payware versions.  
The product page (for both free and payware versions) lists few of the
features in one or the other (but doesn't say which is in which):

http://malwarebytes.org/mbam.php

•Malwarebytes' Anti-Malware protection module (requires registration)

Oh, and that's supposed to give all those details.  Uh huh.

•Ignore list for both the scanner and Protection Module.

Oh, and since it doesn't say "registration" it doesn't appear that is
only in the payware version, plus it doesn't say WHAT is ignored.
Sounds like a simple exclusion list of files or folders.

For someone that has never possessed any copy (free or paid) of
Malwarebytes, the description at the web site is rather vague.  For
someone that has only used the freeware version, there is no info at the
web site that specifies just exactly what features (and describes them)
would be available with the payware version -- other than a vaguely
described "protection module" (which the reader has to interpret means
the on-access/realtime scanner).

The product isn't sold based on its web site.  It's sold mostly by word
of mouth, often when someone reports a problem and someone suggests
using this product as a possible solution, or by users that research a
lot before buying a product.  There's little to glean from the web site
to convince potential buyers that this is a wonderful product.  Read
with a subjective eye, the web site has more hype than details.
Potential buyers shouldn't have to resort to perusing forums or reviews
to first decide if a product is a candidate.  Those are used after the
product becomes a candidate to weigh the decision to buy.  The product
may be very good but it isn't supported by an equally good web site.

"Protection Module"
"Ignore list"

Which one includes IP blacklisting?  How would the user know?  What *is*
the Protection Module?  If IP blacklisting is part of the Protection
Module, just what does that mean to the user trying to decipher what
this product does?  How does it work?  How often updated?  How to report
falsely accused sites?  How to add sites?  How are sites added?  Whose
blacklist are you using?  It seems a lot of this important info the user
needs to know in choosing security software is missing.  I don't buy
into blackbox software.  If it isn't just as protective with full
disclosure of its operation then it isn't a strong product.  No useful
description of the product at its web site, no good list of features, no
good delineation of what is in the free versus paid versions, no details
of the features but instead blackbox naming schemes.  The product may be
very good (at what it does) but it isn't very well described.

Re: MBAM blocking

While I appreciate this long tirade of yours, the fact the IP module is
resident (wouldn't work too well otherwise, methinks) should have been
a clue that the pro version has it and the free version, ehh, doesn't...
 
Yep. It protects you from malware it knows of as well as IP blocking;
which you can optionally turn off.
 
This is really something you should bring to the attention of the
webmaster.
 


--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: MBAM blocking

Dustin wrote:

Then don't claim the web site explains the differences and the features
when it doesn't.  Don't lie and others won't point it out.

You made a big deal that the user was already told about the differences
between free and paid versions.  Now you're backing off because there is
no such info at the web site.

It wasn't the webmaster that made claims that the differences were
defined where a user could find them at the web site or that there was
some page that detailed what were all the features.  That was all your
claim.

Re: MBAM blocking

I wouldn't be so quick to claim I was lying or otherwise trying to
mislead anybody. That isn't the case here.
 
I didn't make a "big deal" about anything. I simply commented that he
had to be using the registered version, as it's using something which is
resident and is not available in the freeware version.
 
If you're going to attribute me, please do so correctly. I did state the
differences (while not detailed to your satisfaction) are available on
the site. I even quoted one of the most popular ones where people pull
files from. It clearly states the freeware version doesn't include
resident protection. Now, here again is where common sense would come
in handy for you; In order for the IP blocker to be of any use, it has
to be resident; right? So... Which version is more likely to have this
feature? C'mon, you can do it!

--
If today was your last day... and tomorrow was too late...
could you say goodbye to yesterday?

Re: MBAM blocking

Dustin wrote:

Dustin said, "Well, the site clearly tells you what the differences are
between the two".  Dustin has a significantly different definition of
what constitutes "clearly".