#1
Posted 06 August 2009 - 01:58 AM
Hey all,
It's been a while. Sorry! I've been lurking though. Anyway, I love the idea of this new IP protection module in 1.40. I have a question though. I was looking at the logs and found that MBAM blocked an IP today from China [218.15.142.41] when I wasn't even here. Steam, Firefox, Opera, and mIRC were running but I wouldn't think any one of them would be contacting something in China. Since the logs don't record the port (maybe in the future?), is there a way I can trace back which program tried to communicate with this IP? I ran a scan with MBAM and it came back clean. Scanning with Kaspersky Online right now.
swagger
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal, MBAM Pro
Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal
#2
Posted 06 August 2009 - 02:14 AM
I second this request...

Dell Precision T5400, Win7 Ultimate 32bit fully updated, Symantec Endpoint Protection,
Watchguard Firewall, Intel Xeon CPU, Dual Quad Core Processors, 4GB Ram,
E5410 @ 2.33GHz, Nvidia Quadro FX570, Raid-1 Dual 500GB Sata 10000 rpm Hard Drives
Dual DVD Burners, IE9, Opera, MBAM
#3
Posted 06 August 2009 - 02:15 AM
The remote address:
218.15.142.41 (41.142.15.218.broad.yj.gd.dynamic.163data.com.cn) (CHINA)
#4
Posted 06 August 2009 - 08:34 AM
MBAM logs the IPs blocked, but I do not believe it currently logs the application that tried connecting to it.
#5
Posted 06 August 2009 - 08:59 AM
If you're on Vista or Windows 7 then the firewall logs may show it or may be able to be configured to log it.
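One way to do the tracing the original poster asks about on an XP box, where the firewall log does not record the application: snapshot `netstat -ano` (which prints the owning PID) and `tasklist /fo csv /nh`, then join them on PID for the blocked address. This is an added example, not MBAM's code; the sample command output and process names below are constructed, and only the IP comes from the thread.

```python
"""Map a blocked remote IP back to the local process that owns the socket,
from the output of `netstat -ano` and `tasklist /fo csv /nh` (both present
on Windows XP SP2 and later). Added example, not MBAM code."""
import re

# Constructed sample of `netstat -ano` output; the remote address is the
# one reported in the thread, the PIDs and process names are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.3.31:1042      218.15.142.41:80       SYN_SENT        1844
  TCP    192.168.3.31:1045      192.0.2.10:443         ESTABLISHED     2212
  UDP    192.168.3.31:6881      *:*                                    1844
"""
# Constructed sample of `tasklist /fo csv /nh` output (no header row).
SAMPLE_TASKLIST = '''"browser.exe","2212","Console","0","61,244 K"
"example.exe","1844","Console","0","30,100 K"
'''

# proto, local, foreign, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, remote_ip, state, pid) for each socket line."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            remote_ip = remote.rsplit(":", 1)[0]  # drop the port, keep the host
            rows.append((proto, local, remote_ip, state or "", int(pid)))
    return rows

def parse_tasklist(text):
    """Return {pid: image name} from CSV tasklist output."""
    names = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.split('","')]
        if len(fields) >= 2:
            names[int(fields[1])] = fields[0]
    return names

def processes_talking_to(ip, netstat_text, tasklist_text):
    """Sorted (pid, name, proto, state) for every socket whose peer is `ip`.
    Only sockets alive at sampling time show up, so poll this repeatedly to
    catch a short-lived connection like the one the protection module blocked."""
    names = parse_tasklist(tasklist_text)
    hits = {(pid, names.get(pid, "?"), proto, state)
            for proto, _, remote_ip, state, pid in parse_netstat(netstat_text)
            if remote_ip == ip}
    return sorted(hits)
```

On a real machine, feed the functions the captured output of the two commands in a loop every second or so; a SYN_SENT entry to the blocked address is the moment the protection module would have intervened.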
#6
Posted 06 August 2009 - 10:31 AM
secret365, on Aug 5 2009, 10:15 PM, said:
The remote address:
218.15.142.41 (41.142.15.218.broad.yj.gd.dynamic.163data.com.cn) (CHINA)
Yes, thank you... I was able to get that via traceroute which is why I said China in my original post.
MysteryFCM, on Aug 6 2009, 04:34 AM, said:
MBAM logs the IPs blocked, but I do not believe it currently logs the application that tried connecting to it.
Very true, by looking at the logs. That is why I requested that MBAM record port numbers as well as the IP in the future.
AdvancedSetup, on Aug 6 2009, 04:59 AM, said:
If you're on Vista or Windows 7 then the firewall logs may show it or may be able to be configured to log it.
Unfortunately, this is an XP Pro box that it happened on, so I am out of luck there...
By the way, my scan with Kaspersky came back clean last night.
Edit for typo
#7
Posted 06 August 2009 - 12:20 PM
Another thought: my girlfriend's older son likes to use Limewire/Frostwire against my objection when I'm not around. Is it possible that MBAM sees IPs across the whole LAN? (i.e., I'm on 192.168.3.31, he's on 192.168.3.33) I doubt this is the case, but just wondering, as I have no other explanation for my computer contacting that Chinese IP.
#8
Posted 06 August 2009 - 12:33 PM
It's possible, depending on how the network is configured, but the traffic to/from the other machines on the network shouldn't be coming anywhere near each other unless specifically told to.
I'd recommend blocking the Limewire/Frostwire ports at the router
(won't guarantee stopping it, as he can simply change ports, but configuring the router to ONLY allow the outgoing ports required, for example port 80 for HTTP and 443 for HTTPS, will reduce his chances of being able to ignore you, which, in turn, risks the network)
#9
Posted 06 August 2009 - 10:10 PM
Yeah, I could probably do that and be relatively fine. Another side effect I have noticed since the new IP protection has been implemented is 5-second delays when accessing certain websites or pinging certain IPs. That needs to become faster in future releases. I've tested this theory with and without IP protection on, and it's definitely related.
#10
Posted 09 August 2009 - 11:57 PM
I guess no one is suffering from the same problems? (5 sec delay)
#11
Posted 10 August 2009 - 01:24 AM
The cheaper routers cannot block most P2P traffic easily, especially on a given port. If you have one of the newer or more expensive models, then many of them have built-in templates for blocking P2P and a lot more granular control.
#12
Posted 10 August 2009 - 06:10 PM
Understandable... My router is definitely not a small business router but a high-end SOHO router. Either way, I don't think P2P is related to why my desktop computer, which is wired to the router and has the paid version of MBAM installed, suffers from a significant delay (5 seconds) when trying to access certain websites or while pinging certain IPs.
#13
Posted 11 August 2009 - 02:42 PM
MysteryFCM, on Aug 6 2009, 01:33 PM, said:
It's possible, depending on how the network is configured, but the traffic to/from the other machines on the network, shouldn't be coming anywhere near each other, unless specifically told to.
I'm having a similar issue. Could you expand on the possibility of networked LAN PCs having the IP block triggered? I noticed two different times that the IP Block got triggered without any apparent reason on my PC, but I did have a mapped drive to a PC that had been having a trojan issue. They both seemed to happen right as I logged into my PC, and both were trying to reach IPs similar to the above-mentioned IP.
Symantec and MalwareBytes scan clean, and I haven't seen any pop-ups since I disconnected from that mapped drive.
Thanks!!
#14
Posted 11 August 2009 - 03:46 PM
This specific issue occurs because the packets to and from the infected machine (e.g. DNS [UDP], ICMP, etc.) are echoed to the other machines on the network.
Your firewall will be blocking the incoming packets from the other machine, which is why you'll not see them when disconnecting from the mapped drive (the mapped drive provides a connection between the two machines, that will then allow the packets to bounce to/from each other).
#15
Posted 11 August 2009 - 09:26 PM
My MBAM 1.40 doesn't record the blocked IP address in the log. The log only has the scan report. Since it only appears briefly in the system tray bubble, I never know what was blocked.
#16
Posted 11 August 2009 - 10:05 PM
It's in a different log, located here and listed as protection-log-yyyy-mm-dd.log:
%allusersprofile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
This log will also show any threats detected by the Protection Module and whether they were blocked, ignored or quarantined.