Malwarebytes

[INFO] IP Protection


#1
TeMerc

In v1.40, Malwarebytes introduced IP Protection into Malwarebytes' Anti-Malware, to prevent the user being infected in the first place. The following is information on what this does, and how it works.

What does IP Protection do?

IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges, for example, NetDirekt, which is host to the Internet Service Team.

How does it do this?

When you ask your browser to connect to a website, Windows uses DNS or the HOSTS file (depending on configuration), to convert that domain name into its corresponding IP address (e.g. example.com <> 1.2.3.4). MBAM intercepts the packet communications, to determine whether or not the IP address is known for malicious activity, and if so, blocks the communication.

How does it inform you?

MBAM informs you a malicious IP has been blocked by presenting a bubble notification at the bottom of the screen (next to the system tray).

What does this notification mean?

This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address. If this notice was presented when you were not actually doing anything on the machine, then I suggest having your computer looked at.

I got an alert and I wasn't even surfing, how's that happen?
There are many applications on your system which have access to the Net and any of these can trigger an IP alert with no browser open. Most common offenders are P2P applications and IM clients; usually an ad will trigger an alert. An advanced or premium firewall will be able to give you a list of programs which can access the Net.

I received a notification on a safe site, why?

If a notification is presented on a safe site, and the site loads, it is likely the site was loading content that is hosted on an IP known for malicious activity. In this case, the site itself will be displayed perfectly fine, with the malicious content being blocked.

If however, the site does not load, it is likely the site is also hosted on the same malicious IP address.

It is also entirely possible that the site in question shares its IP address with other malicious domains. IPs and IP ranges are blocked if they are either dedicated to malicious content, or have a higher proportion of malicious content than non-malicious. So for example, if 1.2.3.4 contains 1000 sites and over 50% are malicious, then 1.2.3.4 will be blocked (and even then, if we can get the hosting company to take down the malicious sites, then even better as we do not like blocking shared IPs or IP ranges if we don't have to).

How do I disable this?

I wouldn't recommend disabling it, but if you must, you can do this by right clicking the MBAM tray icon, and unchecking "IP Protection".

I got an alert for an IP or website I think is safe, how can I report it?

If you find a site being blocked, and either don't know why, or are sure it's safe, please report it to us at the False Positive Forum.

IMPORTANT: When posting false positive reports, please ensure you post both the IP address affected, and if applicable, the domain name (e.g. example.com).

Does the IP Protection replace my firewall?

Absolutely NOT! The IP Protection included in Malwarebytes Anti-Malware is NOT a replacement for your firewall.

Where do I find the IP Protection logs?

You can find the logs for the IP Protection facility at:

Quote

Vista users
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs

XP Users
%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Note: %AllUsersProfile% refers to the location of the "All Users" Windows profile, and is usually C:\Documents and Settings\All Users\

How can I add an IP so it won't be detected and can access a site I need to?
This has now been implemented. Visit the blocked site and incur an IP block. Then right-click on the Malwarebytes system-tray icon after the block notification appears, and choose Add to Ignore List and the IP.
Tom Mercado
Consumer Support Engineer

#2
AdvancedSetup

Registry Switches for Controlling IP-Blocking in MBAM 1.41

Create the indicated registry value (labeled as key | value) with the indicated data and reboot to enforce the policies below. All of the values are of type DWORD. In order to create a registry value, open the Registry Editor (Start -> Run -> regedit), navigate to the key listed, and then right-click in the right-hand panel and choose New -> DWORD.

1) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | silentipmode
Description: With a DWORD value of 1, the protection module will block and log IPs silently.

2) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | startipdisabled
Description: With a DWORD value of 1, IP blocking will start disabled on reboot, although it can be enabled subsequently.

3) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | disableipblocking
Description: With a DWORD value of 1, IP blocking will be permanently disabled (cannot be toggled).
Ron Lewis
Manager, Online Support

#3
GT500

Note that, on 64-bit editions of Windows, the registry values that AdvancedSetup mentioned are located in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
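
An audit of the three registry switches from post #2, covering both the key listed there and the Wow6432Node key from post #3. This is an added example, not part of the original posts and not Malwarebytes code; the function name Get-MbamIpPolicy and the output column names are hypothetical.

```powershell
# Added example: report which MBAM 1.41 IP-blocking switches are set.
# Read-only; run from an elevated or normal prompt (HKLM read access is enough).

# Key from post #2, plus the 64-bit Windows location from post #3.
$keys = @(
    "HKLM:\Software\Malwarebytes' Anti-Malware",
    "HKLM:\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware"
)

# Value name -> effect when the DWORD is 1 (wording taken from post #2).
$switches = [ordered]@{
    silentipmode      = 'blocks and logs IPs silently'
    startipdisabled   = 'IP blocking starts disabled on reboot'
    disableipblocking = 'IP blocking permanently disabled (cannot be toggled)'
}

function Get-MbamIpPolicy {
    foreach ($key in $keys) {
        # A key that does not exist simply means no policy is set there.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $switches.Keys) {
            $prop  = $props.PSObject.Properties[$name]
            $value = if ($prop) { $prop.Value } else { $null }
            [pscustomobject]@{
                Key     = $key
                Setting = $name
                Value   = $value
                Active  = ($value -eq 1)
                Effect  = if ($value -eq 1) { $switches[$name] } else { 'not set' }
            }
        }
    }
}

$report = @(Get-MbamIpPolicy)
$report | Format-Table -AutoSize

# silentipmode still blocks; the other two switches turn protection off.
$off = $report | Where-Object { $_.Active -and $_.Setting -ne 'silentipmode' }
if ($off) {
    Write-Warning 'IP blocking is disabled, or starts disabled, by registry policy on this machine.'
}
```

An empty table means neither key exists or none of the three values has been created, so IP Protection is running with its defaults.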

#4
AdvancedSetup

Here is a Windows installer to create the IP Policy shortcuts.
It basically runs the REG command line tool and sets the registry values or removes them.

Caveats:

1. Only installs on x86 (32 Bit)
2. Only tested on English XP/Vista Operating Systems (may work on non-English but preliminary tests indicate it does not work on other languages)
3. Assumes user did not change default installation path: C:\Program Files\Malwarebytes' Anti-Malware
4. Users on Vista will need to either have UAC disabled (not recommended) or right click on the desired shortcut and choose Run As Admin
5. Reboot is required for most of these changes to function
6. User must have Admin rights to run the installer

If you hover your mouse over the shortcut it also has a tooltip description of what it does.

This will also create an entry in Add/Remove to uninstall the shortcuts when the GUI is updated to support this on its own which is expected to be released in the next release version of MBAM.

Ron Lewis
Manager, Online Support