When I first started to notice the IP blocks I didn't think much of them..since they surfaced while I was running a file sharing client..
Now that the feature had been implemented in Malwarebytes for a while I'd like to make some requests..
I want to know 2 things..
Who the IP address belongs to & ideally why it was blocked..
And what process on my local machine is attempting the connection..
Unreasonable?
#1
Posted 15 September 2009 - 10:51 PM
#2
Posted 15 September 2009 - 11:14 PM
How are you! Please see this post for an answer to your question: http://www.malwareby...showtopic=21076
EDIT: If the IP blocked it is malicious IP addresses.. and as for who it belongs to, you would have to do a search on that for example: this site: http://www.projectho...g/search_ip.php
Post back if you have any comments or questions.... regards..

No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.
http://www.tentrexindustries.com/
#3
Posted 16 September 2009 - 12:12 AM
Thank you for your reply :-)
In my opinion..identifying what process attempted to make contact would be instrumental in helping capable users detect local rogue applications..
--- Will these Logs tell me the process attempting to access the blocked IPs?
--- This is just great..What I'd like to know is what browser..IM..P2P..attempted to access a malicious IP address
Quote
Where do I find the IP Protection logs?
Vista users
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs
XP Users
%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
Note: %AllUsersProfile% refers to the location of the "All Users" Windows profile, and is usually C:\Documents and Settings\All Users\
Quote
What does this notification mean?
It simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address.
#4
Posted 16 September 2009 - 12:32 AM
Conable, on Sep 15 2009, 05:12 PM, said:
Thank you for your reply :-)
In my opinion..identifying what process attempted to make contact would be instrumental in helping capable users detect local rogue applications..
--- Will these Logs tell me the process attempting to access the blocked IPs?
--- This is just great..What I'd like to know is what browser..IM..P2P..attempted to access a malicious IP address
Well you know where the logs are and 1 will be created each time you boot up in a plain txt file. It will log the IP addresses
Quote
Will these Logs tell me the process attempting to access the blocked IPs?
Whatever browser you use, if you land on a malicious website, (I never use IM) it will flag as IP Block.. I hope this helps...

#5
Posted 16 September 2009 - 01:57 AM
No, the logs will not tell you what process tried to access the IPs unfortunately. That would be more the job of a software firewall to serve such a function, something that Malwarebytes' Anti-Malware isn't.
#6
Posted 16 September 2009 - 02:01 AM
exile360, on Sep 15 2009, 06:57 PM, said:
No, the logs will not tell you what process tried to access the IPs unfortunately. That would be more the job of a software firewall to serve such a function, something that Malwarebytes' Anti-Malware isn't.
Thank you exile360! I had to think about that one for a second...regards..

#7
Posted 16 September 2009 - 07:29 AM
To clarify, the IP Protection facility cannot currently tell you what process is attempting to connect to the IP being blocked, as the API used does not provide that information on XP, only on Vista/Windows 7. You'd be best off using a firewall to determine what is connecting to where.
As far as who owns the IP, you can use the following site (note: the site is run by me) to determine this, and in most cases, it will also tell you why it's blocked (just pop the IP into the search box on the site);
http://hosts-file.net
#8
Posted 16 September 2009 - 11:01 PM
Alright..it's been made pretty clear the blocking is its own function..separate from Why Where & What..
It's also been made apparent those functions are not currently implemented..& from the sound of it..will never be..
If I started to use a software firewall..I would move to using that exclusively..but I don't like things like ZoneAlarm..
Why & Where aren't nearly as important to me as What either..
Thanks for talking shop all the same :-)
#9
Posted 16 September 2009 - 11:05 PM
Glad you got your questions answered! I use an AV/Firewall software by Trend Micro, and a Motorola router with a firewall built in that puppy also.... Please post back with any issues, comments or questions.. someone will always be here...regards...

#10
Posted 17 September 2009 - 01:52 AM
Yes, I can give you the Why though. The sites being blocked are known to host malware, meaning MBAM is protecting you from potential infection by cutting it off at the source. While this can prevent say, a new trojan from getting onto your system, it can also block a trojan that's already present on the system from phoning home, potentially at least. It doesn't identify the program communicating, but even a software firewall wouldn't do you any good in most such scenarios anyway, given that the majority of modern trojans are injected into legitimate processes and hidden using rootkit technology, so likely all you'd see as the process name in the log if MBAM did tell you what program it was would be something like svchost.exe which you certainly don't want to delete.
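The question running through this thread, which local process is talking to a blocked IP, can be answered without a third-party firewall by reading the PID column of `netstat -ano`. The following is an added example, not part of the original thread and not Malwarebytes code: the function names and the sample output (documentation-range addresses, made-up PIDs) are constructed for illustration, and the connection must still be present in the table at the moment netstat runs.

```python
import subprocess
import sys

# Constructed sample of `netstat -ano` output (addresses are documentation ranges).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.10:49712     203.0.113.45:80        SYN_SENT        1044
  TCP    192.168.1.10:49713     198.51.100.7:443       ESTABLISHED     3120
  TCP    192.168.1.10:49720     203.0.113.45:80        TIME_WAIT       0
  TCP    [::1]:49730            [2001:db8::5]:8080     ESTABLISHED     3120
  UDP    0.0.0.0:500            *:*                                    640
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, column header and blank lines
        proto, local, remote = fields[:3]
        state = fields[3] if len(fields) == 5 else ""
        remote_ip, remote_port = split_endpoint(remote)
        yield {"proto": proto, "local": local, "state": state,
               "remote_ip": remote_ip, "remote_port": remote_port,
               "pid": int(fields[-1])}

def owners_of(text, blocked_ip):
    """Return (pid, state, local endpoint) for every row talking to blocked_ip."""
    return [(row["pid"], row["state"], row["local"])
            for row in parse_netstat(text) if row["remote_ip"] == blocked_ip]

if __name__ == "__main__":
    # With an IP argument on Windows, query the live table; otherwise use SAMPLE.
    live = len(sys.argv) > 1 and sys.platform == "win32"
    text = subprocess.check_output(["netstat", "-ano"], text=True) if live else SAMPLE
    for pid, state, local in owners_of(text, sys.argv[1] if live else "203.0.113.45"):
        print(f"PID {pid} ({state or 'no state'}) from {local}")
```

A row in TIME_WAIT reports PID 0 because the owning process has already closed the socket, so only rows with a live PID identify the caller. When the PID turns out to be `svchost.exe`, as the last reply anticipates, `tasklist /svc /fi "PID eq <pid>"` lists the services hosted in that instance.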