[INFO] Malicious Website Blocking



#1 TeMerc

Posted 07 August 2009 - 07:14 PM

In v1.40, Malwarebytes introduced Malicious Website Blocking into Malwarebytes Anti-Malware, to prevent the user being infected in the first place. The following is information on what this does, and how it works.

What does Malicious Website Blocking do?

Malicious Website Blocking provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges, for example, NetDirekt, which is host to the Internet Service Team.

How does it do this?

When you ask your browser to connect to a website, Windows uses DNS or the HOSTS file (depending on configuration) to convert that domain name into its corresponding IP address (e.g. example.com <> 1.2.3.4). Malwarebytes Anti-Malware intercepts the packet communications to determine whether or not the IP address is known for malicious activity, and if so, blocks the communication.

How does it inform you?

Malwarebytes Anti-Malware informs you a malicious IP has been blocked by presenting a bubble notification at the bottom of the screen (next to the system tray).

What does this notification mean?

This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address. If this notice was presented when you were not actually doing anything on the machine, then I suggest having your computer looked at.

I got an alert and I wasn't even surfing, how's that happen?

There are many applications on your system which have access to the Net, and any of these can trigger an IP alert with no browser open. The most common offenders are P2P applications and IM clients; usually an ad will trigger an alert. An advanced or premium firewall will be able to give you a list of programs which can access the Net.

I received a notification on a safe site, why?

If a notification is presented on a safe site, and the site loads, it is likely the site was loading content that is hosted on an IP known for malicious activity. In this case, the site itself will be displayed perfectly fine, with the malicious content being blocked.

If however, the site does not load, it is likely the site is also hosted on the same malicious IP address.

It is also entirely possible that the site in question shares its IP address with other malicious domains. IPs and IP ranges are blocked if they are either dedicated to malicious content, or have a higher proportion of malicious content than non-malicious. So for example, if 1.2.3.4 contains 1000 sites and over 50% are malicious, then 1.2.3.4 will be blocked (and even then, if we can get the hosting company to take down the malicious sites, then even better, as we do not like blocking shared IPs or IP ranges if we don't have to).

How do I disable this?

I wouldn't recommend disabling it, but if you must, you can do this by right clicking the Malwarebytes Anti-Malware tray icon, and unchecking "Website Blocking".

I got an alert for an IP or website I think is safe, how can I report it?

If you find a site being blocked, and either don't know why, or are sure it's safe, please report it to us at the Website Blocking False Positive Forum.

IMPORTANT: When posting false positive reports, please ensure you post both the IP address affected, and if applicable, the domain name (e.g. example.com).

Does the Malicious Website Blocking replace my firewall?

Absolutely NOT! The Malicious Website Blocking included in Malwarebytes Anti-Malware is NOT a replacement for your firewall.

Where do I find the Malicious Website Blocking logs?

You can find the logs for the Malicious Website Blocking facility at:

Vista users
C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs

XP Users
%AllUsersProfile%\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Note: %AllUsersProfile% refers to the location of the "All Users" Windows profile, and is usually C:\Documents and Settings\All Users\


How can I add an IP so it won't be detected and can access a site I need to?

This has now been implemented. Visit the blocked site and incur an IP block. Then right-click on the Malwarebytes Anti-Malware system-tray icon after the block notification appears, and choose Add to Ignore List and the IP.

Tom Mercado
Product Support Team Lead
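
The IP-based check and the shared-IP rule described in the post, as an added Python example that is not part of the original post and is not Malwarebytes' own code. The domain names, addresses, the RESOLVED table standing in for the DNS/HOSTS lookup, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation ranges plus the post's 1.2.3.4 example.
BLOCKED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # range dedicated to malicious content
HOSTED_SITES = {  # shared IP -> {domain: is_malicious}
    "1.2.3.4": {"bad-a.example": True, "bad-b.example": True, "safe.example": False},
    "198.51.100.7": {"shop.example": False, "blog.example": False, "bad-c.example": True},
}
RESOLVED = {  # stand-in for the DNS / HOSTS lookup step
    "safe.example": "1.2.3.4",
    "shop.example": "198.51.100.7",
    "cdn.example": "203.0.113.20",
}


def shared_ip_is_blocked(ip):
    """Post's rule: block a shared IP when more than 50% of its sites are malicious."""
    sites = HOSTED_SITES.get(ip)
    if not sites:
        return False
    malicious = sum(1 for bad in sites.values() if bad)
    return malicious * 2 > len(sites)


def check_connection(domain, ignore_list=frozenset()):
    """Return (ip, verdict) for an outbound connection to `domain`.

    The verdict depends only on the destination IP, never on the domain name,
    which is why a safe site on a mostly malicious shared IP is still blocked.
    """
    ip = RESOLVED[domain]
    addr = ipaddress.ip_address(ip)
    if ip in ignore_list:  # user chose "Add to Ignore List" for this IP
        return ip, "allowed (ignore list)"
    if any(addr in net for net in BLOCKED_RANGES):
        return ip, "blocked (listed range)"
    if shared_ip_is_blocked(ip):
        return ip, "blocked (shared IP, majority malicious)"
    return ip, "allowed"


if __name__ == "__main__":
    for name in RESOLVED:
        print(name, *check_connection(name))
    print("safe.example", *check_connection("safe.example", ignore_list={"1.2.3.4"}))
```
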
