Portscanned from MBAM update sites


I just installed MBAM on a new PC, after installing a Firewall, and when I tried to update MBAM, I immediately was portscanned by both update sites: hwcdn.net (69.16.175.42) and 72.21.81.253 (as reported by the firewall).  So either the MBAM I downloaded from the official site has been directed at hacker sites, or the legitimate update sites have been taken over.  I guess I'll have to download updates manually (if I decide to still trust MBAM).


Hello and :welcome:

Malwarebytes uses many update servers throughout the world. As I am not on the staff, I cannot confirm if these IPs are from the update servers.

Since you have added a "firewall", perhaps if you add an exclusion to your firewall for Malwarebytes updates, it may solve your issue.

Please exclude the following item from your Firewall Software (not sure what version you are using):

Note: Add the following as a trusted site:

data-cdn.mbamupdates.com

Please post back and let us know how it went.

... I immediately was portscanned by both update sites: hwcdn.net (69.16.175.42) and 72.21.81.253 (as reported by the firewall). 

 

That's a misinterpretation of that data.  Assuming they were Malwarebytes' related content delivery sites to obtain signatures, they did NOT "port-scan" your computer.  Port-Scanning is the deliberate process of going through the full-range or subset of ranges of TCP and/or UDP ports on a particular Internet Protocol address.  Presumably a WAN address.


Wow, all three of you assumed I was clueless and reporting an outbound access attempt by my firewall as a portscan.

 

I get multiple access requests all day from various applications, including MBAM, and either grant or refuse them, and that's NOT what I'm talking about here.  My firewall specifically alerts me to portscanning attempts with a popup saying "portscan attack from IP XXX" and then blocks all communication for a certain duration.  This happens rarely, perhaps once every few weeks, but happened twice, within a few minutes, from both of the MBAM update sites I mentioned in the original post.

 

I'm quite surprised that a company selling a commercial product would have the attitude of assuming I'm an idiot rather than immediately taking action, such as

* remove the sites I mentioned from their update program, or at least

* investigate them and put in safeguards to ensure these sites are not taken over

 

hwcdn is one of our many content delivery networks (CDNs) for updates.

 

It is the legit site to obtain updates.  MBAM is asking for access to those sites and your firewall is wanting to know if it should allow. I doubt it's a port scan, as David said.

I gave MBAM access to these sites, after which I was portscanned, which is not normal behavior.  I am not portscanned by Avast update sites or microsoft update sites.

 

That's a misinterpretation of that data.  Assuming they were Malwarebytes' related content delivery sites to obtain signatures, they did NOT "port-scan" your computer.  Port-Scanning is the deliberate process of going through the full-range or subset of ranges of TCP and/or UDP ports on a particular Internet Protocol address.  Presumably a WAN address.

No, it looks like you are the one doing the misinterpreting.  I'm well aware of what port-scanning is, and how it differs from giving apps outbound access through my firewall.  I gave MBAM outbound access to the update sites, and then was portscanned, which caused my firewall to completely shut off communication (for everything).  Perhaps the company that wrote my firewall is confused when they pop up a "port scanning attack" dialog?

 

Hello and :welcome:

Malwarebytes uses many update servers throughout the world. As I am not on the staff, I cannot confirm if these IPs are from the update servers.

Since you have added a "firewall", perhaps if you add an exclusion to your firewall for Malwarebytes updates, it may solve your issue.

Please exclude the following item from your Firewall Software (not sure what version you are using):

Note: Add the following as a trusted site:

data-cdn.mbamupdates.com

Please post back and let us know how it went.

 

Again, you're confusing outbound access with being portscanned.  I gave MBAM outbound access, otherwise I couldn't have been port-scanned, as those sites wouldn't know my IP.


Staff

Yes, if you can please provide logs of this, I will have someone look into it.

 

This is not our personal CDN but a 3rd-party company that provides content for thousands of companies.

 

The reason we discounted this is that the odds of this being a malicious port scan from them are next to none, but I will have someone double-check if you can provide us some logs to go on.

 

Thanks.


Highwinds is one of our content delivery partners, and I am very confident in their security. I've personally sat down with a few of their employees, from VPs to Engineers; we have strong relationships with all of our CDNs. Their servers are set up only for HTTP and HTTPS traffic, which is what our application uses to retrieve information and updates from our servers. Our applications are client-driven when it comes to their server/client communications. In other words, our application makes requests of the servers, but the servers never directly reach out to the application.

 

From what I have read so far this strongly looks like a false positive from the firewall. We can look into this further, but to do that we need more information. What ports are being scanned, and at what rate? What firewall are you using?


I saved a few firewall logs which show IP addresses and ports, including the ports that were scanned to trigger the attack, but I wasn't running wireshark and don't have any actual packet captures.  Should I post the logs to this thread or email them to your support?  The only really interesting part is the protection log which indicates:

 

2013/11/30 21:00:24   detected scan packet: 53371; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53371 (40) [ ACK ]

2013/11/30 21:00:36   detected port scanning: 53371, 53377, 53378, 53379, 53380, 53381, 53382; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53382 (40) [ ACK ]
2013/11/30 21:00:36   Attack SCAN (53371, 53377, 53378, 53379, 53380, 53381, 53382) detected from 72.21.81.253 {host blocked for 5 min} [000001B5]
2013/11/30 21:02:00   detected scan packet: 53390; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53390 (40) [ ACK ]
2013/11/30 21:04:19   detected port scanning: 53513, 53516, 53519, 53522, 53525, 53528, 53531; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53531 (40) [ ACK ]
2013/11/30 21:04:19   Attack SCAN (53513, 53516, 53519, 53522, 53525, 53528, 53531) detected from 69.16.175.42 {host blocked for 5 min} [000001B6]
2013/11/30 21:05:36   intruder 72.21.81.253 unblocked [000001B5]
2013/11/30 21:09:19   intruder 69.16.175.42 unblocked [000001B6]

 

The other log file is basically just a series of details of when I allowed or blocked MBAM from accessing various IPs.  (I first allowed it, then blocked it as I was trying to figure out what was going on.)  If you want more details of my firewall configuration and security, we should probably take this offline.

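Every packet in the protection log above is a 40-byte, ACK-only TCP segment sent from port 80 on the CDN host to a high (ephemeral) port on the client, and every "scanned" port is one of those ephemeral ports. That is the shape of leftover acknowledgements from HTTP connections the client itself opened and then tore down, not of a probe, which would normally come from an arbitrary source port toward well-known service ports. The script below is an added example, not the firewall's or Malwarebytes' code: it parses the log lines posted in the thread and applies that sanity check, and it also feeds one constructed line (TEST-NET address 203.0.113.5, SYN to port 80) through the same logic to show what a genuinely scan-like entry would look like. The thresholds and the label strings are my own illustrative choices.

```python
import re
from collections import defaultdict

# Lines copied from the firewall protection log posted in this thread.
LOG_LINES = [
    "2013/11/30 21:00:24   detected scan packet: 53371; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53371 (40) [ ACK ]",
    "2013/11/30 21:00:36   detected port scanning: 53371, 53377, 53378, 53379, 53380, 53381, 53382; packet recv TCP 72.21.81.253:80 -> 192.168.1.102:53382 (40) [ ACK ]",
    "2013/11/30 21:02:00   detected scan packet: 53390; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53390 (40) [ ACK ]",
    "2013/11/30 21:04:19   detected port scanning: 53513, 53516, 53519, 53522, 53525, 53528, 53531; packet recv TCP 69.16.175.42:80 -> 192.168.1.102:53531 (40) [ ACK ]",
]

# Constructed line (not from the thread) in the same log format: SYNs from a
# random high source port toward well-known service ports, i.e. scan-shaped.
CONSTRUCTED_SCAN_LINE = (
    "2013/11/30 22:00:00   detected port scanning: 21, 22, 23, 25, 80; "
    "packet recv TCP 203.0.113.5:41234 -> 192.168.1.102:80 (40) [ SYN ]"
)

PACKET_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"detected (?:scan packet|port scanning): (?P<ports>[\d, ]+); "
    r"packet recv (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) \((?P<len>\d+)\) "
    r"\[ (?P<flags>[A-Z]+(?: [A-Z]+)*) \]$"
)

# IANA dynamic/ephemeral range; modern Windows also defaults to 49152-65535.
EPHEMERAL_MIN = 49152
WEB_PORTS = {80, 443}
IP_PLUS_TCP_HEADER = 40  # 20-byte IPv4 header + 20-byte TCP header, no payload


def parse_line(line):
    """Turn one 'detected scan packet / port scanning' line into a dict, or None."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ports"] = [int(p) for p in d["ports"].split(",")]
    for key in ("sport", "dport", "len"):
        d[key] = int(d[key])
    d["flags"] = set(d["flags"].split())
    return d


def assess(entries):
    """Group flagged packets by remote host and label each host's traffic.

    'stray-acks-from-client-sessions' means every packet came from a web
    service port, carried only the ACK flag, had no payload, and targeted
    ephemeral ports, which is what a server emits after the client side of
    an HTTP connection has already gone away. Anything else is left for a
    human to look at; this heuristic is illustrative, not the firewall's logic.
    """
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)

    verdicts = {}
    for src, evs in by_src.items():
        flagged_ports = sorted({p for e in evs for p in e["ports"]})
        from_web_port = all(e["sport"] in WEB_PORTS for e in evs)
        ack_only = all(e["flags"] == {"ACK"} for e in evs)
        no_payload = all(e["len"] == IP_PLUS_TCP_HEADER for e in evs)
        all_ephemeral = all(p >= EPHEMERAL_MIN for p in flagged_ports)

        if from_web_port and ack_only and no_payload and all_ephemeral:
            verdict = "stray-acks-from-client-sessions"
        else:
            verdict = "needs-investigation"
        verdicts[src] = {
            "verdict": verdict,
            "ports": flagged_ports,
            "packets": len(evs),
        }
    return verdicts


if __name__ == "__main__":
    parsed = [parse_line(l) for l in LOG_LINES + [CONSTRUCTED_SCAN_LINE]]
    for host, info in assess([p for p in parsed if p]).items():
        print(f"{host}: {info['verdict']} ({info['packets']} packets, "
              f"{len(info['ports'])} ports: {info['ports']})")
```

Run as-is, it labels both CDN hosts from the log as stray ACKs and the constructed 203.0.113.5 entry as needing investigation. The useful follow-up for a practitioner is the one the staff reply asks for: a packet capture taken while the update runs, so the ACKs can be matched against the client's own preceding SYNs to those same ephemeral ports.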
