Why Does MBAM Service Keep Dialing Out?

[DonZ]

Win 7 x64 SP1, MBAM Pro 1.51.1.1300

I keep seeing outbound connection attempts for mbamservice.exe on TCP ports 80 and 443. I have unchecked the "report usage statistics" option. Updating is set to once a day.

So why is mbamservice dialing out all the time? Why is it dialing out to Amazon servers?

I paid for a MBAM Pro license. In my book that means no tracking!

[screen317]

I believe the information in this topic by MBAM staff member tedivm will answer your question:

http://www.wilderssecurity.com/showthread.php?t=302968

Essentially, when Report Usage Statistics is unchecked, you aren't sending back data about your OS, language, etc., but the server is keeping a running client count when the program is triggered via a scan, update, etc. It shouldn't be happening often.

Please let us know if any further clarification is required and we will do our best to assist you.

How often is it happening for you?

[tedivm]

Anything on port 80 is going to be related to updates. There are a lot of different support files that exist, so when people check for updates there may be a couple of connections.

Stuff that goes over the 443 port to the Amazon servers is related to either license enforcement or statistics collection. There are basically three groups of statistics we collection. Each of these categories collects information about the mbam client itself (which I'll describe once below), as well as their own particularly data-

• License Enforcement - this is pretty obvious, but our program connects to servers to verify it's license. This also lets us track which licenses happen to be pirated the most.
  
• Client Statistics - this group helps us make the product better. With anonymous statistics enabled it will send us some information about the operating system (version, language
  
• Detected Malware - with anonymous statistics enabled the mbam client will tell us what it found on different machines, allowing us to track our detections and the spread of new malware.
  

Each of these categories is kept separate for privacy reasons- license data isn't correlated with malware data or client data, so we can't tell what specific people are infected by what, or who has what operating system..

When you connect to an http server- whether by mbam connecting for updates or firefox browsing this site- you send along a user agent that contains program and version information about the client. This allows the server to server custom responses to clients that may need it (very helpful for backwards compatibility). The MBAM user agent also gets stored by some of these statistics.

mbam - consumer_free (scanner) - base:1.51.2.1300 - rules:7919

As you can see this contains some information that is useful for us but otherwise pretty boring- this user agent describes someone using our free consumer product, and what versions they have.

Keeping a running count of the active clients doesn't require any of these statistics, as it can be done through the logs on our update servers. Regardless of whether anonymous statistics is enabled or not, connecting to our servers is also going to leave a log- and that log contains an ip address and user agent. We have to keep these logs for a short time- they're useful for dealing with ddos filtering, among other things- but we like to get rid of them as quickly as possible, since a person's ip address can be somewhat identifying and we take privacy seriously. In order to speed this up we decided to not use those logs for processing the client count at all, but to instead have the client ping the stats server with an empty message when an update occurs (but only once per day). If anonymous statistics is enabled then that empty ping contains the client statistics data, such as the operating system. Since none of our statistics servers store the ip address itself, this lets us strip out identifying information quicker than we could if we relied on the http logs themselves.

In the future there are other pieces of data we would like to collect- download speeds and errors. This would allow us to better select CDN partners and identify problems with the client easily. Of course these would both require anonymous statistics to be enabled.

If you (or anyone else) has any questions about this I'll be happy to answer them.