Simon_T
  1. lxde.org, forum.lxde.org, blog.lxde.org and wiki.lxde.org are blocked with a fraud warning. Reports attached. lxde.org.txt forum.lxde.org.txt blog.lxde.org.txt wiki.lxde.org.txt
  2. seclists.org (45.33.49.119) is blocked with a Trojan warning. seclists.txt
  3. The site rammichael.com (104.31.93.187) is blocked with a Trojan warning. Is this a false positive? Detection report attached. mbam_rammichael.txt
  4. Is there any update on when this will be fixed? The same detection still occurs. New log attached. bouncer.txt
  5. The demo of Excubits Bouncer is detected as Generic.Malware/Suspicious. hxxps://excubits.com/content/files/bouncer_demo.exe Scan log and zipped executable attached. bouncer_demo.txt bouncer_demo.zip
  6. blogs.adobe.com (67.222.101.124) is blocked. [Log attached] mban_adobe.txt
  7. Replying to attach the log which I missed from my first post. Also, these command-line chess programs don't seem to fit the PUP criteria listed in https://www.malwarebytes.com/pup/ fire_mbam.txt
  8. The 32-bit (Fire_4_w32.exe) and 64-bit (Fire_4_x64.exe) versions of the Fire 4 chess program are detected as PUP.Optional.Amonetize. The attached .rar is the original archive which is available via the chesslogik website. Fire_4.rar
  9. Malwarebytes Anti-Malware returns a loopback address for a blocked site, for example,

     > nslookup icons.newsblur.com
     Server: 192.168.0.1
     Address: 192.168.0.1#53
     Non-authoritative answer:
     icons.newsblur.com canonical name = icons.newsblur.com.s3.amazonaws.com.
     icons.newsblur.com.s3.amazonaws.com canonical name = s3-1-w.amazonaws.com.
     Name: s3-1-w.amazonaws.com
     Address: 127.42.0.10

     A loopback address is still returned even after a web exclusion has been added for the domain. I propose that the correct IP address should be returned after a web exclusion has been added. Returning the bogus IP address for a whitelisted domain causes problems in other software such as the ABE (Application Boundaries Enforcer) feature of the Firefox NoScript extension, as can be seen in this log excerpt:

     [ABE] <LOCAL> Deny on {GET http://icons.newsblur.com/11111.png <<< http://newsblur.com/ - 3}
     SYSTEM rule:
     Site LOCAL
     Accept from LOCAL
     Deny

     Returning the correct IP address of whitelisted domains would be logical and obviate the need for workarounds in unrelated software such as NoScript.
  10. Examining the DNS traffic with Wireshark shows the correct IP addresses being returned from the server which suggests that the results are being intercepted.
  11. The result from the DNS server is intercepted and modified so could be logged.
  12. Yes I'm sorry I was sloppy in my description. I meant that DNS lookups were intercepted and a loopback IP address was returned rather than the lookups actually being blocked. It was these resolutions to loopback addresses that I was requesting to be logged. After reading your responses I can see this might not be desirable. Thanks for your explanations.
  13. No I don't get a notification for the nslookup. Neither is anything logged but my suggestion is that the returning of an incorrect IP address (127.42.0.0 in this case) should be logged to help the user if this causes a problem.
  14. That doesn't seem to be happening here. For example, if I check a blocked domain from the command prompt nothing appears in the "Daily Protection Log" in the History area of MBAM.

     C:\>nslookup voxility.com
     Server: UnKnown
     Address: 192.168.0.1
     Non-authoritative answer:
     Name: voxility.com
     Address: 127.42.0.0

     However a block is logged if I attempt to view the page in Firefox:

     <record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.508852+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="13d5c441-59fb-4d81-8bd5-ef0bb6c6f6ba" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>
     <record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.543874+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="3a82995b-c24c-4de2-955f-4d8ee471b2fa" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>
     <record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.704479+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="2935a267-2ec3-4c4a-b7b5-def57904d9b2" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63778"></record>
     <record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.756515+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="3ade6e68-17c2-4ee4-a180-f0c990970776" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63780"></record>
  15. I gave the SOCKS proxy as example of where blocking occurs with no logs. I'm not asking for protection in that specific scenario. I'm sorry for not being clear. My suggestion is that there should be an option to log blocked DNS lookups to help the user find the problem in any situation where this protection feature of Malwarebytes stops a program working normally.
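The posts above describe Malwarebytes' Malicious Website Protection answering DNS lookups for blocked domains with a loopback address (127.42.0.x) and doing the same even for a domain on the web exclusion list, with nothing logged. The following is an added example, not code from the thread or from Malwarebytes: it parses nslookup transcripts in the shape quoted above, flags answers that land in loopback space, and reports the excluded-but-still-sinkholed case so a user can spot it without Wireshark. The transcripts and the 203.0.113.10 address are constructed sample data.

```python
import ipaddress
import re

# Constructed nslookup transcripts modelled on the ones quoted in the posts
# above (203.0.113.10 is a documentation address, not a real resolution).
NSLOOKUP_BLOCKED = """Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    voxility.com
Address: 127.42.0.0
"""
NSLOOKUP_EXCLUDED = """Server:  192.168.0.1
Address:  192.168.0.1#53

Non-authoritative answer:
icons.newsblur.com canonical name = icons.newsblur.com.s3.amazonaws.com.
icons.newsblur.com.s3.amazonaws.com canonical name = s3-1-w.amazonaws.com.
Name:    s3-1-w.amazonaws.com
Address: 127.42.0.10
"""
NSLOOKUP_CLEAN = """Server:  192.168.0.1
Address:  192.168.0.1#53

Non-authoritative answer:
Name:    example.net
Address: 203.0.113.10
"""

_ADDR_RE = re.compile(r"^\s*Address(?:es)?:\s*([0-9a-fA-F.:]+)\s*$", re.MULTILINE)


def answer_addresses(transcript):
    """Return the answer-section addresses, skipping the resolver's own
    Server/Address header that precedes the first 'Name:' line."""
    head, sep, tail = transcript.partition("Name:")
    if not sep:
        return []
    return [m.group(1) for m in _ADDR_RE.finditer(tail)]


def is_sinkholed(addr):
    """True when the 'answer' is a loopback address such as 127.42.0.0,
    which no public host would legitimately resolve to."""
    return ipaddress.ip_address(addr).is_loopback


def audit_lookup(domain, transcript, exclusions=()):
    """Classify one lookup: 'blocked' (sinkholed, not excluded),
    'excluded-but-sinkholed' (the inconsistency the posts describe), or 'clean'."""
    addrs = answer_addresses(transcript)
    if not addrs or not any(is_sinkholed(a) for a in addrs):
        return "clean"
    return "excluded-but-sinkholed" if domain in exclusions else "blocked"
```

Run `audit_lookup` over the saved output of each lookup you care about; any result other than `clean` is the loopback interception the thread asks to have logged.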