Simon_T
Members
Posts: 16
Reputation: 0 Neutral
Recent Profile Visitors: 1,300 profile views
-
lxde.org, forum.lxde.org, blog.lxde.org and wiki.lxde.org are blocked with a fraud warning. Reports attached: lxde.org.txt, forum.lxde.org.txt, blog.lxde.org.txt, wiki.lxde.org.txt
-
seclists.org (45.33.49.119) is blocked with a Trojan warning. seclists.txt
-
The site rammichael.com (104.31.93.187) is blocked with a Trojan warning. Is this a false positive? Detection report attached. mbam_rammichael.txt
-
Excubits Bouncer demo detected as Generic.Malware/Suspicious
Simon_T replied to Simon_T's topic in File Detections
Is there any update on when this will be fixed? The same detection still occurs. New log attached. bouncer.txt
blogs.adobe.com (67.222.101.124) is blocked. [Log attached] mban_adobe.txt
-
Replying to attach the log which I missed from my first post. Also, these command-line chess programs don't seem to fit the PUP criteria listed in https://www.malwarebytes.com/pup/ fire_mbam.txt
-
The 32-bit (Fire_4_w32.exe) and 64-bit (Fire_4_x64.exe) versions of the Fire 4 chess program are detected as PUP.Optional.Amonetize. The attached .rar is the original archive which is available via the chesslogik website. Fire_4.rar
-
Malwarebytes Anti-Malware returns a loopback address for a blocked site, for example:

> nslookup icons.newsblur.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
icons.newsblur.com canonical name = icons.newsblur.com.s3.amazonaws.com.
icons.newsblur.com.s3.amazonaws.com canonical name = s3-1-w.amazonaws.com.
Name: s3-1-w.amazonaws.com
Address: 127.42.0.10

A loopback address is still returned even after a web exclusion has been added for the domain. I propose that the correct IP address should be returned after a web exclusion has been added. Returning the bogus IP address for a whitelisted domain causes problems in other software such as the ABE (Application Boundaries Enforcer) feature of the Firefox NoScript extension, as can be seen in this log excerpt:

[ABE] <LOCAL> Deny on {GET http://icons.newsblur.com/11111.png <<< http://newsblur.com/ - 3}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

Returning the correct IP address of whitelisted domains would be logical and obviate the need for workarounds in unrelated software such as NoScript.
-
MBAM Premium Suggestion: Log blocked DNS lookups
Simon_T replied to Simon_T's topic in Malwarebytes for Windows Support Forum
Examining the DNS traffic with Wireshark shows the correct IP addresses being returned from the server, which suggests that the results are being intercepted.
MBAM Premium Suggestion: Log blocked DNS lookups
Simon_T replied to Simon_T's topic in Malwarebytes for Windows Support Forum
The result from the DNS server is intercepted and modified, so it could be logged.
MBAM Premium Suggestion: Log blocked DNS lookups
Simon_T replied to Simon_T's topic in Malwarebytes for Windows Support Forum
Yes, I'm sorry, I was sloppy in my description. I meant that DNS lookups were intercepted and a loopback IP address was returned rather than the lookups actually being blocked. It was these resolutions to loopback addresses that I was requesting to be logged. After reading your responses I can see this might not be desirable. Thanks for your explanations.
MBAM Premium Suggestion: Log blocked DNS lookups
Simon_T replied to Simon_T's topic in Malwarebytes for Windows Support Forum
No, I don't get a notification for the nslookup. Nothing is logged either, but my suggestion is that the returning of an incorrect IP address (127.42.0.0 in this case) should be logged to help the user if this causes a problem.
MBAM Premium Suggestion: Log blocked DNS lookups
Simon_T replied to Simon_T's topic in Malwarebytes for Windows Support Forum
That doesn't seem to be happening here. For example, if I check a blocked domain from the command prompt nothing appears in the "Daily Protection Log" in the History area of MBAM.

C:\>nslookup voxility.com
Server: UnKnown
Address: 192.168.0.1
Non-authoritative answer:
Name: voxility.com
Address: 127.42.0.0

However, a block is logged if I attempt to view the page in Firefox:

<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.508852+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="13d5c441-59fb-4d81-8bd5-ef0bb6c6f6ba" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>
<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.543874+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="3a82995b-c24c-4de2-955f-4d8ee471b2fa" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>
<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.704479+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="2935a267-2ec3-4c4a-b7b5-def57904d9b2" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63778"></record>
<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.756515+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="3ade6e68-17c2-4ee4-a180-f0c990970776" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63780"></record>
MBAM Premium Suggestion: Log blocked DNS lookups
Simon_T replied to Simon_T's topic in Malwarebytes for Windows Support Forum
I gave the SOCKS proxy as an example of where blocking occurs with no logs. I'm not asking for protection in that specific scenario. I'm sorry for not being clear. My suggestion is that there should be an option to log blocked DNS lookups to help the user find the problem in any situation where this protection feature of Malwarebytes stops a program working normally.