Hi, I am trying to understand how the web blocking works and could use some help. How does a customer get more context (i.e. threat data) for the website blocking alerts?
The notification that pops up on the endpoint and in the management console simply says "malicious website blocked". The alerts do not list what URL specifically the computer was trying to reach, just the IP. This seems like a possible problem because a single IP address can host hundreds of sites. I do understand that it is not common for most larger legitimate businesses to do this, but it does still happen.
How does a customer determine exactly why something was blocked? Something like a category for the block, such as Adware, C2C, Phishing, Malware, etc.?
So I thought, OK, this is what the hpHosts site is for, and from looking over the site it would appear that it would give you this information. I did a quick test for an IP that appeared on one of our website blocking alerts received yesterday. I searched hpHosts for IP 199.101.113.79 (which is registered to Conduit USA, so it is most likely a toolbar or BHO). The results show the IP was not found in the hpHosts database and there are 0 records for history. Well, doesn't that mean that the IP or URL is not a threat and should not be blocked?
How do I determine why an IP was blocked by Malwarebytes? And if it is being blocked by Malwarebytes, shouldn't it also be listed on the hpHosts site for customers to see?
Thank you!