Rob1158

Everything posted by Rob1158

  1. We had users reporting legitimate website blocks today as well. The logs show blocking of 'aadcdn.msauth.net'.
  2. Any updates that can be shared here on this topic? We have noticed a number of our systems worldwide exhibiting this behavior as well. All are running Anti-Exploit 1.12.2.81.
  3. The database dates on systems reporting this threat so far: 2018.03.12.02, 2018.03.13.03, 2018.13.13.04, 2018.03.13.05. Another odd thing is that I am only seeing this threat reported on computers outside the US.
  4. This morning we had a number of computers all reporting the same threat found within about 2 hours. The threat: PUP.Optional.UpdateStarDrivers, Quarantined, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{8220EEFE-38CD-377E-8595-13398D740ACE}. Doing a search on the MWB forums, there is an article related to UpdateStar Drivers, but the technical information in this post is not consistent with the alerts we are receiving. When I use Google to search for the GUID in our alerts, it comes back as being for: Microsoft Visual C++ 2008 SP1 Redistributable Package (x64). Is anyone else seeing this behavior or alerts on their systems, and might this be a bad def file causing a false positive?
  5. I prefer more information than not enough, so I thank you for the wall of text. This will help us to move forward, and hopefully we will see the additional descriptive information for the web blocking in the near future. Thank you!
  6. Hi Steven, Thank you for the quick reply. Not sure if you had a chance to look at my original question or not. I had originally guessed that this was going to be the case for this specific IP. It was kind of the low-hanging-fruit example. So we have established that Conduit is a PUP, so why then is this IP not listed in the hpHosts database file as PUP? There is no listing for it at all. It is fantastic that you are blocking access to nefarious or suspicious sites, but you really should provide your customers with the "why" you are blocking something. This way your customers can make a more informed decision if someone within the organization calls up and says that we are blocking access to a legitimate business site. Of course there would need to be more investigation performed, but as an admin I would be far less agreeable to adding an exception for a site that is listed as a malware distributor versus an ad tracking site. Not having access to that contextual threat data makes decision making extremely difficult. I hope you understand what I am getting at here. The next question would be what is your recommendation for finding out why Malwarebytes is blocking other IPs I receive website blocking alerts for. I have hundreds of examples, as we have over 2000 managed endpoints globally, and I am looking for a better way to get some context to help make those informed decisions I previously spoke about, or deciding what type of cleanup efforts need to take place. Do I need to come here to the forum each time and submit each IP for help? I thought this was what the hpHosts database was for? Thank you for your assistance with this!
  7. Thank you for the reply. Would you please message the research team and ask if they could respond here? I started this thread here at the request of business support since they could not provide me with the information I was looking for. I would prefer not to post again somewhere else if I do not need to. The link you provided for the website blocking is for home support. I guess I did not think to look under that area since I am using the business version.
  8. Hi, I am trying to understand how the web blocking works and could use some help. How does a customer get more context (i.e. threat data) for the website blocking alerts? The notification that pops up on the endpoint and in the management console simply says malicious website blocked. The alerts do not list what URL specifically the computer was trying to reach, just the IP. This seems like a possible problem because a single IP address can host hundreds of sites. I do understand that it is not common for most larger legitimate businesses to do this, but it does still happen. How does a customer determine exactly why something was blocked? Something like a category for the block such as Adware, C2C, Phishing, Malware, etc.? So I thought OK, this is what the hpHosts site is for, and from looking over the site it would appear it would give you this information. I did a quick test for an IP that appeared on one of our website blocking alerts received yesterday. I searched hpHosts for IP 199.101.113.79 (which is registered to Conduit USA, so it is most likely a toolbar or BHO). The results show the IP was not found in the hpHosts database and there are 0 records for history. Well, doesn't that mean that the IP or URL is not a threat and should not be blocked? How do I determine why an IP was blocked by Malwarebytes? And if it is being blocked by Malwarebytes, shouldn't it also be listed on the hpHosts site for customers to see? Thank you!
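Regarding the Uninstall-key GUID in post 4 above: rather than searching the web for the GUID, an administrator can read the key directly on an endpoint and compare its DisplayName, Publisher and UninstallString against what the detection name (UpdateStar) claims. The script below is an added example, not code from the forum thread or from Malwarebytes; it assumes a 64-bit Windows host and only reads the registry. The GUID is the one quoted in the post; the helper name Get-UninstallEntry is my own.

```powershell
# Added example (not from the thread): identify the product behind an Uninstall-key GUID
# so a PUP detection on that key can be triaged as a likely true or false positive.
function Get-UninstallEntry {
    param([Parameter(Mandatory)][string]$ProductGuid)

    # Native (64-bit) and WOW6432Node (32-bit) uninstall hives on a 64-bit Windows host
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $uninstallRoots) {
        $key = Join-Path $root $ProductGuid
        if (-not (Test-Path $key)) { continue }

        $entry = Get-ItemProperty -Path $key

        # If the uninstall string points at an executable, check its Authenticode signature:
        # a validly signed Microsoft binary is inconsistent with an UpdateStar PUP.
        $signer = 'n/a'
        if ($entry.UninstallString -match '^"?([A-Za-z]:\\[^"]+\.exe)') {
            $exe = $Matches[1]
            if (Test-Path $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            }
        }

        [pscustomobject]@{
            Key             = $key
            DisplayName     = $entry.DisplayName
            Publisher       = $entry.Publisher
            DisplayVersion  = $entry.DisplayVersion
            InstallDate     = $entry.InstallDate
            UninstallString = $entry.UninstallString
            Signer          = $signer
        }
    }
}

# GUID quoted in the detection from the thread
Get-UninstallEntry -ProductGuid '{8220EEFE-38CD-377E-8595-13398D740ACE}' | Format-List
```

If the key no longer exists on the reporting endpoint, the product's quarantine has already removed it; the same fields can be read from another machine with the same software installed, or from the quarantine entry before deciding whether to restore it. A DisplayName and Publisher naming a Microsoft redistributable, together with an msiexec-based UninstallString, would support the false-positive reading in the post, while a third-party publisher or an unsigned updater executable would not.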