peb2

Members
Posts: 9
Reputation: 0 Neutral
  1. Hello Ron, After updating the app and grabbing the latest updates I'm still getting the notifications from a single IP. Here's my current version of the app and the website blocked notification: I've attached my latest service log as well. Thank you, -peb2 MBAMSERVICE.LOG
  2. Actually it looks like I spoke too soon. Looking at the log I was getting hits on port 1900 all day Friday (9/21). I'm attaching my new log files: MBAMSERVICE.LOG MBAM_Scan_export_summary.txt
  3. Thanks for your help so far, Ron. Now I'm a little confused. What exactly would you like me to re-upload? Just the MWB scan results? Or the MWB scan results, the MWB logs, and the FRST scan results? -peb2
  4. Also, I've attached my FRST logs: FRST.txt Addition.txt
  5. Ron, There was a malware outbreak initially, but it was cleaned by our information security office. Here's their response: -------------------------- We did deal with a malware outbreak on these machines along with a few others belonging to the affected department. The machines were rebuilt late Tuesday afternoon and returned to service on Wednesday (9/12). We believe the outbreak started on 8/31. The packets that MalwareBytes is detecting are Universal Plug and Play (UPnP) multicast to UDP 1900. However, our logs show that these machines have been sending the multicast packets long before the malware outbreak. Which leads us to speculate that the UPnP traffic is coincidental and not caused by the malware. The malware was communicating with a specific command and control IP that we used to track the outbreak. We took XXX.X.XX.XX offline this afternoon after your last email and we're forensically examining it. So far we haven't been able to locate any of the malware that was present prior to the rebuild and our logs are not showing the command and control communication or any other signs of the malicious behavior that we observed prior to the rebuild. -------------------------- So I noticed MWB blocking the initial infection, but the problem I'm having is that post-rebuild (after 9/12) these same machines are transmitting standard UPnP traffic (over port 1900) which MWB is now reporting as malicious.
  6. Export Summary:
     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 9/20/18
     Scan Time: 2:07 AM
     Log File: 6411546c-bc9b-11e8-a533-f832e4728544.json

     -Software Information-
     Version: 3.5.1.2522
     Components Version: 1.0.441
     Update Package Version: 1.0.6923
     License: Premium

     -System Information-
     OS: Windows 10 (Build 17134.285)
     CPU: x64
     File System: NTFS
     User: System

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Scheduler
     Result: Completed
     Objects Scanned: 397047
     Threats Detected: 0
     (No malicious items detected)
     Threats Quarantined: 0
     (No malicious items detected)
     Time Elapsed: 8 min, 52 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)
     Module: 0
     (No malicious items detected)
     Registry Key: 0
     (No malicious items detected)
     Registry Value: 0
     (No malicious items detected)
     Registry Data: 0
     (No malicious items detected)
     Data Stream: 0
     (No malicious items detected)
     Folder: 0
     (No malicious items detected)
     File: 0
     (No malicious items detected)
     Physical Sector: 0
     (No malicious items detected)
     WMI: 0
     (No malicious items detected)

     (end)
  7. Ron, Thank you. Attached are the export summary and service log from my machine. This is a line from the service log that shows the false positive: 09/20/18 " 14:37:49.471" 80541625 10f4 6c58 INFO MWACControllerCOM CMWACController::WebsiteBlockedNotificationCallback "MWACController.cpp" 1130 "Malicious Website Protection, ipBlockList, <IP REMOVED>, , 1900, Inbound, C:\Windows\System32\svchost.exe" I'll have to run the Farbar Recovery Scan Tool at COB and upload the results tomorrow. Thank you, -peb2 MBAMSERVICE.LOG
  8. Hello MWB Specialists, I work at a university and we had several machines get infected with malware that broadcast over port 1900. Our main campus IT quarantined and removed the malware and rebuilt the 3 machines infected, but MWB 3.0 is now giving us "Website Blocked" popups whenever these machines transmit over the UPnP port. My boss and the senior faculty are all using MWB 3, so they're seeing these popups at a rate of 5 or more an hour. I've confirmed the machines are no longer infected, so is there any way to stop MWB from showing these false positive popups? ****The forum spam protection will not let me post a line from my logs. If you'd like to see any log files, let me know and I'll attach them. Thank you in advance.
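The thread turns on two things: the service-log line quoted in post 7 (a "Website Blocked" callback naming an IP, port 1900, "Inbound" and svchost.exe) and the infosec office's point in post 5 that UDP/1900 multicast is ordinary UPnP/SSDP discovery that predates the outbreak. A defender triaging this wants to see, from the log itself, how many blocks have that exact SSDP shape versus anything else, and how often they fire per hour. The Python below is an added example for that triage; it is not Malwarebytes' code and not something peb2 or Ron posted. Its line layout is copied from the single quoted entry, the meaning of the comma-separated fields after the list name (remote IP, blank field, port, direction, process) is inferred from that one line and is an assumption, and the sample log lines and their RFC 5737 addresses are constructed.

```python
"""Summarise Malwarebytes "Website Blocked" events from an MBAMSERVICE.LOG.

Added example, not Malwarebytes' code.  The line layout follows the single
entry quoted in the thread; the meaning of the fields after the list name
(remote IP, blank field, port, direction, process) is inferred from that
one line and is an assumption.
"""
import ntpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in the shape of the quoted entry.  Addresses are
# RFC 5737 documentation ranges, not observed values.  The last line is a
# non-block entry to show the parser ignoring it.
SAMPLE_LOG = "\n".join([
    r'09/20/18 " 14:37:49.471" 80541625 10f4 6c58 INFO MWACControllerCOM CMWACController::WebsiteBlockedNotificationCallback "MWACController.cpp" 1130 "Malicious Website Protection, ipBlockList, 192.0.2.10, , 1900, Inbound, C:\Windows\System32\svchost.exe"',
    r'09/20/18 " 14:52:03.102" 80542110 10f4 6c58 INFO MWACControllerCOM CMWACController::WebsiteBlockedNotificationCallback "MWACController.cpp" 1130 "Malicious Website Protection, ipBlockList, 192.0.2.10, , 1900, Inbound, C:\Windows\System32\svchost.exe"',
    r'09/20/18 " 15:10:44.900" 80543222 10f4 6c58 INFO MWACControllerCOM CMWACController::WebsiteBlockedNotificationCallback "MWACController.cpp" 1130 "Malicious Website Protection, ipBlockList, 198.51.100.7, , 443, Outbound, C:\Users\user\AppData\Local\Temp\updater.exe"',
    r'09/20/18 " 15:11:00.001" 80543300 10f4 6c58 INFO SomeOtherComponent CSomething::Foo "Other.cpp" 12 "unrelated entry"',
])

# Date, quoted time, the callback name, then the quoted detail record.
BLOCK_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{2}) " ?(?P<time>\d{2}:\d{2}:\d{2}\.\d+)"'
    r'.*CMWACController::WebsiteBlockedNotificationCallback'
    r'.*"Malicious Website Protection, (?P<list>[^,]*), (?P<ip>[^,]*), '
    r'(?P<extra>[^,]*), (?P<port>\d+), (?P<direction>\w+), (?P<process>[^"]*)"\s*$'
)


def parse_block_line(line):
    """Return a dict for a Website Blocked entry, or None for any other line."""
    m = BLOCK_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S.%f")
    return {
        "time": ts,
        "list": m["list"],
        "ip": m["ip"],
        "port": int(m["port"]),
        "direction": m["direction"],
        # ntpath handles the Windows path even when this runs on Linux.
        "process": ntpath.basename(m["process"]).lower(),
        "process_path": m["process"],
    }


def parse_log(text):
    """All Website Blocked events in a log, in file order."""
    return [e for e in (parse_block_line(l) for l in text.splitlines()) if e]


def looks_like_ssdp(event):
    """Shape check only: inbound port 1900 handled by svchost.exe is what
    ordinary UPnP/SSDP discovery looks like on Windows.  It does not prove
    the traffic is benign; that still needs the network logs the infosec
    office referred to."""
    return (event["port"] == 1900 and event["direction"] == "Inbound"
            and event["process"] == "svchost.exe")


def summarize(events):
    """Counts per (ip, port, direction, process) tuple and per hour, plus
    how many events have the SSDP shape versus anything else."""
    by_tuple = Counter((e["ip"], e["port"], e["direction"], e["process"])
                       for e in events)
    per_hour = Counter(e["time"].strftime("%Y-%m-%d %H:00") for e in events)
    ssdp = sum(1 for e in events if looks_like_ssdp(e))
    return {
        "total": len(events),
        "ssdp_shaped": ssdp,
        "other": len(events) - ssdp,
        "by_tuple": by_tuple,
        "per_hour": per_hour,
        "peak_per_hour": max(per_hour.values(), default=0),
    }


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"{s['total']} blocks, {s['ssdp_shaped']} SSDP-shaped, "
          f"{s['other']} other, peak {s['peak_per_hour']}/hour")
    for (ip, port, direction, proc), n in s["by_tuple"].most_common():
        print(f"  {n:4d}  {direction:8s} {ip}:{port}  {proc}")
```

Run it against a real MBAMSERVICE.LOG by replacing SAMPLE_LOG with the file contents. The useful output is the tuple table: if every block collapses to the same inbound-1900-svchost tuple from a handful of campus addresses, the popups match the pattern the infosec office described; any tuple with a different port, an outbound direction, or a process under a user profile is the one to look at before dismissing the alerts as noise.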