Hi,
we are testing Malwarebytes 4.6.3 and on a Windows 2016 server with IIS we see a couple of inbound detections per hour on port 80 (malware, compromised and trojan).
Port 80 and 443 are forwarded to this server, and in the IIS logs we see attempts to find specific folders or php files, which is normal when running a web server.
The message RTP detection of a trojan horse sounds like an attempt to get something installed (detection of a trojan), but it seems to me that Malwarebytes is using an IP blacklist to block incoming and outgoing traffic. When I tried to browse to the same IP, I get the website blocked message and a notification of outbound port 80 instead of inbound. Also an inbound RTP of a compromised website look more like an IP filter.
To be sure we did a full scan with both defender and malware, adwcleaner and nothing was found. The server runs all latest patches and there are no IIS extension installed.
Is it correct those messages are triggered from a IP blacklist?
Rene
