Jump to content


Honorary Members
  • Posts

  • Joined

  • Last visited

Everything posted by tedivm

  1. What is the firewall? What happens if you turn MBAM on and attempt to update it?
  2. Highwinds is one of our content deliver partners, and I am very confident in their security. I've personally sat down with a few of their employees, from VPs to Engineers- we have strong relationships with all of our CDNs. Their servers are setup only for HTTP and HTTPS traffic, which is what our application uses to retrieve information and updates from our servers. Our applications are client driven when it comes to their server/client communications. In other words, our application makes requests of the servers, but the servers never directly reach out to the application. From what I have read so far this strongly looks like a false positive from the firewall. We can look into this further, but to do that we need more information. What ports are being scanned, and at what rate? What firewall are you using?
  3. We're working to resolve the issue with Softlayer, but at the time I do not believe that this is a false positive. Please keep in mind we have a great relationship with Softlayer- if you check the IP address of this forum itself you'll notice it's hosted on their network. They are typically very quick with responding to these types of things, so it'll be resolved soon.
  4. It looks like the IP address will be removed in the next update (which should be in the next hour or so).
  5. I'm looking into this right now, we should have a response for you in a bit.
  6. Yesterday we had a failure with these forums (as I'm sure many of you noticed) that caused us to go offline for an extended bit of time. While we were able to correct the problem, there unfortunately was a bit of data corruption with our primary backup system and we had to dig a little deeper to properly restore things. What this essentially means is that we've lost a little over a week's worth of posts. I'd like to personally apologize for any inconvenience this has caused, and want to assure you that we're taking action to prevent this from happening again. Thanks for your understanding.
  7. We do compatibility testing all the time- our QA team constantly goes through and checks to see how we work with other vendors. Besides simple testing we also have a number of design features that make us less likely to conflict with existing software. The way we detect threats is very different than AVs, which means conflicts should happen very very rarely. Even without that a simultaneous detection should not be an issue- if it did occur the user would simple have to tell one engine to ignore it so the other can remove it. This isn't to say that problems don't ever occur, but when they do we get them cleared up very quickly.
  8. AP2012, I just wanted to let you know I'm looking into this now and will get an answer for you soon.
  9. I'm not sure what happened here- I'll speak with our support team right away to try and get this resolved. Sorry for the trouble.
  10. Hey guys, I just wanted to step in here for a second and kind of summarize things so far, as well as give you guys an idea of what's going on behind the scenes. This is a very, very tough situation. On the one hand we have a a group of websites, hosted through CloudFlare, that are actively pushing drive by exploits. What this means is that people who go to those sites are getting exploited and potentially have no idea of knowing this. On the other hand we have a lot of innocent websites which are doing nothing wrong, but are caught in the cross fire. This is a situation we have some experience with. We at Malwarebytes use Edgecast for content delivery- a service somewhat similar to CloudFlare, in that they distribute our main page to various nodes all over the world for easier delivery. We also use a multitude of other CDNs for delving updates- and sometimes they get blocked and we're caught in the crossfire as well. Its a sucky situation. Of course, we're also on the other side of this- we do the blocking when we need to. What most people don't see is the huge amount of effort we do to keep people from being blocked. The vast majority of people pushing malware out do so without knowing or intending to- something as simple as an outdated wordpress install can be the vector which an innocent site gets used to push malware. We also know that a lot of people use CDN's or shared hosts, so blocking one site could mean blocking far more. We work with a lot of CDN's and webhosts to keep them off blacklists- and we always email the abuse teams before adding them. Nine times our of ten the malware gets removed within hours or our email, and no blacklisting is required. Unfortunately there are cases were simply removing the malware isn't enough- not all websites are innocent. Some people are actually pushing the malware on purpose, so when the third party host (such as the CDN or shared web host) remove the offending URL, the people running the site simply change the URL being used. In this case we try to work with the providers to fix the issue, but if it is unable to happen we blacklist the URL. Now, I want to be very clear about something- we do not blacklist information. We are not censors- knowing how to make malware is not in itself a bad thing. If it wasn't for people learning these skills, we wouldn't have researchers protecting our users. We will not block someone just for posting information. We won't even block people for hosting malware if they're doing it safely. The thing we block is people hosting active exploits or active malware that will infect users without their knowledge. Unfortunately this CloudFlare situation has escalated further than I think anyone intended. We have a lot of respect for CloudFlare- I met Matt at DefCon last year, where he gave a fantastic talk about dealing with the Slowloris attack, as well as the challenges of hosting an activist group like Lulsec. I feel a lot of what's going on right now is more miscommunication than anything, but from my understanding Marcin and Matt are now in direct contact and this should be resolved soon. I know this is not an ideal situation, but I assure you everyone involved is doing what they feel is right to protect their users and there is no malicious intent here. We're working as quickly as we can to get this current issue resolved, and I'm hoping this will be a learning experience for future issues. We'll have an update as with more information soon.
  11. I am *really* sorry that it appears we are not paying attention to this- I assure you we are. Unfortunately the timing kind of sucked- on Friday we had a bit of downtime (as I'm sure some of you noticed) as we had to deal with the largest DDoS we've faced to date. Since then Ted and I have been working on making sure our infrastructure is stable (which, with the exception of some forum downtime on friday, I'm happy to say we've been fairly successful doing). During the next week I will be compiling a list of all of your complaints, recommendations and comments about the new forum theme and any functionality changes. Once that list is in place we'll work with our theme designers to get those changes implemented as quickly as possible. Again, I'm sorry for the trouble here. To be perfectly honest, we are all getting tired of all the trouble that comes with each IPB update, and we'll be working to find some solutions to make this less rocky in the future. Thanks for your patience and bug reports! Robert
  12. We couldn't for backwards compatibility reasons.
  13. You could use two different browsers, with one logged into each account. If you're using Chrome (or another browser with a privacy mode) you could log into one account regularly and go into "incognito mode" to log into the other.
  14. For the last day we've been dealing with some issues in the South East regions of the US where deliverability- of both our website and updates- was slow or in some cases nonexistent. We have routed around the issue and should be good now, but if anyone is still seeing issues they should contact us. Sorry for the inconvenience on this.
  15. Are you getting the exact same error code as JonathanPDX was? The 407 indicates that you may be running through a proxy server, and that it is what is denying access to the updates.
  16. Anything on port 80 is going to be related to updates. There are a lot of different support files that exist, so when people check for updates there may be a couple of connections. Stuff that goes over the 443 port to the Amazon servers is related to either license enforcement or statistics collection. There are basically three groups of statistics we collection. Each of these categories collects information about the mbam client itself (which I'll describe once below), as well as their own particularly data- License Enforcement - this is pretty obvious, but our program connects to servers to verify it's license. This also lets us track which licenses happen to be pirated the most. Client Statistics - this group helps us make the product better. With anonymous statistics enabled it will send us some information about the operating system (version, language Detected Malware - with anonymous statistics enabled the mbam client will tell us what it found on different machines, allowing us to track our detections and the spread of new malware. Each of these categories is kept separate for privacy reasons- license data isn't correlated with malware data or client data, so we can't tell what specific people are infected by what, or who has what operating system.. When you connect to an http server- whether by mbam connecting for updates or firefox browsing this site- you send along a user agent that contains program and version information about the client. This allows the server to server custom responses to clients that may need it (very helpful for backwards compatibility). The MBAM user agent also gets stored by some of these statistics. mbam - consumer_free (scanner) - base: - rules:7919 As you can see this contains some information that is useful for us but otherwise pretty boring- this user agent describes someone using our free consumer product, and what versions they have. Keeping a running count of the active clients doesn't require any of these statistics, as it can be done through the logs on our update servers. Regardless of whether anonymous statistics is enabled or not, connecting to our servers is also going to leave a log- and that log contains an ip address and user agent. We have to keep these logs for a short time- they're useful for dealing with ddos filtering, among other things- but we like to get rid of them as quickly as possible, since a person's ip address can be somewhat identifying and we take privacy seriously. In order to speed this up we decided to not use those logs for processing the client count at all, but to instead have the client ping the stats server with an empty message when an update occurs (but only once per day). If anonymous statistics is enabled then that empty ping contains the client statistics data, such as the operating system. Since none of our statistics servers store the ip address itself, this lets us strip out identifying information quicker than we could if we relied on the http logs themselves. In the future there are other pieces of data we would like to collect- download speeds and errors. This would allow us to better select CDN partners and identify problems with the client easily. Of course these would both require anonymous statistics to be enabled. If you (or anyone else) has any questions about this I'll be happy to answer them.
  17. How come I don't see Marcin Kleczynski in there?
  18. Is the problem that you can't log into the reseller panel? We have a link to the Reseller Login on every page of our main site now, between "Home" and "Languages". If the problem is something else please let me know.
  19. Why? Releasing new products isn't something that can be done overnight- it involves research, development, quality control and just a lot of work in general. Trust me when I say you'd probably be a lot angrier if we released a rushed and broken project.
  20. This is something that has been brought up before and which is being looked at internally. It is a lot more complicated than it seems, for a number of reasons.
  21. Your firewall should allow all connections to *.mbamupdates.com, as there are more subdomains than just "data-cdn.mbamupdates.com" that get used in the update process.
  22. At no point will MBAM be bundled with a toolbar and search engine changer- especially not one that you have to opt out of. CNET is currently pushing out our legitimate installer, and as long as they are one of our official mirrors that will not change.
  23. Honestly, security (and computers in general) is such a big field that you're not going to get everything right away. The best thing to do is lay down a solid foundation in computers themselves (by building, maintaining and fixing computers to get the hardware and os side down, and doing some development to understand how that works). I'm sure people here can recommend some great books, websites and other resources to get you started. Once you have a solid foundation, pick something that interests you and research it. If you want to learn about DOS then look into networking and scaling server side applications. If you want to learn about malware then look into operating systems and reverse engineering. To understand how to break security you need to first understand how to build it.
  24. Feel free to post the full IP address. Edgecast is one of our CDN providers. Just because the IP address was registered in RIPE doesn't mean it is located in Europe- as a global company Edgecast subnets their blocks into quite a few different chunks. If you have any issues with slow downloads please send along a traceroute (you can open a ticket with support if you don't want it posted on the forums). Of the three IP addresses you listed only one of them belongs to us- One of them belongs to L3 (which means it could be issued out for residential or commercial usage elsewhere), while the other looks to be on a residential machine. This is pretty suspicious and it would not surprise me if you were infected with something- you are most likely right about the trojan trying to phone home. I'm going to defer to one of the client side guys on this one as well.
  25. Are you getting any notifications about blocked IP addresses from our protection module? It is very possible that you're attempting to ping systems which we have blocked for hosting malicious software. I'm not sure what you mean by "high addresses", so I'll just explain what network connections you should be seeing. There are basically two groups- 1. Updates occur over port 80 and can be to literally hundreds (if not thousands) of different IP addresses. This is because we push our traffic through Content Distribution Networks- this allows us to distribute the updates globally, and with connections to many different ISPs, so that our users (such as yourself) can get the quickest possible updates. These CDN's are constantly reworking the routes- if machines are down, overloaded or somehow degraded then they'll route to other machines which aren't. We also monitor performance ourselves to let us switch which cdn is active in different regions based on our own experiences. These updates are very innocuous- the client is simply checking the various files it needs to see if updates are available, and then pulling them down to apply them. 2. Dynamic communications and statistics happen over port 443 (the ssl port). If you have the option for sending anonymous statistics enabled in your preferences then MBAM will send us a list of anything detected during a scan, as well as some very generic information about your system- operating system version, architecture (32 or 64 bit), language that mbam runs- all of this can be turned off by disabling anonymous statistics. MBAM also sends it's version information to us on a regular basis. This information is vital to making a great product. The version information lets us know when we can retire support for older versions without hurting you guys, while the operating system data lets us know how to deploy resources affectively. The language information, as I'm sure you can guess, is very helpful when we're figuring out new languages to add (we added Vietnamese in the most recent version!). There are also two special cases of network connections- if you're running a trial or have a registered product then MBAM will occasionally talk to this server to pull down relative information it may need. If you have an active trial then the client checks in with the server to see how long the trial is enabled for, and if the product is registered it checks in with the license. I'm not sure why this would be the case, or if these are even our connections. I handle all of the server side stuff, not the client side, so I'll grab someone who can give you a more detailed answer than I could. We've been utilizing the CDN's for years now, so you'd see different ip addresses during each update. The free version updates in the same way as the paid, and handles statistics in the same way as well, so I don't see why you would notice any differences. We do have limits in how often we connect to the servers, so it is possible that you just didn't see them before. Still, it sounds like something unusual may be happening here, so if you have any more information on this I'd be happy to help narrow down the possible causes.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.