MBAM Premium Suggestion: Log blocked DNS lookups


  • Root Admin

Well by using a SOCKS proxy (depending on what is used and how) it can potentially bypass our filter driver. We'd probably need to get more information and usage on this in order to say for sure if we can support what you're asking for or not. Not saying we'd add the feature only that more information is needed to confirm the issue at hand.


I gave the SOCKS proxy as example of where blocking occurs with no logs. I'm not asking for protection in that specific scenario. I'm sorry for not being clear.

 

My suggestion is that there should be an option to log blocked DNS lookups to help the user find the problem in any situation where this protection feature of Malwarebytes stops a program working normally.


That doesn't seem to be happening here.

 

For example, if I check a blocked domain from the command prompt nothing appears in the "Daily Protection Log" in the History area of MBAM.

C:\>nslookup voxility.com
Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    voxility.com
Address:  127.42.0.0

However a block is logged if I attempt to view the page in Firefox:

<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.508852+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="13d5c441-59fb-4d81-8bd5-ef0bb6c6f6ba" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>
<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.543874+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="3a82995b-c24c-4de2-955f-4d8ee471b2fa" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>
<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.704479+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="2935a267-2ec3-4c4a-b7b5-def57904d9b2" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63778"></record>
<record severity="debug" process="C:\Program Files (x86)\Mozilla Firefox\firefox.exe" LoggingEventType="0" datetime="2014-03-26T01:16:39.756515+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="SIMON-PC" last_modified_tag="3ade6e68-17c2-4ee4-a180-f0c990970776" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63780"></record>

And you get a blocked notification when you performed the nslookup?

 

Because I sure didn't.  I only received one when I attempted to visit voxility.

 

No popup == no log entry.

No I don't get a notification for the nslookup. Neither is anything logged but my suggestion is that the returning of an incorrect IP address (127.42.0.0 in this case) should be logged to help the user if this causes a problem.


  • Root Admin

Not sure if I fully agree with that or not.  I can see both sides of the coin so to speak.  Certainly don't want web browser activity to allow it but possibly diagnostic tools should be allowed but that is a slippery slope to be sure.

 

On another note I noticed this in your reply and though it's valid to not publish the name of the DNS server it's not common for many.

 

Server:  UnKnown


DNS lookups which are blocked by MBAM Premium should be logged.

 

At the moment trying to access a blocked website in Firefox through a SOCKS proxy doesn't produce any logs or notifications even though a fake IP address is returned by the DNS lookup.

 

 

No I don't get a notification for the nslookup. Neither is anything logged but my suggestion is that the returning of an incorrect IP address (127.42.0.0 in this case) should be logged to help the user if this causes a problem.

 

Therein lies the confusion.  According to your first post it sounds like you're requesting all blocks be logged.  Which they are.

 

The actual error seems to reside in the fact that the Malicious Website protection module does not block all programs attempting to gather information about a blocked IP address, as we cannot get the MWP to log an attempt to access the malicious IP because nslookup is not actually attempting to access said site, but is merely returning a query result from the DNS server, which will not cause a reaction unless the IP address of the DNS server being queried is in the block list.


Therein lies the confusion.  According to your first post it sounds like you're requesting all blocks be logged.  Which they are.

 

Yes I'm sorry I was sloppy in my description. I meant that DNS lookups were intercepted and a loopback IP address was returned rather than the lookups actually being blocked.

 

It was these resolutions to loopback addresses that I was requesting to be logged. After reading your responses I can see this might not be desirable.

 

Thanks for your explanations.


The actual error seems to reside in the fact that the Malicious Website protection module does not block all programs attempting to gather information about a blocked IP address, as we cannot get the MWP to log an attempt to access the malicious IP because nslookup is not actually attempting to access said site, but is merely returning a query result from the DNS server, which will not cause a reaction unless the IP address of the DNS server being queried is in the block list.

 

The result from the DNS server is intercepted and modified so could be logged.
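The gap the thread settles on is that the protection rewrites a blocked domain's DNS answer to a loopback address (127.42.0.0 above) without logging, while only the later outbound connection produces a "Malicious Website Protection" record. The script below is an added example, not Malwarebytes' code: it detects such sinkholed answers in nslookup output and cross-checks them against MWP log records in the format shown earlier. The nslookup text and the single log record it embeds are constructed samples in that same shape.

```python
"""Flag DNS answers rewritten to loopback (the MWP sinkhole seen in this
thread) and report whether MWP's <record> log shows a block for that name.
Constructed diagnostic helper; not part of Malwarebytes."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: nslookup output in the shape posted in the thread.
NSLOOKUP_OUTPUT = """Server:  UnKnown
Address:  192.168.0.1

Non-authoritative answer:
Name:    voxility.com
Address:  127.42.0.0
"""

# Constructed sample: one MWP log record using the thread's attribute names.
MWP_LOG = """<record severity="debug" process="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" datetime="2014-03-26T01:16:39.508852+00:00" type="Detection" subtype="Malicious Website Protection" direction="Outbound" domain="voxility.com" ip="109.163.224.34" malwaretype="IP" port="63776"></record>"""


def is_sinkholed(ip: str) -> bool:
    """A public name answering with a loopback address is the MWP rewrite."""
    return ipaddress.ip_address(ip).is_loopback


def parse_nslookup(text: str) -> dict:
    """Map each answered name to its address, ignoring the server banner."""
    body = text.split("answer:", 1)[-1]  # drop the Server:/Address: header
    return dict(re.findall(r"Name:\s+(\S+)\s+Address:\s+(\S+)", body))


def parse_mwp_records(xml_text: str) -> list:
    """MWP writes bare <record> elements; wrap them to get a single root."""
    root = ET.fromstring(f"<log>{xml_text}</log>")
    return [dict(r.attrib) for r in root.iter("record")]


def audit(nslookup_text: str, mwp_log: str) -> list:
    """Report sinkholed names and whether MWP logged a block for them."""
    logged = {r["domain"] for r in parse_mwp_records(mwp_log)}
    findings = []
    for name, addr in parse_nslookup(nslookup_text).items():
        if is_sinkholed(addr):
            status = "logged" if name in logged else "NOT logged"
            findings.append(f"{name} -> {addr}: sinkholed by MWP, {status}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(NSLOOKUP_OUTPUT, MWP_LOG)))
```

Run against an empty log (the nslookup-only case from the thread) the same domain is reported as "NOT logged", which is exactly the condition the original suggestion asked to surface.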
