
Why so many FP in "Websites blocking"



Hi,

 

Over 80% of sites/IPs reported here as "false positive" are, indeed, false positives and "will be removed on next update".

 

Why so many? From where did you get the initial database with so many FPs???

 

I browse various forums but I have NEVER seen any other Antimalware with so many FPs.

To make things worse, the "web protection" cannot be disabled, even though it adds insignificant value to overall protection.

 

 


While some can be falsely accused, in many of the cases malicious activity has been found to be taking place, so that address is blocked. The address may represent one or more hosts. All you need is one bad apple and all the hosts on that address are tainted. Eventually the site may "clean up the act" and when the malicious activity has been found to have stopped or has been reported to have been addressed, then an IP block can be lifted. There are too many companies using a myriad of policies around the world. Therefore there is no cohesion in the process of malicious reports and abuse. Some may create a ticket and others may ignore the reporter. That means an IP address can be blocked and an Abuse report is filed, but due to a lack of feedback there is no way to know if the reported site has corrected the malicious activity or not. In those cases one waits until a False Positive query is posed. The researchers check and if the malicious activity is seen to have halted or a report is received giving an "all clear", then the site block can be lifted.

 

That is why so many sites can be unblocked upon a False Positive query. It becomes the impetus of a reexamination. It takes the human touch and is labour intensive. Therefore many are not really False Positives but cases where an address is seen to be no longer malicious.

 

When dealing with a trojan and signatures, malware doesn't start out being malware but somewhere along the line it stops being malicious. IP address blocking can be done because there is malicious activity at the address and then undone because the problem has been mitigated.


Hi David,

Thank you for your answer!

While the explanation provided is on an academic level, the result is a fact of life: MBAM has way too many FPs blocking websites and IPs, most of the time not confirmed by ANY other AV on VirusTotal.

Just having a zillion sites in your database and waiting for customers to report FPs is not a feasible option. In addition, MBAM has a strange way to create a database, sites such as those mentioned here being ignored:

http://malwareurls.joxeankoret.com/normal.txt

I used, for a while, MBAM with NOD32; I never had a FP from NOD32, while I had over 12 FPs from MBAM in less than 4 months (I checked them, one by one, on VirusTotal).

In addition, having each and every site scanned by both an AV and MBAM will considerably slow down the surfing pleasure and sooner or later the user will get frustrated with MBAM and will try to disable the website blocking...

But wait..., we cannot do that.


While the explanation provided is on an academic level, the result is a fact of life: MBAM has way too many FPs blocking websites and IPs, most of the time not confirmed by ANY other AV on VirusTotal.

What I stated is not "on an academic level"; it is based upon actual experience and knowledge of the subject matter. One has to put this into perspective: it is not a black and white issue. It is grey scale and varies on a weighting scale. The position of which changes from black to white as a function of time, and malware plays a part in a determination but is not the only reason for blocking a site.

 

I'm sorry, but the concept of a False Positive with IP address blocking is not the same as with malware. As I have elucidated, a site can be blocked Today and unblocked Tomorrow. Not because of it falsely being blocked but because the problem associated with that IP has been mitigated. Just as much as a block can be lifted, an IP block can just as easily be reinstated based upon new malicious activity. It is not a case of a False Positive but one of a change of status.

  • Staff

Hi,

 

Over 80% of sites/IPs reported here as "false positive" are, indeed, false positives and "will be removed on next update".

 

Why so many? From where did you get the initial database with so many FPs???

 

I browse various forums but I have NEVER seen any other Antimalware with so many FPs.

To make things worse, the "web protection" cannot be disabled, even though it adds insignificant value to overall protection.

 

First off, where did you get these figures? Just because you see our replies saying "... will be removed on the next update" does not mean it was a False Positive. We are not at liberty to divulge what we identified and blocked on a particular IP or range. In some cases, doing so would entail us committing a criminal act, especially when it involves CP, which ESET, VirusTotal or others would not flag.

 

While I admit some False Positives will happen very occasionally, this is not the norm. We are human after all and mistakes can and do happen at times.

 

I think you are confusing AntiVirus with AntiMalware. There is a difference between the two. ESET, Kaspersky, Norton, etc., are all AntiVirus software. We specialise in the detection and removal of malware that current AntiVirus software generally may not yet detect.

 

Web protection can be disabled. Simply right-click the taskbar icon on your desktop and untick "Malicious Website Protection" (not advised).


Just because you see our replies saying "... will be removed on the next update" does not mean it was a False Positive.

It is hard to believe that you will remove the detected item to do the user a favour... so, yes, the detected item will be removed because it was a false positive.

 

I think you are confusing AntiVirus with AntiMalware. There is a difference between the two. ESET, Kaspersky, Norton, etc., are all AntiVirus software.

I am not confusing anything; I was referring strictly to Website blocking, which is determined by a match in the database and not an active mechanism.

 

Web protection can be disabled. Simply right click the taskbar icon on your desktop and untick "Malicious Website Protection"

This was requested multiple times on the forum but was never implemented; while Web protection can be disabled, the icon will change colour and any other ulterior problem will be "masked" by this change in colour; in addition, you will get that nagging message "protection disabled" when you start the computer.

If MBAM is intended to be used with an AV, most, if not all, AVs already have a malicious Website Protection, based on well known and maintained databases;

There is no need for MBAM to reinvent the wheel again and to create its own database (I was told that only 2 people are assigned to this task).

Remove this "website protection" from the product or give an opportunity not to install it during installation and leave the AV in charge to do its job. Already too many users are irritated by this "website protection" and this was mentioned multiple times on the forum.

Thanks!


It is hard to believe that you will remove the detected item to do the user a favour... so, yes, the detected item will be removed because it was a false positive.

 

 

You just don't get it. You are commenting based upon misunderstanding.

 

As I have already stated, an IP block can be removed or re-added based upon status.

 

Yesterday an IP block was instituted on IP_Address_X for malicious activity.

Today the IP is unblocked because the malicious activity on IP_Address_X has been mitigated.

Tomorrow the IP block is re-instituted on IP_Address_X for new malicious activity.

 

It was not because a False Positive was fixed that the site became unblocked. It was a change of status.

 

If IP_Address_X has many collocated hosts, HOST_A may be the cause Today and IP_Address_X gets blocked. Later HOST_A corrects the issue, like in a case of a site compromise with it now hosting Invisible IFrames, and IP_Address_X gets unblocked. Later HOST_B on IP_Address_X is acting maliciously and now IP_Address_X gets blocked again.

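The block/unblock lifecycle David describes (one bad host taints a shared address; the block is lifted when the activity is mitigated and reinstated when a different host misbehaves; researchers only reconsider an entry when a report or a False Positive query gives them a reason) can be modelled as a small state machine. The following is an added example written for this thread, not Malwarebytes' own code or database logic. It reuses the thread's placeholder names IP_Address_X, HOST_A and HOST_B; IP_Address_Y, HOST_C, HOST_D and the dates are constructed. Its point is that a removal "on the next update" is recorded with its reason, so that status changes (mitigated) and genuine listing errors (false positive) can be told apart and counted.

```python
"""Toy model of an IP-block lifecycle on a shared-hosting blocklist.

Added example, not Malwarebytes code. An IP is blocked while any host on it
is observed as malicious, unblocked when every such host has been mitigated,
and re-blocked when another host on the same address misbehaves. Every change
of status carries a reason, so "removed on next update" is not conflated with
"was a false positive".
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set

# Reasons a block can be lifted; only one of them is a true false positive.
MITIGATED = "mitigated"            # reported host cleaned up, activity stopped
FALSE_POSITIVE = "false_positive"  # the listing itself was wrong


@dataclass
class Change:
    when: date
    ip: str
    blocked: bool      # True = block instituted, False = block lifted
    reason: str
    host: str = ""     # host that triggered the change, if any


@dataclass
class BlockList:
    # ip -> hosts on that address currently observed as malicious
    bad_hosts: Dict[str, Set[str]] = field(default_factory=dict)
    history: List[Change] = field(default_factory=list)

    def is_blocked(self, ip: str) -> bool:
        # One bad apple taints every host sharing the address.
        return bool(self.bad_hosts.get(ip))

    def report_malicious(self, ip: str, host: str, when: date) -> None:
        was_blocked = self.is_blocked(ip)
        self.bad_hosts.setdefault(ip, set()).add(host)
        if not was_blocked:  # a second bad host on a blocked IP changes nothing
            self.history.append(Change(when, ip, True, "malicious_activity", host))

    def report_mitigated(self, ip: str, host: str, when: date) -> None:
        # Abuse-complaint feedback or a re-check found this host cleaned up.
        was_blocked = self.is_blocked(ip)
        self.bad_hosts.get(ip, set()).discard(host)
        if was_blocked and not self.is_blocked(ip):
            self.history.append(Change(when, ip, False, MITIGATED, host))

    def mark_false_positive(self, ip: str, when: date) -> None:
        # Researcher review found the listing itself was wrong: drop all hosts.
        if self.is_blocked(ip):
            self.bad_hosts[ip].clear()
            self.history.append(Change(when, ip, False, FALSE_POSITIVE))

    def unblock_reasons(self) -> Dict[str, int]:
        """Counts lifted blocks by reason: the figure the thread argues about."""
        counts = {MITIGATED: 0, FALSE_POSITIVE: 0}
        for change in self.history:
            if not change.blocked:
                counts[change.reason] += 1
        return counts


def run_thread_scenario() -> BlockList:
    """Replays the yesterday/today/tomorrow sequence from the thread (constructed dates)."""
    bl = BlockList()
    ip_x = "IP_Address_X"
    bl.report_malicious(ip_x, "HOST_A", date(2013, 1, 1))   # yesterday: blocked
    bl.report_mitigated(ip_x, "HOST_A", date(2013, 1, 2))   # today: lifted, mitigated
    ip_y = "IP_Address_Y"                                    # constructed second address
    bl.report_malicious(ip_y, "HOST_D", date(2013, 1, 2))   # blocked on a bad report
    bl.report_malicious(ip_x, "HOST_B", date(2013, 1, 3))   # tomorrow: blocked again
    bl.report_malicious(ip_x, "HOST_C", date(2013, 1, 3))   # already blocked, no change
    bl.mark_false_positive(ip_y, date(2013, 1, 3))          # review: the listing was wrong
    bl.report_mitigated(ip_x, "HOST_B", date(2013, 1, 4))   # HOST_C still bad: stays blocked
    bl.report_mitigated(ip_x, "HOST_C", date(2013, 1, 5))   # last bad host gone: lifted
    return bl


if __name__ == "__main__":
    model = run_thread_scenario()
    for c in model.history:
        state = "BLOCK  " if c.blocked else "UNBLOCK"
        print(f"{c.when} {state} {c.ip:14} {c.reason:18} {c.host}")
    print("lifted blocks by reason:", model.unblock_reasons())
```

Of the three lifted blocks in this run, two are status changes and only one is a false positive, which is the distinction the reply above draws; the same bookkeeping also shows why a second malicious host on an already-blocked address produces no new entry, while the address stays blocked until the last such host is mitigated.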

I do understand that "an IP block can be removed or re-added based upon status"

But it is MBAM's job to determine the change in the status (that's why we have multiple updates per day) and not to wait for a user to signal it as a FP.

It is not enough to initially create a huge database, block everything and wait for users to complain.

I understand that it is difficult, but either do it right or do not do it at all and leave this job for a better equipped player (the AV, for example).


The problem is not with Malwarebytes per se.

 

It is a manual job. If one tracks 10 malicious IPs then you can keep on top of each and every one. But when you have a thousand you just can't. There is no time to do it. If a Hosting Company, Service Provider or other replies back to Malwarebytes indicating a mitigation of the problem then Malwarebytes can act on it. However, in all too many cases they don't respond, reply or update the status on an Abuse Complaint. Thus the IP block may languish until there is impetus to recheck its status.

 

EDIT:

 

Unless there is an alteration in the question concerning the faux perception, it's EoD for me.


The problem is not with Malwarebytes per se.

 

There is no time to do it.

This is not what a paying customer is expecting ("There is no time for it"); once I paid for a product I expect that product to be maintained and delivered to me in a working shape.

If the approach is "cooperative", let's find the malicious items together because "we do not have time", the product should be free.

  • Staff

I do understand that "an IP block can be removed or re-added based upon status"

But it is MBAM's job to determine the change in the status (that's why we have multiple updates per day) and not to wait for a user to signal it as a FP.

It is not enough to initially create a huge database, block everything and wait for users to complain.

I understand that it is difficult, but either do it right or do not do it at all and leave this job for a better equipped player (the AV, for example).

 

You don't really understand or you would not be forcing the issue with counter arguments.

 

The multiple updates are because we constantly do checks on those that are blacklisted to add and remove entries. As such, with a database that runs into millions of entries, it is not a quick process. The False Positive reporting was put in place to help us in this task.

 

I don't think you really fathom the amount of work and time it takes to maintain this database and keep it as accurate as practicably possible. When we list IPs or domains, they are accurate at the time of listing. As David has already said, it is rapidly changing. You can sing all you like about other Security vendors and their ability to have an accurate database, but I can assure you, they have the same problems as us.

  • Staff

This is not what a paying customer is expecting ("There is no time for it"); once I paid for a product I expect that product to be maintained and delivered to me in a working shape.

If the approach is "cooperative", let's find the malicious items together because "we do not have time", the product should be free.

 

That is not what David implied. Malwarebytes does maintain and deliver a fully working product. The proof is in the satisfaction and growing number of customers. Obviously we can't please everyone.

 

If you want a free product, we supply that too. If you are not happy with the paid version, you are entitled to revert back to the free version. Rest assured, we do our best to protect our customers.

 

We have answered your questions fully and now regard this topic as closed.
