Jump to content

Malwarebytes for Mac Update Server location = Blacklisted?


Recommended Posts

I posted this on the old Adwaremedic  Blog and thought I wold post it here too.

 

 

I finally had some time to try to bypass the the updates to Malwarebytes for Mac updates that my Sophos UTM was killing. I thought the block was   in Web Protection. I did the bypass and it was still getting blocked. Then I checked Intrusion Prevention and I am getting this.

 

 

:39:44 Astaro9 snort[10923]: id=”2101″ severity=”warn” sys=”SecureNet” sub=”ips” name=”Intrusion protection alert” action=”drop” reason=”BLACKLIST User-Agent known malicious user agent – malware” group=”500″ srcip=”10.50.25.11″ dstip=”72.21.81.253″ proto=”6″ srcport=”53420″ dstport=”80″ sid=”16551″ class=”A Network Trojan was Detected” priority=”1″ generator=”1″ msgid=”0″

 

 

I question the Blacklisting and did a further IP address lookup. Why use such a dirty IP address that is filled with blacklisted sites for a name brand anti-malware company that is loaded with money and can afford a dedicated download IP that can be watched and protected vs being on scummy mass community server that who knows who “pwnd” it ? Kinda short sided and stupid I think. Where are Malwarebytes best practices?

 

https://www.virustotal.com/en/ip-address/72.21.81.253/information/

 

Is there anyway “we” or “you” can question the use of a “Typhoid Mary” community server for a direct download of security updates that I will need to SSL directly into my network. Again where are Malwarbytes best practices?

 

Thanks,

 

Mainia

 

.
 

Link to post
Share on other sites

  • Staff

It’s important to understand that any third-party CDN (content delivery network) can get improperly treated this way, simply because someone unethical has abused it. Akamai servers, for example, are used by Apple to distribute some of its content, and yet Akamai servers have also ended up getting blocked from time to time. This doesn’t make the CDN “dirty” or a “Typhoid Mary.”

For that matter, even The Safe Mac has been blocked as a “malicious” site before. So it’s important to take these kinds of alerts with a grain of salt.

That said, this is obviously not a good thing to be happening, so I've filed a report with our IT folks to see if they can sort this out.

Link to post
Share on other sites

  • Staff

More info... it looks like this is not an issue with the IP address, but a false positive on the user-agent string. (This is a string sent by every browser to identify itself, and although things like AdwareMedic and Malwarebytes Anti-Malware for Mac are not browsers, they still download files via http, and thus must send a user-agent identification string.) I suspect that this is due to the word "malware" appearing in our user-agent string (within the word "Malwarebytes").

 

I'm contacting Sophos, and would advise you to do the same for fastest resolution of this issue.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.