
Malwarebytes and Webroot question.



Welcome to Malwarebytes!

An attempt has been made by software present on your computer to contact a website which is suspected to be malicious in nature. The attempt has been blocked. This detection occurred as a function of real-time protection. This notification provides information which may help you to determine whether the connection should or should not be allowed. You may click the Manage Web Exclusions link to configure Malwarebytes Anti-Malware to allow access to this website.


Thanks for the quick reply yardbird.

I understand everything you posted except for:

'Software present on your computer' I have not made any changes in months. Do you know what type of software?

Also what has this got to do with Webroot?

I googled click.watchjmp.com but can't really determine what it is. Maybe a phishing site?

It also comes up randomly while surfing so maybe I have malware on my PC that Malwarebytes is not picking up?

Thanks again for your assistance.

 


IP blocks can indicate a number of things:

  • They could indicate that MBAM is doing its job of blocking bad content on websites.
  • In some cases the blocks are a false positive.
  • However, they can also be a sign of infection, especially if the blocks are outgoing and if they occur when no browsers are open.

--> There is more information about the IP blocking module in the Help Desk topics HERE and HERE and HERE, and in the FAQ - Section G.

On the other hand, if you think the IP blocks might be a false positive, then please read this pinned topic before starting a new topic in the Website Blocking False Positives sub-forum.

Alternatively, if you think you might be infected, based on the IP blocks and/or other suspicious computer behavior, then please read the following for the available options to have a malware expert assist you with the cleaning process Available Assistance For Possibly Infected Computers.


Hi, @Athalwolf.  We had a user report the same incident (website and IP) in another thread, and I originally thought it was advertising, as evidenced in this thread:

However, in seeing your screenshot, I now see that it is WebRoot itself causing the issue and making the connection to that IP.

I would recommend that you follow the advice from Yardbird in the next to last paragraph, reading the pinned topic and reporting it as a false positive.  Please read the pinned topic first to get an idea on how to make the report.  One of the developers will come back and help you out on this issue there.

I'll let the other user know that I've advised you to do this.


Awesome.  It may be as I initially surmised for the other user, now that I think about it again - the domain name, particularly the clickjmp part of it, strongly indicates to me that it is advertising related.  Does WebRoot show you advertising?

 


It's a False Positive as WRSA.exe is WSA's main process and would show being used checking the site in question with its Web Filter Extension. You can check Websites manually here: http://www.brightcloud.com/tools/url-ip-lookup.php

Also Webroot is Cloud Anti-Malware and it uses the Amazon network!

Thanks,

Daniel :)

 

2016-04-17_19-27-30.png

2016-04-17_19-28-42.png


8 hours ago, Athalwolf said:

Also what has this got to do with Webroot?

Basically what is going on here is that Malwarebytes is doing its job blocking advertising on web sites. The reason it's showing as Webroot is because Webroot is filtering your traffic to the internet so it shows it as the one in the process accessing the site.


8 hours ago, Athalwolf said:

Long-time pro user here. I have been getting this pop up several times a day for a week. Can someone please explain what is going on?

Thanks

 

 Untitled.png

The block only appears to be coming from WSA.

Some AVs, including WSA, Kaspersky and others, filter network traffic.  So, the IP block displayed by MBAM appears to come from the AV (in this case WSA), when it does not.

It does appear that it *might* be a false-positive, but VirusTotal does list MBAM's hphosts as flagging the site:
https://www.virustotal.com/en/url/8c5ab5bf59007be8b5b6d1170ca929aa13872c72cf0a2a77f0b4ac7a2e38852d/analysis/

For prompt attention by the Research Team, I suggest following up with the other, related thread in the F/P section HERE
And it would help to see the OP's entire protection log.

Thanks,

P.S. Alas, nearly all of the links quoted in this reply HERE are outdated and dead. The verbiage in that particular reply appears to have been copied from old "canned" code in a very old, now-outdated reply to another thread from many years ago. So, while the intent of the post is admirable, most of the content therein no longer fully applies. ;)

 

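The triage reasoning from this thread (outgoing blocks with no browser open are the worrying case, and a traffic-filtering AV such as WSA shows up as the blocked process even though it is only relaying the connection), written out as an added example that is not part of any poster's reply or of Malwarebytes' own tooling. The record fields, verdict labels, browser list and sample events are constructed for illustration and are not the real protection-log format.

```python
from collections import Counter

# Assumption: processes that filter other programs' traffic, so a block is
# attributed to them. WRSA.exe (Webroot) is the one named in the thread.
FILTERING_AV = {"wrsa.exe"}
# Assumption: common browser process names; adjust for the machine in question.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}

# Constructed sample records (hypothetical fields, placeholder domains).
EVENTS = [
    {"direction": "outgoing", "process": "WRSA.exe",
     "domain": "click.watchjmp.com", "browser_open": True},
    {"direction": "outgoing", "process": "WRSA.exe",
     "domain": "click.watchjmp.com", "browser_open": True},
    {"direction": "outgoing", "process": "WRSA.exe",
     "domain": "click.watchjmp.com", "browser_open": False},
    {"direction": "outgoing", "process": "svchost.exe",
     "domain": "blocked.example.invalid", "browser_open": False},
    {"direction": "incoming", "process": "System",
     "domain": "scanner.example.invalid", "browser_open": False},
    {"direction": "outgoing", "process": "firefox.exe",
     "domain": "ads.example.invalid", "browser_open": True},
]


def triage(event):
    """Return a verdict label for one blocked-connection record."""
    proc = event["process"].lower()
    outgoing = event["direction"] == "outgoing"
    if proc in BROWSERS:
        return "web-content"  # blocked content on a page, or a false positive
    if proc in FILTERING_AV:
        # The AV only relays the connection, so the process name says little;
        # whether a browser was open is the better clue to the real origin.
        return "web-content-via-av" if event["browser_open"] else "investigate"
    if outgoing and not event["browser_open"]:
        return "possible-infection"  # the case the thread singles out
    return "review"


def summarize(events):
    """Count blocks per (domain, verdict) so repeats stand out."""
    return Counter((e["domain"], triage(e)) for e in events)


if __name__ == "__main__":
    for (domain, verdict), n in sorted(summarize(EVENTS).items()):
        print(f"{n:2d}  {verdict:20s} {domain}")
```

A verdict of `investigate` or `possible-infection` is where posting the full protection log for an expert to review, as suggested above, pays off.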
