pzi123

malwarebytes breaks DNS resolution


As soon as I start Malwarebytes (3.0.6), the DNS resolution on my Windows 10 or Windows 2012r2 stops working for DNS names in DDNS domains like *.zapto.org. The IPs returned from nslookups for my pzi.zapto.org show bogus values of 127.42.0.1. As soon as I stop Malwarebytes, the nslookup returns correct external IPs. This looks like Malwarebytes is trying to protect the client from connecting to DDNS IPs.

This breaks a number of things. Any ideas?

Tried to work with malwarebytes support but without luck.

Hello and Welcome!

Malwarebytes was not designed to work on a Server (in your case Windows 2012r2). If you want to run Malwarebytes in a business (and on a server) you will need to use the business version and contact/post in the business section of the forum HERE

Hi Firefox! Do you have a business version running somewhere? Can you quickly run this from the cmd prompt: nslookup pzi.zapto.org

No I do not have access to the business version at this time, however running that on my home computer (Win7 Ultimate) with MB3 installed, I get this result.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Firefox>nslookup pzi.zapto.org

Non-authoritative answer:
Name:    pzi.zapto.org
Address:  127.42.0.0

BTW pzi.zapto.org is currently being blocked by Malwarebytes...

If you want to report it as a possible false positive do so HERE


We have an 'exclusions' setting to do that - unfortunately that exclusion does not change Malwarebytes' behavior. We can't start posting sites to that list every time we want to exclude/allow a URL.

15 minutes ago, pzi123 said:

We have an 'exclusions' setting to do that - unfortunately that exclusion does not change Malwarebytes' behavior. We can't start posting sites to that list every time we want to exclude/allow a URL.


Find out if it is an IP block or a domain block. Switch to a different host if needed.


As mentioned above, *.zapto.org is being blocked by Malwarebytes currently. We aren't breaking DNS resolution, that's just how we block malicious sites.

That being said, our researchers looked this over and we are unblocking the *.zapto.org domain (specific subdomains of zapto.org are still blocked). It should take around 30 minutes or so, and then perform a database update which should allow access to the site.


Thanks Devin - it works fine now. I still think that users should be able to add exclusions, and that should take precedence over the white list you maintain.

2 hours ago, pzi123 said:

Thanks Devin - it works fine now. I still think that users should be able to add exclusions, and that should take precedence over the white list you maintain.

You can add exclusions. Under Settings -> Exclusions -> Add Exclusion -> Exclude a Website. I believe I found the ticket that you originally were working on with our support. One thing that should have resolved your issue after adding the exclusion (since it didn't seem to work for you) would have been to flush your DNS settings. A cached DNS resolution may cause this issue after excluding an address.


As Malwarebytes provides us with such an indispensable service, we techies should help them in implementing the right solutions. Here the idea to take over the DNS resolution on Windows and point it to an invalid local address is maybe the first thing you could think of. Unfortunately it is not ideal - the user of Malwarebytes gets stunned and has no idea what just happened. What I would suggest is:

1. Instead of using that 127.42.0.0/?, use a valid Malwarebytes IP that points to a URL with an explanation.

2. Change the logic in the Malwarebytes software to allow the user to add an exclusion that would allow connecting to the black-listed URL anyway.

17 hours ago, pzi123 said:

1. Instead of using that 127.42.0.0/?, use a valid Malwarebytes IP that points to a URL with an explanation.

2. Change the logic in the Malwarebytes software to allow the user to add an exclusion that would allow connecting to the black-listed URL anyway.

1. I'm sure there are reasons for using a local DNS cache instead of a web based one; for one, what happens in this scenario if someone blocks that explanation URL?

2. As I mentioned, this should be working, and we are tracking the issue internally with some scenarios where we were able to replicate it. You are correct, users should most definitely be able to exclude IP addresses from being blacklisted. It seems this only has issues in specific scenarios.

@schmak01 we are working on your issue as well; I may have some follow-up questions after I perform some more testing.


Hi, I just wanted to chime in because I am having a similar issue. When Web Protection is on, it causes DNS issues similar to the above pings on our internal network.

This is a Windows 7, domain-joined PC, MBAM 3.0.6.1469.


After installing MBAM on a different PC I realized mine hadn't and wasn't upgrading to 3.1 (I still had a 3.0.x version installed). I downloaded the latest installer and tried using that to update, and it told me I had a previous install that wasn't complete and I needed to restart. This message did not go away after 3 reboots, so I uninstalled the application, rebooted, and finally was able to install version 3.1.

As it stands, removing and installing the newer application seems to have fixed the problem for me. I will reply back or create another thread if the issue happens again.


I don't think anything changed. Still the whole DNS lookup is going through the Malwarebytes proxy at 127.42.x.x. If your destination is on the black list, like all DDNS domains, etc., and it is not on the exception list that is centrally maintained, your connection will fail. Your domain's status on the exception list may be unstable and you see those failures. I just did the DNS lookup for my zapto.org and it returns the local proxy, but the ping still works since the proxy finally returns the right address:

Peter@pzi-s3:~$ nslookup
> pzi.zapto.org
Server:         192.168.77.3
Address:        192.168.77.3#53

Non-authoritative answer:
Name:   pzi.zapto.org
Address: 127.42.0.1
> exit

Peter@pzi-s3:~$ ping pzi.zapto.org

Pinging pzi.zapto.org [127.42.0.0] with 32 bytes of data:
Reply from 67.190.20.39: bytes=32 time=1ms TTL=63
Reply from 67.190.20.39: bytes=32 time=2ms TTL=63
Reply from 67.190.20.39: bytes=32 time=1ms TTL=63
Reply from 67.190.20.39: bytes=32 time=1ms TTL=63
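The diagnostic loop this thread goes through (an nslookup answer in the 127.42.x.x range, adding an exclusion under Settings -> Exclusions, and the cache flush the support reply mentions) can be scripted so a technician sees at a glance whether a name is being sinkholed by Web Protection or resolved normally. The checker below is an added example, not Malwarebytes' code or the poster's. It parses the two nslookup transcripts shown in the thread (copied in as sample data) and flags any answer inside 127.42.0.0/16; the /16 width, the verdict names, and the default host in the usage line are assumptions made for the example.

```python
"""Classify DNS answers as real or sinkholed, using nslookup output like
the transcripts in this thread.  Added example, not Malwarebytes code."""
import ipaddress
import re
import socket
import subprocess
import sys

# Both transcripts above answered from 127.42.0.x; treating the whole
# 127.42.0.0/16 as the sinkhole range is an assumption, not documented here.
SINKHOLE_NET = ipaddress.ip_network("127.42.0.0/16")

_NAME_RE = re.compile(r"^\s*Name:\s*(\S+)", re.IGNORECASE)
_ADDR_RE = re.compile(r"^\s*Address(?:es)?:\s*(\S+)", re.IGNORECASE)
_CONT_RE = re.compile(r"^\s+(\S+)\s*$")  # extra addresses on Windows (indented)

# Sample transcripts copied from the posts above (constructed test data).
WINDOWS_SAMPLE = r"""
C:\Users\Firefox>nslookup pzi.zapto.org

Non-authoritative answer:
Name:    pzi.zapto.org
Address:  127.42.0.0
"""

LINUX_SAMPLE = """\
> pzi.zapto.org
Server:         192.168.77.3
Address:        192.168.77.3#53

Non-authoritative answer:
Name:   pzi.zapto.org
Address: 127.42.0.1
> exit
"""


def is_sinkholed(addr):
    """True if the address lies in the assumed Web Protection sinkhole range."""
    return ipaddress.ip_address(addr) in SINKHOLE_NET


def parse_nslookup(output):
    """Return {hostname: [answer addresses]} from nslookup output.

    The resolver's own 'Server:' / 'Address: ...#53' header is ignored;
    only addresses that follow a 'Name:' line count as answers.
    """
    answers = {}
    current = None
    for line in output.splitlines():
        if line.lstrip().startswith("Server:"):
            current = None          # header of a new query, not an answer
            continue
        m = _NAME_RE.match(line)
        if m:
            current = m.group(1).rstrip(".")
            answers.setdefault(current, [])
            continue
        if current is None:
            continue
        m = _ADDR_RE.match(line) or _CONT_RE.match(line)
        if m:
            try:
                answers[current].append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass                # '192.168.77.3#53', alias names, etc.
    return answers


def classify(answers):
    """Map each name to 'sinkholed', 'resolved', 'mixed' or 'unresolved'."""
    verdicts = {}
    for name, addrs in answers.items():
        flags = [is_sinkholed(a) for a in addrs]
        if not flags:
            verdicts[name] = "unresolved"
        elif all(flags):
            verdicts[name] = "sinkholed"
        elif any(flags):
            verdicts[name] = "mixed"
        else:
            verdicts[name] = "resolved"
    return verdicts


def live_check(hostname):
    """Ask the OS resolver (the path Web Protection intercepts) and classify.

    After adding an exclusion, a stale cached 127.42.x.x answer keeps this
    returning 'sinkholed' until the cache is flushed (ipconfig /flushdns).
    """
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    return classify({hostname: addrs})[hostname]


if __name__ == "__main__":
    # Usage: python check_sinkhole.py host1 host2 ...  (default host assumed)
    for host in sys.argv[1:] or ["pzi.zapto.org"]:
        proc = subprocess.run(["nslookup", host], capture_output=True, text=True)
        print(host, classify(parse_nslookup(proc.stdout)).get(host, "unresolved"))
```

Run it once before and once after adding the exclusion and flushing the cache: a name that stays "sinkholed" after both steps is still on the central block list (the situation Devin describes), while "resolved" confirms the exclusion took effect. The parser deliberately ignores the resolver header so the 192.168.77.3 server line in the Linux transcript is never mistaken for an answer.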
