peteyt

Troubleshooter


Not sure if this would make sense in Malwarebytes as it isn't really a firewall, but I've noticed a lot of security suites adding troubleshooters and wondered if Malwarebytes would benefit from one. The idea is that if something is blocked e.g. a program, website etc. the troubleshooter is an easy way to discover if it is being blocked. Sometimes things get blocked by accident and people who aren't tech savvy might struggle finding out how to unblock them. A troubleshooter can take the complications out of this.


Greetings :) 

Are you referring to cases where something has been blocked by Malwarebytes or where it has been blocked (possibly) by an infection or damaged/modified system configuration setting (such as the HOSTS file, for example or modified proxy settings/browser settings etc.)?

1 hour ago, exile360 said:

Greetings :) 

Are you referring to cases where something has been blocked by Malwarebytes or where it has been blocked (possibly) by an infection or damaged/modified system configuration setting (such as the HOSTS file, for example or modified proxy settings/browser settings etc.)?

By Malwarebytes. Take ESET, which I use alongside Malwarebytes. As it has a firewall, the last 2 versions have also introduced a troubleshooter, so if something doesn't load and you think ESET has blocked it you can open it and it will show you anything that has been recently blocked and you can click unblock. Saves you having to disable stuff.


Ah, I see.  We have something somewhat like that for our Web protection already.  Whenever a website is blocked, you can right-click the tray icon for Malwarebytes and it lists the last IP address that was blocked and it also provides an option to add the site to your exclusions so that it will no longer be blocked.  As for everything else though, all you have to go by are the notifications and logs so yes, something like this could certainly be useful, especially if you have notifications turned off, however for the time being at least just make sure that you have Malwarebytes configured to show all notifications when testing to see if it is blocking something.

You can also check the logfiles located under %PROGRAMDATA%\Malwarebytes.  The primary one to check will be the MBAMSERVICE.LOG located within the MBAMService folder found there.  It should list everything detected/blocked by our various protection components but you can also check the other logs if any have been created for the other modules under their folders (AeDetections for Anti-Exploit detections, ArwDetections for Anti-Ransomware detections, MWACDetections for Web protection and RTPDetections for Malware protection).  The individual .JSON logs created under the individual modules' folders contain more detailed info about each block/detection event while the MBAMSERVICE.LOG file contains just a line or two about each event, providing less detail, though useful if you just need to track down the name of a particular executable or website that was blocked.  The .JSON logs can be read in a regular text editor such as notepad though you'll likely need to use the "Open with" function and select notepad to open them as they're not associated with any programs by default.

Anyway, I'll definitely pass on your suggestion to the team.  The above info was just in case you or anyone else needed to perform any diagnostics/troubleshooting in the meantime so you'd know where to find all the info.
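
The log locations described in the post above, gathered into one read-only PowerShell script (an added example, not part of the original post and not Malwarebytes' own tooling). The `$Needle` and `$Days` parameters are hypothetical names; the folder and file names are the ones given in the post, and the .JSON files are only searched as text because their fields are not described in this thread.

```powershell
# Added example: list recent Malwarebytes block/detection records from the
# log locations named in the post. Read-only; no setting is changed.
param(
    [string]$Needle = '',   # optional text to look for, e.g. an executable or site name
    [int]$Days = 7          # how far back to look (assumed default)
)

$root = Join-Path $env:ProgramData 'Malwarebytes'

# Folder names as given in the post. Their exact parent folder is not stated
# there, so each one is located by name anywhere under $root.
$modules = [ordered]@{
    AeDetections   = 'Anti-Exploit'
    ArwDetections  = 'Anti-Ransomware'
    MWACDetections = 'Web protection'
    RTPDetections  = 'Malware protection'
}
$since = (Get-Date).AddDays(-$Days)

foreach ($name in $modules.Keys) {
    $dirs = Get-ChildItem -Path $root -Directory -Recurse -Filter $name -ErrorAction SilentlyContinue
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir.FullName -Filter '*.json' -File |
            Where-Object { $_.LastWriteTime -ge $since } |
            Sort-Object LastWriteTime -Descending |
            ForEach-Object {
                # Plain-text search only; assumes PowerShell can decode the file.
                $text = Get-Content -LiteralPath $_.FullName -Raw
                if ($Needle -and $text -notmatch [regex]::Escape($Needle)) { return }
                [pscustomobject]@{
                    Module  = $modules[$name]
                    Written = $_.LastWriteTime
                    File    = $_.FullName
                }
            }
    }
}

# The one-or-two-line summaries live in MBAMSERVICE.LOG inside the MBAMService folder.
$serviceLog = Join-Path $root 'MBAMService\MBAMSERVICE.LOG'
if ($Needle -and (Test-Path -LiteralPath $serviceLog)) {
    Select-String -LiteralPath $serviceLog -SimpleMatch -Pattern $Needle |
        Select-Object -Last 20 -Property LineNumber, Line
}
```

Run it with `-Needle` set to the program or site name you suspect was blocked; without `-Needle` it lists every detection record written in the last `$Days` days, grouped by protection module.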

18 hours ago, exile360 said:

Ah, I see.  We have something somewhat like that for our Web protection already.  Whenever a website is blocked, you can right-click the tray icon for Malwarebytes and it lists the last IP address that was blocked and it also provides an option to add the site to your exclusions so that it will no longer be blocked.  As for everything else though, all you have to go by are the notifications and logs so yes, something like this could certainly be useful, especially if you have notifications turned off, however for the time being at least just make sure that you have Malwarebytes configured to show all notifications when testing to see if it is blocking something.

You can also check the logfiles located under %PROGRAMDATA%\Malwarebytes.  The primary one to check will be the MBAMSERVICE.LOG located within the MBAMService folder found there.  It should list everything detected/blocked by our various protection components but you can also check the other logs if any have been created for the other modules under their folders (AeDetections for Anti-Exploit detections, ArwDetections for Anti-Ransomware detections, MWACDetections for Web protection and RTPDetections for Malware protection).  The individual .JSON logs created under the individual modules' folders contain more detailed info about each block/detection event while the MBAMSERVICE.LOG file contains just a line or two about each event, providing less detail, though useful if you just need to track down the name of a particular executable or website that was blocked.  The .JSON logs can be read in a regular text editor such as notepad though you'll likely need to use the "Open with" function and select notepad to open them as they're not associated with any programs by default.

Anyway, I'll definitely pass on your suggestion to the team.  The above info was just in case you or anyone else needed to perform any diagnostics/troubleshooting in the meantime so you'd know where to find all the info.

Yeah, the advantage of a troubleshooter is it doesn't just show you what is blocked like the logs but also allows you in a sense to unblock with just one click. I also hope Malwarebytes considers an unblock feature in the popups, at least for the web side. The tray option for the last site is only useful if you know it's there.


Yes, we formerly had such an option, but unfortunately we got a lot of complaints about it from users who kept thinking that the pop-up with the button was us asking them if they wanted us to block it or not, so they'd click the button, excluding the website thinking they were telling Malwarebytes to block the website.  We went through several iterations of dialogues trying to solve this problem, but no matter how we worded it we ended up with the same results so we decided that it was far safer to simply require users to go through more deliberate steps when they wish to exclude something as we'd rather stay on the safer side of the equation.  Obviously that's bad if it's an FP, but it's far worse if we make it too easy where users might be more prone to accidentally clicking on it and unblocking something that's actually malicious.

1 hour ago, exile360 said:

Yes, we formerly had such an option, but unfortunately we got a lot of complaints about it from users who kept thinking that the pop-up with the button was us asking them if they wanted us to block it or not, so they'd click the button, excluding the website thinking they were telling Malwarebytes to block the website.  We went through several iterations of dialogues trying to solve this problem, but no matter how we worded it we ended up with the same results so we decided that it was far safer to simply require users to go through more deliberate steps when they wish to exclude something as we'd rather stay on the safer side of the equation.  Obviously that's bad if it's an FP, but it's far worse if we make it too easy where users might be more prone to accidentally clicking on it and unblocking something that's actually malicious.

Would possibly a confirmation not work, or even needing a password, e.g. "This site has been flagged as dangerous and could damage your computer, are you sure you want to unblock it?" You could even have it disabled by default and require the user to enable it - a lot of novice users tend not to enable stuff, e.g. if it's in the advanced section.


I think maybe the setting to enable it is the most viable option.  That said, oftentimes when a user is having trouble due to a website block it's because they're using an application that they know to be safe and it just happens that said application connects to one or more servers that we block.  This happens frequently with P2P (Peer-to-Peer) applications such as video games, instant messaging apps like Skype as well as filesharing applications such as BitTorrent clients and in these cases, the best course of action is actually to exclude the process from web blocking rather than excluding individually blocked websites one-by-one.  This is because, while connecting to such a server may be safe/non-malicious when using such a program, it is unsafe if the user connects to that same website using their internet browser such as when viewing a website which contains a malicious ad containing an exploit or some other form of malware/malicious content and in these cases we generally recommend that the user exclude the P2P application from web blocking so that they're still fully protected within the more at-risk applications.

As for your suggestions, I think the idea of a setting sounds like the safest option here as you are quite correct I believe in thinking that novice users tend not to manipulate settings, especially those which are "hidden" more or less by being located within an "advanced" part of the interface.

