
'Don't show any more alerts for this IP address'


LDTate

Request from an MBAM customer:


All it needs is a button on the popup that says 'Don't show any more alerts for this IP address'. I am not looking for a workaround – I am looking for a FEATURE in MWB that will help me to not see all those alerts from the same IP address. I can't imagine ANYONE wants to see that alert flash, over and over. Please ask the product manager to ADD this feature request to his list.

I am trying to solve a problem that is CAUSED by MWB, and I'm looking to MWB to FIX it.

Regards,

John


2 weeks later...

Staff

While I agree that this is a scenario that needs to be addressed, I'm not on board with the proposed solution of absolutely disabling all future alerts for a given IP/URL block, only because frequent/repeated blocks to/from the same malicious server could indicate the presence of malware on the system, either in the form of a Trojan or other malware trying to phone home (contact the C&C server for instructions), to exfiltrate data from the system (i.e. keyloggers and other threats which attempt to steal data), or to download other threats (i.e. a downloader Trojan/worm), or a malicious web browser plugin connecting to a blocked site. So enabling customers to basically pretend the block event isn't happening by concealing all future alerts about it seems to be the wrong approach in my opinion.

Instead, I'd propose a sort of middle ground where perhaps after a certain number of blocks to/from the same malicious server we offer to update and run a scan for malware and if that comes back clean, offer to provide free diagnostics/malware removal assistance services (via one of our support channels where we already do things like this, such as here on our forums as well as via email) to verify that the system is not infected, and if it is, to of course get the system cleaned up, all free of charge (we do not charge for these services).

And finally, in order to make it less annoying and address the initial issue of too many duplicate alerts, we could instead reduce the frequency of them, only showing an alert every n# of instances following the first one or two block events and/or have a timer which prevents us from displaying a duplicate block alert within a certain timeframe (i.e. no more than n# of duplicate block alerts within a 60 second timeframe or similar).

One or a combination of any of the above would be better in my opinion than simply providing a means of deliberately ignoring a repeating block event alert because that's just hiding the symptom of a larger potential issue rather than dealing with and resolving it in my opinion.

Edited by exile360
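The middle ground sketched in the staff reply above combines three rules: always show the first one or two block events for a server, then show only every n-th duplicate, cap duplicates inside a 60-second window, and at some repeat count escalate to an offer of an update and scan rather than hiding the alert. The following is an added example written for this thread; it is not Malwarebytes code and says nothing about how the product implements its alerts. The policy numbers, the `BlockEvent`/`Decision` types and the sample events (documentation-range addresses, seven seconds apart) are all constructed here.

```python
"""Added example: duplicate block-alert throttling with scan-offer escalation."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockEvent:
    ts: float      # event time in seconds (constructed sample values below)
    server: str    # blocked IP address or domain
    process: str   # process that attempted the connection


@dataclass(frozen=True)
class ThrottlePolicy:
    always_show_first: int = 2      # first one or two blocks are always shown
    show_every_nth: int = 5         # afterwards show only every n-th duplicate
    window_seconds: float = 60.0    # ...and no more than max_per_window alerts
    max_per_window: int = 2         #    for the same server inside this window
    scan_offer_threshold: int = 12  # after this many blocks, offer an update + scan


@dataclass(frozen=True)
class Decision:
    server: str
    count: int          # how many blocks seen for this server so far
    show: bool
    reason: str         # initial | every_nth | duplicate | window_limit
    offer_scan: bool    # escalate: offer a scan/support instead of hiding the event


class AlertThrottler:
    def __init__(self, policy: ThrottlePolicy = ThrottlePolicy()):
        self.policy = policy
        self.counts = defaultdict(int)
        self.shown = defaultdict(deque)   # timestamps of alerts actually shown
        self.scan_offered = set()

    def handle(self, ev: BlockEvent) -> Decision:
        p = self.policy
        self.counts[ev.server] += 1
        n = self.counts[ev.server]

        # Escalation does not depend on whether the popup is shown: the block
        # count keeps growing silently, and at the threshold we offer a scan once.
        offer = n >= p.scan_offer_threshold and ev.server not in self.scan_offered
        if offer:
            self.scan_offered.add(ev.server)

        if n <= p.always_show_first:
            show, reason = True, "initial"
        elif (n - p.always_show_first) % p.show_every_nth == 0:
            show, reason = True, "every_nth"
        else:
            show, reason = False, "duplicate"

        if show:
            # Sliding window: drop shown-alert timestamps older than the window,
            # then refuse the alert if the window is already full.
            q = self.shown[ev.server]
            while q and ev.ts - q[0] >= p.window_seconds:
                q.popleft()
            if len(q) >= p.max_per_window:
                show, reason = False, "window_limit"
            else:
                q.append(ev.ts)
        return Decision(ev.server, n, show, reason, offer)


def run_sample() -> list:
    # Constructed sample: 17 blocks of one documentation-range address seven
    # seconds apart, plus one unrelated block from another address interleaved.
    events = [BlockEvent(1000.0 + 7 * i, "203.0.113.7", "svchost.exe") for i in range(17)]
    events.append(BlockEvent(1003.0, "198.51.100.9", "chrome.exe"))
    events.sort(key=lambda e: e.ts)
    throttler = AlertThrottler()
    return [throttler.handle(e) for e in events]


if __name__ == "__main__":
    for d in run_sample():
        flag = "  -> offer update + scan" if d.offer_scan else ""
        print(f"{d.server:<14} #{d.count:>2} {'SHOW' if d.show else 'hide':<4} ({d.reason}){flag}")
```

With these constructed numbers the repeating server produces popups for blocks 1, 2, 12 and 17 only; block 7 qualifies as an every-n-th alert but is held back by the window limit, and block 12 is the one that carries the scan offer. The window keys on alerts actually shown, not on all block events, so a quiet period resets it; keying it on raw events instead would let a busy server suppress its own escalation alerts indefinitely.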

Rather than display a dialog box, I would like to have the program modify the IP address of suspect sites to 127.0.0.1 and append that to the hosts file. A notification that the hosts file, or the ability to view or modify it from inside Malwarebytes, would be pretty useful, IMO.


Staff

Honestly, there wouldn't be too much difference. We are blocking the site, we're simply doing it via a different method (incidentally, using the HOSTS file to block sites doesn't actually block all connections to/from a site the way that a WFP filter does, which is what Malwarebytes is using). Additionally, if too many sites are entered into the HOSTS file and the DNS Client service is active (which it is by default on all current Windows versions) then you'll experience major performance issues (high CPU usage) which can actually lock up the system depending on how powerful/fast the hardware is. Also, using our method, we actually are redirecting the blocked sites. It redirects to our block page when viewed in a browser, but regardless of whether a browser is being used, the connection is still blocked. We also block both domains as well as IP addresses, something that isn't possible using a HOSTS file (they can only block domains).

The purpose of the notification is simply to make the user aware that an attempt to connect to a potentially dangerous website occurred and that Malwarebytes blocked it. This information is useful for multiple reasons, including to let them know that Malwarebytes is doing its job and has detected/blocked something potentially malicious (the same reason we alert whenever an exploit, ransomware or other malware is detected/blocked) and because it can also sometimes indicate the presence of a larger issue, such as a Trojan/downloader trying to "phone home" or download other threats, or indicate the possible presence of a malicious browser plugin, DNS hijacker or other such threat. So when repeated alerts are seen and there's no good explanation for it (such as an active P2P app, like a BitTorrent client running etc.), it could be a sign that the system needs to get checked as it may be under attack and/or already infected. That's the main reason why it makes me nervous not to show at least some sign that a block incident has occurred, especially when it's a constant/frequent identical alert, as those can often indicate exactly the types of scenarios I described and those are not situations that it is wise to ignore.

Edited by exile360