IP Protection - Suggestions

[Amethyst]

OK, let me amend that. I see that out of the 6 days, I have one day where an IP was blocked twice, but my son was home alone at the time and he didn't see anything. (I asked him.)

Yesterday, I briefly had the free Webroot Desktop Firewall installed on one machine and I noticed the IP protection was shut down. I mentioned this in another post, but I'll mention it here again, since the developers might be interested in that.

The log says:

11:46:03 (null) MESSAGE Protection started successfully

11:46:34 HP_Administrator ERROR IP protection failed: PfBindInterfaceToIPAddress failed with error code 87

13:43:18 HP_Administrator ERROR IP protection failed: PfMakeLog failed with error code 85

13:43:22 HP_Administrator ERROR IP protection failed: PfMakeLog failed with error code 85

13:43:55 HP_Administrator ERROR IP protection failed: PfMakeLog failed with error code 85

13:44:48 HP_Administrator ERROR IP protection failed: PfMakeLog failed with error code 85

13:45:11 HP_Administrator ERROR IP protection failed: PfMakeLog failed with error code 85

The first error message occurred when I rebooted the computer to complete the installation of Webroot Firewall.

The others occurred when I tried to enable the protection. I see there are other times, in looking at my logs, that the protection was disabled for no reason that I can figure out, like a 30 minute time period. This brings to mind another suggestion--a popup when an error has occurred or when it has been enabled.

[whatmeworry?]

What I would like to be able to do is safely test my IP protection to see if it is, in fact, working. Could you developers maybe set up a dummy page like that so we could test? Or do you already have one?

Amethyst, if you want to test Malwarebytes' IP Protection, you might go to the False Positives section of this forum and try to go to a couple of the sites people have mentioned there recently as being safe. I wouldn't suggest doing anything more than simply trying to get your browser to go to the site. Chances are that if your IP Protection is working as it should, you'll see a popup notice. If you don't get the popup on a site someone recently claimed was OK but blocked, then perhaps your IP Protection isn't working as it should be. Just be sure to try very recently mentioned sites, since presumably Malwarebytes is correcting its database on older false positives.

[swagger]

Something that might be a little more safe, is ping. Fire up a cmd prompt and ping the IP (it should return as "Destination host unreachable" or something to that effect). If MBAM is working, it will block the packets regardless of what program is trying to reach the destination. But like whatmeworry? said, I would make sure you are using known false positives that are very recent if you are going to attempt something like this.

[Amethyst]

Thanks, Whatmeworry and Swagger. I found a link from a FP post and tried that, and the IP blocker displayed. On my other computer, I also finally happened to click on a link whose IP got blocked, so I know the IP blocker is working on both of them.

A safe test link provided by MWB would be nice, though.

[swagger]

Glad to hear it worked Amethyst. Did you try it through a web browser or by pinging it? Either way should have worked, although I prefer to ping it as an extra measure of security. If I were to get through to a malicious IP using ping, all I would get back are echo replies. But through a web browser, it might return a malicious web page that contained malicious code or even worse, pop ups!

I do agree that a safe test link would be fantastic. Just to give everyone the warm fuzzy that their product is working for them if they never get any IP Protection pop ups normally.

[Amethyst]

Hi Swagger,

You're right, I should have pinged it, but I typed in a web address someone in the FP section mentioned. Next time I'll ping instead. Thanks for explaining the difference. When it comes to computers, there's always something to learn. (Every day I find out how much I don't know! )

[swagger]

No problem at all. I learn something new every single day as well. It's a constant learning process and I love it.

[Hexenmeister]

Another thing, the pop-ups are getting really annoying, the sound and the pop-up, i really have no care for the ip, so if you could put in a option to turn off the notice (silent?) that would be great.

I second this! I like the fact that MB is blocking bad IPs, but I don't need to know it every 25 seconds. That warning pops up all the time, regardless of what site's I'm visiting, so I really don't need to know that it's doing its thing, so long as it does it.

[swagger]

It's in the works... The developers are in final beta testing right now!

[deny]

If Malwarebytes pop-up prompt with Infection Detected: 88.214.226.32 (or with any other IP address) then any average user will scare and ask what's wrong here? Infection or not?

I think that giving such a warning with Infection Detected without providing any information;s is ridiculous. Probably most adequate will be possible threat from IP address xxx.xxx.xxx..xxx detected. IP address is on black list because of ... but Infection detected (in this situation false positive) does not make any sense.

After more than 1 month nothing has been changed at all. IP address 88.214.226.32 is still blocked.

It will be good that we have option to disable IP protection permanently. Right now is annoying that we must to disable IP protection each time by restarting system!?

I still do not like IP protection option and would like to disable it permanently. Please give us option for it.

[yardbird]

@ deny

quote from AdvancedSetup:

Registry Switches for Controlling IP-Blocking in MBAM 1.41

Create the indicated registry value (labeled as key | value) with the indicated data and reboot to enforce the policies below. All of the values are of type DWORD. In order to create a registry value, open the Registry Editor (Start -> Run -> regedit), navigate to the key listed, and then right-click in the right-hand panel and choose New -> DWORD.

1) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | silentipmode

Description: With a DWORD value of 1, the protection module will block and log IPs silently.

2) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | startipdisabled

Description: With a DWORD value of 1, IP blocking will start disabled on reboot, although it can be enabled subsequently.

3) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | disableipblocking

Description: With a DWORD value of 1, IP blocking will be permanently disabled (cannot be toggled).

http://www.malwarebytes.org/forums/index.p...st&p=107310

[deny]

@ deny

quote from AdvancedSetup:

Registry Switches for Controlling IP-Blocking in MBAM 1.41

Create the indicated registry value (labeled as key | value) with the indicated data and reboot to enforce the policies below. All of the values are of type DWORD. In order to create a registry value, open the Registry Editor (Start -> Run -> regedit), navigate to the key listed, and then right-click in the right-hand panel and choose New -> DWORD.

1) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | silentipmode

Description: With a DWORD value of 1, the protection module will block and log IPs silently.

2) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | startipdisabled

Description: With a DWORD value of 1, IP blocking will start disabled on reboot, although it can be enabled subsequently.

3) HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware | disableipblocking

Description: With a DWORD value of 1, IP blocking will be permanently disabled (cannot be toggled).

http://www.malwarebytes.org/forums/index.p...st&p=107310

Thanks for help but...

Instead of giving us options with new version where you as developer can implement what i have asked, malwarebytes teams give us options to play self with registry.

It is difficult to understand such a behaviour for myself and probably many others.

[exile360]

I'm not one of the developers so I can't speak for them, but I would speculate that they made these options available out of demand by users such as yourself and had they taken the time to rewrite the code for the GUI of the application to include the options it would've taken much longer for its release which would mean users such as yourself would've had to wait much longer before having the ability to modify the behavior of the IP Protection. I've no doubt that these options will likely become available in the applications interface in a later version.

[Firefox]

Just to add what exile360 stated:

It is a common practice for developers to make quick fixes due to demand from users as quick registry modifications like what the team in Malwarebytes did.

All software developers that I deal with make these sorts of fixes. They are quick and most likely fix the issues at hand, and it allows them to come up with the fixes almost immediately. Then the fix comes out on the new release at a later time.

anyway just my 2 cents worth.....

[deny]

Just to add what exile360 stated:

It is a common practice for developers to make quick fixes due to demand from users as quick registry modifications like what the team in Malwarebytes did.

Sure. It is a common practice in first days after new release but it is difficult to understand why is quick fix given to us after a couple weeks? It was more than enough time for developers to implement such a option within program instead of giving us option to play it with registry?

All software developers that I deal with make these sorts of fixes. They are quick and most likely fix the issues at hand, and it allows them to come up with the fixes almost immediately. Then the fix comes out on the new release at a later time.

anyway just my 2 cents worth.....

You have right Firefox but "the new release at a later time" seems to be very late here. Since implementing of IP protection there are two new builds of Malware's released.

[swagger]

Not to play defense here, but the IP protection feature was brand new in 1.40... They may not have had any core coding that would quick fix the problem. And they beta tested the new version for about a week or two to ensure it fixed the false positives bug and that the new registry quick fixes worked properly.

[exile360]

To add, rewriting the GUI, and including the complete translations for the new entries for all of the available languages that MBAM supports would take much longer than a few weeks. It would likely take months.

[Bagby]

I think there's more than that to be done. Much more.

Here in the USA, we've saddled ourselves with this evil thing called a "no-fly list". Nobody knows who is responsible for this list, or how you get on it, nor how you can get off it, or who you can sue for being put on it by mistake. The list has included young (like, too young to walk) children, politicians, and many completely innocent people. But if you're on this list, you're not allowed to board an airplane. And you can't get off the list.

MAMB hos this secret no-fly list equivalent in their IP blocker. It needs to become completely transparent, with editable whitelists and blacklists, opt-out features and an explanation of why default blacklist sites are there.

Years ago, a misguided organization called "blackhole" was created with the idea of isolating malicious sites. It was extended to email. Unfortunately it wasn't policed adequately, and addresses could be added in direct violation of its stated policies. To some users, "spam" included any email they didn't want now, even if they had signed up for it in the first place. To others, if they had any trouble removing themselves from a list they'd signed up for, well, that was now spam too.

Using that list meant that other members of those lists, who did want that email, found it blocked. Things like job listings from HotJobs (then a viable organization) were being blocked because somebody somewhere was too clueless to figure out how to resign from the list, so decided to report it as spam to get it blocked. The list allowed this. HotJobs had to regularly demonstrate, AGAIN, that they weren't spammers and in the meantime people weren't seeing job listings.

A blocklist is a weapon. If you can get a competitor's site onto the list, they can be badly hurt by it. Sure, you can say you're sorry and take them off of it after enough complaints, but the damage is done and you can't undo it or make it right again. A blocklist can all too easily become an instrument of oppression whether you intended it that way or not.

You need to be terribly careful with a blocklist. You need to make it as open and as transparent as you possibly can, and you need to police it regularly, more often than daily. You need to make absolutely certain that every site on it belongs there, and you need to stand up for your mistakes when you make them instead of hiding behind anonymity. It's a full time job for more than one person, just to manage such a list adequately. Many have tried this and failed miserably.

Anyone can already get most of this blocking functionality in the freeware PeerGuardian2. Anyone who wants it should install that. (I don't recommend it, I think this, like email blacklists, is a dead-end approach and have long ago uninstalled PG2 myself.) Malwarebytes should give this up, not try to go head-to-head with Bluetack/PG2 et al., in their area of specialization, and go back to malware. Malwarebytes doesn't have the time or the people to do this right, and it's better not done at all than done poorly.

Thankfully, there's the registry edit so I can completely disable IP blocking in MAMB, but I think Malwarebytes should pull the IP blocking feature out of all future releases. This isn't their arena and they aren't equipped to compete in it.

[Swandog46]

Don't you think you're being a little melodramatic, Bagby?

Look, let me clear up what I see as a major misconception surrounding IP blocking.

MBAM is not designed to be an all-purpose block-anything-you-want-and-only-the-things-you-want IP filtration system. For that you can use other freeware software that already exists, namely a firewall, or PeerGuardian (like you mentioned). We are an anti-malware solution, and we block IPs that we see serving malware, when our researchers troll the web doing their anti-malware research. We cannot and will not publish the contents of our IP database in plaintext any more than we will publish the rest of our database, because if we did, the malware authors would know exactly whether and how they are being blocked, and would take steps to circumvent it.

There is a pretty easy way to determine whether a site is being blocked -- try to ping or visit it. There is also a readily accessible place to report false positives -- this forum, where as you can see, you can interact directly with the researchers who maintain the database, and discuss why an IP is blocked and whether it might be unblocked. So that addresses the "secrecy"/transparency and the "you can't get off the list" issues.

You don't like the functionality? Fine -- feel free to disable it. We don't recommend it, but it's your prerogative.

We are happy to hear feedback and to continue discussing ways to improve the product. We do so, every day. We try our best to take this feedback into account. On these forums you can interact directly with the people who write Malwarebytes. What other major security vendor offers that?

Certainly there is always room for improvement. But we think proactive, aggressive IP blocking falls squarely within our mandate, and helps keep our users safe. We are sorry if you disagree.

So please don't paint us as some fly-by-night conspiracy operation. Our job is to keep our customers safe on the internet, and we try our best to do that, the best ways we know how.

[whatmeworry?]

Doug, I agree that Bagby's message is at times overly melodramatic, but his likening MBAM's current IP Protection to the U.S.'s infamous "do not fly" list struck me as a useful comparison. Just as all kinds of innocent people have found themselves on the do-not-fly list simply because they have the same name as a suspected terrorist, so all kinds of innocent web sites have been blocked or at the very least maligned by MBAM as being "malicious sites" simply because they have the same IP address as a malicious site or have an IP that falls into a range that includes some malicious sites. In some cases, MBAM's "malicious site" pop-up occurs merely because a web site includes a link to a site whose IP address falls into one of the categories I've just mentioned. This seems to me a terribly misguided policy that may end up doing more harm than good, including to MBAM.

[exile360]

I see your point, but I beg to differ. If you look at the way the IP's are researched and reported to the domains they belong to, they are provided ample time to get rid of the malicious sites that have been proven to be hosting malware, not just malware that MBAM already detects, but constantly morphing malware and new malware that nobody detects. This pushes MBAM in the direction of being, as Swandog stated, proactive, which is the next progressive step for MBAM in my opinion, since all along its strongest trait was it's heuristics which to this day is unmatched as far as I'm concerned. I've seen no other vendor on the web be so successful against new variants of existing threats. The malware writers are catching on to this fact, so now they block MBAM from running completely (have a look in the HijackThis/MalwareRemoval forum if you don't believe me). The next step is to create something that MBAM doesn't detect, which they've also been doing, but MBAM catches up quickly because they keep track of where it comes from. Why not use that knowlege to the users' advantage? If you know where it comes from in the first place, and you know it's the same guys writing the garbage that's trying to kill MBAM and every other security tool that's likely to be able to stop it, if not now, in the near future when someone finds a sample, then why not take the next step and just stop it before anyone running MBAM can become infected by it in the first place? It's a preemptive move in a war that for far to long has been reactionary, that's why the AV's failed and that's why MBAM exists to begin with. AV's never prevented the first people from getting hit by anything, only after enough users got infected would they realize a threat existed and respond by creating definitions. If you know the source of the infections, new or not, detected already or not, then why not simply block the source?

[AdvancedSetup]

There is a mechanism to allow you to visit site X if you want to. Right click over the MBAM icon and un-check the IP Protection wait a second and then reload the page or application to visit that IP. Very easy, very quick for the more advanced users that want to, yet it still protects the new computer user that might not have as much knowledge and is simply wanting to be protected.

Having both a temporary and permanent disable feature allow YOU to decide how you want to use the feature.

[Firefox]

Well I can see his point, but I for one prefer to have it enabled. I sure don't want to be searching the web and get hit by a fly by download that may have been on that page. Far as I am concerned, if the page gets blocked, I shouldn't have been then in the first place probably. And if I know its really a safe site, I can always temporary disable the feature.

[whatmeworry?]

There is a mechanism to allow you to visit site X if you want to. Right click over the MBAM icon and un-check the IP Protection wait a second and then reload the page or application to visit that IP. Very easy, very quick for the more advanced users that want to, yet it still protects the new computer user that might not have as much knowledge and is simply wanting to be protected.

Having both a temporary and permanent disable feature allow YOU to decide how you want to use the feature.

Thanks, Ron, for your response. I'm aware of this feature, and I've been using it a lot. That's part of what upsets me--that so many harmless, innocent web sites are being blocked and/or unjustly accused of being "malicious." The fact that I can get around MBAM's erroneous accusations by continually turning the IP Protection off and on doesn't seem to me a satisfactory solution for two reasons. One is that it's a bother to be continually having to do this; an exclusions list like the one MBAM permits for malware scans would be much better. The other reason is that I hate to see so many harmless sites unjustly accused of being malicious. Such accusations reflect badly on MBAM, I think. Since I really like MBAM and want to see it do well, I don't want to see it do something that I fear is counterproductive.

[exile360]

If you find a false positive with the IP Protection please refer to this post: IP Blocking False Positives and post the info here: False Positives. They get corrected very quickly.