Jump to content

IP Protection - Suggestions

secret365

By secret365
in Malwarebytes for Windows

 Share

Recommended Posts

whatmeworry?

whatmeworry?

Posted
Posted
If you know the source of the infections, new or not, detected already or not, then why not simply block the source?

You make a lot of good points. However, the problem with blocking the source is that often the same source apparently hosts many perfectly innocent, harmless sites as well. I'd like to see MBAM acknowledge and provide for this rather than simply branding these sites as "malicious." The creation of an exclusions list like the one MBAM makes available for malware scans would be a tacit acknowledgement that not all the sites MBAM flags are necessarily malicious. An exclusions list would also give users a more satisfactory way to deal with innocent sites than having to be continually turning IP Protection off and on.

Link to post
Share on other sites
  • Replies 132
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

exile360

exile360

Posted
Posted

The issue of blocking good sites hosted on mostly malicious domains has been addressed many times. It's not up to MBAM to police the domains, only to protect its users. If the hosting companies would respond to abuse reports of malicious and criminal activities taking place on sites they host then this would not be an issue. MysteryFCM (aka Steven Burn) who handles the database for malicious IP's as well as HPHosts always contacts the provider first to try to get the malicious sites shut down. When they don't listen or don't respond, what are we supposed to do? Just ignore it?

Again, you speak of innocent sites being blocked. The only time I saw this happen was with Windows XP and was due to a known bug that was fixed in 1.41. If you know for certain it is an FP then simply report it in the FP forum that I posted a link to and Steven will correct it, that's his job and he's here all the time checking that forum.

If it's an issue of shared IP's where a malicious site shares an IP with a safe one, then why doesn't the owner of the safe site consider that perhaps they may have picked the wrong hosting company if they're on the same block as known malware? I wouldn't want to pose a threat to my visitors if I had a site simply because my web site shared the same IP as one hosting rootkits, trojans, rogues, malicious scripts and drive-by downloads. Perhaps Malwarebytes' isn't doing what every customer wants and perhaps you see it as not being in your best interest, but what about the sites or the hosting providers who are willing to risk your PC's safety and expose you to potential identity theft simply to make a buck or save a buck?

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted
please add a exclusion list!!!, its must be a high priority! most security software has this option to exclude!

What other software is doing the exact same thing we're doing? I'm not ware of any other software that is doing the same type of targeted IP threat blocking.

You say it is a must, so please explain in detail why it's a must.

I used to agree that we should have an exclusion list but that was because there were no other options. Now that there are other options I no longer feel that there needs to be an exclusion list. It's just too easy to turn off temporarily if you want to visit a site that is on the blocked list for what ever reason. If you really visit and stay on sites that keep getting blocked then you're visiting sites that are designed to infect you. Once in a while yes a site from an ad or something may popup a block, but if you're constantly getting them then you're either running Peer2Peer software (another excellent way to get infected) or Warez or similar. If you know or are confident that a site you want to visit should not be blocked then submit a False Positive report and we'll check it out and if you're correct we'll remove it from the list. If you really just don't like it blocking so often then just turn it off permanently as it's a new feature and obviously one that you don't care for because it appears to put a damper on your browsing.

I do visit sites from time to time looking for Malware and I have to turn off the blocker to do so. Then when I'm done I simply turn it back on.

Link to post
Share on other sites
MikeW

MikeW

Posted
Posted
Doug, I agree that Bagby's message is at times overly melodramatic, but his likening MBAM's current IP Protection to the U.S.'s infamous "do not fly" list struck me as a useful comparison. Just as all kinds of innocent people have found themselves on the do-not-fly list simply because they have the same name as a suspected terrorist, so all kinds of innocent web sites have been blocked or at the very least maligned by MBAM as being "malicious sites" simply because they have the same IP address as a malicious site or have an IP that falls into a range that includes some malicious sites. In some cases, MBAM's "malicious site" pop-up occurs merely because a web site includes a link to a site whose IP address falls into one of the categories I've just mentioned. This seems to me a terribly misguided policy that may end up doing more harm than good, including to MBAM.

I totally agree. At the very least users should be able to turn off IP blocking completely without have to mod the registry.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted
At the very least users should be able to turn off IP blocking completely without have to mod the registry.

Agreed and that is in the works. We simply needed a quick method to allow this while we work on obtaining the proper language strings from all the available languages before we can modify the GUI to allow this. So please be patient and hopefully it will be there within the next version or two.

Thanks.

Link to post
Share on other sites
MikeW

MikeW

Posted
Posted
Agreed and that is in the works. We simply needed a quick method to allow this while we work on obtaining the proper language strings from all the available languages before we can modify the GUI to allow this. So please be patient and hopefully it will be there within the next version or two.

Thanks.

Thanks, good to hear this is in the works

Link to post
Share on other sites
whatmeworry?

whatmeworry?

Posted
Posted
Agreed and [turning off IP blocking completely] is in the works. We simply needed a quick method to allow this while we work on obtaining the proper language strings from all the available languages before we can modify the GUI to allow this. So please be patient and hopefully it will be there within the next version or two.

Ron, why do you support the ability to turn off IP Protection completely but do not support having an exclusion list? An exclusion list would give users the ability to continue IP Protection while still having a hassle-free way to visit innocent sites that for one reason or another MBAM wishes to block? Often MBAM blocks sites because they share an IP number with known malicious sites, or the innocent site's IP number simply falls into a range of IPs known to include malicious sites. But if the only site I visit with that IP is an innocent one, why shouldn't I be able to do so without having to keep turning IP Protection on and off or forego IP Protection completely? An exclusions list would give me flexibility while at the same time protecting me from truly malicious sites.

Link to post
Share on other sites
whatmeworry?

whatmeworry?

Posted
Posted
How can you verify that one site is safe that's normally blocked while another is not? That's why I don't like the idea of whitelisting.

If you read the messages that have been sent to the forum about this issue, you'll see MANY messages asking why sites that people have used frequently or sites that they run are being blocked. MBAM's answer almost always is that the organization that hosts that site also hosts a number of malicious sites with the same IP number or in the same range of IP numbers, so MBAM is blocking them all. Sites that people have used without problems and even sites that they run are being blocked even though not even MBAM is claiming that these sites are malicious.

Most security applications include provision for a whitelist. I tell my firewall and my anti-virus which applications and files to trust. Even MBAM has an ignore list for its malware scans. All I'm asking for is a similar feature for IP Protection, so MBAM can continue to use whatever criteria it deems most appropriate to block websites while permitting users to exempt sites they know and trust.

Link to post
Share on other sites
exile360

exile360

Posted
Posted

Ok, I can understand that. I still don't like the idea of permanent whitelisting though, because ignoring a single instance of a file is very different from ignoring an IP. If I ignore ComboFix with my AV for example, it won't ignore every instance of a file called ComboFix.exe that I encounter, nor will it even ignore an identical file if I download it again 2 seconds later. That's what worries me, however your complaint is legitimate that safe websites are getting caught in the crossfire here, which is most unfortunate.

On the plus side however if you take a look at this thread it appears that because of this side effect and policy to block certain ranges and providers, that some of the hosting companies are finally starting to respond to MysteryFCM's complaints about some of the malicious sites that they host and taking them down. The only time he will block an entire range or provider is in a case where he can get no response when he repeatedly reports abuse and they have large numbers of malicious IP's in their range. In my opinion results like this will make the net a little bit safer, at least for a while, for everyone, not just MBAM's users, but MBAM users are the ones who finally got the attention of the hosting providers.

Link to post
Share on other sites
whatmeworry?

whatmeworry?

Posted
Posted
Ok, I can understand that. I still don't like the idea of permanent whitelisting though, because ignoring a single instance of a file is very different from ignoring an IP. If I ignore ComboFix with my AV for example, it won't ignore every instance of a file called ComboFix.exe that I encounter, nor will it even ignore an identical file if I download it again 2 seconds later. That's what worries me, however your complaint is legitimate that safe websites are getting caught in the crossfire here, which is most unfortunate.

Thanks for your response. I'm not sure I see how what you call "permanent whitelisting" is different from a user's temporarily turning off IP Protection in order to go to a web site he or she trusts. I think you're implying that the site can change, and if a whitelisted site changes, the user can be attacked by the changed site. That's true, but the same thing is true if the user temporarily turns off IP Protection to go to a trusted site and then finds that it has changed. The site can do the same harm whether it is listed on a whitelist or is accessed by temporarily turning off IP Protection. Frankly, though, this scenario seems a little extreme. I have been surfing the web for probably 15 years, and I have never been harmed by any site I have visited (knock on wood :) ). It's true that there are many potential dangers in using the Internet, but one should worry primarily about those that are reasonably likely. If I were to try to protect myself against all possible dangers, I should probably turn off my computer.

On the plus side however if you take a look at this thread it appears that because of this side effect and policy to block certain ranges and providers, that some of the hosting companies are finally starting to respond to MysteryFCM's complaints about some of the malicious sites that they host and taking them down.

I had seen that thread and was struck by the fact that apparently a substantial amount of the information MBAM was using against that hosting company was outdated or incorrect, and that the company, which claimed to keep careful records, had no record of messages from MBAM. Be that as it may, I think hosting companies will be as likely to respond to MysteryFCM's complaints whether or not there is a whitelist option. That option merely makes using IP Protection less of a hassle for MBAM's users and thus means more of us are likely to keep it turned on all the time.

Link to post
Share on other sites
Swandog46

Swandog46

Posted
Posted
I'm not sure I see how what you call "permanent whitelisting" is different from a user's temporarily turning off IP Protection in order to go to a web site he or she trusts. I think you're implying that the site can change, and if a whitelisted site changes, the user can be attacked by the changed site.

It's more than that. When you whitelist an IP permanently, you are whitelisting more than the single domain www.safe.com that resolves to that IP. It might be that your visit to www.safe.com would be perfectly safe, but another domain www.unsafe.com that resolves to the same IP would not be. Since you whitelisted the IP for safe.com permanently, you also whitelisted unsafe.com permanently. If you temporarily disabled IP blocking, went to safe.com, turned IP blocking back on, you would at least know that you would not be affecting blocking of other domains on the same IP.

Link to post
Share on other sites
swagger

swagger

Posted
Posted
Frankly, though, this scenario seems a little extreme. I have been surfing the web for probably 15 years, and I have never been harmed by any site I have visited (knock on wood :) ). It's true that there are many potential dangers in using the Internet, but one should worry primarily about those that are reasonably likely. If I were to try to protect myself against all possible dangers, I should probably turn off my computer.

I had seen that thread and was struck by the fact that apparently a substantial amount of the information MBAM was using against that hosting company was outdated or incorrect, and that the company, which claimed to keep careful records, had no record of messages from MBAM. Be that as it may, I think hosting companies will be as likely to respond to MysteryFCM's complaints whether or not there is a whitelist option. That option merely makes using IP Protection less of a hassle for MBAM's users and thus means more of us are likely to keep it turned on all the time.

Have you heard of drive by downloads? A site that you think is safe can be injected with malicious code and you can become infected just by visiting that website. :/ How likely is it? I don't know the numbers but it is possible. However, I do agree that if you are looking for absolute protection from the internet, you should turn you computer off.

It's more than that. When you whitelist an IP permanently, you are whitelisting more than the single domain www.safe.com that resolves to that IP. It might be that your visit to www.safe.com would be perfectly safe, but another domain www.unsafe.com that resolves to the same IP would not be. Since you whitelisted the IP for safe.com permanently, you also whitelisted unsafe.com permanently. If you temporarily disabled IP blocking, went to safe.com, turned IP blocking back on, you would at least know that you would not be affecting blocking of other domains on the same IP.

To simplify what Swandog said, more than one website can be housed on the same web server and IP address. If you unblock what you think is www.safe.com (which is really 1.1.1.1) and in turn think you are protected from www.unsafe.com (which is also 1.1.1.1) because its a different domain, guess what? You can become infected. Domains are for humans... We can remember names better than we can remember numbers which is what the computer reads... So don't be misguided by just looking at the domain name. What's important is the IP address that domain resolves to.

Link to post
Share on other sites
Firefox

Firefox

Posted
Posted

Drive by downloads are a pain and they exist. I know that for a while www.foxnews.com was infected cause I had some users that, that was the only site they visit, and all of them got hit on the same day. I called foxnews.com and they corrected the issue.

so I say leave it on.....

Link to post
Share on other sites
whatmeworry?

whatmeworry?

Posted
Posted
Drive by downloads are a pain and they exist. I know that for a while www.foxnews.com was infected cause I had some users that, that was the only site they visit, and all of them got hit on the same day. I called foxnews.com and they corrected the issue.

so I say leave it on.....

Firefox, though I appreciate the problem you've mentioned (where a formerly trusted site becomes temporarily infected), having IP Protection on is no guarantee of being protected against such an occurrence if the IP had been OK until then. People can be infected by such an infected site before MBAM learns that the IP has become malicious.

Link to post
Share on other sites
whatmeworry?

whatmeworry?

Posted
Posted

Thanks very much, Doug and Keith, for your helpful responses. I clearly need to understand this issue more fully. I thought that if I whitelist a site, I'd whitelist the name, even though I realize that the DNS server will turn that into an IP number. However, from what you've both said, I gather that I'd have to whitelist an IP number. Is that correct? But even if that's the case, I'm still unsure how that's any more problematic than turning off IP Protection to go to what I think is www.safe.com. In this case too, the DNS server will translate the address I type (www.safe.com) into an IP address.

Also, if www.safe.com shares the same IP number with www.unsafe.com, why is it that I NEVER have been taken to www.unsafe.com when I've asked to go to www.safe.com? And not just me. All the people who have been complaining about not being able to reach certain valued, trusted web sites (www.trustedwebsite.com) have apparently also never had the experience of being taken anywhere but to that site when they've typed in www.trustedwebsite.com.

Thanks in advance for your help with this.

Link to post
Share on other sites
exile360

exile360

Posted
Posted

Yes, unfortunately, that's the limitation of IP based blocking when several sites share the same IP's :) . If it were a hosts file, you could block it simply based on the name of the website and exclude a specific site by name instead of IP. That type of site-specific whitelisting would be fine, but due to the nature of the IP Protection, it doesn't work out that way :) .

Link to post
Share on other sites
MikeW

MikeW

Posted
Posted
Yes, unfortunately, that's the limitation of IP based blocking when several sites share the same IP's :) . If it were a hosts file, you could block it simply based on the name of the website and exclude a specific site by name instead of IP. That type of site-specific whitelisting would be fine, but due to the nature of the IP Protection, it doesn't work out that way :) .

Exactly so, which is why I think IP blocking is the wrong approach. To many safe sites will be blocked erroneously, and if you turn it of to visit the site you are open to the bad sites again. IMHO Host files are a much more flexible way to go.

Each to their own, but I will stick with Mbam without IP blocking and carry on using a good host file.

Link to post
Share on other sites
exile360

exile360

Posted
Posted

Unfortunately in many cases, malware makers swap domain names or have many in clusters that are similar, often sharing IP's to host their malware. Often they'll hack a legitimate site or ad on a legitimate site that will attempt to execute a drive-by or exploit that comes from their own server. If you block the IP address, the threat is blocked. If you only block the domain name, it may not be, as they could've used an alternate. That's the failing of HOSTS files. I admit that HOSTS files come in handy, and I use a rather large one myself, but the IP Protection has its place as a layer of protection as well, at least in my opinion it does.

Link to post
Share on other sites
MikeW

MikeW

Posted
Posted
Unfortunately in many cases, malware makers swap domain names or have many in clusters that are similar, often sharing IP's to host their malware. Often they'll hack a legitimate site or ad on a legitimate site that will attempt to execute a drive-by or exploit that comes from their own server. If you block the IP address, the threat is blocked. If you only block the domain name, it may not be, as they could've used an alternate. That's the failing of HOSTS files. I admit that HOSTS files come in handy, and I use a rather large one myself, but the IP Protection has its place as a layer of protection as well, at least in my opinion it does.

I accept your point. However, just feel that IP blocking is to broadbrush and far to many good sites are being unfairly blocked. Guess this will all end up as user choice, and its good to have the options.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.