SpacePickle

False Positive? Not part of .LINK gTLD BUT tagged as such by MB.


I understand that MB is now blocking gTLD  ".link", however MB is blocking websites and marking them as belonging to the "app.link" domain when in fact I cannot find the correlation anywhere.

The site Break.com loads various background content from various Amazon-owned servers that are registered to the Cloudfront.net domain. These IP addresses are getting flagged by MB and tagged with the .link domain even though, if I do a reverse lookup on these IPs, they all resolve to Cloudfront with a .net TLD. Doing a WHOIS shows the same info as well as the registered owner belonging to Amazon. It's not just this one IP but random IPs belonging to the same network and domain of Cloudfront.net.

My DNS resolver cache also shows no records for the .link domain and also shows these IP addresses as resolved from the cloudfront.net DNS domain name.

Below the MB logs show the same for all these IP addresses belonging to app.link, the example below pertaining to 54.192.143.25

So my question: HOW is MB associating these IP addresses with the "APP.LINK" domain when I cannot find any correlation anywhere on my system nor via reverse DNS lookup? Is this legit on MB's part? Thank you kindly for some more information in case I am missing something here.

LOG START-----------------------------------------------------------------------------------
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/30/17
Protection Event Time: 9:05 PM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2693
License: Premium

-System Information-
OS: Windows 10 (Build 14393.1593)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain: app.link
IP Address: 54.192.143.25
Port: [51740]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

LOG END-----------------------------------------------------------------------------------------

Respectfully, that is not an answer to the question!! C'mon, please read the actual post.

THOSE IP ADDRESSES ARE NOT REGISTERED TO A .LINK DOMAIN

54.192.143.25, which is getting blocked, has a registered DNS name of server-54-192-143-25.sfo5.r.cloudfront.net

PLEASE EXPLAIN WHY it is getting flagged as a .LINK DOMAIN!!!

Hope the caps made the actual question I asked more visible to you. Thank you.


According to the log you posted the block is on app[.]link which is due to our *.link block, we are not blocking the IP.

If you have a different log showing a block on a different domain/IP then please post it so we can have a look. 

8 minutes ago, Zynthesist said:

According to the log you posted the block is on app[.]link which is due to our *.link block, we are not blocking the IP.

If you have a different log showing a block on a different domain/IP then please post it so we can have a look. 

The IP getting blocked in the log is 54.192.143.25 and resolves to server-54-192-143-25.sfo5.r.cloudfront.net by a ping -a reverse DNS lookup.

ping -a 54.192.143.25

Pinging server-54-192-143-25.sfo5.r.cloudfront.net [54.192.143.25] with 32 bytes of data:
Reply from 54.192.143.25: bytes=32 time=15ms TTL=246
Reply from 54.192.143.25: bytes=32 time=17ms TTL=246
Reply from 54.192.143.25: bytes=32 time=16ms TTL=246
Reply from 54.192.143.25: bytes=32 time=11ms TTL=246

It is registered to .net, not .link. Am I misunderstanding? Where is MB finding a DNS entry for this IP address with a registered gTLD in the .link registry, specifically in the app.link subdomain? That is what I do not understand and you have not answered. As I can see from the log info below, under Domain: it should read "cloudfront.net", not "app.link". Hope my question makes more sense to you now that I've explained it further.

-Website Data-
Domain: app.link
IP Address: 54.192.143.25
Port: [51740]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe


The IP shown in your log is not being blocked. There is no IP block. The block is occurring on app.link due to our block on *.link

The IP you listed hosts thousands of *app.link sites on it and thousands of other sites as well. We are not blocking the IP or server-54-192-143-25.sfo5.r.cloudfront[.]net

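The point the two replies above keep making is worth seeing in code: a web-protection rule keyed on the hostname the browser asked for (app.link, matched by a *.link rule) fires regardless of which IP that hostname resolves to, and a reverse lookup of a CDN edge IP returns the edge node's own PTR name, which says nothing about which of the many co-hosted hostnames was requested. The following is an added example, not code from the thread or from Malwarebytes: it parses the "-Website Data-" block quoted above, applies a hypothetical gTLD blocklist, and uses constructed forward and PTR records so it runs offline (the PTR name is the one quoted in the thread; the co-hosted hostnames are invented).

```python
"""Added example: hostname-keyed (gTLD) web block vs. reverse-DNS evidence.

Not from the forum thread or the Malwarebytes product. The blocklists and
DNS records below are constructed inline so the script runs offline.
"""
import re

# Constructed: a wildcard gTLD blocklist of the kind the staff reply describes.
BLOCKED_TLDS = {"link", "science"}
# Constructed: an empty IP blocklist, to make "there is no IP block" explicit.
BLOCKED_IPS = set()

# Constructed forward (A) records. One CDN edge IP serves many unrelated
# hostnames; only the hostname is meaningful to a hostname-keyed filter.
FORWARD = {
    "app.link": "54.192.143.25",
    "cdn.example-news.com": "54.192.143.25",  # hypothetical co-hosted site
    "static.break.com": "54.192.143.25",      # hypothetical co-hosted site
}
# Constructed PTR record; the name is the one 'ping -a' returned in the thread.
PTR = {"54.192.143.25": "server-54-192-143-25.sfo5.r.cloudfront.net"}

# Constructed copy of the '-Website Data-' block quoted in the thread.
SAMPLE_LOG = """-Website Data-
Domain: app.link
IP Address: 54.192.143.25
Port: [51740]
Type: Outbound
File: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
"""

WEBSITE_DATA_RE = re.compile(
    r"^(?P<key>Domain|IP Address|Port|Type|File):\s*(?P<val>.+)$", re.M
)


def parse_website_data(log_text):
    """Extract the key/value pairs of a Malwarebytes '-Website Data-' block."""
    return {m.group("key"): m.group("val").strip()
            for m in WEBSITE_DATA_RE.finditer(log_text)}


def registered_tld(hostname):
    """Right-most label of a hostname, e.g. 'app.link' -> 'link'."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def block_decision(domain, ip):
    """Decide as a hostname-keyed filter would: (blocked, rule_that_fired).

    The hostname rule is checked first and does not consult the IP at all;
    the IP list is consulted only when no hostname rule matches.
    """
    if domain and registered_tld(domain) in BLOCKED_TLDS:
        return True, f"gTLD rule *.{registered_tld(domain)}"
    if ip in BLOCKED_IPS:
        return True, f"IP rule {ip}"
    return False, None


def hostnames_sharing_ip(ip):
    """Every hostname whose A record points at this edge IP (from FORWARD)."""
    return sorted(h for h, a in FORWARD.items() if a == ip)


def explain_log_entry(log_text):
    """Tie the three checks together for one log block."""
    data = parse_website_data(log_text)
    blocked, rule = block_decision(data["Domain"], data["IP Address"])
    return {
        "requested_hostname": data["Domain"],
        "edge_ip": data["IP Address"],
        "blocked": blocked,
        "rule": rule,
        # What 'ping -a' shows: the edge node's PTR, a .net name, never blocked.
        "ptr_of_ip": PTR.get(data["IP Address"]),
        "ptr_blocked": block_decision(PTR.get(data["IP Address"], ""),
                                      data["IP Address"])[0],
        "other_hosts_on_same_ip": hostnames_sharing_ip(data["IP Address"]),
    }


if __name__ == "__main__":
    for k, v in explain_log_entry(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Running it shows the entry blocked by "gTLD rule *.link", the PTR name not blocked, and two other hostnames on the same IP that would load unblocked; that is the whole gap between "the IP is being blocked" and "a request for app.link was blocked".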

OK Zynthesist, we get it -- MB has decided to block all *.link URLs. Repeating that over and over again without answering the customer's question is not good business nor is it a valid technical answer.

Questions for you:

1) When will this block of an entire gTLD be lifted by MB?

2) I am getting "outbound" MB warnings about "app.link" -- let's assume that the entire gTLD of *.link is not a problem; how do we know if we have a real problem or this is a false positive? And not just any website --- this pops up when I go to Lifelock.com. So, after paying MB for its product and about $300/year to Lifelock, I don't know if my financial records are at risk or if someone blocked an entire gTLD. Any ideas which it might be?


3) I am amazed that MB has decided to block an entire gTLD. That's like saying many of the *.com sites are a problem, so let's just block all *.com sites, like malwarebytes.com as an example.

4) Is it only Malwarebytes that is blocking an entire gTLD, and if so which of your competitors' products would be your recommended alternative? This is a serious question; MB has - for reasons you have not explained - blocked an entire gTLD and as a customer I need to explore other options that don't take a "shotgun" approach to this as yet unexplained problem or concern that apparently only Malwarebytes.com has.


Those are advertisements being blocked. Many ads carry malicious scripts that can infect a system. I personally don't see those unless I turn off uBlock in my Firefox.

They can also be caused by an add-on in Chrome or Firefox. 


Porthos -- a much better answer than Malware Intelligence Analyst Andres Ortiz provided; probably because you read the question and understood what was being asked. While answers like yours should come from the company we're paying, Malwarebytes, do you happen to know what add-ons to Chrome (either specific ones, or an answer along the lines of "they all seem to be related to add-ons from <insert name of software publisher or company>, or they seem to do with scanning software or free disk utilities or...")? You get the idea -- some general guidance that we can use as a starting point.

I was a big advocate of Malwarebytes when it first came out; more answers like those from Malware Intelligence Analyst Andres Ortiz, and it may be wise to start looking at alternatives. Do you have any other malware detection programs you or your customers have had better luck with, better support, etc.?

Thanks.

3 minutes ago, NotDeadYet said:

Do you have any other malware detection programs you or your customers have had better luck with, better support, etc.?

I have been using Malwarebytes since before it was Malwarebytes. I have 8 years of happy clients on MB. I don't work for the company but I support them because my clients and I have never been failed by it.

I am sorry you feel the way you do. And it is your decision to install anything you want and I respect that.


I don't understand why block an entire gTLD.

I understand (in part) when you block an IP due to a malware file or link, or also a shared IP when the percentage of bad sites is bigger than innocent sites.

But block a gTLD? Domains using this can be at different IPs, different servers, not related to one another, and not even at real risk of being infected by bad sites (if they are at different servers).


leo3487 --

I don't understand that either... but apparently all Malware Intelligence Analyst Andres Ortiz, Malwarebytes Staff, can do is reply over and over again that Malwarebytes isn't blocking any specific IP address but "only" the "*.link" gTLD.

Sort of like saying Malwarebytes is "only" blocking internet traffic from Europe and Asia to minimize the number of ads people see.

Malware Intelligence Analyst Andres Ortiz, Malwarebytes Staff: can we get a reply from Andres's first line supervisor for a clearer explanation of this issue, as well as any training, coaching and counseling planned for Andres in order to improve his reading comprehension skills and overall customer interaction skills? Can we also get an explanation from the top level manager of the Malwarebytes support organization explaining why and when a gTLD is deemed "unsafe" by Malwarebytes?

This would be like Norton blocking all *.com URLs because Malwarebytes.com was sending out too many ads to buy their product, or Microsoft blacklisting Malwarebytes.com for "suspicious activity of an unknown nature".

Before retiring, I did technical support since 1970 -- yes, the earth was still cooling, the dinosaurs roamed the land, and Pluto was both a Disney character and a planet in our solar system. Our focus was on product that worked, answers that made sense, and not considering a new GUI a major improvement to help our "brand".

Remember -- we pay for this stuff; they work for us.

Andres' manager may want to take him off-line for a while to protect the Malwarebytes brand.

Bottom line - on a scale of 1 to 5, Andres' answer is as far below zero as the numbering system goes.

12 hours ago, Porthos said:

I have been using Malwarebytes since before it was Malwarebytes. I have 8 years of happy clients on MB. I don't work for the company but I support them because my clients and I have never been failed by it.

I am sorry you feel the way you do. And it is your decision to install anything you want and I respect that.

Porthos -

I feel sorry for Malwarebytes -- I actively worked to move my customers from other products to Malwarebytes when it first appeared as a product (and in combination with the earlier versions of ESET my customers left the shop problem free).

My issue is that "support experts" aren't reading the questions we paying customers submit. Your shop's reputation is at stake as well -- what if your customers read the back and forth non-answer provided by Malware Intelligence Analyst Andres Ortiz, Malwarebytes Staff and walked back into your place of business with the "WTF?" look on their face?

The other beef I have is when a company sells you a product or service and says "ask the community" for help, which is another way of saying "we need to reduce support costs, you're on your own -- ask others who have no clue what the real problem is."

I'm sticking with MB; again, it's good. But Malware Intelligence Analyst Andres Ortiz, Malwarebytes Staff should demand better training from management before the next performance appraisal. I really suspect the issues are "reading comprehension" and "customer facing skills".

When I managed a development team, any engineer who found a problem (not in their own code, but some other part of the application) was given $1,000 plus a tax adder. Much cheaper to solve it in the engineering group than all of the costs - most of them impossible to track - if the bug got out. Zero hope of ever quantifying lost revenue and customer dissatisfaction. Always easier to keep a happy customer.


The block was placed on the .link gTLD due to the sheer volume of malicious domains (vs non-malicious), just as we do with other gTLDs (e.g. .science).

For reference:

This topic is now closed to further replies.