
Outbound Connection Blocked



Hi,

Hopefully this is an easy question for the Malwarebytes experts. 

I am running Malwarebytes Premium version 3.3.1 on my Windows 7 box. I've noticed when surfing on some websites, yahoo.com for example, I will receive a Malwarebytes pop-up in the lower right corner advising of an outbound connection attempt which was blocked. The most recent example of this happened just before composing this forum question. I was in my Yahoo mail account (yes, I still have a Yahoo mail account) with Yahoo's homepage still in the background. I was reading an e-mail when the notification popped up in the lower right corner. It said an outbound connection attempt was blocked (or something to that nature). I went in to review the MB protection logs and it tells me that the Category is Unknown, Domain was verification.mytbar.com, it listed an IP address and the type was Outbound. It also listed the file and gave the path to the chrome.exe file location. I was using the Chrome browser at the time. I've seen this behavior before in the past and usually perform a thorough scan using several malware and anti-virus tools to see if anything is detected. I've never found anything. Today I ran the URL through Zulu to see what it's rated at. The URL came back as benign.

What I would like to know is exactly what is the process that MB is performing here? Is MB protecting me from a possible "re-direct" to the site verification.mytbar.com, which it sees as malicious and blocks? Would this behavior be linked to a malvertisement on the webpage I'm visiting (Yahoo in this case)? I can just have a webpage open for a period of time, and one of these messages will pop up. I believe it to be something embedded in the page which triggers the event. An advertisement of such, maybe one that updates and changes periodically, which is why the event only happens at certain times and not others. I'm not running any add-ons, and I've got Java deactivated on the browser. Can you please explain the behavior of MB that I'm seeing? A better understanding of the application will help me understand the situation at hand.

Thank you for your time.


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Thank you for the automated reply.  I'm not looking for troubleshooting help at this time.  I just wanted to find out a little bit more of the process behind the scenario I described and the behavior of MB in the process.  Maybe I can make it a little bit easier to follow what I'm looking for.  Let me break it down this way for a better understanding.

1.  When I visit a website, sometimes MB will fire off a message at the lower right corner of the page saying that it blocked an Outbound Connection attempt.  This may happen immediately once I arrive on a page, or after a period of time.  It can vary.

2.  Is this event triggered by something embedded on the page, such as an advertisement?

3.  In the protection log, the event appears as a Website Blocked event.  The log further describes the Category which is always Unknown, the domain, IP address, port, and the location of the file responsible.

4.  The responsible file is always the browser's executable file, i.e. chrome.exe.

5.  What I am figuring is that there is something embedded in the page that is triggering the event such as an advertisement.  MB may see this trigger as potentially malicious activity based on information it may have on the source, i.e. a list of potentially dangerous IPs or domains etc. Hence the reason it blocks it.

6.  Nothing seems to become of this.  Nothing is ever found when scanned with the latest adware, malware, and virus scanning tools including MB with rootkit scanning enabled.

So my question is whether my understanding of the situation is correct.  That MB is blocking the attempt based on the information I described above.  If not, can you enlighten me?

17 minutes ago, becomer said:

So my question is whether my understanding of the situation is correct.  That MB is blocking the attempt based on the information I described above.  If not, can you enlighten me?

#5 is correct.  It also can be from an add-on in the browser.

I personally add uBlock Origin to my browser and it blocks it before MB even sees it.


Thank you Porthos for the information.  So what you're saying is what I expected.  The issue has nothing to do with something malicious on my system, but rather on the webpage I'm visiting. Hence the reason nothing is found when I scan afterwards.  MB is being proactive and stopping whatever malicious activity is embedded in the page before it can do what it's intended to do. I used to run an ad blocker, until I found out that many ad blockers collect personal information and store it on their servers without the users' knowledge or authorization.


46 minutes ago, becomer said:

uBlock Origin has been working great!  I've been putting it to the test on sites I've known to see the aforementioned behavior, and haven't seen one blocked redirect attempt being made.  Good stuff thus far!

I am glad my suggestion is working for you. :)


Hi ephyfe, 

I've experienced the same thing which is why you found my post.  After doing a bunch of research, I've come to understand the process a lot better.  I have found in my case that it had nothing to do with my system, but rather something embedded on the pages I visited, most likely the ads.  It was random a lot of the time because the ads changed quite a bit from page to page.  Some even changing with each page refresh and time intervals.  I would park on a page and watch the ad change after a certain period of time.  Like the ad on the scoreboard at a baseball game just for reference.  Over time the ad would change and that was all it took for MB to fire off a message stating it blocked an attempt to redirect.  MB was protecting me from being diverted to a potential malicious site.  Unfortunately web-masters don't always catch when a malicious ad is placed on their webpage.  From what I've read, it's most likely because the advertiser modified the original ad after it was originally posted.  Until it's caught, it will remain there.  Again, just what I've learned.  MB knows this behavior because it uses a "blacklist" of potentially harmful IPs and websites to avoid.  So it's doing its job. In my experience with Yahoo, they need to be contacted and alerted to potentially harmful content on their page.

I can't say for sure that you have nothing to worry about with your system, because I don't know anything about it. But I do know mine.  And before I knew how the operation worked, I was reformatting my computer each time MB was flagging a redirect attempt even though scans with all the latest malware and virus detection software out there found nothing.  It was peace of mind for me.  I have clean system images so the chore wasn't really too much of a big deal.  So that's how I know there was nothing on my system causing this behavior.

Last night I tried uBlock Origin out for the first time.  I went back to all the pages that flagged a MB response in the past.  Not one redirect occurred.  Not one MB prompt was fired off. That's because uBlock Origin was blocking most of the ads on the page from loading, so there were no chances of any malvertisements (malicious ads) acting rowdy while I was on the page.  I went all over Yahoo's page and found no ill behavior.  I even tried it on other pages as well.  Anywhere I ever got a page redirect prompt from MB, I went. If you have nothing to lose, I'd advise you to try it.  You could even use the process of elimination method.  Scan your system and make sure it's clean.  Then go onto Yahoo's page and see if MB fires off a warning.  If it does, close the page and rescan your system. If nothing is found, go get the uBlock Origin add-on for MS Edge and install it.  Repeat the process by going back to the same Yahoo page as before and see if the same behavior occurs.  For me, it did not.  And I used right out of the block setting with uBlock Origin during my test.  And I haven't had another occurrence since.  And I always did with Yahoo before.  I hope this helps.