smooi

Bad signature??


We're getting buried with what appear to be false-positive alerts on the web protection... blocking Microsoft and Google IPs and many others.


We are having this problem too; it started after a sig. update at 7:45 am Pacific. Even internal 172.20 addresses are being blocked.


Having the same problem on my network as well, getting thousands of alerts every few minutes. This has to be a bad signature.


Just confirmed this is a bad signature. Booted up my laptop that hadn't been updated and everything worked fine. Then updated Malwarebytes and the issue came up.

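The symptoms reported above (web protection suddenly blocking internal 172.20 addresses, thousands of alerts in a few minutes across many endpoints) are the classic fingerprint of a bad-signature storm rather than a real outbreak. The following triage script is an added example, not code from this thread or from Malwarebytes: it assumes a simple CSV export of web-block alerts (`timestamp,endpoint,destination_ip,action`), works over constructed sample records embedded inline, and flags a suspected bad signature when the blocked destinations include RFC 1918, loopback or link-local addresses, or when the alert rate across several endpoints exceeds a threshold. Adapt `parse_alerts()` to whatever your console actually exports.

```python
"""Triage a burst of web-protection alerts for signs of a bad signature.

Added example; the alert format and the sample data are constructed, not a
real product export. Two signals are checked:
  1. blocks of internal destinations (RFC 1918, loopback, link-local), which a
     'malicious website' block should essentially never produce;
  2. an alert storm: many blocks in a short window across several endpoints.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Ranges treated as internal. Listed explicitly instead of using
# ip.is_private, because Python also counts the TEST-NET documentation
# ranges (203.0.113.0/24 etc.) used in the sample as "private".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample alerts (assumed layout: timestamp,endpoint,destination_ip,action).
# External destinations use RFC 5737 documentation addresses, not real hosts.
SAMPLE_ALERTS = """\
2024-01-15T07:45:10,WS-101,172.20.4.15,blocked
2024-01-15T07:45:12,WS-101,203.0.113.5,blocked
2024-01-15T07:45:15,WS-102,172.20.4.15,blocked
2024-01-15T07:45:20,WS-102,198.51.100.7,blocked
2024-01-15T07:45:31,WS-103,10.0.0.1,blocked
2024-01-15T07:45:40,WS-103,203.0.113.5,blocked
2024-01-15T07:46:02,WS-104,203.0.113.9,blocked
2024-01-15T07:46:30,WS-101,192.168.1.20,blocked
2024-01-15T07:47:05,WS-105,203.0.113.5,blocked
2024-01-15T07:58:00,WS-106,198.51.100.7,blocked
2024-01-15T08:10:00,WS-101,203.0.113.5,blocked
"""


def parse_alerts(text):
    """Parse the CSV export into (time, endpoint, ip) tuples, keeping only blocks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, endpoint, dest, action = line.split(",")
        if action != "blocked":
            continue
        records.append((datetime.fromisoformat(ts), endpoint,
                        ipaddress.ip_address(dest)))
    return records


def is_internal(ip):
    """True if the destination falls in an internal range a web block should not hit."""
    return any(ip in net for net in INTERNAL_NETS)


def peak_in_window(times, window):
    """Largest number of alerts falling inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # drop alerts that fell out of the window
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(records, window=timedelta(minutes=5), storm_threshold=1000):
    """Summarise the alerts and decide whether a bad signature is the likely cause."""
    endpoints = {ep for _, ep, _ in records}
    internal = [r for r in records if is_internal(r[2])]
    peak = peak_in_window([t for t, _, _ in records], window)
    top = Counter(str(ip) for _, _, ip in records).most_common(3)
    reasons = []
    if internal:
        reasons.append(f"{len(internal)} blocks of internal destinations "
                       f"(e.g. {internal[0][2]})")
    if peak >= storm_threshold and len(endpoints) >= 3:
        reasons.append(f"{peak} blocks within {window} across {len(endpoints)} endpoints")
    return {
        "total": len(records),
        "endpoints": len(endpoints),
        "internal_blocks": len(internal),
        "peak_in_window": peak,
        "top_destinations": top,
        "reasons": reasons,
        "suspected_bad_signature": bool(reasons),
    }


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data the internal-destination rule fires on its own (four blocks of 172.20.x, 10.x and 192.168.x addresses), which is what a console full of RFC 1918 "malicious website" blocks should trigger before anyone starts chasing an outbreak. The storm threshold is deliberately high by default and meant to be tuned to a site's normal daily block count; lower it (or raise the window) to match the volumes a console usually shows.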

Please disable the Web Protection Module; this looks like it may be the module at fault. Let us know if this helps on the affected policies.

Our research teams are working on this furiously for a resolution we should have soon.


To clarify, for us corporate users: how is this done?

Do we uncheck "Start malicious website blocking when protection module starts" in the policy, or do we need to go to every machine and do this individually?


We're getting clobbered by this as well this morning. Confirming it appears to have started with the .07 update, which pushed live around 7:45 am PT. I've updated multiple times over the last few hours to see if the latest resolves this, but no luck. I'm on .12 now.

Tried adding exclusions for the affected IPs for Google just to cut down on the volume. The admin panel says I have roughly 20,000 detections so far this morning.

I'm also getting memory exhaustion alerts from several machines this is running on. Not to mention the few users who were trying to work this morning all got freaked out.

Confirming I have switched off the "Start malicious website blocking when protection module starts" setting in the latest policy version and pushed it out to all online clients. Doesn't this require a restart of the Malwarebytes client or service to take effect, though?


Confirming that the latest signatures pushed out (.12), switching off "Start malicious website blocking when protection module starts", and updating the policy appear to have quieted things down on our end. Only getting alerts from machines that are still scanning from the initial outbreak of this and don't appear to be updating while those scans are still running.

KDawg, will you post when things are fully resolved and we can switch the "Start malicious website blocking when protection module starts" setting back on?

Thank you!


Yes, thanks a lot for updating us R2, this helps us tremendously.

There will be a follow-up to this incident.


KDawg, I'm having issues with clients talking with my manager now. It says they are offline. Altiris will not communicate and web access is down. Suggestions?


With the memory leak, endpoints may need to be restarted to accept policy changes and the updated DB.


Understood, and thank you. Once they have rebooted, I assume that I can turn off the policy against the malicious web that you suggested, or is that still a threat?

Edited by snorris


As I'm digging into the data a bit more, I thought this part was perhaps also worth noting.

Those machines we've switched over to the newer cloud-hosted MB service did not appear to have had this issue with the false-positive website-blocked detections. It was only those running the on-premises server-hosted version that picked up the bad signatures and got hammered.

What is interesting is that a number of the cloud-protected endpoints did send out memory exhaustion alerts that I didn't see from the on-premises-protected endpoints. But the cloud admin portal does not show any detections for today, and the on-prem one shows almost 21,000 now.


We saw this FP on certain DB versions in both products. The latest database version of each does resolve the issue.
