MBAMservice.exe is sending data



Suddenly MBAMService.exe (Malwarebytes Service) is sending a lot of data. Using TCPView, I managed to identify where it was sending this data:

 

Domain ID: 197784869_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2016-05-05T23:11:06Z
   Creation Date: 2005-08-18T02:10:45Z
   Registry Expiry Date: 2020-01-16T04:59:59Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: R1.AMAZONAWS.COM
   Name Server: R2.AMAZONAWS.COM
   Name Server: U1.AMAZONAWS.COM
   Name Server: U2.AMAZONAWS.COM
   DNSSEC: unsigned

It's eating all my wireless connection. What is going on? And how can I stop this?

(Malwarebytes version: 3.3.1.2183; Components pack: 1.0.262; Update pack: 1.0.3820)


Sending data to s3-1-w.amazonaws.com (52.216.90.155, 52.216.226.72, 52.216.229.187)

WHAT is this?

I closed the 3 connections that were sending data (MBAMService.exe) with TCPView, but the process restarted a few minutes later.

Edited by Fatcap

I'm using Chrome. After doing some searches on the forums about this amazonaws address, I thought it might be from a corrupted extension or favorite. I have uninstalled Google Chrome and reinstalled it. I will only install the μBlock Origin extension.
I also did a full MBAM scan, as well as an adware scan, with no negative results.


No, I've been a Premium user for 5 years. Never had this strange issue before.

It was not my first scan. I know MBAM sends some data to cloudfront.net when scanning:

   Name Server: NS-1306.AWSDNS-35.ORG
   Name Server: NS-1597.AWSDNS-07.CO.UK
   Name Server: NS-418.AWSDNS-52.COM
   Name Server: NS-666.AWSDNS-19.NET

but this curious data sending was not during a scan.

And when scanning, there's only a small amount of data sent to and received from the cloud.

In any case, I'll watch to see if this strange process comes back.


  • Staff

Got it.

The scanning connections are when we check with our cloud-powered file reputation service (mostly for whitelisting).

The connections not during a scan are telemetry information that we collect to aggregate all user scan activities, mostly to determine when people usually scan, or checks for license validation, etc.

You can actually turn this off from Settings -> Application -> Usage and Threat Statistics.

Hope this helps.

-jong


One more time, today, the MBAM service is sending data to s3-1-w.amazonaws.com:

62706    ec2-54-71-61-169.us-west-2.compute.amazonaws.com    https

62691    s3-1-w.amazonaws.com    https

and it's eating all my bandwidth.

 

It's sending more than 30 MB. Is this normal?

Edited by Fatcap

 

62706    ec2-54-71-61-169.us-west-2.compute.amazonaws.com    https

62691    s3-1-w.amazonaws.com    https

MBAMService.exe    3136    TCP    192.168.1.93    62934    52.216.0.144    443    FIN_WAIT1    2 013    9 297 876    4    51    
MBAMService.exe    3136    TCP    192.168.1.93    62995    52.216.64.184    443    FIN_WAIT1    121    1 267 018    7    3 009    

Can someone help me?

Edited by Fatcap
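As an added example (not from the thread, and not Malwarebytes' own code), a small Python script that parses TCPView export rows like the two posted above, totals bytes sent per process, and flags any single connection whose upload is at or above a threshold, which is the check that answers "is it really uploading more than 30 MB, and to where?". The two MBAMService.exe rows are the ones from the post; the chrome.exe row, its PID, ports and the 203.0.113.5 address are constructed.

```python
"""Rank TCPView export rows by bytes sent, to see which process uploads how much to where."""
import re
from collections import defaultdict

# Sample input: the two MBAMService.exe rows posted in the thread plus one constructed
# chrome.exe row (its PID, ports and the 203.0.113.5 address are made up).
# TCPView "Save As" columns, separated by tabs or runs of spaces: Process, PID, Protocol,
# Local Addr, Local Port, Remote Addr, Remote Port, State, Sent Pkts, Sent Bytes, Rcvd Pkts, Rcvd Bytes.
TCPVIEW_ROWS = """\
MBAMService.exe    3136    TCP    192.168.1.93    62934    52.216.0.144    443    FIN_WAIT1    2 013    9 297 876    4    51
MBAMService.exe    3136    TCP    192.168.1.93    62995    52.216.64.184    443    FIN_WAIT1    121    1 267 018    7    3 009
chrome.exe    4412    TCP    192.168.1.93    63010    203.0.113.5    443    ESTABLISHED    12    4 210    15    88 102
"""
FIELDS = ("process", "pid", "proto", "laddr", "lport", "raddr", "rport", "state",
          "sent_pkts", "sent_bytes", "rcvd_pkts", "rcvd_bytes")
COUNTERS = ("sent_pkts", "sent_bytes", "rcvd_pkts", "rcvd_bytes")

def _num(text):
    """Counters may be thousands-grouped with spaces ('9 297 876') or commas."""
    return int(re.sub(r"[ ,]", "", text))

def parse_rows(text):
    """One dict per well-formed row; lines with the wrong column count are skipped."""
    rows = []
    for line in text.splitlines():
        # split on tabs or 2+ spaces so the single spaces inside grouped numbers survive
        fields = re.split(r"\t+| {2,}", line.strip())
        if len(fields) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, fields))
        for key in COUNTERS:
            row[key] = _num(row[key])
        rows.append(row)
    return rows

def bytes_sent_by_process(rows):
    """Total upload volume per process name, e.g. {'MBAMService.exe': 10564894, ...}."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["process"]] += row["sent_bytes"]
    return dict(totals)

def flag_heavy_uploads(rows, threshold_bytes=1_000_000):
    """(process, remote endpoint, bytes sent) for every connection at or above the threshold."""
    return [(r["process"], f"{r['raddr']}:{r['rport']}", r["sent_bytes"])
            for r in rows if r["sent_bytes"] >= threshold_bytes]
```

Paste the rows saved from TCPView into `TCPVIEW_ROWS` (or read them from the saved file) and call `bytes_sent_by_process` and `flag_heavy_uploads`; on the two posted rows the service has sent about 10.5 MB in total, so a 30 MB figure would need more rows or a longer capture.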

Malwarebytes is always going to send data back and forth.

On 1/30/2018 at 5:16 PM, jprism said:

scan connections are telemetry information that we collect to aggregate all user scan activities, mostly to determine when people usually scan, or checks for license validation, etc.

You can't run Premium without the constant checks for validation and database updates that happen several times a day.


Is it uploading more than 30 MB of data? It's eating all my bandwidth. When that happens, my connection is unusable.

Are these servers yours?:

 ec2-54-71-61-169.us-west-2.compute.amazonaws.com    https

s3-1-w.amazonaws.com    https

It never happened in 5 years.

If it happens again, I will use SmartSniff to see what is outgoing.

Thanks for the reply.

(I uninstalled and reinstalled MBAM, ran Mbamclean, deleted the remaining folders, and reinstalled the latest version. I also disabled the sending of statistics data.) I will watch this!

Edited by Fatcap

3 minutes ago, Fatcap said:

Is it uploading more than 30 MB of data? It's eating all my bandwidth.

Are these servers yours?:

 ec2-54-71-61-169.us-west-2.compute.amazonaws.com    https

s3-1-w.amazonaws.com    https

It never happened in 5 years.

If it happens again, I will use SmartSniff to see what is outgoing.

Thanks for the reply. I will watch this!

Did you run a packet sniffer?


No. I will do it the next time this happens.

Since your post, I had uninstalled and reinstalled MBAM and the trouble was not repeated, but six hours ago it happened again. So I uninstalled, cleaned and reinstalled without downloading SmartSniff. But if it comes back, I'll capture it.


  • Staff

Hi @Fatcap

Yes, the servers you mentioned are ours and they are part of our telemetry collection. What I think you are experiencing is that when we find malware, PUPs and other suspicious EXE files, we sometimes send these back up to our servers, and these files are uploaded to the AWS server you mentioned. We only collect application/EXE files, for tracking purposes and to improve detections.

Below is a snippet of our privacy policy (https://www.malwarebytes.com/privacy/)

Malware and PUP Data

We collect data about the malware and PUPs that are detected by our products. We collect:

  • The vendor name of the malware or PUP removed
  • An encrypted description of which database rule was used to remove the malware or PUP in question
  • Artifacts detected as malware, PUPs, or suspicious files
  • Information related to detected artifacts

Why?

So our malware intelligence team can track malware and PUP outbreaks and improve the efficacy of Malwarebytes products.

 

Hope this helps and my apologies for the late reply.

 

-jong


Okay. I thank you very much for telling me this.
That reassures me a lot.
I was very concerned about these outgoing connections.
I disabled data collection, because when that happens, my data rate is extremely low (ADSL).
So knowing this, is it better for you to activate it?
In case the answer is positive, I would let this process run to the end.

An option that would be interesting for the user would be to be able to program a specific schedule, for example while the PC is unused.
 

Another big thank you. And, better late than never ^_^

Edited by Fatcap

  • Staff

Hi @Fatcap

>> So knowing this, is it better for you to activate it?

Do you mean whether I advise you to activate data collection?

If that was your question, let me start off by saying that it's your data and Malwarebytes respects whether you want to share it or not.

For me, personally, I do encourage you to enable it and send back information. This way, if we have this data in house, future updates to the MB product would have some knowledge about your system, thus minimizing the chance of incompatibility or problems when we deploy updates.

But again, it's your call :-).

 

>> An option that would be interesting for the user would be to be able to program a specific schedule, for example while the PC is unused.

Thank you! This is a great suggestion and I'll relay it to the team so we can put it on our development list.

 

Thanks again for your understanding and patience with us.

-jong


For now I have disabled data collection, and apparently the problem no longer occurs. If the problem does not reappear in a few days, I will certainly reactivate it, knowing now that these connections are safe! However, I will check how long the process takes and the amount of data sent.

Edited by Fatcap