Website blocking - How do I know why a site was blocked?

Hi, I am trying to understand how the web blocking works and could use some help. How does a customer get more context (i.e. threat data) for the website blocking alerts?

The notification that pops up on the endpoint and in the management console simply says malicious website blocked.   The alerts do not list what URL specifically the computer was trying to reach, just the IP.  This seems like a possible problem because a single IP address can host hundreds of sites.  I do understand that it is not common for most larger legitimate businesses to do this but it does still happen.  

How does a customer determine exactly why something was blocked?   Something like a category for the block such as Adware, C2C, Phishing, Malware, etc? 

So I thought OK, this is what the hpHosts site is for, and from looking over the site it would appear it would give you this information. I did a quick test for an IP that appeared on one of our website blocking alerts received yesterday. I searched hpHosts for IP 199.101.113.79 (which is registered to Conduit USA, so it is most likely a toolbar or BHO). The results show the IP was not found in the hpHosts database and there are 0 records for history. Well, doesn't that mean that the IP or URL is not a threat and should not be blocked?

How do I determine why an IP was blocked by Malwarebytes?   And if it is being blocked by Malwarebytes shouldn't it also be listed on the hpHosts site for customers to see?  

Thank you!

Greetings,

While I do not know when this capability will be added into the business products, they are introducing more explanatory/contextual information to web blocks for the consumer version of Malwarebytes 3 very soon (currently included in the most recent beta).  That said, there still will be cases where only the IP address is shown because sometimes a web block occurs when a program is attempting to connect directly to a server based on its IP address, not through a specific URL/domain name.

As for hpHosts, it's possible that either the site hasn't been added to the hpHosts database yet or that the entire block of IPs is being blocked due to frequent abuse/lack of enforcement of appropriate/legal rules of conduct for clients (i.e. malware friendly networks etc.).

You may also wish to inquire about this with our Research team directly.  You may do so by posting a new topic here or if you wish, I can message a member of the Research team to respond here.

Thank you for the reply. Would you please message the research team and ask if they could respond here? I started this thread here at the request of business support since they could not provide me with the information I was looking for. I would prefer not to post again somewhere else if I do not need to. The link you provided for the website blocking is for home support. I guess I did not think to look under that area since I am using the business version.

Hi Steven,

Thank you for the quick reply. Not sure if you had a chance to look at my original question or not. I had originally guessed that this was going to be the case for this specific IP. It was kind of the low-hanging-fruit example. So we have established that Conduit is a PUP, so why then is this IP not listed in the hpHosts database file as PUP? There is no listing for it at all. It is fantastic that you are blocking access to nefarious or suspicious sites, but you really should provide your customers with the "why" you are blocking something. This way your customers can make a more informed decision if someone within the organization calls up and says that we are blocking access to a legitimate business site. Of course there would need to be more investigation performed, but as an admin I would be far less agreeable to adding an exception for a site that is listed as a malware distributor versus an ad tracking site. Not having access to that contextual threat data makes decision making extremely difficult. I hope you understand what I am getting at here.

The next question would be what your recommendation is for finding out why Malwarebytes is blocking other IPs I receive website blocking alerts for. I have hundreds of examples, as we have over 2000 managed endpoints globally, and I am looking for a better way to get some context to help make those informed decisions I previously spoke about, or to decide what type of cleanup efforts need to take place. Do I need to come here to the forum each time and submit each IP for help? I thought this was what the hpHosts database was for?

Thank you for your assistance with this!

I'll do my best to provide as many answers as I can based on my own knowledge (up until recently I myself was an employee of Malwarebytes and I have some rather extensive knowledge of the company's past history and policies).

  • First off, while it is true that the support knowledgebase points you to hpHosts as a reference point for finding additional info on blocked sites in Malwarebytes, it isn't actually a 1:1 match for the Malwarebytes web block database and likely never will be.  This is for a few reasons.  First, hpHosts actually existed long before Malwarebytes ever did and was developed and maintained primarily by Steven and its purpose was to block malware, ads, tracking servers and other malicious/potentially undesirable content on the web (similar to the MVPS HOSTS file and other similar HOSTS files/block lists freely available on the web) so the criteria used there for blocking sites isn't necessarily a 100% match with the policies for blocking sites in Malwarebytes (Steven can be much more aggressive against things like ads etc. than Malwarebytes can legally be since it's just a freeware file, not a retail consumer/business product).  Also, the blocking capabilities in Malwarebytes enable it to block sites in more ways than just targeting specific IP addresses and domains/URLs, including the support of wildcards and the ability to block entire blocks of IP addresses (i.e. entire IP ranges) so the hpHosts database won't necessarily contain an individual entry for every IP that Malwarebytes blocks.

  • Second, as I explained before, the Malwarebytes Product team is planning to implement additional contextual/descriptive info on web blocks when they occur which will help provide guidance on how to deal with each block and what it means.  They plan to implement this feature very soon in the consumer build and I expect it won't be too long before that functionality makes it into their business products.

  • For the time being, my personal recommendation based on my own knowledge and experience would be to focus on the endpoints where you see many frequent blocks, especially where the blocked IPs and/or domains are often or always the same because this is the most common indicator that something (or someone if it's a user's browsing habits causing the issue) is trying to reach servers that it shouldn't be, such as an undetected Trojan, undesirable browser plugin or some other piece of undesirable software.  For cases where you see many blocks on a particular endpoint but with a varied, wide range of IPs (and especially where virtually all or at least most are specifically IP blocks, not domain/URL blocks) the most likely cause is the use of a Peer-to-Peer (P2P) application such as Bittorrent or similar.  While other P2P apps like Skype etc. may also cause similar blocks, those applications do not attempt to connect to blocked servers nearly as frequently as filesharing type P2P apps, so if your company has a policy against the use of such apps on your endpoints, it might be something to investigate (or if that turns out to be the case and you have no such policy, you might consider adopting one for the sake of increased security/productivity, but that's something you/your organization would obviously need to determine internally; these are just my personal opinions/recommendations).

  • In this specific case if it turns out that a browser plugin was the culprit, it might be worth determining if you can institute a more restrictive environment on your endpoints to prevent the installation of browser add-ons/plugins/extensions, and if it turns out that such was installed while Malwarebytes was active on the endpoint, then you might also consider contacting Support directly to investigate if you determine that Malwarebytes was configured to detect/block PUPs but failed to detect it when it was installed on the system.

I hope that (wall of text, sorry) helps clarify things a bit. I know the situation is not ideal right now, but at least you know that Malwarebytes is blocking the malicious/potentially unwanted communications, regardless of whether it's currently making the reason for each block terribly clear, and please take heart knowing that they will be implementing more informative block info soon, which will hopefully make things a lot easier for you and others in your situation.

Please let us know if there's anything else we might help you with and we'll gladly do our best to assist.

Thanks

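The triage heuristics in the last reply (repeated blocks of the same destination on one endpoint pointing at unwanted software; many distinct bare-IP blocks pointing at a P2P client) can be applied to exported alert data. The following is an added example written for this thread, not code from Malwarebytes or from any poster; the alert records, endpoint names, addresses and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed web-block alerts: (endpoint, blocked destination). Not real telemetry;
# the addresses are from documentation ranges and the hostnames use .invalid.
ALERTS = [
    ("WS-017", "203.0.113.10"), ("WS-017", "203.0.113.10"),
    ("WS-017", "203.0.113.10"), ("WS-017", "203.0.113.10"),
    ("WS-017", "203.0.113.10"), ("WS-017", "tracker.example.invalid"),
    ("WS-042", "198.51.100.4"), ("WS-042", "198.51.100.77"),
    ("WS-042", "192.0.2.9"), ("WS-042", "192.0.2.150"),
    ("WS-042", "198.51.100.201"), ("WS-042", "192.0.2.33"),
    ("WS-042", "198.51.100.8"),
    ("WS-101", "ads.example.invalid"),
]

MIN_BLOCKS = 5       # assumed: ignore endpoints with only a handful of blocks
REPEAT_SHARE = 0.5   # assumed: one destination causing half the blocks = "same server"
VARIED_SHARE = 0.8   # assumed: mostly distinct AND mostly bare-IP blocks = P2P-like


def is_bare_ip(target):
    """True when the block was on a raw IP address rather than a domain/URL."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def triage(alerts):
    """Return {endpoint: (block_count, verdict)} using the reply's heuristics."""
    per_host = defaultdict(list)
    for endpoint, target in alerts:
        per_host[endpoint].append(target)
    result = {}
    for endpoint, targets in per_host.items():
        n = len(targets)
        if n < MIN_BLOCKS:
            result[endpoint] = (n, "low volume: monitor")
            continue
        top_target, top_count = Counter(targets).most_common(1)[0]
        distinct_share = len(set(targets)) / n
        ip_share = sum(is_bare_ip(t) for t in targets) / n
        if top_count / n >= REPEAT_SHARE:
            verdict = f"repeated destination {top_target}: suspect unwanted software"
        elif distinct_share >= VARIED_SHARE and ip_share >= VARIED_SHARE:
            verdict = "many distinct bare-IP blocks: suspect P2P client"
        else:
            verdict = "mixed pattern: review manually"
        result[endpoint] = (n, verdict)
    return result
```

Sorting the result by block count gives the "endpoints with many frequent blocks" the reply suggests starting with; a repeated-destination verdict is the one to hand to the research team with the IP or domain attached.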