DocTL

Option to add Web Exclusion for link.babi.gdn in Malwarebytes context menu.


Hello, I noticed the following has been added to the Malwarebytes context menu in the system tray. It looks like the malware is trying to make it easy to add it to the exclusion list... smart.. evil smart.

How can I remove this?


Version below. The alerts are from blocked URLs.


***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:


Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:


Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Addition.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and paste the contents of the requested files in your Reply instead.


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.


Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.


Also of note.

I was not able to find babi. in the registry anywhere.

It does not show in any other context menu.


This happens when you visit a site that gets blocked, the entry is added to the context menu so you can easily exclude it.


Thank you DCollins.

So I guess this is "by behavior" then. Seems like a strange thing to do... how often would you REALLY be adding sites that were blocked that you would need them to show right in the context menu like that... Ah well, we can close this case.


It's not so much that users would wish to do so often, just that when the odd case occurs that a user does wish to exclude the last blocked website, this item makes it easy for them to do so (rather than requiring them to dig through their protection logs in Malwarebytes to find the exact URL/IP address that was blocked then create the exclusion manually).  It was a popular feature in older versions of Malwarebytes (1.x versions; this was removed in version 2.0) and because of customer requests, it was brought back now in version 3.

It's sort of the same idea of allowing users to easily exclude an item at the end of a scan where the item was detected.  All they have to do is uncheck the box next to the item they wish to exclude, click Next, then Malwarebytes prompts them on what to do with the remaining/unchecked item(s) from the scan, with one of the options being Always Ignore, which adds it to the exclusions list.

I hope that helps explain the reasoning behind this feature.  Also note that it does display a confirmation dialog once an exclusion is added this way, so if the user were to accidentally click on it by mistake, Malwarebytes would immediately make them aware of it so that they could remove it from the Exclusions tab in Malwarebytes.


I would suggest hiding it somewhere else, maybe where you apply exclusions, rather than have it in such an area so easy to accidentally click... It also got my heart racing once I googled the site and saw it was a "popular" type of malware... it truly made me think I might be infected.. so much so that I took the time to make an account just to post my concerns.

Also, why wouldn't Malwarebytes at least screen / filter the URLs it makes easy to white list... There has to be a VERY small percentage of people outside of malware researchers and malware creators that would want to white list a website so widely known as being malicious.

 


Having it be convenient/accessible was the point.  Users didn't want to have to open Malwarebytes and dig into settings just to exclude a website that was just blocked that they're determined to reach.  Most users won't right-click on the menu following a block, so unless they're deliberately trying to exclude it, most will never even see it (for example, you're the first user in all the time this feature has been active that I'm aware of who has complained about it being a risk; that's not to say that you are wrong, just that I don't think most users are clicking there unless they're looking for it, which means that it is most likely being used as intended).

As for screening, that is a possibility.  Just recently (in fact, in just the last released version of Malwarebytes that went live only days ago) a new feature was added which provides additional info on why each website is blocked, for example if it's malware, phishing, adware etc., so adding an option to determine the categories of sites to offer this option for is a possibility.  I'll suggest it to the Product team for consideration.


Despite the "2nd prompt" to white list it if you accidentally clicked it, what if the malware URL was named something like "updates.malwerebytes.com" or something that looks legit at first glance / to the less security conscious people. I could easily see the scenario of an end user seeing that entry in the context menu and thinking "I guess Malwarebytes WANTS me to do this, otherwise why would they make it so easy and put it into my context menu".

 

You are teeing up a way to allow a backdoor into the program, it's only a matter of time before someone exploits the easiest thing to exploit... humans (likely the very same breed of human that are responsible for there still being things like Nigerian email scams...)

 

 


It's just like when a threat is detected.  Many AVs immediately display an option to restore and ignore the item they just removed.  It's a pretty standard practice.

Also keep in mind that it is only listed there temporarily.  I don't recall how long, but only a couple of minutes or less I believe.


See.. this is what happens when we try to mix security and convenience. 

 

;)

And kudos to you exile360 (sir or ma'am). It's refreshing to see a forum that was so responsive as well, that spurred a good security conversation... I think I'm going to bite on a subscription for the family (anyone have any discount codes for us weak dollar using Canadians?)

Hmmm. but when you are alerted to a threat, big AV (even Malwarebytes) make the notice BIG AND RED and SCARY .. not just blended in the context menu, at the same font size as the friendly "check for updates" option, just asking to be clicked by some...

It's still listed in the menu... so I guess longer than 4 hours... I will see how long she stays out of curiosity

The item in the context menu isn't the alert, the pop-up you initially saw from your tray is when the block occurred.

I think I see what you're saying though, and yes, if a user were to be using their context menu for something like checking for updates and accidentally clicked on that item for the previously blocked site, it wouldn't be a good thing, however as I said, it does alert them to this action with a second notification explaining that the site has been added to their exclusions list so at least they understand what they just did and can quickly take action to reverse it if desired.

The flip side, and the reason this was implemented in the first place, was because of issues where a user is visiting a site that they know to be safe or using an application such as an online game or some other Peer-to-Peer (P2P) application that connects to a wide range of IP addresses, which might include some that are blocked by Malwarebytes due to the fact that they are also shared with some malware (since a single IP can be host to many different domains/websites) and so now their game or visit to their site is interrupted because Malwarebytes just blocked it. The trouble is, in order to exclude the site they have to know the exact address or IP, then they have to open Malwarebytes, go to Settings>Exclusions, click Add Exclusion, click on the Exclude a Website option, click Next, then select either Exclude a url or Exclude an IP Address, then enter the URL of the website or IP address exactly correctly (otherwise it won't work, obviously), then click OK, then close Malwarebytes. It's a lot of steps with a lot of room for potential mistakes. The item in the context menu is just one simple click, and besides, even if the bad guys did use a legit sounding name to try to convince people that the site is safe/shouldn't be blocked, if the user believed them, then they'd go ahead and exclude it the hard way if necessary. Having it appear in the context menu does nothing to affect their psychology, I don't think, though perhaps adding a single confirmation dialog/pop-up wouldn't be a bad idea (something like "Malwarebytes blocked the website <name of site or IP address that was blocked> due to <reason for the block, the same as what is shown on the block/redirect page from the Malwarebytes database>, are you sure that you want to exclude it so that it will no longer be blocked?" with a set of "Yes"/"No" buttons). I think that would go a long way to make the feature much more safe/foolproof. What do you think?

edit: By the way, I just recalled that the way they actually implemented this feature, the last blocked site stays listed in the context menu of the tray until the next system restart or the next time that you quit/start Malwarebytes. Also note that only the most recently blocked site is ever displayed, so if Malwarebytes blocks a different site during the same session, it will replace the previous entry. You should be able to test this yourself by trying to visit iptest.malwarebytes.com or domaintest.malwarebytes.com, both of which should be blocked as they are test pages for verifying that Web Protection in Malwarebytes is functioning (one tests the IP address block functionality/database(s) and the other tests its URL/domain name blocking capabilities/database(s)).

Edited by exile360
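
As an added illustration of the screening and confirmation ideas raised in this thread (not Malwarebytes code and not part of any post): a sketch of a policy that withholds the one-click exclusion for high-risk block categories and for hosts that imitate the vendor's own domain, and otherwise builds the confirmation text proposed above. The category labels, the `PROTECTED` list, the similarity threshold and all function names are assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Assumed category labels; the thread only says blocks are tagged
# "malware, phishing, adware etc."
HIGH_RISK = {"malware", "phishing"}
# Hypothetical list of vendor domains to guard against look-alikes.
PROTECTED = ("malwarebytes.com",)

@dataclass
class Block:
    host: str       # hostname that web protection just blocked
    category: str   # reason recorded for the block

def registrable(host: str) -> str:
    # Simplification: last two labels. Real code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host: str, threshold: float = 0.85) -> Optional[str]:
    """Return the protected domain this host imitates, if any."""
    dom = registrable(host)
    for brand in PROTECTED:
        if dom != brand and SequenceMatcher(None, dom, brand).ratio() >= threshold:
            return brand
    return None

def exclusion_offer(block: Block) -> Tuple[bool, Optional[str]]:
    """Decide whether the tray menu may offer a one-click exclusion.

    Returns (offer, confirmation_text). High-risk categories and look-alike
    hosts get no shortcut; excluding them stays a manual action in Settings.
    """
    if block.category in HIGH_RISK or lookalike_of(block.host):
        return (False, None)
    prompt = (f"Malwarebytes blocked the website {block.host} due to "
              f"{block.category}, are you sure that you want to exclude it "
              "so that it will no longer be blocked?")
    return (True, prompt)

if __name__ == "__main__":
    # Constructed sample blocks; the categories are assigned for illustration.
    for b in (Block("link.babi.gdn", "malware"),
              Block("updates.malwerebytes.com", "adware"),
              Block("tracker.example.net", "adware")):
        print(b.host, exclusion_offer(b)[0])
```
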


There is a 25% off savings if you purchase 2 years for 1 device

There is a 50% off savings if you purchase for 3 devices - then an additional 25% off if you purchase for 2 years on the 3 devices

https://www.malwarebytes.com/pricing/

If you have a 3 device license and you have a Mac, Smart Phone, and Windows then each device could use the license.

 


The license is good for any of those types of devices so if you bought 6 and found you wanted to use one for a phone it would work.

If you need anything else please let us know.

Cheers

Ron

 


Thanks for your feedback @DocTL. We actually used to have the exclude button directly on the "website blocked" popup, but we got many reports of users thinking they needed to click something on that popup, which would inadvertently add the site as an exclusion. While not many people want to whitelist malicious sites, there are some people who want to be able to access sites for various reasons. After getting customer feedback, we determined that adding the exclusion option to the system tray icon was a method that would allow people who want to exclude to easily do it without needing to open the application, but also hide it just enough that most people don't accidentally click it. We are always taking in feedback about Malwarebytes though, so we appreciate your insight here.
