Jump to content

Firewall Rules


Recommended Posts

Ah, gotcha.  It may just be Malwarebytes checking digital signatures of processes/files on the system then as part of either its scan or the Malware Protection component when monitoring processes/threads in memory.  I also believe that one of the aspects of the cloud/Machine Learning heuristics component looks for digital signatures as well as a part of its analysis criteria which makes sense, especially if it is checking a file digitally signed by a vendor such as Microsoft who the bad guys like to spoof a lot in their malicious files to attempt to evade detection.

Link to post
Share on other sites

  • Replies 66
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

29 minutes ago, exile360 said:

I also believe that one of the aspects of the cloud/Machine Learning heuristics

Thank you for your explanation.

If you have any "connections" with Malwarebytes management , can you push this issue , please?

Malwarebytes is connecting now (or is trying to connect) to at least 18 websites , so is very confusing to figure out which connection is legit, which is absolutely necessary and which is not.

Thanks!

Link to post
Share on other sites

Sure, I'll include a line item about it in my weekly report to the team to bring their attention to it.  I'll bet that part of what's taking so long is the fact that they have to document it without exposing any proprietary info and of course they have to write it all up and proofread it to publish it to the support site which also takes time, but I'll be sure to give them a poke just to make sure they haven't forgotten about it or put it on the back burner.

Link to post
Share on other sites

Hello,

[C:\Program Files\Malwarebytes\Anti-malware\Mbamservice.exe ] is trying to connect to the followings:   

 

TCP80

cs9.wac.phicdn.net

crl3.digicert.com

crl4.digicert.com

ocsp.digicert.com

crl.microsoft.com

www.microsoft.com

ocsp.verisign.com

crl.verisign.com

e8218.dscb1.akamaiedge.net

ocsp.thawte.com

crl.thawte.com

ts-ocsp.ws.symantec.com

ts-crl.ws.symantec.com

s1.symcb.com

sv.symcd.com

sv.symcb.com

 

TCP443

my-device.malwarebytes.com

 

I have web shield disabled, so are all these connections legit?

 

I would rather prefer an answer than having this post joint to the other unanswered ones!

Thanks!

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

    welcome mbst.png
     
  • Click the Gather Logs button

    gatherlogs.png
     
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     notify me.jpeg  


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     
    Spoiler

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    mb_attach.jpg.220985d559e943927cbe3c078b
     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Link to post
Share on other sites

Almost all are associated with Digital Certificates and the verification of a Certificate's status associated with Public Key Infrastructure ( PKI ).  Important if a file is is digitally signed with a Publisher's Certificate.

Example:

ocsp.thawte.com  - Online Certificate Status Protocol ( OCSP ) server for Thawte

crl.verisign.com - Certificate Revocation List ( CRL ) server for Verisign ( now a Symantec company )

Digicert

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar
Link to post
Share on other sites

Thank you for your answer!

What about :

C:\Program Files\Malwarebytes\Anti-malware\Mbam.exe

 

TCP 443 to    www.malwarebytes.com

TCP 443 to    cleo.mb-internal.com

TCP 443 to    links.malwarebytes.com

 

C:\Program Files\Malwarebytes\Anti-malware\Mbamtray.exe

 

TCP 443 to    cleo.mb-internal.com

TCP 443 to    www.malwarebytes.com

TCP 443 to    cdn.mwbsys.com

TCP 443 to    links.malwarebytes.com

 

C:\Program Files\Malwarebytes\Anti-malware\Mbamservice.exe

 

TCP 443 to    iris.mwbsys.com

TCP 443 to    my-device.malwarebytes.com

TCP 443 to    cdn.mwbsys.com

TCP 443 to    sirius.mwbsys.com

TCP 443 to    keystone.mwbsys.com

 

C:\Program Files\Malwarebytes\Anti-malware\Assistant.exe

 

* communicates using Mbam.exe

Link to post
Share on other sites

The majority are directly related to Malwarebytes.  You have to ask about  malwarebytes.com and microsoft.com ?

One can presume that mb-internal.com and mwbsys.com are likewise associated with Malwarebytes.  However their site Registration is obfuscated by a WhoIs Proxy.

cdn.mwbsys.com  - Content Delivery Network ( CDN )

Link to post
Share on other sites

4 minutes ago, exile360 said:

like database and program updates, the cloud components and of course licensing/subscription check-ins.

For program updates is TCP 443 cdn.mwbsys.com

For update check is TCP 443 sirius.mwbsys.com

For licensing check is TCP 443 keystone.mwbsys.com

For cloud classifications is TCP 443 hubble.mb-cosmos.com

 

What about the rest of 17 connections? I do not want to live with the feeling that MBAM is collecting data about us and deliver i it to different channels...

Link to post
Share on other sites

I don't know, honestly, though I do know that Malwarebytes uses a lot of different types of databases, some of which likely use different servers/connections, and that it also may be doing checks on the digital signatures with some online databases (which would also explain all those connections related to digital signature validations).  A member of the staff will have to provide specifics as I don't have access to any proprietary/internal information.

Edited by exile360
Link to post
Share on other sites

Sorry, I was on vacation and didn't get a chance to review this latest post or make the support article I mentioned in your first post. Since this new post is basically the same question that you had before, I went ahead and merged both topics together as well. As this is now the third time I've had to do this, please quit making new posts about the same topic. I will do what I can to get the support article put together by the middle of next week, just getting back from vacation means I have quite a few things to catch up on first.

Link to post
Share on other sites

8 hours ago, dcollins said:

I will do what I can to get the support article put together by the middle of next week

Thank you very much for not ignoring my request!

8 hours ago, dcollins said:

Since this new post is basically the same question that you had before

Meanwhile my firewall detected 17 new connections asked by Malwarebytes, hence the new post...

Link to post
Share on other sites

On 9/4/2018 at 3:24 AM, lock said:

Do you think would be useful to have a sticky about what we should ABSOLUTELY allow in a firewall and what is RECOMENDED to allow?????

Surely you either trust Malwarebytes or you don't? If you do, then leave them to get on with it and allow all their connections. If you don't trust them, then perhaps don't use the software! I don't understand what people are thinking when they try and lock down a security software in some way.

It's not intended as a criticism of you, just puzzlement on my behalf because I've seen quite a few people on various boards do this kind of think for different products.

Link to post
Share on other sites

6 minutes ago, AP2012 said:

Surely you either trust Malwarebytes or you don't?

There are different degrees of trust; to begin with, my level of trust in Malwarebytes would increase if they will explain somehow each and every connection their software is making over the internet ( 24, so far , based on my firewall).

I blocked all but 4-5 , and everything works fine , hence my question.

Link to post
Share on other sites

On 10/17/2018 at 6:14 PM, dcollins said:

Here's the support article that lists why we reach out to certain URL's: https://support.malwarebytes.com/docs/DOC-2706

I notice that you have some URL's not in this list, those are mostly related to Windows certificate validation and unfortunately that list is ever-changing, so it's not something we can easily document

Thank you for following up with my request.

Unfortunately the support article is pure informative; I cannot see any information about telemetry...

Anyway, the way the information is presented is impossible to use in creating firewall rules; see below the Windows Firewall Control rules; so, which is what????

image.thumb.png.c362ecdf7f7eae2002e9cd61c1638957.png

Link to post
Share on other sites

On 10/17/2018 at 6:14 PM, dcollins said:

Here's the support article that lists why we reach out to certain URL's: https://support.malwarebytes.com/docs/DOC-2706

Earlier another user advised to "trust" Malwarebytes...

The "support article"  says the the connection to " www.malwarebytes.com:443 " is " Used to verify connectivity to the Malwarebytes servers "

In reality the connection is to "telemetry.malwarebytes.com:443" and is used for telemetry....

Why not being honest???? How do you want tho gain "trust"?????

Link to post
Share on other sites

Doh, I missed telemetry.malwarebytes.com, I'll get that updated on the list. I based on the majority of those URL's off of the ones you provided in the most recent article and forgot to look at our earlier discussions with the additional URL's.

While I realize the article doesn't go extremely in-depth stating exactly what is happening on each connection, we also have to make sure we're not giving out information that can be used to hinder our product and potentially leave customers in a vulnerable state. And yes, we don't break down the exact bits of telemetry we send to our servers. To see the breakdown of what we send, and how it's used, you can visit our privacy policy here: https://www.malwarebytes.com/privacy/

Lastly, our servers utilize dynamic IP addresses, so whitelisting/blacklisting off of IP address will not work.

Link to post
Share on other sites

  • Root Admin

The listed Malwarebytes Privacy Policy article explains in great detail what we collect, what we do, etc. and is more than compliant with both General Data Protection Regulation (GDPR), and the California Consumer Privacy Act of 2018 concerning data collection and has passed legal review more than once. Further disclosure beyond this level may potentially impact users or our business.

Thank you for your understanding

 

Link to post
Share on other sites

4 hours ago, AdvancedSetup said:

California Consumer Privacy Act of 2018 concerning data collection and has passed legal review more than once

Dear Sir,

I am positive that Malwarebytes complains with California Consumer Privacy Act of 2018   but I do not know how is this relevant for a product sold internationally , where different legislation may apply.

As a paying customer I have the right to "deliver" the data you collect or not. That's why you have a selection in "Application / Usage and Threat Statistics ON/OFF"

However, even though the selection is OFF, Malwarebytes will continue to collect data, which it is not a fair practice.

Link to post
Share on other sites

As mentioned above, they do comply fully with GDPR as well, and as far as I know that is the most stringent/strict law internationally that currently exists to protect consumer privacy, so as long as they are in compliance with that, then it should be pretty transparent and the data collected should be very limited in order to remain in compliance.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.