Website blocked via Edge "page prediction"?

[Steve1982]

HI,

I was looking for info on setting up an ASUS router so I headed over to Google using Microsoft Edge and type in "asus router setup". I switched to the image results and as I was browsing through the image results on Google, MalwareBytes popped up an alert "Website blocked due to Hijack".  Since I wasn't even trying to go to the blocked site (I was literally just looking at Google's image result page) I wasn't sure what caused it but then I noticed Edge has a setting called "Use page prediction to speed up browsing, improve reading, and make my overall experience better" and it was turned on.

Is it safe to assume this alert was simply caused by Edge trying to pre-fetch a link it thought I may click on? The blocked site (asusroutersetup.net) relates to the search I was doing so I'm pretty sure that somewhere in the Google results there was a link to the blocked site and Edge was trying to prefetch the page, but it would be great to hear what the experts think.

Naturally I did a full scan using MBAM and Windows Defender and it comes up clean.

FWIW, this is the site that was blocked:

Quote

-Website Data-
Category: Hijack
Domain: asusroutersetup.net
IP Address: 103.76.231.95
Port: [51670]
Type: Outbound
File: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

 

Thanks!

 

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download Malwarebytes Support Tool
• Once the file is downloaded, open your Downloads folder/location of the downloaded file
• Double-click mb-support-X.X.X.XXXX.exe to run the program
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
• Place a checkmark next to Accept License Agreement and click Next
• You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
• Click the Advanced Options link
  
  
   
• Click the Gather Logs button
  
  
   
• A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
• Upon completion, click OK
• A file named mbst-grab-results.zip will be saved to your Desktop
• Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
  
     
  
  
  Click "Reveal Hidden Contents" below for details on how to attach a file:
   
  Spoiler

  To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

  
   

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[exile360]

Greetings,

Based on your description of events it sounds like what happened was that an image from the site in question attempted to load among the results so it was blocked by Malwarebytes via the Web Protection component.  You shouldn't need to take any further action and nothing was able to actually reach your system from the blocked site that might be harmful so you should be just fine.

If there is anything else we might assist you with please let us know.

Thanks

[Steve1982]

Thanks for chiming in exile360! I'm sure it had to be something like that although I expected Google to load images on it's image search result page from it's own cache. If not that though, then it was most likely via Edge's "page prediction" feature trying to pre-load some of the links on the search results page in case I clicked one of them. I now have "page prediction" turned off for good measure. Either way I'm sure there's nothing to worry about. It only happened that one time, plus the blocked domain was directly related to the search results, so the odds of this being cause by some sort of background process is basically zero..

On a related note ... after the alert the "Real-time Protection" count went from 0 to 3 even though there was only 1 alert (and only one entry under "Reports). I tried testing with iptest.malwarebytes.org. As expected, MBAM blocked it, but it too incremented the count by 3 (from 3 to 6). So every 1 detection adds 3 to the count. Is this a known bug? I'm on version 3.6.1.2711.

Thanks!

[exile360]

Yep, I've seen similar behavior with Google image search results; it usually occurs when I click on an image to expand the info.  I guess when displaying the larger thumbnail, it's actually a live image from the site hosting the image, not the cached copy stored on Google's servers, so that's most likely the reason for the block.

Yes, it's typical for 3 log entries to be created for each web block and it's been this way pretty much since the beginning when Web Protection was first implemented in Malwarebytes Anti-Malware 1.x so that's expected behavior since the count goes based on the entries in the protection logs.  It's not so much a bug as just the way that the system works, and likely has something to do with how Windows automatically attempts to reconnect to a failed connection more than anything else, so when Malwarebytes blocks something, Windows probably retries it a couple of times to attempt to resolve the address/connection.  If that's true, then technically speaking, Malwarebytes is actually blocking 3 connection attempts to the website/server, so it is technically accurate even if you only attempted to browse to the page/load content from the page just once.  The Developers may be able to clarify further, but based on my somewhat limited knowledge of the network stack and the inner workings of Malwarebytes and Windows, I'm pretty sure this is what's going on and why it shows up this way.

[Steve1982]

Thanks again for the information! The worst thing about these alerts is the general anxiety it creates when you didn't expect it. I am super careful about where I go online.

It sounds like browser hijacking actually requires the download and installation of software from the blocked domain (I didn't even visit the domain, let alone download and install software from it) so I'm sure I have nothing to worry about.

[exile360]

Yes, that's correct, or at the very least the successful execution of an exploit, which is also something that Malwarebytes does very well at protecting against (in fact, the Exploit Protection in Malwarebytes 3 is pretty much its most proactive feature, as it doesn't rely on any signatures/databases and operates strictly on application behavior to guard against illegal operations and malicious scripting).  Web blocks are quite common, especially since many sites may share the same IP address, and since Malwarebytes blocks connections both ways (incoming and outgoing), it prevents your system from connecting to any site in its block list so you don't have to worry about anything malicious that might be hosted on those sites getting onto your system as long as Web Protection is active.

Also, if it were a case of browser hijacking such as with a malicious browser extension or plugin, you'd see web blocks pretty much every time you use your browser and it would typically be the same address(es) being blocked all the time.  You'd definitely know if that was the case because it would be way more than 3 alerts and wouldn't happen just the one time.  In fact, that's one way that Web Protection functions as a great indicator of malware or PUPs slipping through.  If you start seeing a lot of frequent web blocks to the same IPs/domains, then it's a good indication that something may have gotten onto your system and if that ever does happen, you can return here to the forums and our malware removal specialists will help you to check your PC and get it cleaned up if anything did get through (not likely, but of course it is always a possibility no matter how much protection you use and how good it is).  The only exceptions would be if you frequently run any Peer-to-Peer applications such as a Bittorrent client that connect to many remote servers, as such apps tend to connect to some IP addresses which may be on malware friendly hosting providers which Malwarebytes blocks due to the high frequency of malicious content being hosted on their networks, but in that case you'd see the process indicated in the web block notifications from Malwarebytes so you'd know that was the culprit.

[Steve1982]

Thanks again for taking the time to respond in such detail, I appreciate it!

[exile360]

You're very welcome, and if there's anything else we can help with just let us know