Why does Malwarebytes query each domain you exclude every 2 minutes!?

[Frk]

I recently noticed something strange in the logs of my DNS server. My PC was querying 1337x.to and eu-central450.discord.gg every two minutes. For the life of me I couldn't figure out why. Yes I was running Discord, but even with Discord closed, it kept querying eu-central450.discord.gg every 2 minutes... And what about 1337x.to? That doesn't look too good... It got me thinking whether or not I got infected.

https://i.imgur.com/wbMVpw8.png

Well after two hours of digging with Fiddler, Wireshark, ProcMon, TCPView and Torch (in Winbox), I found the answer. Lo and Behold, it was *MalwareBytes*! Apparently, I had added 1337x.to and eu-central450.discord.gg to my Exclusions list in the past, which I was unaware of, and MalwareBytes then decided it was okay to query these domains every two minutes.

https://i.imgur.com/h067TO0.png

Dear MalwareBytes developers; WHY!?

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab
   
    
7. Click the Gather Logs button
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
    
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[lmacri]

Hi Frk:

In regards to 1337x.to, my understanding is that Malwarebytes is blocking this torrent site for illegal activity and fraud - see the 19-Nov-2018 TF article Top Torrent Site 1337x Blocked By MalwareBytes For Alleged ‘Fraud’.

Your .png image shows that you've added an exclusion for this website in your Malwarebytes settings.  That means you are excluding the website from detection by Malwarebytes (i.e., overriding Malwarebytes' block) and that you accept the risks of allowing your computer to connect to this site.  If you want Malwarebytes to prevent the connection to 1337x.to you need to remove the exclusion.  The same comments apply to the eucentral450.discord.gg site.

If you believe that 1337x.to is a safe site and should not be blocked as a fraudulent site then you can file False Positive report at https://forums.malwarebytes.com/forum/123-website-blocking/?page=228 and ask them to reconsider the block of the entire 1337x.to domain.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365

[Frk]

Hi Imacri,

Thanks for your reply.

That was not really what I meant. My question was why MalwareBytes queries domains that have been excluded every 2 minutes. I found the 'answer' in MB's FAQ: https://support.malwarebytes.com/docs/DOC-2432

Not really a satisfactory answer though. For example, 1337x.to uses Cloudflare. So if I would visit 1337x.to in between of the two minute query interval of MalwareBytes, there is a good chance MalwareBytes would still block the attempt, since I might be connecting to a different Cloudflare IP. Or am I mistaken?

[exile360]

No, it shouldn't block the excluded site regardless of what other sites/domains/IPs or hosts/blocks of IPs are blocked by Malwarebytes.  If a site you have excluded continues to be blocked, then usually either closing and reopening your web browser, clearing your browser's cache, or clearing your DNS cache resolves it.  This is because once a site has been blocked once, the Windows DNS caching system, and often the caching system built into many modern browsers (especially Chrome and Firefox in my personal experience) will cause subsequent connection attempts to fail even though Malwarebytes isn't actually blocking the excluded site any longer (which can be verified by checking your logs in Malwarebytes as it logs each blocked connection attempt whenever it occurs).

I hope this information is helpful, and I apologize if it is unrelated to the issues you are describing as I'm not a Developer or Researcher so I'm just speaking from my own personal experience and what I've learned of Malwarebytes behavior in Windows throughout the years.

[lmacri]

Hi Frk:

You might want to read through Lock's 02-Sep-2018 thread Firewall Rules.  Replies by Malwarebytes employees dcollins, gonzo and AdvancedSetup from post # 33 onward should give you a good idea of Malwarebytes' official stance on this topic.

Just FYI, I purchased a lifetime license for Malwarebytes Premium many years ago but I recently deactivated my Premium license and now use Malwarebytes as a free on-demand malware scanner.  I made that decision primarily because of unresolved conflicts between Malwarebytes' real-time protection and my Norton Security antivirus, but recent threads about the large amounts of data being gathered by Malwarebytes for "cloud analysis" and pop-up advertising (see Meathead's Marketing Popup) have me very concerned about the direction that Malwarebytes is taking the Premium (paid) version of their product.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365

[lmacri]

Hi Frk:

...and if you still have concerns about whether Malwarebytes is blocking connections to your excluded web sites after reading exile360's comments in post # 5, please follow the instructions in post # 2 and use the Malwarebytes Support Tool to collect and attach diagnostic logs (mbst-grab-results.zip) in your next reply so the Malwarebytes staff can review details about your current system specs and Malwarebytes configuration.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Norton Security Premium v22.15.1.8 * MB Free v3.5.1.2522-1.0.365

[Frk]

18 hours ago, lmacri said:

Just FYI, I purchased a lifetime license for Malwarebytes Premium many years ago but I recently deactivated my Premium license and now use Malwarebytes as a free on-demand malware scanner.  I made that decision primarily because of unresolved conflicts between Malwarebytes' real-time protection and my Norton Security antivirus, but recent threads about the large amounts of data being gathered by Malwarebytes for "cloud analysis" and pop-up advertising (see Meathead's Marketing Popup) have me very concerned about the direction that Malwarebytes is taking the Premium (paid) version of their product.

I agree, I think this is the best way forward. I have had serious issues with my PC and in the end MB was the culprit. This is strike three for me. I will also deactivate my Premium license. Thanks

[dcollins]

To answer your original question about why excluded sites are checked every two minutes, it's because you excluded by domain name. if you're unfamiliar with how domain names work, the very short explanation is that when you type in 1337x.to into your web browser, your computer converts that to an IP address, and that's how your browser actually talks to the website.

However, that IP address can change over time. So when you first try to visit the site, the IP address could be 104.31.16.3. But the next time you try to go to the site, the IP address could be 104.31.17.5. Because you excluded 1337x.to in Malwarebytes, we check to see what the latest IP address of the website is to make sure that's not also blocked, and if it is, we allow traffic to it. Because Malwarebytes could potentially block both 1337x.to and 104.31.16.3 separately, it would be confusing for users if they excluded 1337x.to and then still got blocked when trying to access the webpage the next time because we also blocked the IP address.

Hopefully that helps clear up your original question, and it looks like the rest of your questions were answered already as well.