Malicious website blocking inconsistency

[Omoeba]

The extension "Malwarebytes Browser Guard" blocks PUP site reimageplus.com but MB premium doesn't. Web protection is working because iptest.malwarebytes.org is blocked with the extension disabled.

[exile360]

Greetings,

Web Protection in Malwarebytes Premium and the Malwarebytes Browser Guard browser extension do not block all of the same sites, this is why they are offered separately.  When used together you get the benefits of both.

I hope that helps to clear things up a bit.

If there is anything else we might assist you with please let us know.

Thanks

[Porthos]

5 hours ago, Omoeba said:

The extension "Malwarebytes Browser Guard" blocks PUP site reimageplus.com but MB premium doesn't. Web protection is working because iptest.malwarebytes.org is blocked with the extension disabled.

Actually my MB Premium blocks it as well.

Edited November 22, 2019 by Porthos

[Omoeba]

After further testing it MB appears to conflict with Wireguard VPN.

 

Edited November 22, 2019 by AdvancedSetup
Removed hyperlink

[exile360]

A VPN changes the reported IP addresses of websites that your computer connects to.  This will definitely break blocking for many sites for both Malwarebytes Browser Guard and the Web Protection component in Malwarebytes Premium as both rely on checking the IP address of servers your system connects to in addition to other info such as the URL/domain and content of the websites and their behavior.  Unfortunately there is no workaround as the only way for Malwarebytes to determine the true IP address of the sites your system connects to when using a VPN would be for the VPN provider to be running Malwarebytes' Web Protection on their systems which your system is connecting to the web through.

[Porthos]

2 minutes ago, exile360 said:

A VPN changes the reported IP addresses of websites that your computer connects to. 

I am trying out the Mullvad VPN that MB has partnered with and it does not affect MB or the browser guard.

[exile360]

Just now, Porthos said:

I am trying out the Mullvad VPN that MB has partnered with and it does not affect MB or the browser guard.

I have no idea how.  The entire point of a VPN is to use the VPN's servers to connect to websites rather than connecting to them through your own system/connection directly.  The only possibility would be if their VPN client software somehow 'translates' the connections through the VPN to your system so that from the system's perspective it still sees the true IP addresses of the sites/servers you are connecting to through the VPN.

[Porthos]

1 minute ago, exile360 said:

I have no idea how.  The entire point of a VPN is to use the VPN's servers to connect to websites rather than connecting to them through your own system/connection directly.  The only possibility would be if their VPN client software somehow 'translates' the connections through the VPN to your system so that from the system's perspective it still sees the true IP addresses of the sites/servers you are connecting to through the VPN.

Currrently my IP is showing

Your IP Address 185.236.xxx.xx

 

• Los Angeles, California, United States

And you know I am not in Cali.

[exile360]

Right, that's what a VPN is supposed to do; show a different IP to the sites/servers you connect to, however that normally goes both ways so that the sites/servers you connect to when browsing only connect to the VPN's servers so that your system only ever sees the IP of the VPN server you're using, however if web blocking works for IPs then it sounds like they have some kind of passthrough tech in place so that your system still sees the actual IP addresses of the sites you're browsing to which is not normally how it works.

[Omoeba]

40 minutes ago, exile360 said:

A VPN changes the reported IP addresses of websites that your computer connects to.  This will definitely break blocking for many sites for both Malwarebytes Browser Guard and the Web Protection component in Malwarebytes Premium as both rely on checking the IP address of servers your system connects to in addition to other info such as the URL/domain and content of the websites and their behavior.  Unfortunately there is no workaround as the only way for Malwarebytes to determine the true IP address of the sites your system connects to when using a VPN would be for the VPN provider to be running Malwarebytes' Web Protection on their systems which your system is connecting to the web through.

then how does iptest.malwarebytes.org still get blocked?

[exile360]

It's getting blocked based on the URL/domain by name 'iptest.malwarebytes.org' rather than the actual IP address.

edit: By the way, the .org sub-domain is no longer in use.  It should by iptest.malwarebytes.com.  You can verify whether it is blocked by IP by trying to go to 100.24.169.13 which is the actual IP of iptest.malwarebytes.com and if it is blocked, then IP blocking is working, and if it isn't, then it's likely that I'm correct about what the VPN is doing.

Edited November 22, 2019 by exile360

[Omoeba]

@exile360going directly to the ip address surprisingly got blocked. However something weird I noticed is websites that are supposed to be blocked such as iptest.malwarebytes.com and malware.wicar.org are resolved to a "172.42.0.x" ip address.

[Omoeba]

Update: disabling web protection makes the domains resolve normally

[Omoeba]

Another update: even though both iptest.malwarebytes.com and reimageplus.com resolve to a "172.42.0.x" ip address, which I suspect is a "sinkhole" ip range for web protection, iptest.malwarebytes.com is blocked but reimageplus.com is NOT blocked. After further testing, the only websites that are blocked when using wireguard vpn are iptest.malwarebytes.com and iptest.malwarebytes.org. Directly visiting the resolved sinkhole ip for any malicious site ends with a blocked notification, even over vpn.

[exile360]

Yes, there is a redirect page for blocked sites and I bet that's what that sinkhole IP is.

URL/domain blocking should still work for Web Protection and Malwarebytes Browser guard, even with an active VPN, however any blocks for IPs likely won't function for the reasons I mentioned above.

[Omoeba]

@exile360then how does 100.24.169.13 still get blocked even over vpn?

 

[exile360]

Probably because you're entering the IP address directly so your system tries to connect to it explicitly which triggers the block.

[Omoeba]

that still doesn't explain why entering the domain iptest.malwarebytes.com or its ip address 100.24.169.13 result in a block but entering the domain or ip address for any other malicious website, e.g. reimageplus.com and its corresponding ip 161.47.7.14, does not result in a block.

[exile360]

OK, I'll try to explain it again.

The website iptest.malwarebytes.com is blocked because it is in the block list based on the actual domain name/URL, not the IP address where it is hosted so as long as you are attempting to access that domain, no matter what the IP is, it should be blocked (even with a VPN, since the VPN changes the IP, not the URL).

When you manually enter an IP address into your browser or use something else such as the 'ping' command you are explicitly attempting to connect to that specific IP so Malwarebytes is able to see and filter this correctly because it gets to it before the connection is routed through your VPN on their end.

For everything else, like when browsing normally, any site that is contained in the block list based on its IP address will fail to be blocked because your system is connecting to the VPN's servers, and the VPN routes your connection accordingly passing traffic to/from the sites you visit to your system so that the only servers you ever actually connect to belong to the VPN.  This is why Web Protection will not work with a VPN like that because any addresses that are blocked based on IP will fail to be blocked.

[Omoeba]

@exile360so iptest.malwarebytes.com is blocked with a different method than all of the other blocked sites?

[exile360]

Not all sites are blocked based on IP.  Some are blocked based on the URL/domain name instead, and the iptest site is one of those.

[Omoeba]

@LiquidTensionis it possible to change the blocking method so all malicious websites can be filtered?

[exile360]

The problem is that they deliberately target some based on URL/domain, usually to avoid FPs when the majority of content on a particular server/IP is known to be safe so that they can block the bad content by specifically targeting one or a handful of known URLs/domains.  On the other hand, when a server is known to contain mostly or exclusively malicious content, it is blocked based on IP.  This is particularly necessary for IP's and IP blocks (i.e. entire hosting providers) known to be friendly to malware and other malicious/illegal content and where the owners of the servers are unresponsive to abuse reports (i.e. they refuse to take down sites even when provided proof of malicious activity and illegal content such as malware, scams etc.), and this is especially needed because it is possible for the bad guys who have access to such servers to frequently change/randomize their domain names/URLs so that attempting to use a strictly domain/URL based block list is ineffective.

You can learn more about Web Protection and how it works by reading the information in this Malwarebytes Labs article, though it is quite old, it is still largely accurate to how Web Protection currently functions (though on the engine/driver/API side some enhancements have been made since then in the subsequent Malwarebytes Premium releases).

[Omoeba]

Then how does something like Norton still work with a VPN?

[exile360]

My guess is they are using a different method, likely with nothing but domain names, no IP's, which means it's no better than a malware blocking HOSTS file and will miss a LOT of bad sites (basically all of the ones that pop up and switch domains constantly, of which there are many, some of which being so bad that you can try to hit the same site/infection two times in a row within seconds and you'll get a different domain each time, and another new one every time you connect to it).  They might use some level of wildcards to try and mitigate this, but it's still a pretty big gap in sites they cannot block and makes their solution far more reactive than proactive because if they can't block IP's, they can't block the malware where it actually lives (the actual bare metal servers and known malicious hosting providers/IP ranges).  Perhaps there is some other way of accomplishing it that I am unaware of, but I've never heard of it if there is one.  The fact is, your system cannot see the actual server/IP of the websites you connect to because you aren't connecting to them directly; you're going through a VPN so only the VPN makes a direct connection to either end (which is of course the point of using a VPN, for anonymity).

Edited November 26, 2019 by exile360