Jump to content

Malicious website blocking inconsistency


Recommended Posts

  • Staff

Greetings,

Web Protection in Malwarebytes Premium and the Malwarebytes Browser Guard browser extension do not block all of the same sites, this is why they are offered separately.  When used together you get the benefits of both.

I hope that helps to clear things up a bit.

If there is anything else we might assist you with please let us know.

Thanks

Link to post
Share on other sites

5 hours ago, Omoeba said:

The extension "Malwarebytes Browser Guard" blocks PUP site reimageplus.com but MB premium doesn't. Web protection is working because iptest.malwarebytes.org is blocked with the extension disabled.

Actually my MB Premium blocks it as well.

Remiage.png

Remiage chrome.png

Edited by Porthos
Link to post
Share on other sites

  • Staff

A VPN changes the reported IP addresses of websites that your computer connects to.  This will definitely break blocking for many sites for both Malwarebytes Browser Guard and the Web Protection component in Malwarebytes Premium as both rely on checking the IP address of servers your system connects to in addition to other info such as the URL/domain and content of the websites and their behavior.  Unfortunately there is no workaround as the only way for Malwarebytes to determine the true IP address of the sites your system connects to when using a VPN would be for the VPN provider to be running Malwarebytes' Web Protection on their systems which your system is connecting to the web through.

Link to post
Share on other sites

  • Staff
Just now, Porthos said:

I am trying out the Mullvad VPN that MB has partnered with and it does not affect MB or the browser guard.

I have no idea how.  The entire point of a VPN is to use the VPN's servers to connect to websites rather than connecting to them through your own system/connection directly.  The only possibility would be if their VPN client software somehow 'translates' the connections through the VPN to your system so that from the system's perspective it still sees the true IP addresses of the sites/servers you are connecting to through the VPN.

Link to post
Share on other sites

1 minute ago, exile360 said:

I have no idea how.  The entire point of a VPN is to use the VPN's servers to connect to websites rather than connecting to them through your own system/connection directly.  The only possibility would be if their VPN client software somehow 'translates' the connections through the VPN to your system so that from the system's perspective it still sees the true IP addresses of the sites/servers you are connecting to through the VPN.

Currrently my IP is showing

Your IP Address 185.236.xxx.xx

 

  • pic Los Angeles, California, United States

And you know I am not in Cali.

Link to post
Share on other sites

  • Staff

Right, that's what a VPN is supposed to do; show a different IP to the sites/servers you connect to, however that normally goes both ways so that the sites/servers you connect to when browsing only connect to the VPN's servers so that your system only ever sees the IP of the VPN server you're using, however if web blocking works for IPs then it sounds like they have some kind of passthrough tech in place so that your system still sees the actual IP addresses of the sites you're browsing to which is not normally how it works.

Link to post
Share on other sites

40 minutes ago, exile360 said:

A VPN changes the reported IP addresses of websites that your computer connects to.  This will definitely break blocking for many sites for both Malwarebytes Browser Guard and the Web Protection component in Malwarebytes Premium as both rely on checking the IP address of servers your system connects to in addition to other info such as the URL/domain and content of the websites and their behavior.  Unfortunately there is no workaround as the only way for Malwarebytes to determine the true IP address of the sites your system connects to when using a VPN would be for the VPN provider to be running Malwarebytes' Web Protection on their systems which your system is connecting to the web through.

then how does iptest.malwarebytes.org still get blocked?

Link to post
Share on other sites

  • Staff

It's getting blocked based on the URL/domain by name 'iptest.malwarebytes.org' rather than the actual IP address.

edit: By the way, the .org sub-domain is no longer in use.  It should by iptest.malwarebytes.com.  You can verify whether it is blocked by IP by trying to go to 100.24.169.13 which is the actual IP of iptest.malwarebytes.com and if it is blocked, then IP blocking is working, and if it isn't, then it's likely that I'm correct about what the VPN is doing.

Edited by exile360
Link to post
Share on other sites

Another update: even though both iptest.malwarebytes.com and reimageplus.com resolve to a "172.42.0.x" ip address, which I suspect is a "sinkhole" ip range for web protection, iptest.malwarebytes.com is blocked but reimageplus.com is NOT blocked. After further testing, the only websites that are blocked when using wireguard vpn are iptest.malwarebytes.com and iptest.malwarebytes.org. Directly visiting the resolved sinkhole ip for any malicious site ends with a blocked notification, even over vpn.

Link to post
Share on other sites

that still doesn't explain why entering the domain iptest.malwarebytes.com or its ip address 100.24.169.13 result in a block but entering the domain or ip address for any other malicious website, e.g. reimageplus.com and its corresponding ip 161.47.7.14, does not result in a block.

Link to post
Share on other sites

  • Staff

OK, I'll try to explain it again.

The website iptest.malwarebytes.com is blocked because it is in the block list based on the actual domain name/URL, not the IP address where it is hosted so as long as you are attempting to access that domain, no matter what the IP is, it should be blocked (even with a VPN, since the VPN changes the IP, not the URL).

When you manually enter an IP address into your browser or use something else such as the 'ping' command you are explicitly attempting to connect to that specific IP so Malwarebytes is able to see and filter this correctly because it gets to it before the connection is routed through your VPN on their end.

For everything else, like when browsing normally, any site that is contained in the block list based on its IP address will fail to be blocked because your system is connecting to the VPN's servers, and the VPN routes your connection accordingly passing traffic to/from the sites you visit to your system so that the only servers you ever actually connect to belong to the VPN.  This is why Web Protection will not work with a VPN like that because any addresses that are blocked based on IP will fail to be blocked.

Link to post
Share on other sites

  • Staff

The problem is that they deliberately target some based on URL/domain, usually to avoid FPs when the majority of content on a particular server/IP is known to be safe so that they can block the bad content by specifically targeting one or a handful of known URLs/domains.  On the other hand, when a server is known to contain mostly or exclusively malicious content, it is blocked based on IP.  This is particularly necessary for IP's and IP blocks (i.e. entire hosting providers) known to be friendly to malware and other malicious/illegal content and where the owners of the servers are unresponsive to abuse reports (i.e. they refuse to take down sites even when provided proof of malicious activity and illegal content such as malware, scams etc.), and this is especially needed because it is possible for the bad guys who have access to such servers to frequently change/randomize their domain names/URLs so that attempting to use a strictly domain/URL based block list is ineffective.

You can learn more about Web Protection and how it works by reading the information in this Malwarebytes Labs article, though it is quite old, it is still largely accurate to how Web Protection currently functions (though on the engine/driver/API side some enhancements have been made since then in the subsequent Malwarebytes Premium releases).

Link to post
Share on other sites

  • Staff

My guess is they are using a different method, likely with nothing but domain names, no IP's, which means it's no better than a malware blocking HOSTS file and will miss a LOT of bad sites (basically all of the ones that pop up and switch domains constantly, of which there are many, some of which being so bad that you can try to hit the same site/infection two times in a row within seconds and you'll get a different domain each time, and another new one every time you connect to it).  They might use some level of wildcards to try and mitigate this, but it's still a pretty big gap in sites they cannot block and makes their solution far more reactive than proactive because if they can't block IP's, they can't block the malware where it actually lives (the actual bare metal servers and known malicious hosting providers/IP ranges).  Perhaps there is some other way of accomplishing it that I am unaware of, but I've never heard of it if there is one.  The fact is, your system cannot see the actual server/IP of the websites you connect to because you aren't connecting to them directly; you're going through a VPN so only the VPN makes a direct connection to either end (which is of course the point of using a VPN, for anonymity).

Edited by exile360
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.