MalwareBytes 4 messing with IPv6 ping

[Maurice Naggar]

What follows is worth a test  as an alternate way to set the DNS server address  choice  for TCP/IP v6  &  TCP/IPv4

and that is to select "Obtain DNS server address automatically".   This can resolve the situation with Ping.

 

Click Win-key  and use the search box:
Search for Control Panel, and click the top result to open.
Click on Network and Internet.
Click on Network and Sharing Center.
Click on Change Adapter Settings.

Right-click the Wi-Fi or Ethernet adapter that you're using to connect to the internet, and select the Properties option.

Select the Internet Protocol Version 4 (TCP/IPv4) option.
Click the Properties button.
Click the "Obtain DNS server address automatically"
Click OK

If the Internet Protocol Version 6 (TCP/IPv6) stack is enabled in the network adapter properties, select the option.
Click the Properties button.
Click the "Obtain DNS server address automatically"
Click OK

Click Close

[Maurice Naggar]

notes ^^^^    That should apply to all Windows versions.    This was tested on MB beta  4.1.1.76    Component package 1.0.946   / win 10  build 2004  ( May 2020  )

[rahe]

1 hour ago, Maurice Naggar said:

What follows is worth a test  as an alternate way to set the DNS server address  choice  for TCP/IP v6  &  TCP/IPv4

and that is to select "Obtain DNS server address automatically".   This can resolve the situation with Ping.

 

Click Win-key  and use the search box:
Search for Control Panel, and click the top result to open.
Click on Network and Internet.
Click on Network and Sharing Center.
Click on Change Adapter Settings.

Right-click the Wi-Fi or Ethernet adapter that you're using to connect to the internet, and select the Properties option.

Select the Internet Protocol Version 4 (TCP/IPv4) option.
Click the Properties button.
Click the "Obtain DNS server address automatically"
Click OK

If the Internet Protocol Version 6 (TCP/IPv6) stack is enabled in the network adapter properties, select the option.
Click the Properties button.
Click the "Obtain DNS server address automatically"
Click OK

Click Close

I already have everything set to DHCP/AUTO (IP & DNS for IPv4 & IPv6)

Care to explain, why the ping will be blocked by MWB Web Protection, when it is not set to "Obtain DNS server address automatically? This sounds interesting.

[Maurice Naggar]

I would only say this.   If it were "web protection"  I would expect a message-window of a block with IP address cited in that message-box.

I have not seen that.   My MB 4.1.1.71   currently has all real-time protections on.   and the "obtain DNS server automatically".

Ping works on my rig.    WIFI connection by the way.

 

Prior to this for a short time, I had had Cloudfare set as the DNS server.   Wile web browsers worked ;   Ping was not succeeding.

Why that was so I have no idea.

[rahe]

3 minutes ago, Maurice Naggar said:

I would only say this.   If it were "web protection"  I would expect a message-window of a block with IP address cited in that message-box.

I have not seen that.   My MB 4.1.1.71   currently has all real-time protections on.   and the "obtain DNS server automatically".

Ping works on my rig.    WIFI connection by the way.

 

Prior to this for a short time, I had had Cloudfare set as the DNS server.   Wile web browsers worked ;   Ping was not succeeding.

Why that was so I have no idea.

If I disable Web Protection, the ping directly works. I maybe have to mention, if I for example ping google.com (with Web Protection enabled), the ping command directly shows the IPv6 address of google.com, but the ping fails. So to me it doesn't look like a DNS problem at first glance, but I am not a specialist.

 

[Maurice Naggar]

Bit of a mystery.   I would swear that pinging google.com  was good  earlier on both IPv6 & IPv4

Now IPv4 works   but IPv6 fails when you specify google,com   /   but works when you ping 172.217.1.142

IPv6 fails when you specify yahoo.com   /   but works when you ping  72.30.35.10

[bdg2]

2 hours ago, Maurice Naggar said:

Bit of a mystery.   I would swear that pinging google.com  was good  earlier on both IPv6 & IPv4

Now IPv4 works   but IPv6 fails when you specify google,com   /   but works when you ping 172.217.1.142

IPv6 fails when you specify yahoo.com   /   but works when you ping  72.30.35.10

What's the mystery?

IPv4 works. MWB breaks IPv6 pings.

What's mysterious about that?

The real mystery is why they seem totally unable to fix it.

[Maurice Naggar]

You may consider using TCPING.exe https://www.elifulkerson.com/projects/tcping.php
You may consider using NMAP which comes with a utility called NPING
https://nmap.org/download.html

 

[bdg2]

11 minutes ago, Maurice Naggar said:

You may consider using TCPING.exe https://www.elifulkerson.com/projects/tcping.php
You may consider using NMAP which comes with a utility called NPING
https://nmap.org/download.html

 

Why?

Anyway I don't see how they help if, say, I use a web page that has a script that pings test sites.

Your first link is blocked by MWB anyway.

[bdg2]

I'm uninstalling MWB 4.

It was a mistake to try it before the final V4 version just the same as it was with version 3 before. None of V3 releases I tried were acceptable until the final one before V4 was released.

I'm fed up with being stuck on a clunky version that makes my PC freeze for several seconds at intervals while a bug with IPv6 in later versions is ignored.

I keep getting told to try beta versions that refuse to install on my PCs.

[exile360]

1 hour ago, bdg2 said:

I keep getting told to try beta versions that refuse to install on my PCs.

What happens when you try to install them?  How are you trying to install them exactly?  I have not heard of anyone else having any issues with getting any of the betas installed so this issue may indicate further issues beyond the IPv6 issue.

[rahe]

Because of the problems I am running version 4.0.4.49 as advised. But this version is constantly nagging with "New version available" although "Automatically download and install updates" and "Notify me when a new version is availabe" is DISABLED. Why is this happening? This notifcation also draws over games and all applications.

 

 

[exile360]

Malwarebytes must have downloaded the new build prior to the two update settings being disabled.

Perform a clean uninstall/reinstall of Malwarebytes, then immediately disable those two options and it should no longer prompt you to upgrade.

1. Download and run the Malwarebytes Support Tool
2. Accept the EULA and click Advanced tab on the left (not Start Repair)
3. Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes
   

Edited June 29, 2020 by exile360

[Porthos]

4 hours ago, rahe said:

I am running version 4.0.4.49 as advised. But this version is constantly nagging with "New version available" although "Automatically download and install updates" and "Notify me when a new version is availabe" is DISABLED. Why is this happening?

You must have not disabled it fast enough and it triggered it. You have to be quick to toggle it off.

See if you can find a MBsetup file in this folder. It is hidden by default. If yes, Exit Malwarebytes from the system tray and proceed to delete the file.

C:\ProgramData\Malwarebytes\MBAMService\instlrupdate

Edited June 29, 2020 by Porthos

[Daggerheart]

On 6/13/2020 at 10:03 AM, Maurice Naggar said:

...

Prior to this for a short time, I had had Cloudfare set as the DNS server.   Wile web browsers worked ;   Ping was not succeeding.

Why that was so I have no idea.

That's interesting, I do have my ipv6 networking configured for DHCP but my router is utilizing cloudflare as the DNS resolver and that's the what is being sent to my devices. I do know the 1.1.1.1 has caused some network shennanigans (not so much at home but at work) but it would be weird if the IPV6 DNS address was causing issues as well.  That said did try to change from cloudflare to google's ipv6 dns and the issue persists.

DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
                                    2001:4860:4860::8844
                                    1.1.1.1
                                    1.0.0.1
                                    8.8.8.8

This particular DNS config ping still randomly cuts out. Between 7 and 21 is where I turned on Web Protection

$ ping google.com
PING google.com(dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e)) 56 data bytes
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=1 ttl=115 time=10.1 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=2 ttl=115 time=9.99 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=3 ttl=115 time=9.82 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=4 ttl=115 time=20.9 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=5 ttl=115 time=9.79 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=6 ttl=115 time=12.2 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=7 ttl=115 time=9.59 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=21 ttl=115 time=9.75 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=22 ttl=115 time=9.87 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=23 ttl=115 time=10.4 ms
64 bytes from dfw28s04-in-x0e.1e100.net (2607:f8b0:4000:815::200e): icmp_seq=24 ttl=115 time=10.0 ms
^C
--- google.com ping statistics ---
24 packets transmitted, 11 received, 54.1667% packet loss, time 23031ms
rtt min/avg/max/mdev = 9.594/11.123/20.862/3.151 ms

So Maurice ipv6 ping works just fine for you on the current stable version of mbam?

[bdg2]

On re-reading what Maurice Naggar wrote it looks like he doesn't really know much at all about IPv4 and IPv6.

He seems to be puzzled by being able to ping an IPv4 address and not getting an IPv6 error!

I wonder if the same level of ignorance prevails throughout everyone at MalwareBytes.

It certainly would explain a lot.

[exile360]

Maurice is a volunteer, not an employee of Malwarebytes, just FYI.

[Daggerheart]

Looks like 4.2 has not addressed this issue still.

[exile360]

That's correct, there was no mention of this issue in the release notes so the Developers must still be working on this issue.  Once it has been fixed someone from the staff will most likely respond to this and other threads where the issue is being discussed to let everyone know that it has been corrected.

[moraga695]

As exile360 said, wait for the developers to respond that they have fixed the IPv6 ping issue. However, since this problem has been known for some time, I’m guessing that it is WAY down on their list of things to do. Get ready to wait for a much longer time! As a many year loyal user, I’m very disappointed in how this was not fixed a long time ago. I’ll soon be shopping for a replacement. 

[exile360]

5 hours ago, moraga695 said:

As exile360 said, wait for the developers to respond that they have fixed the IPv6 ping issue. However, since this problem has been known for some time, I’m guessing that it is WAY down on their list of things to do. Get ready to wait for a much longer time! As a many year loyal user, I’m very disappointed in how this was not fixed a long time ago. I’ll soon be shopping for a replacement. 

My fear is that it may not be possible for Malwarebytes to fix it on their end, having already seen issues with WFP which were the result of poor implementation on the part of Microsoft for their own APIs which are used by the Web Protection in Malwarebytes, and it is my fear that this issue may be something only they (Microsoft) can resolve on their end.  It is far more difficult to get Microsoft to act on something than it is to get Malwarebytes to do so.  It is also quite possible that it is simply an exceptionally difficult issue to fix and may be taking Malwarebytes' Developers a long time to address.  Issues where BSODs and/or loss of internet connectivity as we have here tend to be among the highest priority due to the level of impact and disruption to the users, though of course the number of users affected is also a factor.

I know that they have already fixed most of the reported past issues with Web Protection over the past several releases, and while I am still hopeful for a fix, I also know that it is unfortunately entirely possible that there is simply nothing Malwarebytes can do to fix it.  Of course, I am not a Developer so I cannot speak for them either; I only speak from my observations as well as experiences with past issues (both externally as a Malwarebytes user, as well as internally as former Product Manager for the Malwarebytes product).

[moraga695]

Hello exile 360,

You seem to be suggesting that an IPv6 ICMP ping packet somehow needs to be a part of Malwarebytes Web protection and that Microsoft might have something to do with the problem. I can successfully do IPv6 pings from Microsoft programs. It’s only when Malwarebytes Web protection interferes with IPv6 ICMP packets (and not IPv4 packets) that the problem arises. Can you tell me how someone might be infected with malware via IPv6 ping packets requiring them to be blocked?

 

[exile360]

I'm suggesting that the issue with Web Protection, which uses Microsoft's WFP APIs, *might* be due to an issue with MS' implementation of WFP only because I've already seen past issues with Web Protection that were.  WFP drivers/filters, like the Web Protection in Malwarebytes, need to guard all connections in and out of a device, which includes ping and every other type of packet/connection because it operates on the same level of the network stack as the Windows Firewall itself.  They could whitelist IPv6 ping so that it is not filtered/analyzed by Web Protection, however that would mean that if it ever were abused for malicious purposes by the bad guys that Malwarebytes' Web Protection wouldn't be able to detect it or stop it.

[hapx]

Hello,

I have just registered with this forum in order to join my complaints about MBAM Web Protection blocking IPv6 ping.
This topic saved me lot of headache since I was desperately investigating why my IPv6 ping did not work for external Internet sites
like ipv6.google.com. Of course test with http://test-ipv6.com/ has been done with 10/10 result.

The problem is alive regardless of DNS settings of my network interface cards (Ethernet, Wi-Fi): automatic, Google, Cloudflare or OpenDNS. I am running MBAM v4.2.1.

It is really strange that Malwarebytes team did not yet fix this problem that has been pointed out by @bgd2 since Feb 8th, 2020.
 

[Maurice Naggar]

Hello.   Good afternoon.

The latest Beta of Malwarebytes for Windows includes a fix for   PING  w    IPv6

See    https://forums.malwarebytes.com/topic/262752-malwarebytes-42-beta/?do=findComment&comment=1412784

 

 

You may opt your program intro the Beta  and then apply this  and check it out for yourself.

Start Malwarebytes.    Then click on the Settings icon  at top right.

Then look on the GENERAL tab.    Scroll down to " Beta Updates "      and click that to the Right side   (  ON  ) .

Then scroll back up to the top at "Application Updates"   and click on the button " Check for Updates ".     Have patience   & follow all the prompts.

The latest Beta is Version 4.2.1.89    with   Component package 1.0.1070     💢     

 

Please let us know if this helps.

Sincerely.

Edited October 8, 2020 by Maurice Naggar