Malwarebytes has an "Allow" list.  What I'm looking for is a "Block" list.

Recently (as in, the past hour or so) a bunch of IPs from Russia have been poking at my PC and I'd like to not be notified of this every 10 seconds.  I've tried blocking them within the Windows firewall but MB apparently still catches the attempt.

What I don't want to do:

  • Add those IPs to the allow list, for obvious reasons.
  • Disable _all_ popups.

Is there a way to remove popups for that specific range of IP addresses while still having them blocked silently (preferably still recorded in MB's history, but not critical since I've already got dozens of copies of the report)?  I've had to go with disabling all popups for now but you never know when some different unrelated problem will crop up that I may not want to simply ignore.

Or maybe a setting to prevent repeated duplicate popups within X minutes or something..?


Sorry, they're incoming.  Being picked up by svchost.exe so can't even tell what they're trying to hit.

Here's the export from one of the most recent events.  All of this is fine (and expected and what I want.)  I just want the notification to be less annoying/intrusive since I can't tell the computer in Russia to knock it off.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/28/20
Protection Event Time: 6:05 PM
Log File: b54f98e4-e993-11ea-a08d-b42e9932c424.json

-Software Information-
Version: 4.2.0.82
Components Version: 1.0.1025
Update Package Version: 1.0.29177
License: Premium

-System Information-
OS: Windows 10 (Build 19041.450)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 193.27.228.15
Port: 37534
Type: Inbound
File: C:\Windows\System32\svchost.exe

(end)


Yes to both questions.  I could try turning it off temporarily but that doesn't really solve the problem.

If I may ask, where did you get RDP from?  Just reading down a list of "common" things or is there something in that log that suggests it might be the culprit?


1 minute ago, altrag said:

where did you get RDP from?  Just reading down a list of "common" things or is there something in that log that suggests it might be the culprit?

The incoming connections are probing the open ports for RDP.

The probes will cease after a while.


The attempts on various ports are tried by bots. But they are STOPPED by the Malwarebytes real-time web protection.

Malwarebytes is protecting your system.

See this article  https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

 

In most cases the attempted probes will eventually stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

Here is how to block a port number in Windows

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

 

How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/


Hello altrag.

Just wanted to mention a couple of other tips. When you are finished with your computers at end-of-day, it will help a lot to do Windows "shutdown" on each machine. Being shut down means your systems can't be sensed.

The bad guys seek out machines able to do remote desktop as being prime candidates.   Keep in mind these involve automated bots.

The block events are on IP addresses that the Malwarebytes researchers have determined as containing harmful content.

 

You can block one or more IP addresses in the Windows 10 Windows Firewall by setting a new Inbound Rule.

See   https://www.cm3solutions.com/block-ip-address-ip-range-using-windows-firewall/

 

To get started go to Control Panel >> System and Security >> Windows Defender Firewall and then on the left side list, click on Advanced Settings

then follow the example in the article cited above.
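
The steps suggested in the replies above (checking whether Remote Desktop is what is exposed, then adding an inbound block rule for the probing address), as an added PowerShell example that is not from any poster in this thread. It assumes an elevated PowerShell prompt on Windows 10; the address is the one shown in the log export earlier in the thread, and the rule name is a made-up label.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread.
# $BlockedIps: address copied from the "IP Address" field of the log export above.
# $RuleName:   hypothetical label chosen for this example.
$BlockedIps = @('193.27.228.15')
$RuleName   = 'Block inbound probe sources (example)'

# 1. Is Remote Desktop enabled, on which port, and is anything listening there?
$ts        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$rdpPort   = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
$listener  = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue

[pscustomobject]@{
    RdpEnabled   = ($rdpDenied -eq 0)   # 0 means connections are allowed
    RdpPort      = $rdpPort
    RdpListening = [bool]$listener
}

# 2. Create the inbound block rule once; on later runs merge new addresses
#    into the same rule instead of piling up duplicate rules.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $BlockedIps -Profile Any | Out-Null
} else {
    $current = @(($existing | Get-NetFirewallAddressFilter).RemoteAddress)
    $merged  = @($current + $BlockedIps | Sort-Object -Unique)
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
}

# 3. Read the rule back to confirm what is now blocked.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action,
        @{ Name = 'RemoteAddress'
           Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ' } }
```

If `RdpEnabled` is true and Remote Desktop is not needed on the machine, turning it off removes the service the probes are looking for, which the firewall rule alone does not.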
