Constant notifications for blocked inbound RDP connections

[bjp1662]

I'm in the trial period of Malwarebytes Premium and I am constantly (~once a minute) getting popups in the corner of my screen telling me about an inbound RDP connection Malwarebytes has blocked.  I think the wording is poor -- "Website blocked due to compromised" is both grammatically incorrect and there is no "website" that was blocked, just a remote client.  But, the real issue is that I have a Windows firewall rule that I would expect to prevent Malwarebytes from ever seeing this connection attempt.  I block everything from that remote IP address (see Firewall.PNG).  Just for good measure, I also block if that IP address were the local IP address, since there is a post in this forum that links to instructions on blacklisting an IP in the firewall which uses the local IP rather than remote (which seems wrong).

Why does this Malwarebytes window pop up even though the connection should be blocked in my firewall and therefore never seen by Malwarebytes?

MalwarebytesBlock.txt

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[exile360]

Greetings,

The Web Protection component uses a WFP filter/driver which is the same API/framework used for the built in Windows Firewall and most modern firewalls and network filtering tools in Windows so your firewall and the Web Protection in Malwarebytes actually see the connection attempts at the same time.  To avoid the block notifications you could try blocking those particular ports (if you don't use RDP) and/or IP addresses in your router/modem if it has such functions available so that the connection attempts/port scans never reach your system.

[bjp1662]

Wow, a very nice answer very quickly -- impressive.  Unfortunately neither of the two router layers this computer is behind has the capability to block incoming connections by remote IP, but definitely a reasonable suggestion.  I do use RDP (very handy; sole reason to get Windows Professional over Home for me), so I don't want to close that port.  I could change the port number, but that's only a temporary solution.

Is there a way to configure Malwarebytes to not pop up notifications for this kind of protection?  It looks like adding this (malicious) IP to my "Allow" list would achieve the desired result (no pop-ups, still protected by Windows Firewall), but that feels a little dirty.

As an advanced feature request, is there any way a future version of Malwarebytes could check the Windows Firewall settings so as not to duplicate them?

I'm open to other suggestions to avoid this pop-up, but I suppose the current "best" solution appears to be to add the malicious IP to my Malwarebytes "Allow" list after adding a blacklisted Windows firewall entry.  Second choice after that currently would probably be finding a different brand of protection software 😕

[exile360]

Yes, unfortunately adding the IP to your Allow List or disabling notifications entirely would be the only two options in Malwarebytes at the moment as there is currently no way to disable notifications for a specific module or specific IP/detection.  Switching to a different port for RDP would actually be a pretty good idea from a security perspective since the entire reason those specific ports get scanned is due to known vulnerabilities in RDP that impact some systems, so using a different port would at the very least shield your system from any of their scripts/scans which rely on targeting the default Windows/RDP configuration.  I do not know whether doing so would impact any of the tools you might use with RDP though, so that also may not be an ideal solution if you use any utilities or applications which rely on the default ports/configuration for RDP.

In fact, changing ports for RDP is one of the security measures recommended in this Malwarebytes Labs article on the subject, in addition to several others you might find useful for helping to secure your devices against attack.