DrewGee, posted October 1:

Hello, this morning MB started giving me warning pop-ups at seemingly random intervals, including just after startup and before I run any interactive programs:

Website blocked due to Trojan
If you don't want to block this website, you can exclude it from website protection by accessing Exclusions.
IP Address: 100.64.100.6
Port: 137
Type: Outbound
File: System

The following malware scans have all come up clean:
- MB (including Rootkit scan)
- Norton
- AVG (quick, deep, and file)
- Hitman Pro
- Windows Defender (quick + some targeted file scans)

I've attached one of the Blocked Reports. Is this likely to be a false detection?

Attachment: Malwarebytes Website Blocked Report 2024-10-01 053616.txt
Porthos, posted October 1:

> 7 minutes ago, DrewGee said: Is this likely to be a false detection?

Let's find out. I will move you to the correct section to find out.
David H. Lipman, posted October 1:

You need to be behind a Firewall such that NetBIOS over IP does not leak to the Internet. A Router with a full Firewall or Firewall constructs can block egress and ingress of NetBIOS over IP.

Some notes and tips for the Router:
- Disable acceptance of ICMP Pings.
- Change the Default Router password using a Strong Password.
- Use a Strong WiFi password on WPA2 using AES encryption, or Enable WPA3 if it is an option.
- Disable Remote Management.
- Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
- Change the network name (SSID). Do not use your Name, Postal address or other personal information. Make it unique or whimsical and known to your family/group.
- Mitigate SSID Confusion attacks [CVE-2023-52424] by avoiding credential reuse across SSIDs by using a unique password per SSID. Example: One password for 2.4GHz and a different password for 5.0GHz.
- Is the Router Firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
- Specifically set Firewall rules to BLOCK: TCP and UDP ports 69, 135 ~ 139, 161, 445, 1234, 3389, 5555 and 9034.
- Many Routers support Saving and Restoring settings from a file. It is suggested to make a backup by saving your Router's settings once it has been configured.
- Document passwords created and store them in a safe but accessible location.

NOTES:
- The above suggested tips may be dependent upon one's preferences and the Router's capabilities.
- Same rule of applying Strong Passwords on all IoT devices, never retaining the Default.

References:
- What is a Cable Modem?
- What is a Router?
- What is a Modem+Router?
- How To Reset Your Router
- Ports Database
- IANA official ports
DrewGee (Author), posted October 1:

Thanks! I do have a full firewall both on my router and via Norton. But before I dig into my router, there's an interesting twist: I've just noticed that when I restart my PC, the message comes up within 5 seconds of my VPN connecting (ExpressVPN), regardless of the source it connects to. If ExpressVPN auto-starts, but I prevent it from auto-connecting, there's no message until I manually connect. The warning can appear after that, too, but as far as I can tell it's VPN related. Which makes sense, since as I understand it only something BIOS/network related should be trying to access an IP address in that range on that port. That leaves me moderately comfortable ignoring this, though I still wonder whether this is a mistaken block on MBAM's part.
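As an added example (not from any poster in this thread), here is a small Python triage script for the pop-up quoted in the first post: it parses the alert fields, classifies the destination address (100.64.0.0/10 is the RFC 6598 shared address space commonly seen on VPN tunnels) and port, and checks the port against the block list David H. Lipman suggests above. The alert text is reconstructed from the first post; the field names assumed by the parser are those shown there.

```python
# Added triage helper for a Malwarebytes "Website blocked" pop-up.
# Not code from Malwarebytes or any poster; the field layout is assumed
# from the pop-up text quoted in the thread.
import ipaddress
import re

# Port list from the router-firewall advice in this thread (135 ~ 139 expanded).
SUGGESTED_BLOCK_PORTS = {69, 161, 445, 1234, 3389, 5555, 9034} | set(range(135, 140))

# IANA service names for the ports that matter here.
PORT_NAMES = {137: "NetBIOS Name Service", 138: "NetBIOS Datagram Service",
              139: "NetBIOS Session Service", 445: "SMB"}

# Constructed sample: the fields from the pop-up quoted in the first post.
SAMPLE_ALERT = """Website blocked due to Trojan
IP Address: 100.64.100.6
Port: 137
Type: Outbound
File: System"""

def parse_alert(text):
    """Pull the 'Key: value' fields out of a Malwarebytes block pop-up."""
    fields = dict(re.findall(r"^([A-Za-z ]+):\s*(.+)$", text, re.MULTILINE))
    return {"ip": ipaddress.ip_address(fields["IP Address"]),
            "port": int(fields["Port"]),
            "direction": fields["Type"],
            "process": fields["File"]}

def classify_ip(ip):
    """RFC 6598 shared space (CGNAT / VPN tunnels), other non-public, or public."""
    if ip in ipaddress.ip_network("100.64.0.0/10"):
        return "shared address space (RFC 6598)"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private/reserved (non-routable)"
    return "public"

def triage(text):
    a = parse_alert(text)
    a["ip_class"] = classify_ip(a["ip"])
    a["service"] = PORT_NAMES.get(a["port"], "unknown")
    a["in_suggested_block_list"] = a["port"] in SUGGESTED_BLOCK_PORTS
    # Outbound NetBIOS from the System process to a non-public address is
    # consistent with Windows name resolution on a local or tunnel subnet,
    # not with contact to a remote website.
    a["looks_like_netbios_leak"] = (a["direction"] == "Outbound"
                                    and a["port"] in (137, 138, 139)
                                    and a["ip_class"] != "public")
    return a

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Run it against the text of a saved Blocked Report to get the same classification for any other alert.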
surfblue, posted October 1:

I've been getting these warnings just now; seems to be after activating my Express VPN too.
David H. Lipman, posted October 1:

@surfblue Please start your own thread.
Crab91764, posted October 1:

I experienced something similar. I think it is ExpressVPN trying to send a message out?
Porthos, posted October 1:

> Just now, Crab91764 said: I experienced something similar. I think it is ExpressVPN trying to send a message out?

Please start your own topic as well.
TeMerc (Staff Solution), posted October 1:

This VPN related IP block has been disabled.