IP Protection


How does Malwarebytes build the "bad IP" list? Since turning on protection about 5 days ago I have noticed:

  1. Much more erratic browser behavior with lots of "site not found" errors. These are not MBam popups about bad sites, but browser messages about sites not available.
  2. Many sites that I believe to be pretty innocent are being flagged as bad. I know that I can tell MBam to add them to the Ignore List, but I would prefer to know how they go on the bad list in the first place.
  3. I looked through the forum sticky about how Protection Mode works and it implied that each site blocked creates a log file or an entry into a log file. The location indicated contains just scan run logs.


Greetings MWE :P

> How does Malwarebytes build the "bad IP" list?

It is built based on threat research where malware is discovered to be distributed from and/or phishing scams and other malicious activities.

> much more erratic browser behavior with lots of "site not found" errors. These are not MBam popups about bad sites, but browser messages about sites not available

If there is no message from MBAM's tray module and you haven't disabled the notifications, then it isn't MBAM preventing access to the site(s) in question.

> many sites that I believe to be pretty innocent are being flagged as bad. I know that I can tell MBam to add them to the Ignore List, but I would prefer to know how they go on the bad list in the first place.

Domain names are not blocked by MBAM; it blocks actual IP addresses, and multiple sites can share the same IP address. The reason for this is that malware authors can much more easily change domain names than they can their IP address, due to cost and other factors, so it is much more effective to block the IP that is the source of the malicious activity. An IP or range is only added to the blocklist after attempting to contact the hosting provider and reporting the abuse; if no response is received and/or the site or range's malicious content is not removed within a timely manner, the site or range is blocked in the MBAM IP Block List (sometimes entire ranges of IPs are blocked due to the majority of the sites in a particular range containing malicious content).

> I looked through the forum sticky about how Protection Mode works and it implied that each site blocked creates a log file or an entry into a log file. The location indicated contains just scan run logs

The protection logs are stored under C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs if you're using Windows XP; if you're using Vista or Windows 7, then they would be in C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs.

The location of scan logs is C:\Documents and Settings\Your Username etc, and in Vista and 7 it would be C:\Users\Your Username etc.

If a site is blocked and you believe it to be a false positive then please refer to this post: IP Blocking False Positives and post the info here: False Positives and one of our researchers will respond with why a particular IP is blocked and look into whether the block can be removed or not.

If you require anything further please post.

Thanks :)
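
Added example, not part of the original thread and not Malwarebytes' code: a small Python sketch of why blocking by IP address or range also catches unrelated sites on the same address. The blocklist entries, hostnames and addresses are constructed (documentation address space), and the hostname-to-IP map stands in for DNS answers so it runs offline.

```python
import ipaddress

# Constructed blocklist: one single address and one whole range.
BLOCKLIST = ["192.0.2.10", "198.51.100.0/24"]

# Constructed hostname -> IP answers (what DNS would have returned).
RESOLVED = {
    "malicious.example": "192.0.2.10",
    "innocent-blog.example": "192.0.2.10",  # shared hosting, same IP
    "shop.example": "198.51.100.77",        # falls inside the blocked range
    "news.example": "203.0.113.5",          # not listed
}

def load_blocklist(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def matching_entry(ip, networks):
    """Return the most specific blocklist entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in networks if n.version == addr.version and addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def explain_blocks(resolved, networks):
    """For each blocked hostname, report which entry matched and which
    other hostnames are caught by that same entry."""
    report = {}
    for host, ip in resolved.items():
        entry = matching_entry(ip, networks)
        if entry is None:
            continue  # this hostname is reachable
        neighbours = sorted(
            h for h, other in resolved.items()
            if h != host and matching_entry(other, networks) == entry
        )
        report[host] = {
            "ip": ip,
            "entry": str(entry),
            "kind": "range" if entry.num_addresses > 1 else "single address",
            "shares_entry_with": neighbours,
        }
    return report

if __name__ == "__main__":
    for host, info in explain_blocks(RESOLVED, load_blocklist(BLOCKLIST)).items():
        print(host, info)
```

When reporting a suspected false positive, the matched address or range is the useful detail, since the hostname itself is never what the filter evaluates.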
