Malwarebytes Anti-Malware's malicious website blocking module

[justenough]

For all I know it has been there for a long time, but I just discovered that you can run MBAM's malicious website blocking feature real-time without enabling the filesystem protection module. The button to turn it on is under the 'Protection' tab. It's been running for a couple of days now on my computer without problems with my other browsing protection. Anyone have any information on it or know how effective it is? Or how long it's been available?

[Mman79]

As far as I'm aware, the IP blocker has been there a good long time. What it does ( at least my take on it) is check whether an IP address you're connecting to or attempting to is associated with known malware distribution or is currently hosting malware either through temporary infection or intentionally. If it determines the IP unsafe, it will refuse to either load the website associated with that website or the link/s on an otherwise safe website associated with the troubled IP address. It's usually quite effective in my past experiences with it. Sometimes a little too effective at times What I mean by that is that there have been times that an IP wasn't infected, but, as with the case of P2P websites, were considered "risky" and therefore were blocked.

It works very well and is a great tool to have in your defense if you so desire. Just be aware there may be times you and it may disagree

[Techwiz]

A recent update to Malwarebytes has allowed users to independently enabled/disable the File System Protection and Website Protection. Also eliminated having to reboot after installing the update.

[itman]

It uses a black listing of known malicious IP addresses. I would consider it basic protection at best. Problem is the sheer number of web sites that can be infected on a daily basis makes effective maintenance of black lists almost impossible.

Personally I like the proactive approach. Install the WOT add-on to your browser and you will get a visual display of if a web site is safe or not prior to selecting it. Also if your the "asleep at the keyboard type", WOT will warn you of a malicious web site prior to entering it.

Bottom line is with today's malware, you need browser protection that will detect malicious activity via behavior, hueristics, and file signatures.

[Mman79]

Please be cautious with WOT however. It can be a decent tool to get an idea of what to expect, but be aware a good amount of ratings are user-driven and not necessarily proof a website is good or bad.

[Page42]

Quote:

Originally Posted by justenough

Anyone have any information on it or know how effective it is? Or how long it's been available?

Malwarebytes introduced IP Protection into Malwarebytes' Anti-Malware in v1.40.
I couldn't find the exact date, but I do know that v1.43 was released on December 30th, 2009, so it was sometime prior to that... a good 3 years ago.

A little more info can be found here...
IP Protection Module
http://forums.malwarebytes.org/index...0&#entry162100

I run MBAM Pro on 3 machines, justenough, including the Website Blocking (IP Protection Module). I find it to be a far greater asset than any problems it might cause with blocking non-infected sites, and if I want access to a blocked site, it's easy to add it to the Ignore List.

[nosirrah]

Just because it rarely gets mentioned.....

MBAM also blocks uploads to malicious servers.

Quote:

It uses a black listing of known malicious IP addresses. I would consider it basic protection at best. Problem is the sheer number of web sites that can be infected on a daily basis makes effective maintenance of black lists almost impossible.

Personally I like the proactive approach. Install the WOT add-on to your browser and you will get a visual display of if a web site is safe or not prior to selecting it. Also if your the "asleep at the keyboard type", WOT will warn you of a malicious web site prior to entering it.

IP based is more proactive than domain based. One IP can have almost unlimited domains and something like WOT would have trouble keeping up rapidly generated domains while we should just block the IP outright. That being said WOT + MBAM is even better.

[LoneWolf]

Quote:

Originally Posted by nosirrah

Just because it rarely gets mentioned.....
MBAM also blocks uploads to malicious servers.

Good to know.

[Page42]

Quote:

Originally Posted by nosirrah

Just because it rarely gets mentioned.....
MBAM also blocks uploads to malicious servers.

Marcin mentioned it in his recent interview.

Quote:

We have a website blocking module that basically blocks your computer from ever accessing servers that can contain malware. So, if you visit a website that was hijacked and has an ‘iframe’ in there trying to pull a malicious executable and get it on your system, Malwarebytes will let the page load but block access to the executable from a malicious server.

~snip~

There are two more things I want to add here. Let’s say you download a sketchy piece of software, and once you start the installation process, it starts installing malware as well because they get paid money for every installation that people do. This is not an uncommon issue, whether it’s adware or toolbars, some free applications make their money this way. In those cases our IP blocking module detects that connection and blocks it. So you can actually continue your install without installing any malware. So, that’s number one.

Number two is let’s say you download malware from a specific server that we failed to detect. That’s our miss and unfortunately the malware is now installed. However, we can still mitigate part of the problem, because as soon as it starts pulling other malicious software from a server that we do know, we will block that transfer. This can prevent vital components of the malware to be downloaded, thus lowering the risk for you.

Interview with Malwarebytes' founder, Marcin Kleczynski

[justenough]

Thanks for the links and other good information. The more I learn about MBAM the more I appreciate what it can do. I knew that MBAM had malicious website blocking, but a couple of days ago I first saw that you have the choice to run it real-time without also running 'filesystem protection'. Since the internet is my main security risk, being able to use the malicious website blocking on its own is just what I need, glad it's become available.

[gery]

Quote:

Originally Posted by Techwiz

A recent update to Malwarebytes has allowed users to independently enabled/disable the File System Protection and Website Protection. Also eliminated having to reboot after installing the update.

it is not recent . it used to be like that for sometimes now. At list i had it last year and it did so for me

[justenough]

Quote:

Originally Posted by gery

it is not recent . it used to be like that for sometimes now. At list i had it last year and it did so for me

You may be right gery, I'm certainly capable of not seeing the separate website browsing option in MBAM when it's been right in front of me.

[Page42]

Quote:

Originally Posted by justenough

I knew that MBAM had malicious website blocking, but a couple of days ago I first saw that you have the choice to run it real-time without also running 'filesystem protection'.

Perhaps this is the answer you seek...

Version 1.51 (May 31st, 2011)

Website Blocking is now disabled when protection is turned off.

Version 1.60.0.1800 (December 27th, 2011)

Settings for Protection Module behavior can be changed without protection being active.

Malwarebytes Anti-Malware History / Updates

[itman]

~snip~

Quote:

There are two more things I want to add here. Let’s say you download a sketchy piece of software, and once you start the installation process, it starts installing malware as well because they get paid money for every installation that people do. This is not an uncommon issue, whether it’s adware or toolbars, some free applications make their money this way. In those cases our IP blocking module detects that connection and blocks it. So you can actually continue your install without installing any malware. So, that’s number one.

Number two is let’s say you download malware from a specific server that we failed to detect. That’s our miss and unfortunately the malware is now installed. However, we can still mitigate part of the problem, because as soon as it starts pulling other malicious software from a server that we do know, we will block that transfer. This can prevent vital components of the malware to be downloaded, thus lowering the risk for you.

I find this hard to believe. If MBAM Pro had this capabilty, it would be in essence operating as an outbound firewall. Great idea though especially for users of Vista and WIN 7 firewalls that only use inbound protection.

[nosirrah]

Quote:

I find this hard to believe. If MBAM Pro had this capabilty, it would be in essence operating as an outbound firewall. Great idea though especially for users of Vista and WIN 7 firewalls that only use inbound protection.

Malwarebytes does not care what kind of connection it is or if its inbound or outbound. If the connection is to a black listed IP then the connection will fail and no data will be transmitted.

This comes in handy for these situations:

Undetected downlaoder attempts to gets it friends from blacklisted IP.
Undetected trojan tries to upload your data to a blacklisted IP.
Exploit on a site tries to pull payload from a blacklisted IP.

I am sure you guys can think of more cases like this but the main point is that this technology does a lot more than block bad sites from loading.

This is not a real firewall though as nothing is evaluated, connections are simply blocked. This allows you to use the firewall of your choice so that the two forms of web blocking combined can synergize each other.

[jmonge]

this is a cool feature indeed

[The Hammer]

Will this conflict with Avira Premium(Paid)2013?

[siketa]

Quote:

Originally Posted by The Hammer

Will this conflict with Avira Premium(Paid)2013?

No.
It is made to be used along with standard AV.
But just to be sure, you can exclude Avira's folder in MBAM and vice versa.

[Frank the Perv]

Quote:

Originally Posted by nosirrah

Malwarebytes does not care what kind of connection it is or if its inbound or outbound. If the connection is to a black listed IP then the connection will fail and no date will be transmitted.

This comes in handy for these situations:

Undetected downloader attempts to gets it friends from blacklisted IP.
Undetected trojan tries to upload your data to a blacklisted IP.
Exploit on a site tries to pull payload from a blacklisted IP.

I am sure you guys can think of more cases like this but the main point is that this technology does a lot more than block bad sites from loading.

This is not a real firewall though as nothing is evaluated, connections are simply blocked. This allows you to use the firewall of your choice so that the two forms of web blocking combined can synergize each other.

Good Explanation.

MBAM is ~ Snipped as per TOS ~

A very good product on multiple levels.

I hope they keep developing and improving the product at the same rate that they have since its inception.

And -- MBAM achieved another impressive score in the most recent MRG tests.

http://www.blog.mrg-effitas.com/

100% passed in Zero Hour test. (SAS got 100% fail -- again)

Good stuff.



-ftp


.

[Osaban]

Quote:

Originally Posted by The Hammer

Will this conflict with Avira Premium(Paid)2013?

When I installed Avira Premium 2013, it asked me to uninstall MBAM even though its real time protection was disabled. I did as suggested, and re-installed MBAM afterwards with its real time protection disabled, and no problems (apparently anyway).

No matter what, it remains a controversial issue whether MBAM can really co-exist effectively with any AV on any machine, with its real time protection activated. It is good enough for me to have it on demand.

[The Hammer]

Quote:

Originally Posted by Osaban

When I installed Avira Premium 2013, it asked me to uninstall MBAM even though its real time protection was disabled. I did as suggested, and re-installed MBAM afterwards with its real time protection disabled, and no problems (apparently anyway).

No matter what, it remains a controversial issue whether MBAM can really co-exist effectively with any AV on any machine, with its real time protection activated. It is good enough for me to have it on demand.

On demand is basically what I have now with the free version anyway. Thanks.

[Osaban]

Quote:

Originally Posted by The Hammer

On demand is basically what I have now with the free version anyway. Thanks.

I find that to pay for a licence it's not only good to support them (a very dynamic team indeed) but it will update automatically, which is very important even when using it on demand.

[The Hammer]

Quote:

Originally Posted by Osaban

I find that to pay for a licence it's not only good to support them (a very dynamic team indeed) but it will update automatically, which is very important even when using it on demand.

What your saying certainly has merit. But I always check for updates before an on demand scan.

[siketa]

Quote:

Originally Posted by Osaban

I find that to pay for a licence it's not only good to support them (a very dynamic team indeed) but it will update automatically, which is very important even when using it on demand.

...and updates are incremental....
No need to download whole database each time you update it.

[justenough]

Quote:

Originally Posted by nosirrah

Malwarebytes does not care what kind of connection it is or if its inbound or outbound. If the connection is to a black listed IP then the connection will fail and no data will be transmitted.

This comes in handy for these situations:

Undetected downlaoder attempts to gets it friends from blacklisted IP.
Undetected trojan tries to upload your data to a blacklisted IP.
Exploit on a site tries to pull payload from a blacklisted IP.

I am sure you guys can think of more cases like this but the main point is that this technology does a lot more than block bad sites from loading.

This is not a real firewall though as nothing is evaluated, connections are simply blocked. This allows you to use the firewall of your choice so that the two forms of web blocking combined can synergize each other.

Before reading this, I wouldn't have thought to use MBAM as a reinforcement for the firewall. Great to hear, since the strength of the firewall that comes with Windows 7x64 has been a long-term unresolved question for me. I've tried all the main 3rd-party firewalls and always return to the Windows one because it is basically invisible in use, never causing any trouble and is probably adequate for the job. In my particular set-up what this blocking module adds to internet security is on its own more than worth the price of MBAM.