MBAM Connection

Discussion in 'other anti-malware software' started by RedDawn, Jul 7, 2011.

Thread Status:
Not open for further replies.
  1. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Even though I have 'Anonymously report usage statistics' unchecked, MBAM still tries to phone home each time I scan a file with it via the context menu.

    Anyone else seeing this?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Maybe it's checking for updates?
     
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    I'll check on this for you, the server side of things is not my end of the project.
     
  4. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    Yeah, it does the same on my systems.
     
  5. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Thanks, Bruce, appreciate it.

    ------------------------

    Thanks for the confirmation, Firebytes.
     
  6. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30°C
    Same behavior here. The Pro version also does this (although randomly) when doing a Flash scan. It's on port 443 so I can't sniff the contents... :ninja: Possibly checking for a valid license?
     
  7. tedivm

    tedivm Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    6
    When anonymous statistics is enabled MBAM sends back data on the operating system, architecture, language and other system data (all of which is fairly generic and is used by us to target new translations and QA testing). Additionally anonymous statistics lets mbam send data about malware it detects.

    When you disable anonymous statistics all of that stops. However, server/client communication still needs to happen for different types of functionality. As rottenbanana guessed, the pro version does check in with its license for certain things. Updates also go through our servers (or our intermediary CDNs), which obviously involves a bit of server client communication.

    There is one additional item this could be- even when anonymous statistics are disabled the mbam client will ping our server under certain circumstances. This ping doesn't contain any of the anonymous data mentioned above, but can be used to maintain a count of clients. This is the same data that comes through in the logs from updating, but by using this ping to maintain a count we can throw out the update logs much sooner, which is a priority for us as HTTP logs contain more information than we collect.

    I hope this answers your questions- I'll make sure to follow this thread and answer any more that happen to come up.
     
  8. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30°C
    Thanks for your response. Nice to have the license verification go through SSL, I'd hate to have the key transmitted in the open. :) So the above means MBAM won't send anything regarding infections, if the statistics option is unchecked? I always assumed infection data would be sent anyway, and that the checkbox only meant the generic stuff you mentioned.

    Although I'm fairly sure I already know the answer, I'll ask anyway - do these statistics include folder/file names of anything outside the Windows directory? If general statistics is all it sends, I wouldn't mind enabling that option even though usually I hurry to disable anything of the sort.
     
  9. tedivm

    tedivm Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    6
    If anonymous statistics is disabled we do not collect any information on the infections. That's your data to share or not.

    We also do not include any folder or file names at the moment. If we ever do include any additional or enhanced malware statistics like that we will make sure it can be managed separately.
     
  10. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30°C
    Now there's a policy I can support. :thumb:
     
  11. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Thanks for the reply, Robert.

    Please don't take any offense, but it sounds like you're either not quite sure why MBAM is phoning home after a context menu scan, or you're avoiding giving a direct definite answer. I don't believe it's checking for updates or validating any license, and it doesn't seem logical to be pinging your server every time a context menu scan is run, just to maintain a client count. What does seem logical, and what I suspect is going on, is that MBAM is sending home usage statistics, even if that setting is unchecked in the GUI.

    Can you categorically state that this is not what's happening?
     
  12. tedivm

    tedivm Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    6
    I'm not avoiding anything- I gave an overview of what is happening, but am still hanging around to make sure any follow up questions are answered. I personally designed this system, and (for security reasons) am the only person with access to the raw data, so I know exactly what is or isn't happening.


    To clear up a few points-

    This shouldn't be happening- there is no reason at all it should ping the server every time a context menu scan is run. The way the "pings" work is pretty simple- the client waits for a certain "trigger" action (which can be a scan, update, or registration) and, if the trigger hasn't been hit in a certain amount of time (one day) it'll send a ping. If you do two context scans in a row, after not having used mbam for a day, then the first scan will trigger a ping and the second one will not.

    If you are still seeing multiple pings in short periods of time, please make sure you're running an up to date version of mbam. If the problem persists then we'll certainly look into it- but it's a bug, not intended behavior. In fact, we don't want to keep any data we don't have to, so those second pings (should they happen) get tossed out.


    Can you define what you think as "home usage statistics" here? In theory a "count" is home usage statistics, and I already said we are maintaining a count. If you mean data about the home machine- language, os, malware detections, etc- then, as I already said, we aren't collecting that when anonymous statistics is disabled.

    This is what I said in the original message-

    Simply put, it doesn't make "logical" sense to use two separate systems to maintain one piece of statistical data (a client count), so instead of trying to hack two systems together we piggy back off of the one.


    I'd be happy to answer more questions and clear things up if you have them.
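
The ping gating described in the post above, modelled as an added example; this is not part of the thread and not Malwarebytes code. The class and function names, the assumption that the last-ping time persists between runs, and the sample events are constructed for illustration. `unexpected_pings` applies only to connections already identified as the count ping, since updates and license checks also contact the servers.

```python
from datetime import datetime, timedelta

PING_INTERVAL = timedelta(days=1)               # "a certain amount of time (one day)"
TRIGGERS = {"scan", "update", "registration"}   # trigger actions named in the post


class PingGate:
    """A trigger sends a ping only if no ping was sent within the interval."""

    def __init__(self, interval=PING_INTERVAL):
        self.interval = interval
        self.last_ping = None  # assumption: a real client persists this between runs

    def on_trigger(self, action, now):
        if action not in TRIGGERS:
            return False
        if self.last_ping is not None and now - self.last_ping < self.interval:
            return False       # gate still closed: no connection for this trigger
        self.last_ping = now
        return True


def replay(events):
    """Return the (timestamp, action) events that would send a ping."""
    gate = PingGate()
    return [(ts, a) for ts, a in sorted(events) if gate.on_trigger(a, ts)]


def unexpected_pings(observed, interval=PING_INTERVAL):
    """Flag observed ping times that fall inside the interval of the last valid ping."""
    flagged, last_ok = [], None
    for ts in sorted(observed):
        if last_ok is not None and ts - last_ok < interval:
            flagged.append(ts)  # the post calls repeats like this a bug
        else:
            last_ok = ts
    return flagged


# Constructed sample: two scans more than a day apart, then two in a row.
SAMPLE_EVENTS = [
    (datetime(2011, 7, 7, 9, 0), "scan"),
    (datetime(2011, 7, 8, 10, 30), "scan"),
    (datetime(2011, 7, 8, 10, 35), "scan"),
    (datetime(2011, 7, 8, 10, 36), "open-settings"),  # hypothetical non-trigger action
]

if __name__ == "__main__":
    for ts, action in replay(SAMPLE_EVENTS):
        print("ping sent:", ts.isoformat(" "), action)
```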
     
  13. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Thanks for the explanation, Robert.

    The context menu scans I performed were indeed a day or more apart, and I now understand why I was seeing an outbound connection each time. I just ran a couple of scans in a row, and as you mentioned above, only the first scan triggered a ping.

    Please accept my sincere apologies for jumping to conclusions.
     