Malwarebytes' Blocking Update

Discussion in 'SpywareBlaster & Other Forum' started by Wide Glide, Jun 17, 2010.

Thread Status:
Not open for further replies.
  1. Wide Glide

    Wide Glide Registered Member

    Joined:
    Jun 17, 2010
    Posts:
    1
    Hello,
    While trying to check for an update to SpywareBlaster, Mbam is blocking
    IP 173.244.198.143
    This issue has also been posted at the Mbam Forum in the "False Positives"
    section HERE

    Regards
    Wide Glide
     
  2. DougCuk

    DougCuk Registered Member

    Joined:
    May 6, 2008
    Posts:
    60
    Location:
    London, UK
    I have this problem as well - and posted the report on the MBAM Forum.
    It would appear the update server used varies with geographic location and maybe local load.
    So some people never see this problem - while others get it occasionally - and some most of the time.

    MBAM support reports this IP is owned by an ISP (SoftLayer) that hosts malware and scam websites.
    It seems odd that Javacool would have an update server on this type of network.

    The update seems to work fine if this IP is unblocked - but obviously something needs to be done to resolve this issue.

    An IP trace resolves this address as - 173.244.198.143.static.midphase.com
    The SpywareBlaster program shows it accessing - updates1.spywareblaster.net
    However this URL has a totally different IP address - so is not really used.

    A port monitor shows SpywareBlaster accessing the following address:
    206-55-108-109.global11325.loc45.simplecdn.net
    Not exactly sure what that means but it might be of some use in tracing the problem.
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Thanks for reporting the issue and hopefully Mbam will unblock the ip address (if possible)
     
  4. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Hi,

    Yup - SpywareBlaster uses a CDN (content distribution network) to serve the update content from the closest of many servers distributed worldwide, to ensure the fastest possible updates.

    The specific IP address that you connect to will indeed vary depending upon your geographic location, ISP, and other factors. (Said IP address is a CDN "edge"/cache server, which caches + serves content for multiple users of our CDN provider. There's a seamless mapping from (a) our update server domain name, to (b) our cached update content on the CDN edge server that's closest to you.)

    That happens to be the CDN edge server that you were directed to, based on the factors mentioned above (usually the fastest for your particular Internet connection at that particular time).

    Thank you for reporting this issue to MBAM. It looks like they mistakenly caught a CDN edge/cache server in their IP blocks. It should be simple enough for them to fix. :)

    Best regards,

    -Javacool
     
  5. DougCuk

    DougCuk Registered Member

    Joined:
    May 6, 2008
    Posts:
    60
    Location:
    London, UK
    MBAM support state that this IP address is in a block owned by a hosting company with a suspect reputation - midphase.com.
    However, as stated here, this specific IP address appears to be a fixed IP for a legitimate CDN server.
    The server name for this IP comes back as - 173.244.198.143.static.midphase.com
    Browsing to the IP - http://173.244.198.143/ gives a 404 server response with the following name: SimpleCDN Upload Bucket

    MBAM at present seem unlikely to remove this IP from its standard blacklist - however the program does allow you to add individual blocked IP addresses to the Ignore List - so at present I have selected that option to get around this problem.

    The risk posed by unblocking this single IP appears to be minimal - as it is a known CDN server used by a trusted security application.

    The problem appears to be caused by a change within the network used by Javacool to supply updates - with the inclusion of a server hosted by a suspect company (midphase.com) - this is obviously not ideal for a security app designed to block suspect websites. A complaint to the CDN service would seem sensible, to get this server removed from the pool.
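    The triage described in this thread (forward-resolve the update hostname, reverse-resolve the blocked IP, decide whether a narrow per-IP exception is defensible), as an added example that is not code from the forum, from SpywareBlaster or from MBAM; the zone data, PTR table and CDN alias name are constructed for the demonstration, and a real lookup would return whichever edge the CDN picks for your own vantage point.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed zone data for this example (not real DNS answers): the update
# hostname is an alias into the CDN, which maps it to one edge server.
ZONE = {
    "updates1.spywareblaster.net": ("CNAME", "global11325.loc45.simplecdn.net"),
    "global11325.loc45.simplecdn.net": ("A", ["173.244.198.143"]),
}
# Constructed PTR table: the edge's reverse name points at the hosting provider.
PTR = {"173.244.198.143": "173.244.198.143.static.midphase.com"}


def resolve_a(name: str, zone=ZONE, max_hops: int = 8) -> List[str]:
    """Follow CNAME aliases until A records are found (bounded to stop loops)."""
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return list(value)
        if rtype != "CNAME":
            return []          # name unknown in this zone
        name = value
    return []                  # alias chain too long or cyclic


@dataclass
class Verdict:
    blocked_ip: str
    ptr: Optional[str]
    via_host: Optional[str]    # update hostname whose alias chain ends here
    label: str                 # "cdn-edge-for-update-host" or "unrelated-host"


def triage_block(blocked_ip: str, update_hosts: List[str],
                 forward: Callable[[str], List[str]] = resolve_a,
                 reverse: Callable[[str], Optional[str]] = PTR.get) -> Verdict:
    """If one of the application's update names currently resolves to the
    blocked IP, the block hit the CDN edge serving that name and a narrow
    per-IP exception (like the Ignore List entry above) is defensible.
    The PTR name alone (a generic hosting-provider record) decides nothing."""
    ptr = reverse(blocked_ip)
    for host in update_hosts:
        if blocked_ip in forward(host):
            return Verdict(blocked_ip, ptr, host, "cdn-edge-for-update-host")
    return Verdict(blocked_ip, ptr, None, "unrelated-host")


if __name__ == "__main__":
    print(triage_block("173.244.198.143", ["updates1.spywareblaster.net"]))
```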
     