Too many IP blocks from MBAM

Hi people,

Since last week, when I started using MBAM Pro as real-time beside my AV, it has had too many IP blocks, and sometimes it even cuts my internet.

Does anyone have any idea what might be causing it?
I found that one of those IPs was because of one of the extensions in my Google Chrome (Ultimate Chrome Flag), but I’ve no idea about the other IP blocks; they happen with every new page I open in Chrome.

I’m going to give up on MBAM FPs because it even blocks the IP of my ISP!!!

The two most blocked IPs are:

67.212.77.12
67.212.77.13

Just on random ports (from 50000 to under 70000). Does anyone have any idea about these IPs?

System: Win 7 x86, Chrome 10; real-time protection: Avira PSS and MBAM; on-demand scanners are SAS portable and Hitman Pro; I use HostsMan with MVPS.

Don’t really know. About the Chrome extension, it may get the information it provides?

For our tech guys, if some logs help, here is an example of an MBAM protection log (a small one) and some other logs.

(It did not allow me to attach OTS, so I uploaded it here: http://boelectronic.heliohost.org/avast/OTS.Txt)

@Left123
Anyway, thanks for the reply :)

Please remove immediately the link you provided with your OTS log: hxxp://boelectronic.heliohost.org/avast/OTS.Txt
avast alerted me for malware INF:AutoRun-gen2[Wrm].

It is not malware - just the way the OTS text is constructed… I note that the process responsible is Avira Guard… Does that make sense?

Also, could you attach the log - when it is posted like that I am unable to parse it.

Edit: the IP is in Germany - home of Avira

@essexboy: I guess you know that Avira WebGuard works as a proxy for internet, so whatever comes from any HTTP traffic from every program will be going through Avira WebGuard, so I guess someone else is the reason. I looked for the IPs and have no idea… ???
Avira.com and Avira.de IP is 80.190.154.32

Check this topic, it may help: http://forums.malwarebytes.org/index.php?showtopic=71922

Yes, this topic explains why Avira WebGuard is listed as the process that accesses that IP :)

Here’s some info regarding those IPs.

67.212.77.12 – http://www.dshield.org/ipinfo.html?ip=67.212.77.12

Also, don’t forget that IPs may be shared by more than one domain. At some point it may block good domains, because the IPs are blacklisted due to other misbehaving domains.

I guess users of MBAM Pro could suggest to the team behind it that they add an option to exclude IPs, and IPs from being blocked if matching a given domain. This would prevent a situation such as the one you experienced.
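Added example, not part of the original thread and not MBAM's code: a sketch of the shared-IP problem and the two exclusion types suggested in the post above, showing which domains an IP-level block takes down as collateral. The `IpFilter` class, the domains and the addresses are hypothetical (constructed from documentation ranges), and it assumes the filter can see the requested domain as well as the address.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: RFC 5737 documentation addresses, example domains.
BLOCKED_IPS = ["192.0.2.10", "192.0.2.11"]
# Constructed connection attempts (domain, resolved IP); with shared hosting,
# several unrelated domains sit behind one address.
CONNECTIONS = [
    ("bad.example", "192.0.2.10"),
    ("blog.example", "192.0.2.10"),
    ("shop.example", "192.0.2.10"),
    ("cdn.example", "192.0.2.11"),
    ("news.example", "198.51.100.7"),
]

def _ip(value):
    return ipaddress.ip_address(value)

def _name(domain):
    return domain.strip().lower().rstrip(".")

class IpFilter:
    """Hypothetical IP blocklist with the two exclusion kinds suggested above."""
    def __init__(self, blocked_ips, ip_exclusions=(), domain_exclusions=()):
        self.blocked = {_ip(i) for i in blocked_ips}
        self.ip_exclusions = {_ip(i) for i in ip_exclusions}
        # (domain, ip): the address stays blocked for every other domain.
        self.domain_exclusions = {(_name(d), _ip(i)) for d, i in domain_exclusions}

    def decide(self, domain, ip):
        addr = _ip(ip)
        if addr not in self.blocked:
            return "allow"
        if addr in self.ip_exclusions:
            return "allow: ip excluded"
        if (_name(domain), addr) in self.domain_exclusions:
            return "allow: domain excluded"
        return "block"

def blocked_domains_by_ip(flt, connections):
    """Group blocked domains by address to expose collateral blocks."""
    hits = defaultdict(list)
    for domain, ip in connections:
        if flt.decide(domain, ip) == "block":
            hits[ip].append(domain)
    return dict(hits)

if __name__ == "__main__":
    print(blocked_domains_by_ip(IpFilter(BLOCKED_IPS), CONNECTIONS))
```

A domain-scoped exclusion only works where the filter can see the requested name; a filter that sees only addresses can offer the whole-IP exclusion alone.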

Hi m00nbl00d

Thanks for the link. I had already traced that IP, but I like your link too.

And again, yes, I know and I agree that blocking IPs instead of URLs causes too many FPs, and they at MBAM don’t mind about that! (That’s why in all the years I had MBAM Pro I never used it as real-time protection and only used auto-update/auto-scan.)

I will ask about this problem I have in the MBAM forum too, to see what they say.

There is some info on this found here: http://forums.malwarebytes.org/index.php?showtopic=72833

I do not know what MBAM uses as list(s) to make up their “sinkhole”. But a lot of sites that should be blocked are not there, so they will still infect users, sometimes undetected by AV, and can be found here: htxp://support.clean-mx.de/clean-mx/viruses
(not to be visited by the unaware, and then do not click any live links),
and there are more such sources where these sites to be blocked are reported.
A fact is that block lists are always a partial solution: a lot of these sites don’t work anymore, were cleansed or taken out, and new undetected ones have taken their place that are not on the list yet, in the ever-changing landscape of malicious IPs.
So the vulnerability window still stays open to an extent…
Unmasked Parasites gives you an interrelation between infected and infecting sites;
also check using the Google Chrome extension: http://hostspy.org/

polonus

The second post in that thread, from the same person, is quite amusing! As if the free version of MBAM provides real-time protection. ;D

Thank you polonus for your input!