IP Protection Module
Posted by Christian Marvel on 09 February 2011 05:57 AM

    In v1.40, Malwarebytes introduced IP Protection into Malwarebytes' Anti-Malware, to prevent the user from being infected in the first place. The following is information on what this does, and how it works.
  • What does IP Protection do?
  • IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges, for example, NetDirekt, which is host to the Internet Service Team.
  • How does it do this?
  • When you ask your browser to connect to a website, Windows uses DNS or the HOSTS file (depending on configuration) to convert that domain name into its corresponding IP address (e.g. example.com <> 1.2.3.4). MBAM intercepts the packet communications to determine whether or not the IP address is known for malicious activity, and if so, blocks the communication.
  • How does it inform you?
  • MBAM informs you a malicious IP has been blocked by presenting a bubble notification at the bottom of the screen (next to the system tray), and it also writes a log file.
  • What does this notification mean?
  • This notification means quite simply that an IP address has been blocked. It does NOT necessarily mean you are infected; it simply means a program on your computer (e.g. your browser, IM program, P2P program, etc.) tried accessing a malicious IP address. If this notice was presented when you were not actually doing anything on the machine, then I suggest having your computer looked at.
  • I got an alert and I wasn't even surfing, how does that happen?
  • There are many applications on your system which have access to the Net, and any of these can trigger an IP alert with no browser open. The most common offenders are P2P applications and IM clients; usually an ad will trigger the alert. An advanced or premium firewall will be able to give you a list of programs which can access the Net.
  • I received a notification on a safe site, why?
  • If a notification is presented on a safe site, and the site loads, it is likely the site was loading content that is hosted on an IP known for malicious activity. In this case, the site itself will be displayed perfectly fine, with the malicious content being blocked. If, however, the site does not load, it is likely the site is also hosted on the same malicious IP address. It is also entirely possible that the site in question shares its IP address with other malicious domains. IPs and IP ranges are blocked if they are either dedicated to malicious content, or have a higher proportion of malicious content than non-malicious. So for example, if 1.2.3.4 contains 1000 sites and over 50% are malicious, then 1.2.3.4 will be blocked (and even then, if we can get the hosting company to take down the malicious sites, then even better, as we do not like blocking shared IPs or IP ranges if we don't have to).
  • How do I disable this?
  • We wouldn't recommend disabling it, but if you must, you can do this by right-clicking the MBAM tray icon and unchecking "IP Protection". Also see the Registry modifications below.
  • I got an alert for an IP or website I think is safe, how can I report it?
  • If you find a site being blocked, and either don't know why, or are sure it's safe, please report it to us at the False Positive Forum.
    IMPORTANT: When posting false positive reports, please ensure you post both the IP address affected, and if applicable, the domain name (e.g. example.com).
  • Does the IP Protection replace my firewall?
  • Absolutely NOT! The IP Protection included in Malwarebytes Anti-Malware is NOT a replacement for your firewall.
  • Where do I find the IP Protection logs?
  • You can find the logs for the IP Protection module here:
    File and IP Protection Logs
    • Windows 2000 & Windows XP:
      C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
    • Windows Vista & Win7:
      C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs
  • How can I add an IP so it won't be detected and can access a site I need to?
  • Visit the site and incur an IP block. Then right-click on the Malwarebytes system-tray icon after the block notification appears, and choose Add to Ignore List.


Registry Switches for Controlling IP-Blocking

Create the indicated registry value (listed as value name with its description) with the indicated data and reboot to enforce the policies below. All of the values are of type DWORD.
In order to create a registry value, open the Registry Editor (click on Start -> Run -> and type in REGEDIT.EXE).
Browse to the key listed for your architecture, then right-click in the right-hand panel, choose New -> DWORD (32-bit) Value, name it as one of the listed values and set the data as shown.
    x86 32 Bit Key: HKEY_LOCAL_MACHINE\Software\Malwarebytes' Anti-Malware
    x64 64 Bit Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware
  1. silentipmode
    Description: With a DWORD value of 1, the protection module will block and log IPs silently.
  2. startipdisabled
    Description: With a DWORD value of 1, IP blocking will start disabled on reboot, although it can be enabled subsequently.
  3. disableipblocking
    Description: With a DWORD value of 1, IP blocking will be permanently disabled (cannot be toggled).
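
An added PowerShell example (not Malwarebytes' installer or any of its own tooling) that reads, creates or removes these three DWORD values under whichever of the two keys above matches the machine's bitness. The function names are assumptions; an elevated prompt is needed, and the reboot the article mentions is still required for the change to take effect.

```powershell
# Added example, not part of the Malwarebytes knowledgebase article or product.
# Manages the three IP Protection policy values documented above.

$ValueNames = 'silentipmode', 'startipdisabled', 'disableipblocking'

function Get-MbamIpPolicyKey {
    # On 64-bit Windows the 32-bit product's settings live under Wow6432Node.
    # PROCESSOR_ARCHITEW6432 is only set when a 32-bit process runs on 64-bit Windows,
    # so checking both variables works from either a 32- or 64-bit PowerShell host.
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    if ($is64) { "HKLM:\SOFTWARE\Wow6432Node\Malwarebytes' Anti-Malware" }
    else       { "HKLM:\SOFTWARE\Malwarebytes' Anti-Malware" }
}

function Get-MbamIpPolicy {
    # Report each policy value; 'absent' means the policy is not enforced (product default).
    $key = Get-MbamIpPolicyKey
    foreach ($name in $ValueNames) {
        $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $state = if ($null -eq $item) { 'absent' } else { $item.$name }
        [pscustomobject]@{ Name = $name; Value = $state }
    }
}

function Set-MbamIpPolicy {
    # Enforce one policy (DWORD data 1) or remove it with -Clear to restore the default.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('silentipmode', 'startipdisabled', 'disableipblocking')]
        [string]$Name,
        [switch]$Clear
    )
    $key = Get-MbamIpPolicyKey
    if (-not (Test-Path $key)) { throw "MBAM key not found at $key; is the product installed?" }
    if ($Clear) {
        Remove-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: keep blocking and logging, but without the bubble notification; then show the state.
Set-MbamIpPolicy -Name silentipmode
Get-MbamIpPolicy | Format-Table -AutoSize
```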

    Here is a Windows installer to create the IP Policy shortcuts.
    It basically runs the REG command line tool and sets the registry values or removes them.

    Caveats:

    1. Only installs on x86 (32 Bit)
    2. Only tested on English XP/Vista operating systems (may work on non-English systems, but preliminary tests indicate it does not work on other languages)
    3. Assumes user did not change default installation path: C:\Program Files\Malwarebytes' Anti-Malware
    4. Users on Vista will need to either have UAC disabled (not recommended) or right-click on the desired shortcut and choose Run As Admin
    5. Reboot is required for most of these changes to function
    6. User must have Admin rights to run the installer

    If you hover your mouse over the shortcut it also has a tooltip description of what it does.

    This will also create an entry in Add/Remove to uninstall the shortcuts once the GUI is updated to support this on its own, which is expected in the next release version of MBAM. download - mbam_ip_policy_shortcuts.zip