
Malwarebytes Flagging Inbound IP as Blocked Website


chuckr1958

I am running Emby version 4.7.5.0 and Malwarebytes started to flag inbound website activity from subnet 185.220.xxx.xxx as Trojans and Explicit events. I have the folder in Appdata whitelisted but I can't add different IPs each time it pops up.

Not sure how to address it.


Hi, thanks for reporting. @cayars can try to reproduce and report the false positive to malwarebytes if need be.


On 6/27/2022 at 4:07 PM, chuckr1958 said:

I am running Emby version 4.7.5.0 and Malwarebytes started to flag inbound website activity from subnet 185.220.xxx.xxx as Trojans and Explicit events. I have the folder in Appdata whitelisted but I can't add different IPs each time it pops up.

Not sure how to address it.

That's a good thing!

Do you have any friends or family complaining they can't get access to your Emby Server? Have you given access to anyone in Germany where these IPs are located?

This isn't Emby being flagged as a false positive but the specific IP address of the client. In order to get "banned" like this it takes multiple hosts reporting the IP address (in a short time frame) with activity such as dozens of specific exploit attempts to gain entry to the server. If you were to take a look at your router logs I'll bet you'll see a lot of activity by these IPs that your router hopefully blocked. Malwarebytes didn't get involved until the person found your open port and tried to use it.

I see hundreds of these a day in Malwarebytes and other "honey trap ports" that other IPSs pick up and report back for blocking.

These blocks are short-lived, meaning MB downloads this info daily and the exploit attempts are recent, not days old but hours old, so it's doubtful it's one of your users who got a bad IP. If so, tell them to try connecting again tomorrow.

Just for info, you can often take the IP block and do a Google search on it to pull up reported activity.

I would not adjust MB in any way unless you're at the server watching the Emby logs in real time. If you turn off MB for 5 minutes during this type of activity I bet you'll see a bunch of errors in the Emby log with calls to non-existent URLs the other system is trying to exploit as it runs through its exploit playbook.

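As an added illustration of the pattern described above (not Emby's own code, and not Emby's real log format; the log lines below are constructed), a defender can pick out a client that burns through a playbook of non-existent URLs by counting distinct "not found" paths per source IP inside a short window, which separates a scanner from a legitimate user who hits the odd bad link:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format, not Emby's):
#   "<ISO time> <client ip> <method> <path> <http status>"
SAMPLE_LOG = """\
2022-06-27T16:01:02 203.0.113.7 GET /emby/System/Info/Public 200
2022-06-27T16:01:05 198.51.100.9 GET /phpmyadmin/ 404
2022-06-27T16:01:06 198.51.100.9 GET /.env 404
2022-06-27T16:01:06 198.51.100.9 GET /wp-login.php 404
2022-06-27T16:01:07 198.51.100.9 GET /admin/config.php 404
2022-06-27T16:01:08 198.51.100.9 GET /cgi-bin/luci 404
2022-06-27T16:03:10 203.0.113.7 GET /emby/Users/Public 200
2022-06-27T16:09:00 203.0.113.7 GET /emby/Items/abc 404
"""

WINDOW = timedelta(minutes=5)   # how close together the misses must be
THRESHOLD = 4                   # distinct missing paths from one IP in WINDOW


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def find_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: distinct_404_paths} for IPs that requested at least
    `threshold` different non-existent paths within `window`.
    A normal client produces an occasional 404; a scanner walking an
    exploit playbook produces many distinct misses within seconds."""
    misses = defaultdict(list)  # ip -> [(time, path)] for 404s only
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, _method, path, status = parse_line(raw)
        if status == 404:
            misses[ip].append((ts, path))

    flagged = {}
    for ip, events in misses.items():
        events.sort()  # time order so the sliding window below is valid
        for i, (start, _) in enumerate(events):
            # distinct missing paths seen from `start` to start+window
            in_window = {p for t, p in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged
```

Feeding a real server log through this only needs `parse_line` adapted to that log's layout; the windowing logic is unchanged.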
