Skip to main content

Website still blocked after adding exclusion

Updated: 

Issue

This guide addresses cases where a website continues to be blocked by ThreatDown's web and network monitoring (Website Protection, Browser Phishing Protection, or Suspicious Activity monitoring) even after adding an exclusion in the console. This can occur due to configuration errors, sync issues, caching, or specific block types (e.g., IP-based detections).

Symptoms

  • Browser shows a ThreatDown block page (e.g., "Website blocked due to malicious activity," port scan, phishing, etc.).
  • Site remains inaccessible despite an exclusion being added.
  • Block may reference a domain, URL, or IP address.

Before Starting:

  • Verify you have admin access to the ThreatDown console and the affected endpoint.
  • Note the exact block message and URL/IP from the block page or Detection Center for accurate exclusion setup.

Resolution

Work through the following tasks in order until the issue is resolved.

Task 1: Verify Exclusion Configuration

Incorrect setup is a frequent cause.

  1. In the ThreatDown console, go to Configure > Exclusions.
  2. Check the existing exclusion:
    • Type: Use Website exclusion as it applies to Website Protection, Browser Phishing Protection, Suspicious Activity. Web Monitoring exclusions are for specific applications making web requests (e.g., Zoom.exe) and do not apply to general browser access.
    • Format: Enter the URL/domain exactly as shown in the Detection Center or block message (e.g., https://example.com, www.example.com.)
    • IP-based blocks: If the block references an IP (common for port scans or outbound connections), add a separate IP Address exclusion for the resolved IP (e.g., 192.0.2.1). Use tools like nslookup or ping to find the IP.
    • Policy/Scope: Confirm the exclusion is assigned to the correct policy(ies) and that the affected endpoint is enrolled in that policy.
  3. Save changes if edits were made. Exclusions typically apply within minutes if the endpoint is online and communicating.

Task 2: Check Endpoint Connectivity (If Machine Appears Offline)

If the endpoint shows as offline or not communicating in the console:

  1. On the affected machine, test connectivity using the Endpoint Agent Command-line tool:
    1. Open Command Prompt as Administrator.
    2. Run: 
      "C:\Program Files\Malwarebytes Endpoint Agent\UserAgent\EACmd.exe" -testconnections
    3. Review output for connection failures to ThreatDown servers (e.g., issues reaching detect-remediate.cloud.malwarebytes.com or similar).
  2. Verify the ThreatDown service is running:
    1. Open services.msc.
    2. Locate Malwarebytes Endpoint Agent (or MBEndpointAgent) → Ensure status is Running.
      1. Alternatively, from Command Prompt: sc query mbendpointagent → Check STATE is RUNNING.
    3. If service is stopped, start it: sc start mbendpointagent.
  3. Restart the machine if needed to re-establish the connection.

Task 3: Force Sync Protection Updates (For Online Endpoints)

Even if online, the exclusion may not have propagated.

  1. In the console, go to Manage > Endpoints.
  2. Select the affected endpoint.
  3. Click Actions > Check for Protection Updates.
  4. Wait a few minutes, then test the website again.
  5. This forces the endpoint to pull the latest policy and exclusion changes.

Task 4: Clear Browser Cache

The browser might load a cached block page.

  1. In your browser (Chrome, Edge, Firefox, etc.):
    1. Clear browsing data: Cache, cookies, site data. Focus on "Cached images and files".
    2. Use Ctrl+Shift+Delete (Windows) or Cmd+Shift+Delete (Mac) for quick access.
  2. Close/reopen the browser or try Incognito/Private mode.
  3. Test the site again.

Task 5: Escalate with Debug Logs If Issue Persists

If the website is still blocked after the above:

  1. Enable debug logging on the endpoint.
  2. Reproduce the block. Attempt to access the website and note the exact time.
  3. Collect diagnostic logs.
  4. Disable debug logging afterward.
  5. Open a support ticket with ThreatDown:
    • Include: Block details (URL/IP, error message), exclusion screenshot, endpoint OS/agent version, debug logs, reproduction timestamp.

Additional Tips:

  • For network/firewall interference: Ensure no other security tools block ThreatDown communications. See Network access requirements and firewall settings for Nebula
  • Temporary workaround: Disable Web Protection in the policy for testing (not recommended long-term).
  • Exclusions apply quickly with real-time communication; offline devices need reconnection.

For more on exclusions, see:

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more