Everything posted by exile360

  1. Greetings, Your best bet if looking for proactive protection along with solid incident response would probably be Malwarebytes Endpoint Protection and Response. It offers all of the latest proactive protection and detection capabilities that Malwarebytes has to offer along with full incident response capabilities for suspicious activity detection, granular endpoint isolation (for cases where an active threat/suspicious activity is detected to prevent threats spreading further across your networks), as well as Malwarebytes' latest solution, Ransomware Rollback which allows for system and data recovery to quickly recover from ransomware attacks should any get through (especially valuable given the high success rate of targeted phishing attacks these days). You can learn more about this solution and find additional links to further documentation and resources here. I hope this helps, and if there is anything else we might assist you with please let us know. Thanks
  2. Just to add to the comments from Maurice above: the list of shielded applications for the Exploit Protection component in Malwarebytes is focused on the applications most frequently targeted by exploits, especially those at the greatest risk due to being web-facing or known to be exploited via Trojanized documents and media files, including web browsers, media players, document viewing/editing applications and the like. The OS shell itself (explorer.exe) and other critical/core OS components are actively shielded and hardened by Exploit Protection (as well as by technologies built into the operating system such as DEP and some hardware features, if your CPU supports them); however, those shields/protections work differently than the shielding provided through the DLL injection performed on the applications in the default list of shielded applications for Exploit Protection. With that said, if you do use any browsers or other applications that regularly pull web-based content (like sidebar/desktop gadgets, for example) that aren't in the default list of shielded applications, you can add them to the list and use the appropriate profile for them; for example, for a media playback program use the Media Players profile, for a web browser use the Web Browsers profile or Chrome-based Browsers profile depending on whether the browser is based on Chromium, and likewise for a document/office type application use the MS Office or PDF Readers profile as appropriate, depending on the type of application/documents used by the application. I hope this helps a bit to clarify things.
  3. Greetings, I noticed your logs show that User Account Control is not set to defaults. It may be unrelated; however, Malwarebytes, like most modern software, is coded to be fully UAC compliant and compatible, so it may be worth a try to reset UAC to default and see if that helps: UAC Settings ================================== EnableLUA: On Consent Prompt Behavior Admin: Off Instructions on resetting UAC can be found on this page. Beyond that, if you haven't already, I would suggest signing up for an account at My.Malwarebytes.com to manage your license(s) for Malwarebytes using, if possible, the same email address you used when you originally purchased your license. Instructions on doing so may be found in this support article. If you aren't able to use that original email address because, for example, it is no longer active or you no longer have access to it for some reason, then use your current email address and try adding your license to your account as shown in this support article. If you were successful in getting your account created and getting your license to show up there, then please try deactivating your previously active device to free up your license so that you can activate it on your current device/installation and see if that resolves the issue. You can totally reset your license using the Deactivate all function described in this support article. After that, if the problem still persists, then please contact Malwarebytes Support directly by filling out the form on the bottom of this page and they will assist you further. I hope this helps, and if there is anything else we might assist you with please let us know. Thanks
  4. Malwarebytes will label each as determined by the Malwarebytes Research team, so anything overtly malicious will most likely be tagged as actual malware. Anything detected as PUP would be things like adware and the like which aren't necessarily harmful, but could be undesirable, annoying or unwanted. You can learn more about what Malwarebytes classifies as PUP and why at the following links: https://www.malwarebytes.com/pup/ https://blog.malwarebytes.com/malwarebytes-news/2016/10/malwarebytes-gets-tougher-on-pups/
  5. Greetings, No, quarantining the detections will not corrupt Chrome. It is likely that some software you installed came with a bundled PUP (Potentially Unwanted Program) that altered your settings in Chrome, so Malwarebytes will restore it back to defaults if you allow it to quarantine the detections. Once that's done, if the detections return then it could be the result of the sync feature in Chrome. You can correct this by following the instructions in this topic. Please let us know if there are any further issues or if there is anything else we might assist you with. Thanks
  6. You could use 2010 if you have a copy of it. That's what I've been using for years and haven't had any issues (though obviously that's no guarantee that you won't, but I suspect it won't be plagued by the same issues as 2016 is).
  7. Interesting, I wonder what is bringing them back then? There's got to be some program on the system adding those entries to the registry. No harm I guess, but if you really want to track it down you could try a tool such as Process Monitor to see what programs access those keys/create those entries, and you could even get your system checked in our malware removal area if you want to make sure that there's nothing malicious going on (I doubt it, but it may be best just to rule it out completely if you aren't certain). If you wish to do the latter then please read and follow the instructions in this topic, then create a new topic in the malware removal area by clicking here and one of our malware removal specialists will assist you in checking the system and clearing it of any threats as soon as one is available. Again, I doubt that it is anything malicious, but they might have better luck tracking down the exact program creating those entries, so it might be worth pursuing if you really want to eliminate them once and for all.
  8. OK, what about the registry? Have the entries returned under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules? If so, what happens if you delete the detected entries from there by hand? Do they still return on reboot? If so, then something is putting them back, though I'm not sure exactly what program that might be.
  9. Greetings, Thank you for reporting this issue. With regards to the detection of preinstalled software, please refer to this blog article. I will report this issue to the ADWCleaner Research team and hopefully get this issue corrected. In the meantime if you have any scan logs showing these detections of the printer/scanner software from HP that could really help. Thanks
  10. Excellent, I'm glad I was able to help. If there's anything else we might assist you with please let us know. Thanks
  11. OK, go ahead and check within the Windows Firewall itself (not through the command line) just to make sure there are no remaining entries there. It may just be that they're being left behind for some reason and that's why they keep showing up. It's also possible that the software on your system that uses Java is downloading/reinstalling Java each time it is removed which could also account for it.
  12. Yes, ever since Avast acquired CCleaner (and a bit before, as I recall) they've been expanding their portfolio of products in an attempt to generate more money (I guess offering a free AV with the option to pay to get more features wasn't doing well enough for them), and that includes things like system optimizers, registry cleaners and driver updaters; tools which are of questionable benefit to say the least, especially on modern Windows operating systems where the vast majority of performance related maintenance tasks are actually handled by the OS itself out of the box automatically (ever since Vista, Windows has been MUCH better at taking care of itself compared to XP and older Windows versions), so most of the time such tools end up at best not really doing anything to improve how the system runs, and at worst potentially making things worse. In the case of driver updaters it's actually pretty common for them to recommend/download the wrong drivers for some components because of the different models of hardware that are based on the same base model that manufacturers create for the big system vendors like HP, Acer, Dell etc., which use their own specifically tuned drivers for their individual systems/models. While there is usually no harm in using the generic off-the-shelf driver for the base component from the component manufacturer like Intel or Realtek etc., there are cases where that generic driver isn't optimized for that specific component and you'd be better off with the driver direct from the computer manufacturer (i.e. HP if you have an HP computer, for example), as it may have special tuning to provide better battery life, or better sound with the particular speakers built into your system if it's a laptop and it's the drivers for the soundcard/onboard sound, or the driver may be tuned to get the best performance out of the particular graphics chip in your system based on how many watts of power it is being provided by the power supply for your system (which may be less than the default/off-the-shelf version of that same graphics card; again, to save battery life or to make the system more thin and light). It's the same reason I try to avoid getting drivers from Windows Update, because they usually only offer the generic drivers rather than the ones from specific system manufacturers for individual components. It's usually not going to cause any major issue like a BSOD (though I have experienced that when testing some driver updater applications in the past personally), but it's generally a lot easier and much safer just to get the right drivers direct from the system builder, and many systems even come with utilities for this purpose that will check the manufacturer's database for any available driver updates and BIOS updates and the like, which means you get the right software and drivers for your system directly from the system manufacturer, which leaves you much better off, at least in my opinion.
  13. Greetings, Please see if the instructions in this post help. It is a common issue with Chrome for detections to return and those instructions can usually resolve it. Please let us know how it goes. Thanks
  14. Greetings, Please remove the following entries from your HOSTS file and that should correct the problem: 0.0.0.0 keystone.mwbsys.com 0.0.0.0 telemetry.malwarebytes.com Instructions on how to reset the HOSTS file can be found in this Microsoft support article. If you do end up resetting your HOSTS file you will need to re-apply the Immunize function in Spybot Search & Destroy to get its entries back in the HOSTS file. Please let us know how it goes. Thanks
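An added example, not part of exile360's post or of any Malwarebytes tool: a small HOSTS-file check that reports which of the update/telemetry hostnames named above are currently sinkholed and by which address. The HOSTS content is a constructed sample; the placeholder `example.test` names are not from the page.

```python
import ipaddress

# Addresses that turn a HOSTS entry into a block (sinkhole) rather than a real mapping.
BLACKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# The two names the post above says to remove from HOSTS.
UPDATE_HOSTS = ("keystone.mwbsys.com", "telemetry.malwarebytes.com")

# Constructed sample HOSTS file for this example (not a real system's file).
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
# entries added by an immunizer (constructed sample)
0.0.0.0\tkeystone.mwbsys.com
0.0.0.0 telemetry.malwarebytes.com   # trailing comment
127.0.0.1  ads.example.test tracker.example.test
"""

def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()                    # tabs and runs of spaces both separate fields
        try:
            addr = str(ipaddress.ip_address(fields[0]))   # normalises e.g. "::0" to "::"
        except ValueError:
            continue                             # first field is not an IP; not a HOSTS mapping
        for name in fields[1:]:                  # one line may list several hostnames
            pairs.append((addr, name.lower()))
    return pairs

def blocked_hosts(text, names):
    """Map each requested hostname to the sinkhole address blocking it, if any."""
    wanted = {n.lower() for n in names}
    hits = {}
    for addr, name in parse_hosts(text):
        if name in wanted and name != "localhost" and addr in BLACKHOLE_ADDRESSES:
            hits[name] = addr
    return hits

if __name__ == "__main__":
    for name, addr in blocked_hosts(SAMPLE_HOSTS, UPDATE_HOSTS).items():
        print(f"{name} is sinkholed to {addr}; remove that line to restore updates")
```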
  15. Thanks for the details. With regards to the outdated update version, are you referring to threat signatures/databases for Malwarebytes? I just want to make sure I get it right for the Devs. Thanks
  16. Unfortunately I doubt that is possible, at least using the method used for other browsers as Chrome (and likely by extension, Microsoft's Chromium based variant of it) does not allow DLL injection into its processes, which is the default method used by Malwarebytes Anti-Exploit for shielding applications. That said, they have implemented a different method of protection for Chrome, so it is possible that this protection also extends to the Edge variant of it, however I do not know that for certain. It is also possible that the Malwarebytes Developers are waiting for it to come out of pre-release/testing before implementing any protection for it since they don't officially support any beta/pre-release software by default (and any protection they did implement would likely need to be changed by the time Microsoft releases the final version anyway since there will probably be many changes made to it before then architecturally). In the meantime, you could try adding it manually using the method described above however I am not certain that it would work or that Microsoft would not display some kind of error and possibly refuse to run because of it.
  17. Excellent, I'm glad to hear it. I bet Avast's driver updating utility was based on Slimware's (probably a white-label/re-skinned version of it), which would explain the duplicate drivers and registry entries shared between them. Nice detective work! If there is anything else we might be able to help you with please don't hesitate to let us know. Thanks
  18. Greetings, Could you please provide some details about the additional information you'd like to see reported? That would help greatly with ensuring that the feature meets your needs and requirements and it would obviously be a lot easier on the Developers if we could provide some specifics on what they should work on for logging. Thanks
  19. Greetings, Based on a quick search it appears that the file is a component of a Slimware Utilities application; likely the same one detected in the other entry (SlimCleaner Plus from the look of it). It is up to you whether or not to keep it installed, however the following should prove informative with regards to what Malwarebytes detects as PUP and why: https://www.malwarebytes.com/pup/ https://blog.malwarebytes.com/malwarebytes-news/2016/10/malwarebytes-gets-tougher-on-pups/ https://blog.malwarebytes.com/cybercrime/2015/06/digital-snake-oil/ https://blog.malwarebytes.com/cybercrime/2015/06/driver-updaters-digital-snake-oil-part-2/ https://blog.malwarebytes.com/cybercrime/2015/07/pup-makers-digital-snake-oil-part-3/ https://blog.malwarebytes.com/threats/registry-cleaner/ https://blog.malwarebytes.com/puppum/2016/12/why-malwarebytes-detects-pc-pitstop-as-potentially-unwanted/ https://blog.malwarebytes.com/malwarebytes-news/2017/11/winning-the-battle-against-pups-on-your-computer-and-in-u-s-district-court/ https://blog.malwarebytes.com/puppum/2016/07/pup-friday-cleaning-up-with-5-star-awards/ https://blog.malwarebytes.com/puppum/2016/08/systweak-redux-our-response/ Regarding legal precedent, please refer to the following articles which cite two cases involving Malwarebytes and vendors blocked as PUP: https://blog.ericgoldman.org/archives/2017/11/section-230c2-protects-anti-malware-vendor-enigma-v-malwarebytes.htm https://blog.ericgoldman.org/archives/2018/09/section-230-helps-malware-vendor-avoid-liability-for-blocking-decision-pc-drivers-v-malwarebytes.htm The following links should also prove informative as to why many items are classified as PUP by Malwarebytes: https://decentsecurity.com/#/registry-cleaners/ https://support.microsoft.com/en-us/help/2563254/microsoft-support-policy-for-the-use-of-registry-cleaning-utilities http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html 
https://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2853053 https://www.howtogeek.com/171633/why-using-a-registry-cleaner-wont-speed-up-your-pc-or-fix-crashes/ https://www.howtogeek.com/162683/pc-cleaning-apps-are-a-scam-heres-why-and-how-to-speed-up-your-pc/ https://lifehacker.com/5482701/whats-the-registry-should-i-clean-it-and-whats-the-point https://lifehacker.com/5033518/debunking-common-windows-performance-tweaking-myths https://www.howtogeek.com/198758/never-download-a-driver-updating-utility-theyre-worse-than-useless/ http://www.howtogeek.com/98465/htg-explains-when-do-you-need-to-update-your-drivers/ https://www.howtogeek.com/233115/the-only-way-to-safely-update-your-hardware-drivers-on-windows/ http://www.tomshardware.com/answers/id-1857635/good-free-automatic-driver-updater.html http://www.tomshardware.com/answers/id-1974868/trusted-driver-updater.html https://www.howtogeek.com/172839/10-types-of-system-tools-and-optimization-programs-you-dont-need-on-windows/ https://computer.howstuffworks.com/question1751.htm https://lifehacker.com/5415355/do-you-really-need-more-than-4gb-of-ram https://www.tomshardware.com/reviews/memory-module-upgrade,2264.html https://www.howtogeek.com/128130/htg-explains-why-its-good-that-your-computers-ram-is-full/ https://techlogon.com/2011/03/28/will-more-ram-memory-make-my-computer-faster/ In all likelihood uninstalling the Slimware Utilities application would eliminate the detection for good, however if you wish to keep it then please right-click on the detections at the end of the next scan and use the option to ignore the item and it will be added to your exclusions so that it is no longer detected in the future. I hope this helps, and if there is anything else we might assist you with please let us know. Thanks
  20. Greetings, This is most likely because of limitations in the scan engine used for VirusTotal. The actual desktop product has many more features and functions and updates much more frequently (if connected to the internet) than the build in use on VT. It is also quite possible that the build on VT has not yet been updated with the latest engine included in the recent 3.8.3 release of Malwarebytes which would definitely impact what it can and cannot detect even if the signatures/databases are the same between the two as nearly all Malwarebytes releases include detection/engine enhancements which are not backwards compatible with older engines/releases (older versions/engines will simply ignore new threat signatures that they are not coded to use/understand resulting in lower detection rates).
  21. I just wanted to clarify that the detected entries had nothing to do with the HOSTS file because they don't, nor do they redirect or block anything in any way the way that the HOSTS file can/does; they simply tell Internet Explorer that the listed sites are to be placed into specific zones to use the specified settings for those zones. While ADWCleaner does detect these entries, that does not in any way indicate that it is claiming that the program that created them is a PUP because these types of entries are not exclusive to those applications. Those applications just happen to use this built in functionality provided by Microsoft for Internet Explorer as documented in the Microsoft article I linked to above (and nowhere in that article does it even mention Spywareblaster or Spybot Search & Destroy or any other third party program because just like the HOSTS file, the Zonemap/Domains registry keys are a built in function of the operating system itself, not a feature that is specific to any one program). The reason that ADWCleaner detects these entries is only because if they were to indicate anything other than a data value of 4, Internet Explorer would treat them quite differently which could put the user in peril of having malware, PUPs, toolbars or any number of other dangerous or unwanted software onto the user's system, and because ADWCleaner is not looking at the value data, only checking for the existence of such sites in the Zonemap/Domains registry keys, they end up getting detected. It is a bug in the engine of ADWCleaner that needs to be fixed so that it can differentiate between entries with a value data of 4 for the Restricted zone and say a value data of 2 for the Trusted zone. 
As for your issues with HostsMan, I can only speculate that either the DNS Client service needs to be disabled and the DNS cache needs to be flushed, or else perhaps there is a conflict with your current DNS settings (I personally avoid such issues by having HostsMan set all entries in my HOSTS file to the null address of 0.0.0.0 rather than the frequent default loopback address of 127.0.0.1, particularly since I use an alternate DNS configuration that requires me to set my DNS address to 127.0.0.1; this has the added benefit of making site lookups that are blocked by my HOSTS file marginally faster since a null address lookup is faster than a loopback address lookup since Windows will not retry the failed connection on a lookup failure as it does by default with 127.0.0.1 entries).
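An added example, not part of exile360's post or of AdwCleaner's engine: a triage script for the ZoneMap\Domains entries discussed above that does look at the value data, so Restricted-zone (4) entries left by immunizers are separated from entries that place a site in another zone, such as Trusted (2). It parses a constructed regedit export; the `.test` hostnames are placeholders.

```python
import re
from collections import namedtuple

# URLZONE values used by Internet Explorer's security zones.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
RESTRICTED_ZONE = 4

ZoneEntry = namedtuple("ZoneEntry", "host scheme zone")

# Constructed sample: a .reg export of the ZoneMap\Domains key.  The first two keys
# mimic immunizer-style Restricted-zone blocks; the last two put sites in the Trusted zone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.test\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vendor.test]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vendor.test\cdn]
"https"=dword:00000002
"""

_DOMAINS_MARK = "\\zonemap\\domains\\"
_VALUE_RE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_zonemap_export(text):
    """Turn a .reg export of ZoneMap\\Domains into ZoneEntry records."""
    entries, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(_DOMAINS_MARK)
            if idx == -1:
                host = None                      # some other key; ignore its values
                continue
            parts = key[idx + len(_DOMAINS_MARK):].split("\\")
            host = ".".join(reversed(parts))     # Domains\vendor.test\cdn -> cdn.vendor.test
        elif host is not None:
            m = _VALUE_RE.match(line)
            if m:                                # value name is the scheme: "*", "http" or "https"
                entries.append(ZoneEntry(host, m.group(1), int(m.group(2), 16)))
    return entries

def triage(entries):
    """Split entries into Restricted-zone blocks (expected) and everything else (review)."""
    restricted = [e for e in entries if e.zone == RESTRICTED_ZONE]
    review = [e for e in entries if e.zone != RESTRICTED_ZONE]
    return restricted, review

if __name__ == "__main__":
    blocks, review = triage(parse_zonemap_export(SAMPLE_REG))
    print(f"{len(blocks)} Restricted-zone entries, {len(review)} entries to review:")
    for e in review:
        print(f"  {e.scheme}://{e.host} -> zone {e.zone} ({ZONE_NAMES.get(e.zone, 'unknown')})")
```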
  22. Thanks for the update. Fingers crossed that the issue is resolved, but if not then we're definitely willing to continue troubleshooting the problem to try and find a permanent resolution. Thank you for taking so much time and putting so much effort into diagnosing this issue with us. It is much appreciated. I also made a note of your feedback regarding exclusions and will be passing it along to the Product team so that hopefully they might make it more user friendly in the future.
  23. Thanks for the assist Ron. I know we've seen this issue before, but it is pretty rare and I'm not certain if we ever found the exact cause or not. I was hoping that a simple exclusion or configuration setting could resolve it, but we've been unsuccessful so far.
  24. That's understandable as some apps do still use Java. In particular I recall that the 3DMark benchmarking suite uses it along with some game launchers (can't recall which ones exactly off the top of my head), however if you happen to launch an app that requires it, you'll see a message box saying that Java wasn't found and is required so then you can just go grab the latest version of Java from here and that should resolve the issue.
  25. GlassWire created them because GlassWire uses the same WFP (Windows Filtering Platform) APIs as the built-in Windows Firewall, but those entries actually belong to Java, which GlassWire doesn't require as far as I know (I've used GlassWire in the past myself and don't recall it ever installing/using Java, though that may have changed in more recent versions).