exile360 (Experts group, 25,031 posts)
Everything posted by exile360

  1. No, the entire reason that ADWCleaner still exists as a standalone tool/separate download is specifically because it uses its own databases and targets some items that Malwarebytes does not currently. If all of the detections in ADWCleaner are integrated into Malwarebytes 3 then it is likely that ADWCleaner will be retired at that time just as JRT was when all of its detections were integrated into Malwarebytes 3 and ADWCleaner.
  2. Ah, I see what you mean. Yes, I tried it that way too, until I realized that the test app is actually playing the role of the browser. (I tested it against HitmanPro.Alert to be sure and found the same: not on every test, but if I just ran the test EXE, which HMP.A is already coded to monitor/detect, it would detect the test exploit attempts when launching calc.exe directly without selecting Internet Explorer. This is why I tested it with Malwarebytes this way; I figured this must be the reason for the apparent failures, especially since I know for a fact that such exploit methods are already targeted by Malwarebytes, and most of them have been since before the Exploit Protection technology was even integrated into Malwarebytes 3, so I knew something had to be wrong.) It may be wise to ask over in the Anti-Exploit Beta area located here to get direct confirmation/technical details from the Developers, as they will be able to provide much more detailed/accurate info than I can, as all I have is the data from the tests I ran on my own.
  3. Whoa, a backdoor/RAT? Nasty business.
  4. Actually, it does make sense because the way the test tool works is to attempt to launch a "malicious" application (i.e. calc.exe), so the test executable is playing the role of the browser being exploited to launch the "malware" (again, calc.exe, which obviously isn't malware, but it's the same principle of how exploits work to execute arbitrary/malicious code and/or launch outside executables like Trojans and ransomware).
  5. It appears that most if not all of the detections on VirusTotal are heuristics/generic hits/detections, meaning the file could actually be malicious or it could just have one or more characteristics that make it appear to be malware such as using a particular kind of compression/encryption (a packer, which many of the detection names appear to indicate) and since a packer can be used for any kind of file, including malware but also safe files, this might in fact be a false positive. While there are certain packers known to be used by malware authors quite often, it isn't impossible for a developer who isn't creating malware to also use the same one so this isn't the most reliable means of identifying a file as malware (though virtually all security vendors do it in order to play it safe as they'd rather have 1 false positive than allow a lot of malicious files to go undetected). Once the Malwarebytes Research team has analyzed the file they will classify the item accordingly and whitelist it if it isn't a threat.
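The post above describes triaging a VirusTotal result by looking at whether the detection names are generic/heuristic/packer hits rather than named families. The following is an added example, not code from the post or from Malwarebytes: it takes a per-engine result map in the shape VirusTotal returns (engine name to detection label), sorts each label into "generic" or "family" using a keyword list, and reports how much of the verdict rests on heuristics. The engine names, the labels, and the keyword list are constructed assumptions for illustration; vendor naming conventions differ, so the marker list is a starting point to tune, not a standard.

```python
import re
from collections import Counter

# Constructed sample in the shape of a VirusTotal per-engine result map
# (engine name -> detection label, None = no detection). Engine names and
# labels are made up for illustration; they are not a real scan.
PACKER_HEAVY_RESULTS = {
    "EngineA": "Gen:Variant.Packed.Generic.123",
    "EngineB": "HEUR/Suspicious.Packer",
    "EngineC": "Trojan.Packed.Themida",
    "EngineD": "W32.Malware!Artemis",
    "EngineE": "ML.Attribute.HighConfidence",
    "EngineF": "Trojan.Agent.Generic",
    "EngineG": None,
    "EngineH": None,
    "EngineI": None,
    "EngineJ": None,
}

# Second constructed sample where most engines name a specific family.
FAMILY_RESULTS = {
    "EngineA": "Ransom.Win32.Locky.a",
    "EngineB": "Trojan:Win32/Emotet",
    "EngineC": "Gen:Heur.Ransom.Generic",
    "EngineD": None,
}

# Substrings that usually mark a heuristic, machine-learning or packer hit
# rather than a signature for a named family. Vendor taxonomies differ, so
# treat this list as an assumption to tune, not a standard.
GENERIC_MARKERS = re.compile(
    r"generic|heur|suspicious|packed|packer|possible|artemis|\bml\b|"
    r"attribute|unsafe|score|variant|themida|vmprotect|upx|aspack",
    re.IGNORECASE,
)


def classify_label(label):
    """Return 'generic' for heuristic/packer-style labels, else 'family'."""
    return "generic" if GENERIC_MARKERS.search(label) else "family"


def triage(results, generic_threshold=0.75):
    """Summarize a result map and give a coarse verdict.

    The verdict only says whether the hits are mostly generic; it never says
    the file is clean. A mostly-generic result is the case the post
    describes: worth submitting for human analysis before trusting it.
    """
    detections = {engine: label for engine, label in results.items() if label}
    kinds = Counter(classify_label(label) for label in detections.values())
    hits = len(detections)
    generic_ratio = kinds["generic"] / hits if hits else 0.0

    if hits == 0:
        verdict = "no-detections"
    elif generic_ratio >= generic_threshold:
        verdict = "mostly-generic-review-needed"
    else:
        verdict = "named-family-hits"

    return {
        "engines": len(results),
        "detections": hits,
        "generic": kinds["generic"],
        "family": kinds["family"],
        "generic_ratio": round(generic_ratio, 2),
        "family_labels": sorted(
            label for label in detections.values()
            if classify_label(label) == "family"
        ),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, sample in (("packer-heavy", PACKER_HEAVY_RESULTS),
                         ("family", FAMILY_RESULTS)):
        print(name, triage(sample))
```

The `generic_threshold` of 0.75 is an arbitrary cut-off; the useful output is the `family_labels` list, because one or two engines agreeing on a specific family name carries more weight than a dozen packer hits, and a "mostly generic" verdict is a reason to submit the file for analysis rather than a reason to whitelist it yourself.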
  6. To disable the scan at startup, you can change how the scheduled scan works. By default it is set to run as soon as possible after missing its last scheduled time (like if the PC was off during its normal scheduled scan time). To do so, open Malwarebytes and go to Settings>Scan Schedule and double-click on the entry there to open the edit window and click on Advanced near the bottom which will expand the edit dialog, then uncheck the box next to Recover missed tasks then click OK. It should no longer scan when the PC starts up, just be aware that if the PC is off when a scheduled scan is set to occur, it won't run again until the next scheduled time. As for Bittorrent, if it is blocking downloads by blocking seeders/leeches (IP addresses from other Bittorrent users), then you'll want to exclude Bittorrent's main EXE (the one showing up in the Malwarebytes Web Protection tray notifications as the source of the blocks) by following the instructions found on this page under the section called Exclude an Application that Connects to the Internet. You can find more info about why peer-to-peer (P2P) applications like Bittorrent are often blocked by Malwarebytes Web Protection by reviewing the information found here. If that wasn't the issue or you need assistance with something else please let us know. Thanks
  7. Greetings, I've tested with that tool on several occasions and as I recall it did actually detect/block the heap spray tests. When testing, be sure to add the HMPAlert test EXE to Malwarebytes Exploit Protection shielded applications list (I used the default "web browser" category, as this seemed to make the most sense given the frequency of exploit attacks on browsers and their plugins) and while it did not block all of the tests, it did block most of them (though there were a couple of cases where the HMPAlert test tool just crashed; however, I counted those as failed exploit attempts as well, since an exploit needs to actually succeed in executing code to work, not just crash its parent/attacking process).
  8. You're very welcome. If you are using a large HOSTS file (as with HostsMan or from a source such as hpHosts/hosts-file.net or the MVPS HOSTS file etc.) then that probably is what's causing it. If not, and you really want to find out what it is, then you can use a tool such as Process Monitor by Microsoft Sysinternals and filter by the process mbamservice.exe (the process used by Malwarebytes for scanning, among other things) and try to identify what it is checking at the time where it gets stuck.
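The post above points at a large blocklist-style HOSTS file as the likely cause of a scan hang. The following is an added example, not code from the post or from Malwarebytes, that parses a HOSTS file the way a scanner has to (one sinkhole address followed by one or more hostnames per line, comments stripped), counts the blocklist entries and duplicates so you can judge how large the file really is, and goes one step beyond the post by also flagging entries that map a name to something other than a sinkhole address, since that is what a HOSTS-file hijack looks like. The sample content, the hostnames, the 203.0.113.5 address (a documentation range) and the `large_threshold` value are constructed assumptions.

```python
from collections import Counter

# Constructed sample HOSTS file in the shape of the large blocklist-style
# files mentioned above (MVPS, hpHosts): sinkhole address followed by one or
# more hostnames. Hostnames and the 203.0.113.5 address are made up
# (203.0.113.0/24 is a documentation range), not real observations.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- blocklist section ---
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org telemetry.example.org
0.0.0.0 ADS.example.net       # same host again, different case
127.0.0.1 bad.example.com
203.0.113.5 update.vendor.example   # NOT a sinkhole: looks like a hijack
"""

# Addresses a blocklist uses to sinkhole a name. Anything else is a real
# redirect and deserves a look.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names Windows ships in the file by default; not blocklist entries.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs; strips comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()        # hostnames are case-insensitive


def summarize_hosts(text, large_threshold=20000):
    """Count blocklist entries, duplicates, and non-sinkhole redirects.

    large_threshold is an assumption for what counts as a 'large' HOSTS
    file; the post gives no number, so tune it for your environment.
    """
    pairs = list(parse_hosts(text))
    blocked = Counter(
        name for address, name in pairs
        if address in SINKHOLE_ADDRS and name not in STOCK_NAMES
    )
    redirects = [(a, n) for a, n in pairs if a not in SINKHOLE_ADDRS]
    return {
        "mappings": len(pairs),
        "blocked_hosts": len(blocked),
        "duplicates": sorted(n for n, count in blocked.items() if count > 1),
        "redirects": redirects,
        "large": len(blocked) >= large_threshold,
    }


def summarize_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Same summary for the live file (default path is the Windows one)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize_hosts(fh.read())


if __name__ == "__main__":
    print(summarize_hosts(SAMPLE_HOSTS))
```

Run `summarize_hosts_file()` on the live file: a `blocked_hosts` count in the tens of thousands is the "large HOSTS file" case the post describes, and a non-empty `redirects` list is worth investigating regardless of size, because a legitimate blocklist never needs to point a name at a routable address.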
  9. It's just a spam/paid affiliate site. This is pretty much how these fake/PUP anti-malware/antivirus products get pushed on unsuspecting users these days with false "tests", inaccurate and deceitful claims and false statements about the effectiveness of legitimate/reputable products. All things being equal, there's no way that Avira (much less any of the other legitimate products listed) did worse than 3 fake/scam products on a real test. It's the same fake, sponsor generated garbage that you'll find all over the web, especially if you search for the name of any of those "top" products it lists in its results. You'll find a very suspicious similarity between this and many other pages, all of which are run by paid affiliates seeking to push those particular products in order to make profits for themselves. Hopefully this site will be added to the Malwarebytes Web Protection database soon because any site pushing those products belongs there (and many of them already are) so that users will be protected from this trash.
  10. Excellent, you're very welcome. If there is anything else we can help you with please let us know. Thanks
  11. If the detections keep returning then it could be a threat on the system that is resurrecting them that isn't being detected. I would recommend following the instructions in this topic and creating a new topic in the malware removal area including the requested information and logs by clicking here and one of our malware removal specialists will assist you with this as soon as one becomes available. They should be able to assist you in cleaning up the system without needing to reinstall Windows.
  12. Yes, that's for My.Malwarebytes.com. I don't know what the problem is, however you'll need to contact Support as I explained above and they will be able to help you with it. Unfortunately we on the forums don't have access to those systems so there isn't anything we can do, but the Support team will get you taken care of.
  13. Apologies, that was the direct download link from their site but I guess they use a tracker to block hotlinking. I've corrected the link above so it should now work.
  14. Yeah, "this changes" and "this updates" were kind of a dead giveaway.
  15. That's great news, I'm glad that I was able to help! Malwarebytes is not an antivirus and has been engineered specifically to run in real-time alongside an active, up-to-date antivirus solution, so you shouldn't have any problems. With that said, the combination of technologies in Malwarebytes Premium should be sufficient on their own to keep you safe online if you do ever decide to run it without an AV; however, the choice is entirely up to you, because the Developers of Malwarebytes have always worked, and continue to work, hard to ensure that it doesn't conflict with antivirus and other security solutions as much as they possibly can, and the Malwarebytes Quality Assurance (QA) team is always testing each release of Malwarebytes Premium alongside many different AVs to check for any compatibility problems so that they can report them to the Developers to fix. Now, having said all of that, there is actually a known issue with some versions of Kaspersky which is documented here, so if you run into any problems enabling the Web Protection component in Malwarebytes, then you may need to disable the rootkit scanning component in Kaspersky. I believe this issue occurs because when Kaspersky's rootkit scan runs, it prevents many types of drivers from loading, and Malwarebytes Web Protection uses a driver for its protection that it must unload and reload each time Malwarebytes updates the Web Protection database (a block list of known bad websites), meaning after Kaspersky has run its rootkit scan (which runs automatically when the system is idle, I believe), it prevents Malwarebytes from loading Web Protection the next time that Malwarebytes updates. I believe that's the only known issue though, and I don't recall hearing of any other antivirus compatibility problems recently. If there is anything else we might assist you with please don't hesitate to ask. Thanks
  16. Excellent, the Support team should be able to get this taken care of for you then. Thank you for reporting this issue and I hope that it is resolved quickly. If there is anything else we might assist you with please don't hesitate to let us know. Thanks
  17. Winmerge
    Greetings, It sounds as though the program is most likely triggering a behavioral detection because the Ransomware Protection component in Malwarebytes monitors all processes very closely to observe their file activities, especially for any delete operations among other things due to the fact that one of the first things ransomware will do is delete the files it is encrypting to remove the unencrypted copies from the system. To report the program as a false positive please create a new topic in the ransomware false positive area by clicking here and provide details about the detection such as the name of the software, a copy of the file (zipped and attached if you can, or at least a link to a scan page from VirusTotal for the exact file being detected) and a link to the program's download page if possible and the Research team will review the software and correct the false positive. In the meantime, until this gets resolved you may exclude the item from detection as ransomware by following the instructions under the Exclude a File or Folder section on this page and selecting Exclude from detection as ransomware only to exclude the process from the Ransomware Protection component in Malwarebytes. If there is anything else we might assist you with please let us know. Thanks
  18. Greetings, If you are referring to My.Malwarebytes.com then you will need to contact Malwarebytes Support directly. You may do so via the options on this page. You don't need to create an account with Support, they will assist you directly via email as soon as they are available, but please do be sure to monitor your Junk/Spam folder(s) in case their response gets placed there by your email provider by mistake. If there is anything else we might assist you with please let us know. Thanks
  19. Yes, it will only work one time. The cache rebuilds itself every time you visit the same page, so if it initially gets blocked and you see Malwarebytes notify you, unless you close your browser and clear the cache with CCleaner again, it will most likely default to the same behavior of not showing the block page or notification even though it still won't connect to the blocked website.
  20. You're very welcome. Also, if you have Malwarebytes Premium it should save your license key so that you won't have to activate it again once you reinstall it. You can also create an account here if you haven't already (just click where it says Sign up down at the bottom of the sign in area and enter the requested information) and it will allow you to see and manage your subscriptions/licenses that you've purchased from Malwarebytes.
  21. You can also grab the character string following the detection which should be listed in the log entry for the item. You should be able to locate it if you open Malwarebytes and navigate to Reports, then locate the item showing Malware blocked, double-click on it, and make a note of the text directly beneath the Threat field at the beginning of the entry (you may expand the column header if there is insufficient room to display the entire entry) and the text displayed beneath the ID field located at the end on the right side of the line. That will tell the Research team precisely which signature in the database hit the file so that they will know why it was detected. If they have no copy of the file and cannot locate it based on its hash (quite possible for a custom executable not widely available to the public), then the hash will not help them to determine why the file was detected. As for your comments regarding functionality, while I do understand what you're saying, I also know for a fact (because I used to work on it personally with the Developers and Researchers, so I know quite a lot about the inner workings of its engine/detection/removal capabilities and policies) that it would not remove the shortcut without creating a copy of it in Quarantine, so if Malwarebytes removed it that is where you will find it along with the actual file itself that it removed. If the shortcut isn't there, then Malwarebytes didn't remove it, and I know that there is a setting in Windows to have it remove any shortcuts that are no longer used/no longer point to a path/file that actually exists on disk, so if that is the default for your version of Windows (I don't know as I'm on Windows 7 myself) or that setting has been modified to do so, then it was the OS that deleted it, not Malwarebytes. With regards to the notifications and the tray as well as the Quarantine tab, I actually do agree with you.
There should be more ways to find out what happened more easily and address it if it is a false positive and you wish to restore and exclude the item. I have suggested some similar changes in the past and will do so again and point them to this thread with your comments and experience. I cannot promise that things will be changed as it is ultimately up to the Malwarebytes team, however I can assure you that they do not ignore user feedback and if they feel it is what most users would want and that it is beneficial, they will implement it once they have the bandwidth available to do so (i.e. probably when they are making other changes to the UI and flow of the program; likely in some major release, as that's typically what they reserve such changes for, as do most software vendors). As Firefox noted above, you can change the display duration for notifications, but out of the box it is on a rather short timer, so I may also recommend that they change the default for that, or perhaps provide an option to display certain notifications for a longer duration (still controllable by the user of course, as some may still want it to be up for a shorter period of time) and to show ones like this, where something has been quarantined automatically, for a longer period of time.
  22. That makes a lot of sense because the caching is definitely different between different browsers like Chrome and Firefox. You *might* be able to eliminate that as a variable by clearing cache/history as you did along with running a tool like CCleaner which is typically more thorough, however even then it is still possible that they guard their cache against being cleared for performance reasons so it may or may not work but it would at least have a better chance of working. On my own system I'm using everything from an ad blocker, to a HOSTS file, to a DNSCrypt client so it is quite often the case that I do not see web block notifications from Malwarebytes across any of my browsers (I use SRWare Iron which is based on Chromium the same as Chrome, Firefox Portable, and Internet Explorer 11) so as long as Malwarebytes is actually working and preventing access to the sites contained in its block list (which it is; I've tested it on multiple occasions to verify this personally), I'm not too bothered about not seeing the block notifications or the Malwarebytes redirect/block page in my browsers (though admittedly I do see the webpage more often now, at least in Firefox and SRWare Iron now that I have the Malwarebytes browser extension beta installed which uses the same databases as the Web Protection component in Malwarebytes 3 in addition to some other goodies for blocking bad stuff).
  23. Yep, good idea. These days especially, big data=big money so more sites and companies are tracking user activity and data than ever before with companies like Google and Microsoft doing things that quite frankly would have been classified as straight up malicious adware and/or spyware back in the early days of such threats (long before Malwarebytes ever existed) so using tools such as the Malwarebytes browser extension beta, a good ad blocker, a good tracking server block list (functionality available in Adblock Plus among others) and/or using an ad/tracker/telemetry blocking HOSTS file (such as the one provided by Malwarebytes' own Web Protection Research team over at hosts-file.net) is a good idea if you are concerned about privacy and tracking online.
  24. Just to provide some additional info for anyone who might come across this thread, below is the dialog displayed when Malwarebytes detects and quarantines an item via its Malware Protection component where I've highlighted key components that should prove helpful to anyone having similar issues with the current implementation: While it does indeed use the term blocked in the large, bold green text at the top, just below that it does explain that the item was automatically quarantined (this is standard practice for the vast majority of anti-malware and antivirus applications, including Windows Defender which ships with all modern versions of Windows by default). Below that is a button called View Quarantine which, when clicked will open the main Malwarebytes UI to the Quarantine tab where you may see what was removed and also restore the item if you choose, however it is accurate that you must navigate to Settings>Exclusions to exclude an item from detection if you wish to do so as there is no way to do so from the Quarantine tab and there is no Restore and Exclude or "Restore and Ignore" functionality built into Malwarebytes as some (though not all, as I've only seen it a couple of times across many AVs) other products have. As for the program's START menu shortcut, I'm not certain why it was removed as I just tested with a shortcut for a detected EXE placed in the all programs START menu for all users as well as the one for the current user (my user account) and neither was deleted by Malwarebytes. I also tested with an item pinned to the START menu and it was not removed either, though Windows did display a prompt asking me if I wanted to delete each of the shortcuts when I tried to open them after Malwarebytes had removed the executable they were pointing to which is standard behavior for Windows in general for any such item. 
I believe there is a setting in Windows that will automatically check for and remove any obsolete/missing items from the START menu, however unless you deliberately configured your system that way I don't think Windows would remove it by default. That said, there is another possibility. If Malwarebytes has a threat signature specifically targeting that shortcut, it would be removed when you tried to open it. This is standard practice for things like PUPs and some malicious threats when they are known to create shortcuts on the user's system for the sake of thorough cleanup/leaving no traces of the detected software behind. It is also normal if a scan was run for Malwarebytes to remove the detected executable as well as any shortcuts and startup entries (such as an entry in any of the RUN keys in the registry pointing to the detected item) pointing to it, however the real-time protection in Malwarebytes that detects an item when you attempt to execute it does not work this way (again, unless there was a signature specifically targeting that shortcut directly, which is not very common, especially if it was a heuristics detection; the most likely source of a false positive). 
Also, for anyone who wishes to decide what Malwarebytes should do with detected items in its real-time protection layer, they can change the setting highlighted below to Off (it is on by default, again because this is standard practice throughout the industry and generally speaking, most users seem to want Malwarebytes to take action automatically when an item is detected rather than having to make the determination themselves whether or not to remove an item that has been detected, however the option is there to disable this behavior for power users who prefer to decide what to do with detected items): If an item is detected and you believe it to be a false positive you may submit it to the Malwarebytes Research team directly for review by following the guidelines explained in this pinned topic and creating a new thread here for files detected as threats both by the scanner as well as the Malware Protection component in Malwarebytes. Other areas are provided for false positives within the other components of Malwarebytes here, each section including pinned topics on how and what information to provide for the Research team to be able to act on your false positive reports. I hope that this information is helpful and for the record, I too agree that an option to disable the free trial during installation would be beneficial being a power user myself.