exile360

Everything posted by exile360

  1. We have frequently seen issues when Fast Startup is enabled. This is because when that feature is active Windows doesn't actually fully unload the registry and active memory which may result in issues with drivers and services during the startup process. You can find out more about the feature, as well as some of the pros and cons of using it in the following tech articles: https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/ https://www.windowscentral.com/how-disable-windows-10-fast-startup https://whatsabyte.com/windows/windows-10-fast-startup/ https://www.petri.com/how-to-disable-windows-10-fast-startup-and-why-you-might-want-to As long as everything seems to be working OK and you don't mind keeping self-protection disabled then that's obviously OK, I just wanted to provide this info in case you were not aware of it and in case you or anyone else has any other problems with Fast Startup enabled.
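The Fast Startup setting discussed in the post above can be checked and switched without going through the Control Panel. The following is an added example, not code from the original post or from Malwarebytes; it assumes an elevated PowerShell prompt and relies on the HiberbootEnabled registry value that the "Turn on fast startup" checkbox writes.

```powershell
# Added example, not code from the original post: inspect and switch Windows
# Fast Startup (hybrid boot) from an elevated PowerShell prompt.
# Fast Startup is governed by the REG_DWORD HiberbootEnabled under the
# Session Manager\Power key: 1 = enabled, 0 = disabled. It has no effect
# unless hibernation itself is enabled (hiberfil.sys present).

$PowerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Get-FastStartupState {
    $item = Get-ItemProperty -Path $PowerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'HiberbootEnabled value not present' }
    if ($item.HiberbootEnabled -eq 1) { 'Fast Startup: ENABLED' } else { 'Fast Startup: DISABLED' }
}

function Set-FastStartup {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Writing this value is all the Control Panel "Turn on fast startup" checkbox does.
    Set-ItemProperty -Path $PowerKey -Name HiberbootEnabled -Value ([int]$Enabled) -Type DWord
    Get-FastStartupState
}

Get-FastStartupState
# To test whether a driver/service problem is Fast Startup related:
# Set-FastStartup -Enabled $false
# Ways to get a full kernel reload without changing the setting: "Restart" never
# uses Fast Startup, and shutdown.exe /s /t 0 (without /hybrid) is a full shutdown.
# powercfg.exe /hibernate off removes hiberfil.sys and disables Fast Startup with it.
```

Because Fast Startup only applies to a shutdown and not to a restart, a quick way to confirm a suspected Fast Startup problem is to restart once and see whether the self-protection or driver issue disappears before touching the registry.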
  2. The issue with your browser and computer freezing is unrelated to the messages being displayed in Chrome as that was specifically because Google decided to no longer allow any software to inject DLLs into the chrome.exe process, which the latest versions of Malwarebytes are now compliant with having removed Chrome from the list of shielded applications by the Malwarebytes Exploit Protection component in Malwarebytes 3. If you continue to have issues with Chrome and they seem to be related to Malwarebytes, then please create a new topic in this area to receive assistance with that by clicking here. If the issue is just with Chrome and is unrelated to Malwarebytes then you may try seeking assistance in our General PC Help area by creating a new thread in that area by clicking here or of course you may seek assistance from Google directly if you prefer by visiting their support area on their site.
  3. Greetings, Whenever a new full version which uses an installer is downloaded/installed it will always reset the service startup type back to the default. This is because during installation it ensures that the services and drivers are installed and registered and part of that process is setting the startup type for the service(s) meaning it will be configured to Automatic, which is the default. I do not know if the issue you had was resolved in the new version or not, however I would suggest testing it to see as it is a possibility as there were several bugfixes for various protection components in this latest release so it is possible. As for the other settings, I am not certain unless they were overwritten during the upgrade due to a bug in the installer, a change to the formatting/structure of the configuration files where those particular settings were stored, or due to corruption of the existing configuration files/settings during the upgrade install process, causing the software to revert to the defaults for those settings. I installed the new version on my own system using the same method you did and had no scheduled scan created (I had deleted the default one and had no new one configured and the schedule tab remained empty after the update/upgrade to the new version) and it also retained my license information so I'm guessing something must have gone wrong during the upgrade on your system, though I can't really speculate as to the cause. I did take a look at the setup log included in the logs you uploaded and it does show many of the files and directories under the Malwarebytes ProgramData folder being removed which is where Malwarebytes settings are stored so that would likely be why, but I don't know why it was removing them unless it was creating backups somewhere that I'm unaware of.
  4. Greetings, Until the release history page gets updated, you can find info about changes in the new version in the release notes posted in the release announcement here in case you are curious about the changes/new features and bugfixes included in the new version.
  5. Of course, but even beyond that, it is very often the case that when a threat signature is removed from the Malwarebytes database it is because it has been replaced by a superior and more advanced heuristics signature or algorithm that detects the same threat(s) as the one that was removed in addition to even more threats/threat families. When a Malwarebytes threat researcher analyzes a malware sample and goes to work on writing a signature/def to detect it, their goal is not just to target that specific file/sample, but to target/detect as many similar samples that might exist currently, may have existed in the past, and may not even have been created yet using that single signature/definition. This is also why, when a signature is removed from the database, even if it is solely because that threat has not been seen in the wild, it is even further justified because it doesn't mean that just that one file hasn't been seen, but any threat that the signature being removed would detect has not been seen which is generally the result of the bad guys moving on to a completely new threat/method of attack, and just like all software developers, the bad guys very seldom (practically never, really) return to their old code, because they know that because those methods/samples have already been seen by the security researchers throughout the industry, that the various AV/AM products (including Malwarebytes) will likely be able to detect it without even needing an update, and this is especially true now that Malwarebytes and other vendors are relying more and more on behavior based, signature-less detection methods, so whatever the bad guys do to attempt to evade detection, it must be something dramatically different and new, otherwise it will trip one or more of the user's layers of defense in their AV/AM product(s) and the attack will fail. 
This is the very reason that Malwarebytes never tried using signatures to detect malicious scripts and exploit code, because it is far too easy to modify and/or encrypt such attacks to bypass traditional signature based detection tools, and this is also why the Exploit Protection layer in Malwarebytes is by far one of the most proactive and effective layers of defense against modern threats because changes to the malicious scripts, including advanced/custom encryption routines become irrelevant because it isn't analyzing the contents of their scripts, but instead looks directly at process behavior (such as malicious code injection, attempts at OS security layer bypass like privilege escalation, DEP violation etc., memory buffer overflow attacks etc. etc.) because no matter what the actual script/code of the exploit may look like, the basic fundamental methods of execution and infiltration to perform its malicious tasks remain constant. This is also why the bad guys' tactics will change completely every so often where they suddenly pretty much abandon one method of attack/infection and move on to something completely different. It's the reason we had fake/rogue AVs as one of the most common/prominent threats at one time, but today virtually none of those exist, both because security vendors have become proficient at detection/stopping them, and because users have become educated about what they are and not to fall for their tactics of extortion, so instead they moved on to what we have now which is ransomware and tech support scams, by far the two most common threats over the past couple of years (not the only ones, but definitely the most common, especially if you don't count PUPs, which have always been very common, though there are more which are bundled with real malware these days) because those tactics are still working and reaping profits for the bad guys. 
As soon as users become wise about the tech support scams and stop calling the fake tech support numbers and paying the overpriced fees for fake assistance in cleaning their devices (which aren't actually infected in the first place), those too will vanish and some new method of scam/attack will emerge. In fact, the new plugin developed by Malwarebytes which is currently in beta already does an excellent job of targeting these kinds of scams, even if the websites are not known/contained in Malwarebytes web block databases because like so many other aspects I've spoken of, this new plugin uses behavior based methods to detect tech support scam sites (along with several other classifications of malicious websites) to protect users. That plugin is in beta and currently available for free for both Chrome (as well as other Chromium based browsers like SRWare Iron) and Firefox, with versions for Microsoft Edge and Safari in development and I can tell you from first-hand experience that it is extremely effective having used it since it was first created.
  6. It works on 7 thanks to the search function in the START menu (the user mentioned running IE 11 which means it's likely to be Windows 7). I figured it would work on 10 also, but not if they've changed the names of things or added something else with a similar spelling or altered the built in search algorithm/ordering of things (I've heard that in 8 and especially 10 that some things can't be found unless explicitly spelled out completely, probably to conceal more critical functions/areas to prevent accidental harmful changes).
  7. I don't think that file is actually the exclusions you created. I believe that file has something to do with items whitelisted by the Malwarebytes Research team. I did find references that appear to be the exclusions I created but they're stored within multiple files (likely because they apply to multiple modules/components like the various protection components as well as the scanner) and they are stored under C:\ProgramData\Malwarebytes\MBAMService\config. The excluded items/paths appear to be encrypted, but you'll notice a "type" category for each where it calls out "file" or "folder" and that the number of each corresponds to the number of each of those types of items you have excluded and that their ordering in the files is the same as they are listed in the Exclusions tab in the main UI. You probably need to backup that entire folder, however I still don't know if even that will work as they could be keyed to that exact installation somehow in order to prevent tampering/corruption issues so we may need to see what someone from the staff has to say on the issue, or you may test it yourself if you wish to see what happens when you restore them, especially if you're trying to replicate them on a different system (just make sure Malwarebytes isn't running when you replace the files).
  8. Exactly, my point was that the entire industry has had to take a different approach because the old way of using static signatures to detect known threats doesn't work any more because threats adapt and change too rapidly for that approach to remain effective. Malwarebytes, like the other AV/AM vendors throughout the industry, have focused more on a layered approach now because relying on signatures and massive databases no longer works to provide effective protection against live threats. This is why Malwarebytes culling signatures out of its database for threats no longer found in the wild doesn't reduce the protection that the product provides.
  9. Everything you need should be in the first post in this thread. I used the links myself to update all 3 browsers within the last couple of days, including Firefox.
  10. I would advise launching mbam.exe rather than mbamtray.exe if I were you if only because mbamtray probably can't launch the service/drivers with the necessary privileges while mbam.exe requires admin+ privileges and is the "normal" way of starting Malwarebytes manually.
  11. Just as an additional note, Malwarebytes 3 has a lot more in the way of prevention than it does with regards to remediation/removal after the fact because most of the layers of protection in Malwarebytes 3 Premium (which are all fully functional in the free trial you're testing) are designed to stop an attack before it is able to actually install and launch an infection on the system. This is because more proactive, signature-less features like Exploit Protection and Ransomware Protection do not rely on threat databases to detect threats and instead look for malicious behaviors that occur during various stages of an attack. On top of this, technologies like Web Protection and Malware Protection (which also includes the new anomalous threat detection engine which uses cloud capabilities, Machine Learning (what most in the industry currently refer to as "AI" even though it is not technically true Artificial Intelligence in any real sense), and advanced heuristics algorithms) use information about known threats beyond just the threats themselves, including common characteristics, where they come from and the servers they reach out to (i.e. malicious servers, malicious ads or malvertisements, malicious Command & Control servers etc.) to detect an attack and stop it in its tracks at various phases in the attack chain. Scanning/remediation of threats is actually the last line of defense in a long list of layers and strategies employed by Malwarebytes to defend a system against attack and infection. You can find out more about how these various layers of defense operate by taking a look at the diagram and information on this page. I hope this information is helpful.
  12. Greetings,
      You have a Windows Update pending installation awaiting reboot, so please take care of that first by restarting your system. Beyond that, the only item of note I spotted in your logs was that UAC is disabled. I don't know if that's the cause of the issues, but it could be. To test, please re-enable User Account Control and then restart your system, then try performing another clean uninstall/re-install of Malwarebytes 3 using the Clean function in the Malwarebytes Support Tool. Instructions on enabling UAC may be found here and it should be configured to the second level from the top for Windows 7 as shown in the image on that page. In case you need them, here are instructions on doing the clean install:
      - Run the Malwarebytes Support Tool
      - Accept the EULA and click Advanced Options on the main page (not Get Started)
      - Click the Clean button, and allow it to restart your system and then reinstall Malwarebytes, either by allowing the tool to do so when it offers to on restart, or by downloading and installing the latest version from here
      Please test for a bit and let us know how it goes and if it helps or not. Thanks
  13. Correct, it is marketed as an AV replacement because of the reasons I mentioned. Because of all of these layers and working through the various phases of the attack chain (or kill chain as it is sometimes referred to), Malwarebytes is able to stop threats during different phases of an attempted infection event, rather than using a massive database of threat signatures for known infected PE files (executables) which would not only do nothing to prevent new threats (i.e. at 0-hour/0-day), but would also result in waiting until an infection is downloaded to the system and attempts to execute before trying to stop the attack. Because Malwarebytes uses more advanced technologies like Exploit Protection, Web Protection and the new cloud and Machine Learning+heuristics algorithm technology in the anomalous threat detection engine, it is able to provide full protection without a massive database of hundreds of megabytes or more like a traditional AV would (which would also be a far less proactive approach, since doing so would only protect users from known threats, not new ones, and certainly not against file-less malware that doesn't use executables). As for the question about 6 months, I've never heard that statement from any official source, and I actually have first-hand knowledge that this is not accurate. Malwarebytes tracks stats on detections to determine which threats are still live in the wild, and when a threat is no longer being detected, its signatures are removed from the Malware Protection component's database which is the same database used by the primary component of the scan engine (though both the scan engine and Malware Protection also leverage heuristics as well as the anomalous threat detection engine with its cloud and Machine Learning capabilities). 
Culling of threats from the database has no bearing whatsoever on technologies like Exploit Protection, Web Protection, Ransomware Protection and the anomalous threat detection engine so most of what makes Malwarebytes an effective, proactive malware prevention solution does not rely on targeted threat signatures/databases, so culling of threats from those databases for any reason would not impact the level of protection provided by Malwarebytes. In fact, more often than not when items are culled from the database, it is not just because older threat signatures are removed because the threats they target are no longer found in the wild, it is also because newer heuristics signatures and algorithms have been implemented which cover/detect those threats in addition to more current/known threats as well as potentially large swaths of unknown threats (thanks to heuristics) so Malwarebytes is able to provide superior protection using a smaller database. Also, given how short lived modern threats tend to be and how frequent polymorphism is used by the bad guys to attempt to evade consistent detection by AVs, attempting to track all threats that have ever existed in a traditional detection database and rely on that as the primary layer of defense against infection would be a poor decision because it does not account for the reality of how modern threat engineering and tactics actually work in the wild. This is why Malwarebytes has invested so heavily in signature-less and behavior based technologies to augment their base Malware Protection component because their threat Researchers and Developers have discovered this truth. 
At one time, many years ago (several decades back) it was often true that a computer infection wouldn't change much and the bad guys would rely on attempting to infect large numbers of systems over a longer span of time, however due to the emergence of more modern detection and protection technologies like heuristics and AV/AM products providing more frequent database/signature updates, they have had to evolve how they do things and create threats that change far more quickly and more frequently, which has the inverse effect of making more traditional threat signatures obsolete. This is why culling out old signatures has little to no effect on the actual effectiveness of Malwarebytes and only serves to improve its memory usage, disk space usage and scan time performance. If culling signatures from the database would result in users getting infected, then the threat Researchers wouldn't do it because that would defeat the entire purpose of providing a product like Malwarebytes in the first place.
  14. The only idea I can come up with would be to uninstall/reinstall IE 11. To do so, click START and type p fe (or programs and features if it doesn't show up) and press Enter, then click on the Turn Windows features on or off link on the left, then untick the box next to Internet Explorer 11 and click OK and allow the uninstall to complete and restart your system when prompted. Once that's done, reverse the process by going through the same procedure but this time checking the box next to Internet Explorer 11, restarting when prompted, then checking for and installing any available Windows Updates and see if the issue is now resolved. If it persists, then you could try removing the update(s) from September, rebooting, then checking for updates again and installing them to see if the issue is resolved. If it still continues then I'd suggest contacting Microsoft Support or seeking assistance through the MS community: https://support.microsoft.com/en-us https://support.microsoft.com/en-us/contactus/ https://social.microsoft.com/Forums/en-US/home https://answers.microsoft.com/en-us https://social.technet.microsoft.com/Forums/en-US/home
  15. I think a big part of the issue is that the use case for this feature would be really limited since, at least by default, the current standard upgrade install leaves modified settings and exclusions intact. On top of that, the entire purpose of the clean uninstall utility is to wipe out all existing data to correct problems in scenarios where settings and configuration files might be corrupt, meaning it would be counter to its purpose to allow importing previous configuration files containing customized settings and exclusions. With that said, it is possible to backup your settings and exclusions as most of them are contained within the C:\ProgramData\Malwarebytes folder, so theoretically, as long as you're reinstalling the software on the same system, it should work to replace them once installed with ones from a previous installation, however I do not know if that would cause issues with the threat signatures, date/time data and other configuration data which may differ from one installation to another. As far as business products are concerned, I do believe they have this capability, allowing a user to import/export settings and they also have managed policies for the console controlled versions that will apply settings across multiple endpoints within an organization. For the consumer version, I don't see a whole lot of use cases for such a feature, though perhaps there is something specific you are trying to accomplish that the Product team hasn't thought of yet, so if that's the case please let us know what it is and I will make sure that they are made aware of your needs as that may influence their decision on whether or not to implement such a feature.
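Posts 3, 7 and 15 above all come back to the same practical question: what exactly did an upgrade or reinstall do to the service start types and to the settings files under C:\ProgramData\Malwarebytes, and is a manual backup of that folder worth restoring? The following is an added example, not code from the original posts or from Malwarebytes. It takes a snapshot (service StartMode plus a SHA-256 manifest of the configuration tree) before the upgrade and diffs it against a second snapshot afterwards. The service name MBAMService and the ProgramData path are assumptions taken from the posts; adjust them to what Get-Service shows on your system.

```powershell
# Added example, not from the original posts or from Malwarebytes: snapshot the
# service start types and a hash manifest of the configuration tree, then diff
# two snapshots to see what an upgrade reset, replaced or removed.
# Assumptions: service name MBAMService and config root below (from the posts).

$ServiceNames = @('MBAMService')
$ConfigRoot   = 'C:\ProgramData\Malwarebytes'

function Get-MbSnapshot {
    $services = foreach ($name in $ServiceNames) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc) { [pscustomobject]@{ Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State } }
    }
    $files = @{}
    if (Test-Path $ConfigRoot) {
        Get-ChildItem -Path $ConfigRoot -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $rel  = $_.FullName.Substring($ConfigRoot.Length).TrimStart('\')
            # Files held open exclusively by the service will be skipped, not fail the run.
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash) { $files[$rel] = $hash.Hash }
        }
    }
    [pscustomobject]@{ Taken = Get-Date; Services = $services; Files = $files }
}

function Compare-MbSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    foreach ($b in $Before.Services) {
        $a = $After.Services | Where-Object Name -eq $b.Name
        if ($null -eq $a)                      { "SERVICE MISSING   $($b.Name)" }
        elseif ($a.StartMode -ne $b.StartMode) { "SERVICE CHANGED   $($b.Name): $($b.StartMode) -> $($a.StartMode)" }
    }
    foreach ($rel in $Before.Files.Keys) {
        if (-not $After.Files.ContainsKey($rel))            { "FILE REMOVED      $rel" }
        elseif ($After.Files[$rel] -ne $Before.Files[$rel]) { "FILE MODIFIED     $rel" }
    }
    foreach ($rel in $After.Files.Keys) {
        if (-not $Before.Files.ContainsKey($rel)) { "FILE ADDED        $rel" }
    }
}

# Usage: snapshot, save it, run the upgrade, snapshot again and diff.
$beforeFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'mb-before.xml'
Get-MbSnapshot | Export-Clixml -Path $beforeFile
# ... perform the upgrade or reinstall, reboot if asked ...
# Compare-MbSnapshot -Before (Import-Clixml $beforeFile) -After (Get-MbSnapshot)
```

The diff tells you which files the installer actually touched, which is the list to restore from a backup of the folder if you decide to do so; as post 7 says, copy the files back only while Malwarebytes is not running, and keep the pre-upgrade snapshot so a bad restore can be identified the same way.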
  16. Yes, Malwarebytes is marketed as an AV replacement, but the reason for that is not because of some new capabilities added to it to emulate old antivirus disinfection techniques, which is why it isn't being marketed as an antivirus. AV replacement means that it is capable of preventing infection by the same broad landscape of modern threats faced by systems today on the web, rather than using some limited database that only detects a small sub-set of infections currently in the wild. The reason for this is because with the addition of several new modules to the real-time protection layers, Malwarebytes is now capable of stopping attacks at multiple points in the attack chain without having to rely on huge databases of signatures and without having to capture samples of each individual malware infection after the fact. This is because the signature-less behavior based components like Ransomware Protection and Exploit Protection do not use signatures and instead stop attacks by detecting and blocking the behaviors that these phases of an attack/attempted infection display on a system. The information found in this page should help explain what I mean. Additionally, the more recent anomalous threat detection engine which leverages cloud capabilities, Machine Learning (what most vendors refer to as "AI" when in fact there is no true Artificial Intelligence in existence at this time), as well as advanced heuristics algorithms adds another layer to the more traditional detection and protection capabilities in the Malware Protection engine of Malwarebytes to add even further to the 0-hour threat detection capabilities in Malwarebytes 3. 
With all that said, it may be moot anyway, as I've been noticing a trend lately away from malware and towards more typical phishing scams, tech support scams, crypto currency mining, and PUPs (Potentially Unwanted Programs) by the bad guys with only a sparse set of exploits and rootkits, usually being used in an attack to install/launch one of the items in those categories rather than being used to install actual malware (other than the rootkits themselves, obviously, which I've seen being used mostly to install/protect PUPs as with the SmartService infection and others like it) and I believe this is related to the increase in the use of mobile devices to access the web, and because they do not use Windows, creating Windows malware has become more akin to attacking Mac OS or Linux, especially with the security improvements in modern Windows versions with the advent of UAC and many of the features in Windows 10 as well as the improvements in 0-day threat detection by vendors like Malwarebytes as well as the big name AVs, most of which now take an at least somewhat layered approach to protection through the use of several different modules/components to protect systems/devices. I do believe the transition to mobile is the biggest factor though, which also explains why Google Chrome has become the most widely used browser with the largest market share since many mobile devices are shipping with Chrome as the default/primary browser. This makes Chrome a bigger target for exploits, but Windows a smaller target for malware simultaneously and the bad guys go where the profit is, and profit is in the numbers they can infect to harvest data from or control (i.e. through botnets etc.).
  17. I did notice that in the first set of logs you posted that all of the registry entries for the Malwarebytes shell extension were missing. The new set shows that they are all present. I would speculate that if they show as missing prior to trying to use it once and having explorer.exe crash, that would explain why it works after that if they are getting created in the registry each time by successfully registering the shell extension. If I am correct, then something could be reverting the registry for some reason or un-registering the Malwarebytes shell extension causing this scenario to occur. If you use any type of system backup/restore solution that resets or rolls back changes on restart then this could have something to do with why this keeps happening.
  18. Excellent, thanks for the confirmation. If there's anything else we can assist you with please let us know. Thanks
  19. Greetings,
      What he was asking for with regards to an export is an export of the key from the registry so that he may take a look at exactly how it is formatted and written in the registry to determine why it is being detected and so that he might import it into one of his own test systems for testing to hopefully correct the FP. To create a registry export of the key please do the following:
      - Click on Start and select Run, or press the Windows Key+R on your keyboard
      - In the Run box type regedit and press Enter or click on OK, and click Yes if prompted by User Account Control
      - Navigate to the following location by clicking the little arrows next to the appropriate folders to expand them: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      - Once there, right-click on the Winlogon folder and select Export, then save the file to your desktop or another location where you will be able to find it easily and give it a name such as winlogon
      - Locate the file, right-click on it, hover your mouse over Send to and select Compressed (zipped) folder
      - Attach the resulting ZIP folder you just created to your next reply
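The export described in the post above can be scripted, which also gives you a chance to look at what the researcher will be looking at before you attach it. Winlogon is a classic persistence location, so the values most often behind a detection there are Shell and Userinit (and, on older Windows, the Notify subkeys). The following is an added example, not code from the original post or from Malwarebytes; it assumes an elevated prompt, writes winlogon.reg and winlogon.zip to the desktop, and compares the two values against the stock defaults (explorer.exe and the userinit.exe path with its trailing comma).

```powershell
# Added example, not from the original post: export the Winlogon key with
# reg.exe, zip it for attaching, and print the values most likely to be the
# reason for a detection. Assumes an elevated PowerShell prompt.

$WinlogonKey  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$OutDir       = [Environment]::GetFolderPath('Desktop')
$RegFile      = Join-Path $OutDir 'winlogon.reg'
$ZipFile      = Join-Path $OutDir 'winlogon.zip'

function Export-WinlogonKey {
    # reg.exe writes a .reg file that regedit on a test machine can import as-is.
    & reg.exe export $WinlogonKey $RegFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Compress-Archive -Path $RegFile -DestinationPath $ZipFile -Force
    Get-Item $ZipFile
}

function Show-WinlogonValues {
    $props = Get-ItemProperty -Path $WinlogonPath
    # Stock defaults; anything else in these two values deserves a second look.
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = "$env:SystemRoot\system32\userinit.exe,"
    }
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        $flag = if ($actual -and $actual.Trim() -ieq $expected[$name]) { 'ok' } else { 'CHECK' }
        '{0,-9} {1,-6} {2}' -f $name, $flag, $actual
    }
    # Legacy Notify subkeys (Windows 7 era) register DLLs that winlogon loads.
    Get-ChildItem -Path "$WinlogonPath\Notify" -ErrorAction SilentlyContinue |
        ForEach-Object { '{0,-9} {1,-6} {2}' -f 'Notify', 'CHECK', $_.PSChildName }
}

Show-WinlogonValues
Export-WinlogonKey
```

A CHECK flag does not by itself mean the entry is malicious (legitimate shell replacements and some management agents modify these values), which is exactly why the researcher wants the raw export rather than a description of it.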
  20. Greetings,
      Please post a fresh set of logs now that you've performed a clean installation and reset UAC back to default:
      - Run the Malwarebytes Support Tool
      - Accept the EULA and click Advanced Options on the main page (not Get Started)
      - Click the Gather Logs button, and once it completes, attach the zip file it creates on your desktop to your next reply
      Thanks
  21. You're welcome. As a frequent migraine sufferer myself I know where you're coming from. Unplug and take a breather. I hope you feel better, and this was not a waste of resources; we're glad to help. If there is anything else we might assist you with just let us know. Thanks
  22. If you create a Custom scan in the scan scheduler and click on the Customize Scan button just to the right of the scan type selection drop-down menu it should show a window similar to this one: If you click the > arrow highlighted in the above image it should expand the drive and list all folders on the drive. From there you may go through and select whatever folders you choose for the scan to be checked. It may take some time depending on how many folders you want scanned and how deeply they're nested, however once you've created it you can then configure the scan to run whenever you wish, including using the Edit function in the Scan Schedule tab to alter the start time/date so that you can essentially use it as a manual scan to have it run whenever you wish. Just set it for a time approximately 15~20 minutes in the future of the current time and it should launch without any issues. As for determining whether your chosen paths are included in the default Threat scan, it would be possible if you were to take a file that is detected by Malwarebytes and without executing it, create a copy of the file in the root of each folder you wish to have scanned, at the deepest level of each directory tree you want scanned (to test recursion for each path if, for example there are sub-folders within a particular directory that you want scanned). I would suggest using something relatively harmless such as a PUP installer. I can make some recommendations if you aren't sure what to use.
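The recursion check suggested at the end of the post above (a copy of a detected file at the root of each chosen folder and at the deepest point of its tree) is easy to get wrong by hand, and easy to forget to clean up. The following is an added example, not code from the original post or from Malwarebytes. It does not pick the test file for you and never executes it; $TestFile and $TargetFolders are assumptions you replace with your own choices, and every placement is written to a manifest so it can be removed after the scan.

```powershell
# Added example, not from the original post: place a copy of a known-detected
# file at the root and the deepest leaf of each target folder, record every
# placement, and remove them afterwards. The file is only copied, never run.
# Assumptions: $TestFile is something Malwarebytes is known to detect (a PUP
# installer, as the post suggests); $TargetFolders are the paths under test.

$TestFile      = 'C:\Samples\pup-installer.exe'      # assumed, replace with your own
$TargetFolders = @('D:\Projects', 'E:\Backups')     # assumed, replace with your own
$Manifest      = Join-Path $env:USERPROFILE 'scan-probe-manifest.txt'

function Get-DeepestLeaf([string]$Root) {
    # The subdirectory with the most path separators is the deepest point of the tree.
    $dirs = Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue
    if (-not $dirs) { return $Root }
    ($dirs | Sort-Object { ($_.FullName -split '\\').Count } -Descending | Select-Object -First 1).FullName
}

function Add-ScanProbe {
    $placed = foreach ($root in $TargetFolders) {
        if (-not (Test-Path $root)) { Write-Warning "skipping missing folder $root"; continue }
        # Root and deepest leaf; Select-Object -Unique collapses the two when the tree is flat.
        $spots = @($root, (Get-DeepestLeaf $root)) | Select-Object -Unique
        foreach ($dir in $spots) {
            $dest = Join-Path $dir ('probe-' + [IO.Path]::GetFileName($TestFile))
            Copy-Item -Path $TestFile -Destination $dest
            $dest
        }
    }
    $placed | Set-Content -Path $Manifest
    $placed
}

function Remove-ScanProbe {
    # Run after the scan; a probe the scan already quarantined is simply gone.
    if (-not (Test-Path $Manifest)) { return }
    Get-Content $Manifest | ForEach-Object { Remove-Item -Path $_ -ErrorAction SilentlyContinue }
    Remove-Item $Manifest
}

Add-ScanProbe
# Run the Threat scan, compare its detections against the paths printed above,
# then clean up with:  Remove-ScanProbe
```

Every path printed by Add-ScanProbe should appear in the scan's detection list; a root probe that is found while the leaf probe in the same tree is not tells you the path is included but not scanned recursively.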
  23. Greetings, The most expedient way to receive assistance with any issues related to licenses and activation is to contact Malwarebytes Support directly via the options found on this page. They should be able to quickly resolve the problem so that you may activate your license on your current installation/system. If there is anything else we might assist you with please let us know. Thanks
  24. Hehe, I don't doubt that it's happened many times. I think back on the names of video games, movies and other fictional creations and wonder how often such things get flagged, though I suppose it would be intelligent of them to cross-reference as much as possible with basic tools like Wikipedia and Google to determine the likely meaning of such references. I sort of think of all of this government surveillance as Google with intent. They want all the world's data/telemetry just like Google, but have a different purpose for it than Google (assuming Google doesn't seek to enter the political/military/security arena, though you never know I suppose).