Jump to content

NoelC

Members
  • Content Count

    40
  • Joined

  • Last visited

About NoelC

  • Rank
    New Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. And of course there are several different kinds of update checks (definitions, program updates). None of which should require a temporary disappearing executable that attempts its own DNS resolution. Something I hadn't recalled before... The protocol was TCP, not UDP. -Noel
  2. For what it's worth, whatever ig.exe may be being created during a scan, it's not normally reaching out to the net. I just detected the activity the one time only so far, and I did not enable it to do so again. This is a time when cloud-integration also brings a responsibility to be aware of what your software is doing, AND that you're doing so only with the customer's blessing. I'm just here to make sure the Malwarebytes authors continue to understand that. -Noel
  3. > A good portion of protection and scans is cloud based. I appreciate your trying to be helpful, but please understand that I already know that. We're kind of working at two different levels here. There is a difference between Malwarebytes contacting the Internet through known pathways to known servers and what I observed. I have rules set up to allow some names to be resolved normally (e.g., keystone.mwbsys.com, sirius.mwbsys.com, cdn.mwbsys.com) specifically to support Malwarebytes. It's this business of "I didn't get the DNS resolution I liked so let me try to sneak a name resolution in a different way by writing a temporary executable" that doesn't fly. Unfortunately, that's a signature pattern of malware, and I'm not willing to try to figure out where Malwarebytes might write the magic executable next. That's just not a valid way to do "cloud based" operations. Perhaps this is designed-in fallback behavior to try to allow Malwarebytes to work even when fully blocked by a firewall. Perhaps it lowers support costs. I don't know. But it does represent an observed change in behavior. > ill stay with MalwareBytesPremium 3.8.3 for now to see how this shakes out over time. I haven't seen it try this ig.exe trick again over the past day. The problem may have been coincident with a temporary network outage here, and specifically happened when I Quit the Malwarebytes Service from the system tray. When I get more time I'll experiment with it. -Noel
  4. Uh, no. I absolutely don't want Malwarebytes contacting DNS servers on its own. I have my own DNS servers that block sites I don't want contacted, and here I see Malwarebytes trying to do an end-run and contact 8.8.8.8 port 53 all by itself. Wrong! Again I say: Malwarebytes, stop acting like the very malware you're here to block. If this cannot be accomplished, then it will be just another package that doesn't get to run here. -Noel
  5. Hello, When closing the MalwareBytes service after running a scan with your FREE edition, my (uncommon) firewall setup just caught (and blocked) the executable c:\users\noelc\appdata\locallow\ig.exe trying to resolve names using UDP to the Google DNS server (8.8.8.8 port 53). When I went to look at the ig.exe file, it was gone! That’s a very malware-like activity pattern, and it had me a little worried. Now, maybe you Malwarebytes folks are in such good understanding of the malware you typically find or block that you feel using malware techniques to help protect their own software is okay, I don’t know, but I don’t like it. Please stop thinking you can write an executable to some temporary location, run it, then delete it. That's just not good practice. And I don't care if Microsoft themselves do it. It's not good practice for them either. No doubt you need to evolve your implementation to keep ahead of actual malware that's aware of your implementation, but I try to never lose sight of the fact that the prevention could at some point become worse than the risk. For now I’m keeping the MalwareBytes software installed, but I’m watching it closely. -Noel
  6. No edit capability here? Correction for my post above: * I'm a vanishing breed of user who wants complete control over what his computer does. -Noel
  7. Hi Folks, I have a desktop workstation, optimized for serious computing. From time to time I want to run a simple scan, without having to run ANY Malwarebytes code (no services, no nothing) for all the rest of the day. I don't need active protection. I don't want background auto-update. I want 100.0% of my system resources maximized for my use for what I have the computer for. Then, occasionally when I have a free moment, I want to easily be able to invoke a Malwarebytes scan - which for many years now has just said "no infections", and then just be done. No, I don't want to have to ask the Malwarebytes service to exit from the system tray. No, I don't want to have to go into Autoruns and disable Malwarebytes components you feel I need installed and running. Why can't I do this one simple thing? Why does it have to be more complex, as though Malwarebytes is trying to take over and infect my system itself? My computer is actually for other things; Malwarebytes is just a "warm fuzzy" generator. You might say, "well, it's because we'd like to get paid for our work." I'll give you a hint: I still use Malwarebytes Free because I precisely CAN'T do a simple scan, as I described above. If I DID have the ability to do this simple scan without a subsequent "cleanup on aisle 2" operation, if your product did what I need, I'd have been paying you all along. Yes, your software has value; but as it is now I pay in frustration. Sure, maybe I'm a vanishing breed of user who wants completely control over what his computer does. But I still have money. -Noel
  8. I've been looking at the following page to know whether there have been updates. It seems like it's been quite a while since I've seen an update... https://www.malwarebytes.com/support/releasehistory/#malwarebytes-premium Two questions: 1. Is the above the right place to look to determine whether a new version has been updated. 2. Is 3.5.1.2522 the actual latest release? Thanks! -Noel
  9. Thanks, Devin. Let me know if there's anything more I can do. Oh, and could you please verify that the version of the dll (3.0.0.26) that I restored from my backup is the one that's supposed to go with the latest MWB package (3.5.1.2522)? -Noel
  10. Also bear in mind I didn't retain the updates; the system has been reverted back to the December patch level. -Noel
  11. I seem to have accumulated a lot of stuff in there. Bear in mind this was not a Windows in-place upgrade. I brought a Win 8.1 x64 Pro MCE system up to date from December patch level to June patch level. Any particular folder you'd like me to send you from this set? C:\TEMP>dir C:\Windows\Panther /s Volume in drive C is C - NoelC4 SSD Volume Serial Number is 00ED-C11E Directory of C:\Windows\Panther 11/13/2013 01:05 PM <DIR> . 11/13/2013 01:05 PM <DIR> .. 11/13/2013 12:07 PM 42,475 cbs.log 11/13/2013 12:08 PM 68 Contents0.dir 11/13/2013 12:13 PM 68 Contents1.dir 11/13/2013 12:11 PM 2,844 DDACLSys.log 11/13/2013 12:13 PM 5,718 diagerr.xml 11/13/2013 12:13 PM 16,086 diagwrn.xml 11/13/2013 01:05 PM <DIR> FastCleanup 11/13/2013 12:08 PM 28,812 MainQueueOnline0.que 11/13/2013 12:13 PM 27,456 MainQueueOnline1.que 11/13/2013 01:05 PM 434,176 setup.etl 11/13/2013 12:11 PM <DIR> setup.exe 11/13/2013 12:13 PM 540,754 setupact.log 11/13/2013 11:59 AM 0 setuperr.log 11/13/2013 12:08 PM 440,576 setupinfo 11/13/2013 12:11 PM <DIR> UnattendGC 08/22/2013 07:18 AM 929,792 _s_AEE9.tmp 08/22/2013 08:41 AM 442,772 _s_B40C.tmp 14 File(s) 2,911,597 bytes Directory of C:\Windows\Panther\FastCleanup 11/13/2013 01:05 PM <DIR> . 11/13/2013 01:05 PM <DIR> .. 11/13/2013 01:05 PM 1,908 diagerr.xml 11/13/2013 01:05 PM 1,908 diagwrn.xml 11/13/2013 01:05 PM 456 setupact.log 11/13/2013 01:05 PM 0 setuperr.log 4 File(s) 4,272 bytes Directory of C:\Windows\Panther\setup.exe 11/13/2013 12:11 PM <DIR> . 11/13/2013 12:11 PM <DIR> .. 0 File(s) 0 bytes Directory of C:\Windows\Panther\UnattendGC 11/13/2013 12:11 PM <DIR> . 11/13/2013 12:11 PM <DIR> .. 11/13/2013 01:05 PM 4,123 diagerr.xml 11/13/2013 01:05 PM 3,813 diagwrn.xml 11/13/2013 01:05 PM 58,469 setupact.log 11/13/2013 01:05 PM 123 setuperr.log 4 File(s) 66,528 bytes Total Files Listed: 22 File(s) 2,982,397 bytes 11 Dir(s) 605,448,335,360 bytes free -Noel
  12. I can't offer any other reason a Windows Update should remove the above mentioned file, but MRT didn't log the deletion. That being said, it's certain that the Windows Update process is what caused it. It's not the first time I've seen it happen during a Windows Update (I compare my AutoRuns output every time I run a Windows Update). This is the pertinent section of the MRT log. --------------------------------------------------------------------------------------- Microsoft Windows Malicious Software Removal Tool v5.61, June 2018 (build 5.61.14929.3) Started On Fri Jun 15 07:14:11 2018 Engine: 1.1.14901.4 Signatures: 1.269.297.0 Run Mode: Scan Run From Windows Update Results Summary: ---------------- No infection found. Microsoft Windows Malicious Software Removal Tool Finished On Fri Jun 15 07:16:40 2018 Return code: 0 (0x0) I can only guess that if they're engaging in anti-competitive behavior they wouldn't log it. -Noel
  13. I have before and after listings from the following SysInternals AutoRuns command: autorunsc64 -a * The one just before the application of cumulative Windows 8.1 updates on June 15 at 7am showed this: MBAMShlExt HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3} Malwarebytes Malwarebytes 3.0.0.26 c:\program files\malwarebytes\anti-malware\mbshlext.dll 1/25/2017 5:37 PM The one just after the update showed this: MBAMShlExt HKCR\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3} File not found: C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll Do you know of specific logs emitted by the MRT? I'll be happy to dig into them. -Noel
  14. My take on this problem: mbshlext.dll is being deleted during Windows Updates by the Microsoft MRT. I have evidence of this. Of course a MalwareBytes reinstall brings it back, but it shouldn't be deleted in the first place. -Noel
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.