DougCuk

Posts posted by DougCuk

  1. I have two utilities that have recently had their DAT files flagged by Malwarebytes Free - for years they have been OK.
    The utilities are IconRestorer and SuperFinder XT 
    Both are from a company called Freesoftland  -  website:  www.freesoftland.net/products.html
    The company website is also being caught by your blanket ".NET" domain restriction

    Attached are the detection log and the two suspect files (both originally called FSL.DAT) 

    Please whitelist these files and also the website if possible.

     

    Mbam_False_2.JPG

    FSL_false_detections.zip FSL_detections.txt

  2. False positive for file C:\Windows\System32\drivers\networx.sys
    This is part of the NetWorx Internet Bandwidth monitoring utility 
    Its purpose is to monitor all network traffic and display transfer speeds and log the amount of data transferred.
    The detected file is an old freeware version not the current release and has been in use for the last 5 years without triggering Virus or Malware warnings.

    Malwarebytes v4.3.0 Free using detection update dated May 9th 2021 
    Malware.AI.1892063303, C:\Windows\System32\drivers\networx.sys, No Action By User, 1000000, 0, 0.0.0, 953F5BC3510BBFA670C69847, dds, , CF29EDDACF75576AB82A683554AA4DD2, 50482EFCD2EC96D016E0C09753093BAB8F3A408D5D2B2477112217AAF1A6AB35
     

    Virustotal scan shows 5 vendors out of 60 show as suspect
    https://www.virustotal.com/gui/file/50482efcd2ec96d016e0c09753093bab8f3a408d5d2b2477112217aaf1a6ab35/details

     

    networx.zip Mbam_v4_Scan.txt

  3. Have added Instagram to the "Allow List"  - but Browser Guard is still triggering a Phishing warning.

    With the Allow List entry added you can open the Instagram.com front page or a specific user account OK. But as soon as you attempt to open any posts/image you again get hit with a Phishing warning screen - which you can over-ride (by clicking the "I want to continue to this site anyway" link) - but you have to do this every time. There appears to be no way to make this choice permanent.

  4. I have now traced the problem to an interaction with another security application that I was trialing - that application is the Free version of "0patch Agent" ( www.0patch.com ).

    Either program running by itself works fine - but when both are running the problem with Winword.exe surfaces. Both applications are attempting to protect Winword in different ways - and also 0patch lists MBAE as something it is capable of protecting - although I am unclear if it is actively "patching" MBAE in the free version. Disabling the protection for Winword.exe inside 0patch doesn't seem to eliminate the problem - but disabling the shield for Winword.exe in MBAE does resolve the issue.  One additional observation is that the problem does not appear to affect Excel 2003 (XLS files) only Word 2003.

    I will evaluate whether I wish to continue using 0patch as it is obviously capable of causing weird problems running alongside other protection software - and there may well be other hidden problems that might arise. Constructing a layered security software setup is not always easy and strange interactions and instabilities are to be expected from time to time.

    Just to complete the basic info I am running Office 2003 Pro inside Win7 x64 (fully updated) with Malwarebytes v2.2.1 Pro and Avast Free Antivirus v20.2  

    I consider this issue "resolved" at this time.

  5. I am experiencing a problem with build 164 that affects MS Word 2003. 

    With MBAE running and with Winword.exe shielded there is a problem with double clicking DOC files to open them in Word.

    Most often the first DOC file will open in Word - but thereafter attempting to open any other DOC file just hangs - and Word doesn't open - although Task Manager shows Winword.exe is actually running as a process, but no window is visible. These failed attempts to open DOC files just create additional Winword processes - but with no visible windows. 

    After a long delay an error window appears with the wording "There was a problem sending the command to the program." - the window title just shows the full path to the DOC file - and Task Manager shows the error is coming from Explorer.exe.  

    Starting Word directly via its shortcut is not affected (once any non-functional Winword processes have been closed in Task Manager) and DOC files can be selected and opened from within Word even when the shield is active.  

    Disabling the Winword.exe shield in MBAE rectifies the problem.

  6. I had to resort to uninstall and reinstall to regain the Allow List editing icons. 
    Unfortunately this particular case doesn't allow you to use the sliders to reverse the Allow List addition. This is because the entry is the actual download link - which doesn't display a web-page, it just triggers the download. Also for this download you can't complete the download without ticking the box to add to Allow List.

    Unless you tick the box to add the Allow List entry you get stuck in a loop - with two repeating warnings - the first one for the full download link itself - and if you override that you get the second warning for the domain url (s3.amazonaws.com). The only way out is to tick the box to add to the Allow List. One plus is that if you tick the box on the second warning (domain url) then the entry in the Allow List is a normal length and the editing icons display as normal.

    You can test this by using the PC & Mac Download button on this page  https://www.amazon.co.uk/kindle-dbs/fd/kcp

    The s3.amazonaws.com  domain needs white-listing. 

    Browser Guard.PNG

    Browser Guard_Download.PNG

  7. I have just encountered the same issue. 

    I tried to download the Amazon Kindle reader for PC and Browser Guard blocked the download as suspicious - so ticked the box to over-ride and it added the whole download URL string including the filename - http…amazonaws.com/kindleforpc/55076/kindleforpc-installer-1.26.55076.exe

    As noted the GUI doesn't cope with such a long entry and you can no longer see either of the two delete options (Remove All or the Trashcan icon) 


  8. Stargateuk.info website is blocked as a Malware/Scams risk
    This is my own simple website - all hand coded - with no fancy features. 
    I am at a loss to understand why it is triggering this warning

    I get the message "Website blocked due to possible suspicious activity"
    I have to disable the Malware/Scams protection to gain access

    The Malwarebytes main program (v2 & v3) have no issue with the site
    Virus Total shows no problems either:
    https://www.virustotal.com/#/url/fb6769f68b6840b5c1bdb4186d9a6889e794b6d6b870b001d16cbb9a07e0e609/detection

    Would be helpful to know what specifically is triggering the warning
    This is a new economy hosting plan from Godaddy
    With simple hand coded HTML pages 
    There are no scripts, counters, trackers or other apps running 

  9. Agree - there are big problems with Chrome v67 and v68

    Opening links in a new tab gives blank page (endless loading), attempting to add extensions freezes during "Checking", attempting to open internal chrome pages freezes with blank page (eg Extensions, Settings) and chrome.exe modules remain resident after closing program - preventing a reload.

    Reverting to build 90 solves all issues.

  10. I have now had this problem on two different occasions several months apart - on two different Win7x64 computers.

    When the problem manifests the symptoms are:

    • The Notification Area icon disappears and manually running the mbae.exe results in no GUI window
    • Protected programs no longer trigger a confirmation popup and mbae-test.exe shows protection non-functional
    • Restarting Windows makes no difference (this usually fixes one-off cases of MBAE not working)
    • The odd thing is there are no error messages and nothing is recorded in the Windows Event Logs.
    • The MBAE service is started (and responds to stop/start commands) and the Task Manager shows the three normal MBAE exe files are running
    • A simple uninstall and reinstall does NOT fix the problem

    On both occasions the fix was: To run uninstall and then manually delete the "C:\ProgramData\Malwarebytes Anti-Exploit" folder - which the uninstall had left behind - and then run the installer to reinstall the program. A reboot was not required.

    I am wondering if a corruption of one or more of the files in the "C:\ProgramData\Malwarebytes Anti-Exploit" folder is behind this problem - as this folder and its content survives a normal uninstall - and deleting this folder has allowed a successful reinstall on two different computers that suffered this problem. 

    I had been setting the config option "Log Protection Events" which I think writes to that folder - maybe when that log gets too big it causes a problem?

  11. Not sure if this issue has been resolved - but I also had similar symptoms and error messages on a Win7x64 system running MBAE build 43.

    I experienced MBAE loading but not working - the MBAE driver failing to load with the error message quoted above - and the Notification Area icon failing to appear.

    I just posted about the issue & fix on another thread here:  Issues with Win7 & Google Chrome

    The fix for me was to install MBAE build 57 - despite no related issues being listed as fixed - and all is now working fine. 

  12. I too can confirm that installing build 57 has solved all my issues - MBAE is now working perfectly once again.  

    I was also suffering the same "Unknown Software Exception" error - with Win7x64 using MBAE build 43 - on 2 almost identical Win7 desktop computers. 

    The issue appeared to start after the Feb 2018 Cumulative Rollup (KB4074598) - and/or the update to Google Chrome v65...181 (x64) from v64.

    Initially MBAE (build 43) appeared to recover after dismissing the error - but for unknown reasons the problem then progressed over the next few days to a situation where MBAE was loading into memory but failing to trigger when a protected app was started. Then the GUI stopped working - none of the shortcuts (desktop or notification area) worked and even running the EXE direct would not open a MBAE program  window. Finally even the notification area icon stopped loading. 

    Alongside this I also began to experience Google Chrome crashes - which stopped when I uninstalled MBAE build 43. I tried uninstalling and then reinstalling MBAE build 43, and build 40, but neither worked and I also tried a full uninstall and removal of all MBAE registry entries - but never succeeded in getting build 43 to work again. However installing build 57 over the top of the non functioning build 43 has solved all the issues - everything is now working fine. I didn't try build 48 as the change log didn't appear to list any fix for this problem - but maybe that would also have worked.

    Setup: Win7x64 Home Premium, Intel Core i5 3570 (3.4GHz Quad Core) - Ivy Bridge Chipset - MBAM v2.21.1043 - Avast Free v18.2

  13. I really do not know what you are seeing - if the following doesn't deal with your query please post more details or a screen shot. 

    The menu runs down the left side of the screen - select the Scan "Tab"
    This has the same three options as previous versions of the program 
    - Threat Scan, Custom Scan and Hyper Scan 
    Hyper Scan is only available to users of the Premium or Trial modes

  14. Re question 2:   I was looking for a "Database Version"  item - I had assumed the two "Package Version" items referred to program modules not Database updates. Will look at this again on a live system - where I assume the Update Package Version should change multiple times a day if it is in fact the Database version number.

    Re question 1:  The "End of Life" date in the linked Lifecycle page is shown as the 8th June 2017 for BOTH v1.75 and v2.2.1  (and v3.0.4) - so the implication would be that all these versions cease to get updates as of that date (the "End of Maintenance" date shows as December 2016 for all three). I assumed this was a heavy handed way of forcing everyone onto v3.1 - which is fine if that version is stable and de-bugged for all OS platforms and security package combinations. But could be a problem for those of us still using older OS's and/or combining Malwarebytes v3 with less popular security packages. MBAM v2.2.1 works well on older slower systems and plays happily with most other security packages - I am yet to be convinced about installing v3.1 onto these types of systems - so the June 2017 date is a concern. 

     

  15. I have multiple Malwarebytes (Anti-Malware) licences - but I have been holding off on allowing the upgrade from v2 to v3  -  basically waiting for the v3 product to become fully debugged and stable before swapping over.  I have two questions:

    1. The Home Products Lifecycle page https://www.malwarebytes.com/support/lifecycle/ appears to indicate that support for MBAM v2 will cease on the 8-June-2017. Does this mean that all database updates will cease for installed copies of MBAM v2.2.1 - as from that date?

    2. I have run a few test installs of the v3.1 product - and one thing I can't seem to find is any display of the currently installed database version number/date - it just displays "Current". In MBAM v2 the database version info was shown on the tooltip popup from the notification area icon and in the Dashboard display. Where is this info now shown?

    When there is an issue with a false positive or bugged database update it was always possible in the past to state the database version you were using when reporting the problem - not sure how you would do this for v3.1 - where is this information now?  

  16. The problem with the MBAM Scheduler not working during the bootup sequence is system dependent. 

    Which is why it was so difficult to replicate and identify the fault.

     

    I have been investigating this problem in conjunction with a Malwarebytes staff member and we established that most faster computers and virtual machines seem to work ok. However many slower (older) systems and those using wireless internet connections do often fail to complete a "recover if missed by" update task during system startup. 

     

    There are two reasons for this failure of the update task:

    1. The MBAM Scheduler is attempting to run the update task too early in the boot sequence

        On slower systems the Windows networking services have not finished loading and initialising

        The failure is invisible to the user with no error message - but the attempt is recorded in the MBAM Scheduler config file and can be seen using the mbam-check utility.


    This is compounded by the fact that the scheduler (at present) is only running the update task once

    - admittedly it does make multiple attempts over a second or two to find a working server

    - but it then gives up and waits for the next scheduled update event.

     

    2. The second problem is caused by the MBAM Scheduler running before the internet connection has re-connected to the router - this again is a system dependent problem - and can also vary from startup to startup. Encrypted wireless connections being the slowest to re-connect.

     

    The suggested fix by Exile360 (MBAM Product Manager) is to have the MBAM Scheduler retry the failed attempt after a few minutes. This will not affect those fast systems that already work correctly - and it should eliminate the problem for the slower systems.

     

    -------------------------------------------------

     

    I never had a problem with the "recover if missed by" option in MBAM v1.75 - it just worked - and the reason for that is it waited long enough for the system to boot and the internet connection to re-connect. Once the proposed scheduler fix is made the "recover if missed by" option should then work as it did in MBAM v1.75

     

    As for the "correct" use of the "recover if missed by" option:

    My understanding is that if you set the repeat frequency and the "recover if missed by" to the same value that should give full catch-up cover, with no gaps. Thus setting a 6 hour repeat frequency - with "recover if missed by" also set to 6 hours (once the scheduler is fixed) should cause MBAM to update at boot and repeat every 6 hours. 

     

    Setting the "recover if missed by" to a higher value than the repeat frequency should do no harm but provides no extra cover. Setting the "recover if missed by" to a lower value leaves gaps in the schedule - which means the system will not always update at startup - but may wait until the next scheduled update.

     

    Once the scheduler is fixed the popup warnings about databases being out of date should be largely eliminated

    - in the meantime change the setting in the "Update Settings" panel if it is bothering you.

      

  17. Many, many thanks Samuel !!

     

    Automatically re-attempting the update task after a few minutes should solve both the issues I described:

    1. My original finding that the MBAM Scheduler tries to run the "recover if missed by" before Windows services have fully loaded

    2. The MBAM Scheduler attempts to run before the WiFi connection has re-established a link to the router - when waking from sleep.

     

    I know how tricky it can be to re-create all the tweaks and tricks of a previous software version when writing a new version

    - it's easy to miss a few - but extremely frustrating for the users who were used to the previous honed and bullet proof version.

  18. The results I posted above hold true for a cold start - where the Delayed Start option has an effect.

     

    However when resuming from sleep/hibernation the results are not so good:

    - all the services are already loaded and just wake up without going through the boot sequence

    - the scheduler triggers immediately it wakes and runs the "recover if missed by" update task

    - but wifi internet connections normally take a number of seconds to re-establish - so the update can fail

    I suspect that a wired internet connection may re-establish faster and thus allow the update attempt.

     

    Changing the MBAM Scheduler service to Automatic - Delayed Start can be effective during cold starts

    However the task must be delayed for much longer - as it was in MBAM v1.75 - to stand a chance of running in all startup situations.