
rdasheiff

Members
  • Posts: 4
  • Joined
  • Last visited

Reputation: 1 Neutral
  1. Thanks, that was a clear and educational explanation of my observations and the product. I conclude and agree there is no bug and mbar is working as predicted and correctly. I will close this thread. :-)
  2. Rich, sorry, forgot to attach the log files; here they are: system-log.txt, mbar-log-2021-05-22 (08-51-26).txt
  3. Rich
     1) Yes, mbar is clean to uninstall just by deleting the folder (no registry traces). However, not all programs are as compact, so I monitor.
     2) It wasn't just Regshot which didn't see the HKLM\DRIVERS tree; I also ran Windows regedit, which also failed to see that tree (and saw it after reboot). I'm unaware the Registry can have hidden values. This tree is protected and often can't be opened (to protect it from "accidental" deletion by the user, or malicious deletion or changes by malware).
     3) "If our driver is still active that may not allow access back to the registry till you reboot."
     3) I retested and the Registry entry disappears as soon as the program starts; it doesn't need to download updates. So the driver must be doing it. The driver and services must be stealthed, as nothing shows up in Task Manager.
     4) Additionally, you tested this in Windows 7 (which I thought of doing as well), but Win7 has a different directory tree than Win10. Win7 does not have HKLM\DRIVERS\DriverDatabase; instead it is located at HKLM\SYSTEM\DriverDatabase.
     5) Nevertheless, even if mbar "only" hid them, that sounds a bit too invasive for a program supposed to help protect and mend malware attacks. As with any bug, it is idiosyncratic to a particular OS version and what may be installed. That is why they are so hard to find and fix.
  4. Whenever I want to test a program (beta or not), I install and run it in a virtual machine. I have an old rootkit program (Sophos Anti-Rootkit v1.5.4, year 2010) which seems satisfactory, but rather than download and install their new free version 2.9 (which seemed overly extensive, i.e. doing more than just rootkit), I decided to try out this Malwarebytes beta v2021.05.22.03. I also monitor what is installed (and deleted) using Regshot 1.9. As it turns out, there is no uninstall for the beta, so if one wanted to remove it completely, such programs as Regshot are indispensable. After testing the beta and looking at my Regshot output, I was shocked to find it deleted all drivers in the Registry (luckily these are re-created by Windows on reboot as they are critical):
     HKLM\DRIVERS
     HKLM\DRIVERS\DriverDatabase
     HKLM\DRIVERS\DriverDatabase\DeviceIds
     HKLM\DRIVERS\DriverDatabase\DriverFiles
     HKLM\DRIVERS\DriverDatabase\DriverInfFiles
     HKLM\DRIVERS\DriverDatabase\DriverPackages
     Values deleted: 30275
     I then went and checked at what exact stage this happened, and identified that it occurs at the start of the program when it asks to update the malware definitions. It might be peculiar to my virtual environment and the Win10 edition I used, but even so, this is more than a 'bug'. Obviously I didn't install the beta on my host computer. The virtual environment was VMware Player 16, running 64-bit Microsoft Windows 10 Enterprise Evaluation, Version 10.0.10240 Build 10240, codenamed "Threshold 1", the first release of Windows 10. I have attached the Regshotx64.txt (6.5MB) output for Malwarebytes software engineers to look at if they wish. Regshotx64.txt
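The before/after registry comparison described in the posts above, as an added PowerShell example (not code from the poster, from Regshot or from Malwarebytes). It snapshots the HKLM\DRIVERS\DriverDatabase subtree named in the thread, then diffs the two snapshots; unlike a plain Regshot diff it reports a key that exists but refuses to open (access denied) separately from a key that is genuinely absent, which is the distinction the thread turns on. It assumes an elevated PowerShell session on the Windows 10 layout.

```powershell
# Path from the thread (Windows 10 layout); Windows 7 uses HKLM\SYSTEM\DriverDatabase instead.
$SubKey = 'DRIVERS\DriverDatabase'

function Walk-RegKey {
    # Recursively collect key names and value counts; record children that cannot be opened.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Name, $Snap)
    $Snap.Keys += $Name
    $Snap.ValueCount += $Key.ValueCount
    foreach ($child in $Key.GetSubKeyNames()) {
        try   { $sub = $Key.OpenSubKey($child) }
        catch [System.Security.SecurityException] { $Snap.Denied += "$Name\$child"; continue }
        if ($sub) { Walk-RegKey $sub "$Name\$child" $Snap; $sub.Close() }
    }
}

function Get-RegSnapshot {
    param([string]$RelPath)
    $snap = [ordered]@{ Status = 'Missing'; Keys = @(); ValueCount = 0; Denied = @() }
    try   { $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RelPath) }
    catch [System.Security.SecurityException] { $snap.Status = 'AccessDenied'; return $snap }
    if ($null -eq $root) { return $snap }      # OpenSubKey returns $null only when the key is absent
    $snap.Status = 'Present'
    Walk-RegKey $root "HKLM\$RelPath" $snap
    $root.Close()
    return $snap
}

function Compare-RegSnapshot {
    # Mirrors the Regshot report: keys removed/added and the change in value count.
    param($Before, $After)
    [pscustomobject]@{
        StatusBefore = $Before.Status
        StatusAfter  = $After.Status
        KeysRemoved  = @($Before.Keys | Where-Object { $After.Keys -notcontains $_ })
        KeysAdded    = @($After.Keys  | Where-Object { $Before.Keys -notcontains $_ })
        ValuesDelta  = $After.ValueCount - $Before.ValueCount
        DeniedAfter  = $After.Denied
    }
}

$before = Get-RegSnapshot $SubKey
Read-Host 'Start the program under test, wait for it to initialise, then press Enter'
$after  = Get-RegSnapshot $SubKey
Compare-RegSnapshot $before $after | Format-List
```

A result of StatusAfter = AccessDenied with the same keys present after reboot points to the tree being locked by an active driver rather than deleted; StatusAfter = Missing with a large negative ValuesDelta matches what the Regshot diff in the post reported.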