Digerati

Honorary Members
  • Posts

    128

Everything posted by Digerati

  1. Sorry about the other two logs. I am awake now. FRST.txt Addition.txt
  2. See old thread. Sadly, someone closed my old thread when it clearly was still active and being worked as recently as yesterday. So I am forced to open a new one. As requested, I have run mbam-check. However, only CheckResults.txt was created so that is the only file attached. CheckResults.txt
  3. Well, I am not having problems with MBAM locking up, but I still frequently get the repeating "Nag" bubbles.
  4. Thanks Ron. I have run and posted the diagnostics logs (including Addition.txt again) but note I rebooted yesterday afternoon and did not receive any warning popups this morning. Perhaps these logs can be used as a baseline, and should the problem return, I can immediately run new logs for comparison. FRST.txt Addition.txt CheckResults.txt
  5. Reason? You just bark out orders and expect others to simply follow without providing ANY reasoning! Then you have a tissy fit and toss out comments like, "its your problem", "this person" and SHOUTING if the target of your "personal affront" wants some background to your suggestions. Do my own thing and won't even try something? Yeah right! When requested by AdvancedSetup, I totally uninstalled MBAM, installed an unreleased "beta" version, and posted logs - that's me not even trying something! You've given up on me? Great! And thanks, as I'd prefer not to hear from you again anyway.
  6. ??? My problem? No. I don't simply change default settings (especially with security programs) without any reason given. Hence me asking, "why?" Now your reasoning is to see if I stop getting the warning. I don't think you understand the problem. I don't have a problem being notified my database is out of date. In fact, I welcome that. I have a problem getting 3 pop-ups in immediate succession telling me the db is out of date. I only need 1 - especially when my response to the first pop-up is to "Update now". Since I rarely ever go more than 16 hours without using my computer, 1 day is the right setting, and makes sense to be 1. The setting I believe may be causing this is the "Frequency" to Check for Updates. I have it set to every 4 hours. That said, I also have "Recover missed tasks" unchecked. That tells me if a 4-hour check fails for whatever reason (for example, because the computer is sleeping, powered off or off-line), Task Scheduler will just skip it (the scheduled task), and wait for the next scheduled 4-hour check to come around on the clock. I wonder if that setting is being ignored as it appears each of the missed 4-hour checks starts when the computer wakes again.
  7. Mine only happens once a day so not sure it is the same problem. Regardless, I have purchased several copies for all my computers, kids, and others and will not hesitate to recommend it anyway. That's a bit hasty. This is a minor annoyance that does not impact security.
  8. Sadly, it happened again this morning. 3 separate popups, one after the other, telling me the DB was out of date. Note the computer was up and running all day Saturday and most of Sunday so no way was the DB more than 1 day old (the setting to yell at me when DB is out of date). Also note the 2nd and 3rd notice were not hiding behind the first. They only pop open after the previous closes. It seems to me there needs to be a switch (or whatever coders call it) that says if the user has not responded to the first notice, stop sending new notices until the first is acknowledged. Also note I rarely ever shut down or power off my computers - they just go to sleep. And about the only time I reboot is when an update requires it. FRST.txt Addition.txt
  9. Done! Currently at 2.0.2.1010. In "hurry up and wait" status now - after 24 years in the military, something I am an expert at. Will keep you posted. Thanks Ron.
  10. No, sorry to you both. Is there an accepted abbreviation for MBAM Premium? I used MBAM Pre thinking I was in line with MBAM Pro. I have MBAM Premium 2.0.1.1004. That could very well be, but in that case, I think it is still a problem (annoyance at least) because this time I was away from the computer for maybe 45 minutes. It goes to sleep after 20. I don't think it should keep tossing up the same error over and over again just because the user is not there to respond immediately. One persistent error message is fine. (By "persistent" I mean it stays until cleared, rather than repeats over and over again).
  11. Occasionally, upon waking up my computer, MBAM Pre throws up a bubble message above the System Tray saying my database is out of date. I have no problem with that. But when I click the update button, the error bubble goes away then immediately, MBAM throws up another out of date error message. Click again and sometimes it throws up a third. All in a matter of a couple (maybe 3) seconds. From my [non-programmer] end, it "appears" to me MBAM is very impatient, unwilling to wait until a connection can be established to your servers, the update downloaded and installed. That is, when I click the update button, while going out to fetch the update, it is also rechecking to see if I have the latest, and not finding it installed, tosses up the error bubble again. Mind you, I have a very fast cable connection. I think you need to build in a small delay timer (60 seconds is plenty) that starts when users click the "update" button that prevents MBAM from checking and/or tossing up the error again until 60 seconds later, and the update has had time to install.
  12. Hmmm, must be getting old. I was going to suggest splitting the save and display log settings, but I see I already did! Well, I still would like to see it! Thanks - BTW great product, you guys, and congrats on its and your success.
  13. You can ignore it yourself, for now and hope MB fixes it in an upcoming release. Or you can tell MBAM to ignore it. Or you can edit the entry to display Search. Or you can go into Start Menu Properties and change the option to display Search. I personally do not like using ignore for FPs because that is a work-around for something not right. Ignore, IMO, should be used for legitimate programs that MBAM does not recognize at all, but you know to be safe - not for items it improperly identifies. I feel I must say again that MBAM is, by far, worth keeping and using regularly. And if you don't have a real-time anti-malware solution, or your current subscription is about to run out, it should be on your short list.
  14. No it is not malware - but it "could" be an indication of previous malware infestations if you did not change the setting manually.
  15. I had a minor contributing input for that book - but still good resume material!
  16. Thanks - a bit modified since I first used it on CastleCops 5 years ago, but I relate to (hide behind) it quite well.
  17. Exactly! I did the same thing. But to many, their computer is simply a tool or communications "appliance" they use at home, work or school. They should not need to know how to analyze a detection string - it should be spelled out in front of them. Oh well - good discussion!
  18. I call them that because that is what they are - right or wrong, whether we like it or not - a legitimate item falsely tagged as malware (or bad, infected, or a hijack) is a False Positive. I agree with the separate but "fixes" automatically "implies" "broken" and in "need of fixing". I did not break Windows, or make it less secure, or vulnerable to compromise when I selected the option via the Start Menu Properties menu to not display Control Panel in the Start Menu. Agree? "Items of Interest" or the like may be a good fit instead of "Fixes" - as long as the program explains why, and does not mislabel them prematurely with "trigger words". But still, it should do so only when necessary. A single "clue" about a harmless user setting in the Registry should not be reported at all, IMO. However, IF there are other substantiating clues, such as the Control Panel also missing from My Computer, or entering control in the Run box fails to open Control Panel, then I would want to be alerted to this still unverified, potential "Item of Interest". There are certainly hundreds (1000s) of possible user settings that may be changed by user choice, legitimate installed programs, and/or by malicious code. Does (should?) MBAM report on each? I agree with that completely. And in this case, when "0" = Do not Display, "1" = Display, and "2" = Display as Menu, none are "Good" or "Bad".
  19. Ummm, while a good idea, it is not necessary to reinvent the wheel. This simply requires backing up the Registry before making changes. I use ERUNT. But the real point is these items (the FPs I received and reported above) should never be reported in the first place, never quarantined, and never deleted. They are not threats, do not represent vulnerabilities, nor are they evidence of malicious activity. These Registry entries reflect simple user settings, easily accessible from Start Menu Properties. Changes from the defaults may provide "clues" to previous malicious activity, but the lines in the Registry themselves are not malicious, were put there by Microsoft - not badguys, and need not be removed. What makes this bad is how the findings are reported, then handled. The badguys have forced non-IT users like dancingwoman to (correctly) err on the side of safety. The 4 FPs I had were defined as "malware", "Bad", "Infected", and "Hijack.StartMenu" - 4 scary words that, for these 4 FPs, are simply not true! To make matters worse, the suggested "fix" incorrectly removes (does not change back to default, but removes!) these legitimate options, without the user's knowledge. That's not right. So this is a problem that needs to be addressed right away. Users should not have to implement a work-around, or manually fix the fix for something that was not broken in the first place. BTW, while grumbling, these are minor issues, but they do detract from an otherwise most excellent product. The dynamics of malware, and the methods to thwart it make FPs inevitable. Nevertheless, zero FPs should be a goal sought as aggressively as identifying 100% of the malware if the "perceived integrity" of the program is to remain beyond reproach. 
If a security program regularly (and over several updates) mis-identifies multiple legitimate objects as "malware", "Bad", "Infected", and "Hijack.StartMenu" it is not much of a stretch to at least wonder if it is also mis-identifying malicious objects as "safe". The expectation for zero-defects may not be fair, but that's the price you pay for being one of the good guys - you are always held to a higher standard. A few small specks of mud on a white hat quickly make it look dirty.
  20. You could not "ignore"? If nothing else, you could just cancel out of MBAM without taking any action. I would not do that - it is still a trustworthy program. Google.
  21. I think these false positives need to be readdressed, and justifying them simply because malware has been known to make these types of changes is not good enough - barely (if that) circumstantial. When I, as the user of this XP SP3 machine, can very easily right click on the Start Menu > Properties > Customize > Advanced and select "Don't Display this item" for a whole set of display options, MBAM should not report them as infected objects. These are not infections, nor are they vulnerabilities. It does not present a security risk if I decide I don't need to see my Control Panel in my Start menu. I received the following 4 false positives today.

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

      Interestingly, I also do not have Favorites, My Music, My Network Places, My Pictures, Network Connections, or Printers and Faxes displayed and they were not reported. I did, however, set System Administrative Tools to "Display on the All Programs menu", but that was not reported as infected either. False positives are inevitable, but should be used to tweak the code and not allowed to live on. For me, since I never auto-delete anything, and have a few years under my belt, FPs are a minor inconvenience, unless frequent or repeating, then they become annoying, and can eventually become show-stoppers as faith in the product wanes, rendering the product untrustworthy. 
That would not be good here. For less experienced users, FPs can be frightening and as we have seen already, often result in users removing totally valid registry keys, BREAKING, in effect, options. How can that be good? Or faith building?
  22. I don't know. Disk space is cheap. As good as any program might be - I would not want MBAM promising to be the one program (or suite of programs) anyone will ever need. The market is already flooded with 100s of those types, and none are good enough to trust as the sole protectorate of me, my systems, or my family - hence the need, and beauty of MBAM. It fills the gaps like expanding foam insulation. Depends on which side of the table you sit. If business is such that you need more employees, there are large pools of unemployed to draw from - is a good thing when looking for expertise in very specialized areas. But if you are one of the unemployed and you have nothing on your resume to make you stand out (degrees, certifications, and most importantly, verifiable experience), then it can be quite difficult.