Booting with Windows PE


Officially, mbam isn't supported when running against an external hard drive (which is essentially what you are doing when using a bootable setup). It won't clean the registry, which is a pretty big problem.

Here is a quote from "Forum Deity" from another thread discussing this:

"our product is not designed for doing flat-file analysis. It is designed and works best when running from Normal Windows Mode. You should be using your Anti-Virus product for flat file and archive scanning and removal. We are working on some other projects hopefully due out later this year that we hope will really help a lot more on some of the tougher infections. Stay tuned please...."

There are reasons you might want to pre-scan a system to remove any executables before fully booting into Windows and performing a full cleanup. I'll say it one more time. This isn't a supported use of mbam. Support won't help you, and I don't have time to get into more details than I have documented, so if you do this, you are on your own.

Edited by exile360
Link removed

Please be aware that there's more to it than just the registry. When scanning an inactive Windows installation, all of our whitelisting/countermeasures put in place to not remove necessary system files are completely disabled. This means that if you do scan with MBAM from a bootable CD, you may end up with a system that won't boot. We'd also appreciate it if you did not post such links here on our official product support forums.


By the way, our new Chameleon technology which is included in our upcoming 1.60 release of Malwarebytes Anti-Malware pretty much negates any need to run MBAM outside of Windows. The beta is currently available here and for users of previous MBAM versions, several tutorials on getting MBAM running when blocked by infections can be found here.


By the way, our new Chameleon technology which is included in our upcoming 1.60 release of Malwarebytes Anti-Malware pretty much negates any need to run MBAM outside of Windows. The beta is currently available here and for users of previous MBAM versions, several tutorials on getting MBAM running when blocked by infections can be found here.

Does it eliminate the need to login as an administrator? What if those credentials aren't already cached locally? Do I now need both a network connection and to type my admin credentials potentially exposing them to a piece of malware and allowing them to be sent to a C&C?

I am investigating using MBAM for my employer, and really haven't used it much other than on a few test systems that I intentionally infected. In this environment, users have restricted accounts and cannot install software. The person responding (sometimes me) probably has never logged into that computer before, requiring it to communicate with Active Directory to get a local admin privileged account. You have to agree, this scenario really calls for offline analysis.

MBAM is really useful and does a great job, but not adding to the list of already compromised credentials when responding to a compromised machine is really an important feature. I can't see any other way to do this than using a boot disk when I am cleaning a computer. You have a big market for corporate customers, and I am not opposed to paying for this functionality. I am not trying to argue, just letting you know there is still a need for this ability.


I understand your concerns, but even in a corporate environment, using MBAM from an offline disc is not allowed/authorized under our corporate EULA. If you're using the consumer version to do a corporate evaluation then this too is an EULA violation and also won't give you a clear perception of how useful MBAM can be in a corporate environment, as the consumer version is not meant for that purpose (if you contact corporate@malwarebytes.org they can provide you with a corporate evaluation so that you can test it out and see what the corporate version offers as it has many features not available in the consumer version).


Staff

One thing to understand. Malwarebytes does not behave like an antivirus. Detections are not made on just files alone. For example, say a sample sets a static registry run key. We detect that registry key and link back to the file. You don't have this in a PE environment. Thus probably 1/3 of our detections will be disabled in this environment. Not to mention our whitelisting would be broken too, because we also use registry whitelisting.

Another example. The userinit registry key, if it gets replaced by malware. Malwarebytes may delete the file only in an offline environment, and the key would never get corrected by our engine. After this you reboot and try to boot Windows. Windows would not be able to log a user on then.

Our whole engine is written to be run on a live environment. If we were just an antivirus then what you are suggesting would be a good idea. Unfortunately being antimalware and a live environment engine what you are suggesting here is a VERY bad idea and could really damage a system.

That being said we are working on an Enterprise edition version which would allow remote installs and scans without user interaction necessary. This should address some of your concerns that you had.
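The failure mode the staff post describes (an offline scan removes the file a Winlogon key points to, the key is left dangling, and logon breaks) can be checked for from WinPE before rebooting. The following is an added example, not code from the thread or from Malwarebytes; it assumes the offline Windows volume is mounted at D: (the hypothetical $OfflineRoot parameter) and that the temporary hive name HKLM\OfflineSW is unused.

```powershell
# Added example, not from the thread or from Malwarebytes: audit the Winlogon
# Userinit and Shell values of an offline Windows installation from WinPE, so
# a file deleted by an offline scan does not leave a dangling logon key behind.
# Assumptions: the offline system volume is mounted at $OfflineRoot and the
# temporary hive name HKLM\OfflineSW is unused; run as administrator in WinPE.
param(
    [string]$OfflineRoot = 'D:',
    [switch]$RepairUserinit   # restore the Windows default if Userinit dangles
)

$hiveFile = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
& reg.exe load 'HKLM\OfflineSW' $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load offline hive $hiveFile" }

try {
    $winlogon = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props    = Get-ItemProperty -Path $winlogon
    foreach ($name in 'Userinit', 'Shell') {
        $value = [string]$props.$name
        Write-Host "$name = $value"
        # Both values are comma-separated lists of programs Winlogon starts.
        foreach ($entry in ($value -split ',' | Where-Object { $_.Trim() })) {
            $path = $entry.Trim().Trim('"')
            if ([System.IO.Path]::IsPathRooted($path)) {
                # Map the live system's drive letter onto the offline volume.
                $offlinePath = $path -replace '^[A-Za-z]:', $OfflineRoot
            } else {
                # Bare names such as explorer.exe live in the Windows directory.
                $offlinePath = Join-Path $OfflineRoot "Windows\$path"
            }
            if (Test-Path -LiteralPath $offlinePath) {
                Write-Host "  OK       $path"
                continue
            }
            Write-Warning "  MISSING  $path  (dangling $name entry: logon will fail)"
            if ($name -eq 'Userinit' -and $RepairUserinit) {
                Set-ItemProperty -Path $winlogon -Name Userinit `
                    -Value 'C:\Windows\system32\userinit.exe,'
                Write-Host '  Userinit reset to the Windows default'
            }
        }
    }
}
finally {
    [GC]::Collect()   # drop registry handles so the hive can be unloaded
    & reg.exe unload 'HKLM\OfflineSW' | Out-Null
}
```

Run it once before and once after any offline cleanup; a MISSING entry after cleanup is exactly the case where the file went away but the key was not corrected.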

