Safe updating of database


Artie

Today's disastrous experience with a database update resulting in the wholesale quarantining of system files, while a very unusual phenomenon, suggests the need for a safe way to do these updates. The solution, it appears to me, is to routinely create a System Restore Point before installing the update. This routine should be part of the update process. Microsoft has been doing this for years with Windows update. While I can't recall the last time I had to reverse a Windows update, it is reassuring to know that I can if I don't like the results. While this evening I was not able to use Malwarebytes Anti-Malware to restore the quarantined files in my Windows 7 system, Windows System Restore was able to fix the problem and restore my system to the state prior to my downloading the defective database.


While that is good in theory, PRO users have the ability to enable a setting in the protection module under the scheduler that checks for updates in realtime - every 5 minutes. If an update is actually released every 5 minutes, that might pose a problem when MBAM is trying to retrieve a new update and the system is still in the process of making its System Restore backup.

Of course, I realize that the program could be re-written so that it does not check for an update while the system restore is in progress - but then it would also have to wait for any type of scan the user might have set for it to automatically run as well. Which basically makes it not-so-realtime :P

I think it would be easier to test the database against a lab full of machines in various types of configurations and OS versions - after all, even a single test on a single computer should have made any tester go completely crazy and realize that this was not fit for end user consumption at all. A roomful of 15 or 20 PCs of varying age and OS would not run more than a few thousand dollars, but that small investment would have saved what's looking like could be potentially tens of thousands of dollars lost in terms of man hours and productivity lost.

I now have 3 systems I have to tackle in the AM - one being my own mother's and I'm not getting paid for that one for sure. And I have a feeling at least one of my clients is going to have something to say to me - I just got her on MBAM about 6 months ago.

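The routine proposed in the first post, with the update-frequency concern from the reply handled by reusing a recent restore point, as an added example that is not part of the thread and not Malwarebytes code. `Invoke-WithRestorePoint`, its parameters and the updater path are hypothetical; `Get-ComputerRestorePoint` and `Checkpoint-Computer` are standard Windows PowerShell cmdlets.

```powershell
# Added example, not Malwarebytes code. Needs an elevated Windows PowerShell
# session (2.0 or later) with System Restore enabled on the system drive.
function Invoke-WithRestorePoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)] [scriptblock] $UpdateAction,  # hypothetical: starts the update
        [string] $Description = 'Before anti-malware database update',
        [int] $ReuseWithinHours = 24   # assumption: a point this recent is close enough
    )

    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Creating a restore point requires an elevated session.'
    }

    # Newest existing restore point, if any.
    $latest = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
        Sort-Object SequenceNumber | Select-Object -Last 1

    $reuse = $false
    if ($latest) {
        # CreationTime is a WMI timestamp string and must be converted.
        $created = $latest.ConvertToDateTime($latest.CreationTime)
        $reuse = ((Get-Date) - $created).TotalHours -lt $ReuseWithinHours
    }

    if ($reuse) {
        # Frequent update checks do not each need a new point: an existing
        # recent one already predates this update.
        Write-Verbose "Reusing restore point #$($latest.SequenceNumber) from $created"
    } else {
        try {
            Checkpoint-Computer -Description $Description `
                -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
        } catch {
            # No rollback path means no update.
            throw "Restore point not created, update skipped: $_"
        }
    }

    # Only reached when a usable restore point exists.
    & $UpdateAction
}

# Usage (the updater path is a placeholder, not a real Malwarebytes path):
# Invoke-WithRestorePoint -UpdateAction { & 'C:\Path\To\updater.exe' } -Verbose
```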

Disaster is an understatement. While I spent about 6 hours last night doing system restores that recovered most (but not all), that was only about 80 machines that were all in one location. I cannot imagine what others are going through who have this product installed on hundreds of machines in multiple locations.

We have also taken extensive measures to ensure that a false positive like this never happens again.

I would like to know what "extensive measures" are/have been taken. What is your change management policy? Where is your testing lab, and what types of machines & OSes do you have in your lab, if you have one at all? As stated above, these definitions should have FUBARed nearly any machine. What is your testing process? After using this product for many years, I was very excited when you came out with MalwareBytes Enterprise. After yesterday, this has me seriously reconsidering MEE in a corporate environment due to lack of change management & thorough testing.


You will have an exact list of changes we're putting in place by next week.

Marcin, is it now safe to run Malwarebytes and let it update as normal?

I have my own MWB's and a few friends' MWB's turned off and disabled from starting up.


  • Root Admin

The update itself is safe but depending on what the current database is one would need to potentially be aware and not reboot until certain that the computer was not running this old database. Open MBAM and go to the Quarantine tab and make sure that there are no OS related files there. Then check for updates which should then update to the latest database. The program and normal database is safe to use, this was simply a mistake and one that is under scrutiny right now and under manual observation while further processes are put into place to prevent this from happening again.


You will have an exact list of changes we're putting in place by next week.

Hey, Marcin, my apologies if I stepped on any toes with my last post - I know your team is hurting hard right now. They did good, though, all things considered.

I'd love to be in charge of a lab for test def files lol. That would rock - nothing but trying to break machines repeatedly and then imaging them and starting all over...Sounds right up my alley...

On a lighter note - I wish it wasn't under such circumstances that we got to converse - how are you doing?

Thanks Marcin I was wondering the same thing. :)

The update itself is safe but depending on what the current database is one would need to potentially be aware and not reboot until certain that the computer was not running this old database. Open MBAM and go to the Quarantine tab and make sure that there are no OS related files there. Then check for updates which should then update to the latest database. The program and normal database is safe to use, this was simply a mistake and one that is under scrutiny right now and under manual observation while further processes are put into place to prevent this from happening again.

Good to know. Not in the interest of finger pointing, mind you, but in the interest of setting up methods to prevent this from happening again, including redundant checking....


The update itself is safe but depending on what the current database is one would need to potentially be aware and not reboot until certain that the computer was not running this old database. Open MBAM and go to the Quarantine tab and make sure that there are no OS related files there. Then check for updates which should then update to the latest database. The program and normal database is safe to use, this was simply a mistake and one that is under scrutiny right now and under manual observation while further processes are put into place to prevent this from happening again.

I restored my MWB and updated it, database went from v2013.04.16.05 to v2013.04.17.01 and it's looking good so far.
