
If Mbam deletes more than X files from system32 prompt user.


I was thinking about what sort of feature could prevent the false positive situation you just encountered. What if you implemented something in Malwarebytes that, if it starts deleting (or detecting) more than X (maybe 4 or 5) files in a row out of the system32 directory, stops and prompts the user for action? Then display to the user how many other files it is detecting.

For instance, if this was in place, the users hit with the false positive would have seen a box that would have said something along the lines of "We have detected 2,506 infected files in the system32 directory. This many files indicates a possible false positive. Proceed with caution".


I think a better way to go about this issue is to add a safe list of system files and legit SHA-1 hashes and single those out or offer to send to lab.

The real issue here was detecting Windows files which led to nonbootable systems. Anything else can usually be reinstalled and fix the issue.


Neither way is going to be particularly effective. The first is not effective because I can kill 1 file on any Windows computer and guarantee that it will not boot. All it takes is for the right file to be killed and presto - it's gone - and 1 file would most certainly be below any such threshold you're suggesting.

The second method would not fare any better b/c you're having to check every single file every time to match the hash in order to verify that it is in fact safe and to leave it alone.

It would be a lot easier and simpler to simply test it on a lot of machines in house before releasing it to the public. When I used to be much more active in the forums here as an expert, Bruce even told me his method of fishing for malware so he could build def files off what he encountered - it was pretty funny. But honeypots exist for that exact reason.

Now, for enterprise side, I think a centrally managed solution that tests the definition on its own before deploying it to the client machines would be a good idea as well as a second level of safety. Better to take one down than take your entire subnet down - which is what has happened in more than one case that I've seen reported in these forums already....

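The two proposals in this thread, a bulk threshold on system32 detections and a safe list of SHA-1 hashes, combined into one pre-removal gate that hashes only the files the scanner has already flagged. This is an added example, not Malwarebytes code and not part of any post; the function names, the threshold value of 5 and the sample files are assumptions constructed for illustration.

```python
import hashlib
from pathlib import PureWindowsPath

PROTECTED_DIR = PureWindowsPath(r"C:\Windows\System32")
BULK_THRESHOLD = 5  # the "X" from the first post; the value is an assumption

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def in_protected_dir(path: str) -> bool:
    # PureWindowsPath compares case-insensitively and works on any OS.
    return PROTECTED_DIR in PureWindowsPath(path).parents

def gate_detections(detections, known_good_sha1, threshold=BULK_THRESHOLD):
    """Sort scanner detections, given as (path, file_bytes), into three buckets.

    held:    protected-dir files whose SHA-1 is on the safe list (never auto-removed)
    confirm: protected-dir files held back because the bulk threshold tripped
    remove:  everything else
    """
    result = {"remove": [], "held": [], "confirm": [], "message": None}
    protected = [(p, b) for p, b in detections if in_protected_dir(p)]
    bulk = len(protected) > threshold
    for path, content in detections:
        if not in_protected_dir(path):
            result["remove"].append(path)
        elif sha1_hex(content) in known_good_sha1:
            result["held"].append(path)
        elif bulk:
            result["confirm"].append(path)
        else:
            result["remove"].append(path)
    if bulk:
        result["message"] = (f"{len(protected):,} detections in {PROTECTED_DIR}: "
                             "possible false positive, confirm before removal")
    return result

# Constructed sample data: stand-in bytes, not real Windows binaries.
GENUINE = b"constructed stand-in for a genuine system file"
SAFE_LIST = {sha1_hex(GENUINE)}

def demo():
    single = gate_detections([(r"c:\windows\system32\ntoskrnl.exe", GENUINE)], SAFE_LIST)
    flood = gate_detections(
        [(rf"C:\Windows\System32\file{i}.dll", b"unlisted %d" % i) for i in range(2506)]
        + [(r"C:\Users\a\Downloads\x.exe", b"unlisted")], SAFE_LIST)
    return single, flood

if __name__ == "__main__":
    for r in demo():
        print(len(r["remove"]), len(r["held"]), len(r["confirm"]), r["message"])
```

The single-file case stays under the threshold and is held only because its hash is on the safe list; the flood case trips the threshold and nothing under system32 is removed without confirmation.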
