Jump to content

Script (batch) files and MBAM

Kessel75

By Kessel75
in File Detections

 Share

Recommended Posts

Kessel75

Kessel75

Posted
Posted

Hello, I'm new here and I don't really know where would be appropriate to post this question.

 

I wrote a batch wile in Windows 7. Now MBAM flags it as suspect.  I can understand (kind of) why it would do that, but if I look at this, I don't see how it would ever be possible for me to have it marked as "safe" and to distribute it to another person without it being flagged on their computer.

 

Someone here must have come across this and have a solution?  I can't have a batch file digitally signed, and anyway, that is complex and may be costly for something that is of use only to about 25 other people also playing the same game as I do?

 

There is no need to explain to me that a file name can not be made "safe" since anyone can alter the contents of the file  and make it malicious. I understand that. My question pertains to whether I can have a script file somehow easily and inexpensively "signed" to verify that it is safe.

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

"Hello, I'm new here and I don't really know where would be appropriate to post this question."
 Malwarebytes Anti-Malware Help
 

That's interesting because Malwarebytes Anti-Malware (MBAM) does not target script files.  That means;  DOC, DOCx, XLS, XLSx, PPT, PPS, PDF, .CLASS, .RTF, .WRI, .TXT, .VBS, .VBE, .BAT, .CMD, .CHM, HTML, PHP, et al, are not targeted.  It targets executable type files.  If an executable file is renamed to have the extension of a script file then it will be targeted.  For example if malware.exe was renamed as malware.bat then MBAM will continue to target it.

Link to post
Share on other sites
Kessel75

Kessel75

Posted
  • Author
Posted

Ah. That may explain it. I wrote a front-end .cmd file for an executable file of the same name. Could that explain it? I can in that case simply rename my filename and the problem will be resolved?

 

I did consider posting in the location you lined to, but thought my question might *just* not qualify. :)

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

Please take the file in question and place it in a ZIP file.

 

Use the button at the bottom of the text entry dialogue labeled "More Reply Options".

 

Please attach the ZIP file so I can examine it and give you greater details of what is going on.

 

 

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

This is interesting indeed.

 

The script isn't malicious.  At most an;  IF...THEN..DEL statement.

 

The file in itself, as I suspected, is not flagged.

 

Therefore some heuristic detection for the type of file and its location must be in play.

 

Can you please copy and paste in your reply an excerpt of the MBAM log that shows the detection activity.

Link to post
Share on other sites
Kessel75

Kessel75

Posted
  • Author
Posted

I could have sworn I replied to this post earlier.

 

In general, what I posted then (and that apparently did not make it here). Was a bit more background that explained why I might not be able to provide the log.

 

I wrote the script and have no problems with it. I distributed it to some fellow beta members to assist in obtaining older logs. One member installed the script in his Program Files folder (as opposed to on the desktop) That member reported the MBAM issue. I have asked him for copies of his log, but in general I'm not hopeful.

Further I thanked you (and do so again) for your assistance and for giving me the information I looked for. Even if no further response form you, I have the information on what MBAM would do and that it may be an issue with the file location or something similar. I might move my file and see if MBAM kicks up something, but right now I need to divert time/attention to something else.

 

Thank you again.

Link to post
Share on other sites
Kessel75

Kessel75

Posted
  • Author
Posted

OK, This is where I will fully understand if we all close this topic. My tester has given me his log, but it seems corrupted - or something. Frankly I don't expect anyone here to spend any additional time on this, not am I planning to.

 

I would like to thank both posters for their time and effort to help me understand this.

protection-log-2013-06-27.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Here is what we detected DETECTION    C:\CW3.cmd

 

The reason we detected it again is because of where it's located.   The user has an executable file in the root of the drive that really does not belong there.

This is often a tactic used by shall we say lazy malware writers and again why we detected it.

 

Move it to its own folder or possibly onto the desktop and we probably will not detect it.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.