
As Usual New MBAM version new detection



As usual a new MBAM version. Kaspersky does this....

3/27/2009 6:38:11 AM Proactive Defense Detected: Trojan.generic Malwarebytes' Anti-Malware C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE

Will this ever be resolved????


Unfortunately probably not, because of the generic detection algorithm used by Kaspersky in their Proactive Defense Module that's designed to heuristically detect new types of threats. MBAM uses drivers that make it look suspicious in this light, but they are needed to be able to detect and remove real rootkits and trojans.


Generally speaking, certain embedded files that are part of legitimate programs like MBAM or specialized fix tools may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons, including the tool's compiler, the files it uses, and the registry fixes and malware strings it contains.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. When flagged by an anti-virus or security scanner, it's because the program includes features or files that appear suspicious or can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others, or that it was simply detected as suspicious due to the security program's heuristic analysis engine, which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".


Unfortunately probably not, because of the generic detection algorithm used by Kaspersky in their Proactive Defense Module that's designed to heuristically detect new types of threats. MBAM uses drivers that make it look suspicious in this light, but they are needed to be able to detect and remove real rootkits and trojans.

I'm getting frustrated as hell. I have been fighting this battle in the Kaspersky forum since it started and they won't do anything except merge the topics and then lock them, and it's still detected.


No probs or alerts my end, latest KIS & MBAM.

I have a registered version with it running scheduled updates and scans on a daily basis. It runs as a service, so I guess that's why their proactive detection is flagging it. It has been a non-stop battle with them. They won't white-list it or do anything else but delete posts. It even detects MBAM when the prog is what they called "whitelisted locally".


It's probably flagging it because of the way MBAM loads its drivers when it runs (as a service as I recall). The only way around it that I could see would be to add all of MBAM's components to KAV's trusted applications list, making sure to select all 3 check boxes for each one in KAV/KIS. If the drivers are causing it then you'd have to add them under the Exclusion Rules section. I can't test it unfortunately as I'm running Vista 64 and MBAM's protection module doesn't currently work in x64.


It's probably flagging it because of the way MBAM loads its drivers when it runs (as a service as I recall). The only way around it that I could see would be to add all of MBAM's components to KAV's trusted applications list, making sure to select all 3 check boxes for each one in KAV/KIS. If the drivers are causing it then you'd have to add them under the Exclusion Rules section. I can't test it unfortunately as I'm running Vista 64 and MBAM's protection module doesn't currently work in x64.

So far I white-listed mbamgui.exe, mbam.exe and mbamservice.exe. Is there anything else that needs to be white-listed besides those three programs?


You could try whitelisting MBAM's drivers in C:\Windows\system32\drivers using the exclusion rules section under trusted zone to see if that helps. The drivers are mbamswissarmy.sys and mbam.sys. You could also do the same for the non-exe components in MBAM's program folder.

OK, I added those exes from the MBAM dir. I also put the drivers in the exclusion list. We will have to wait and see when the next version comes out if that helped at all. It's a shame an AV company will not cooperate with a good anti-malware program.
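Before adding the files named above to a trusted-applications or exclusion list, it is worth confirming that each one is the vendor's signed binary and recording its hash, so the exclusion covers a known-good file rather than whatever happens to sit at that path. The following is an added example, not code from the thread or from Malwarebytes; it assumes the default 32-bit install folder quoted in the alert, the driver folder named in the thread, and Windows PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example: verify the MBAM components named in this thread before
# excluding them from Kaspersky's Proactive Defense.
# Assumed paths; adjust $mbamDir if MBAM is installed elsewhere.
$mbamDir   = Join-Path $env:ProgramFiles "Malwarebytes' Anti-Malware"
$driverDir = Join-Path $env:SystemRoot "System32\drivers"

# The three executables and the two drivers the thread says to white-list.
$candidates = @(
    (Join-Path $mbamDir   'mbam.exe'),
    (Join-Path $mbamDir   'mbamgui.exe'),
    (Join-Path $mbamDir   'mbamservice.exe'),
    (Join-Path $driverDir 'mbamswissarmy.sys'),
    (Join-Path $driverDir 'mbam.sys')
)

$report = foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing file is worth knowing about: do not create an exclusion for it.
        [pscustomobject]@{ Path = $path; Present = $false; Signature = 'n/a'; Signer = 'n/a'; SHA256 = 'n/a' }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path      = $path
        Present   = $true
        Signature = $sig.Status   # only 'Valid' justifies trusting the file
        Signer    = $signer
        SHA256    = $hash         # keep this with the exclusion for later comparison
    }
}

$report | Format-Table -AutoSize -Wrap

# Anything not present or not carrying a valid signature needs a second look
# (re-download from the vendor, submit the sample) before it is excluded.
$unsafe = $report | Where-Object { -not $_.Present -or $_.Signature -ne 'Valid' }
if ($unsafe) {
    Write-Warning 'Do not exclude the following until verified:'
    $unsafe | Select-Object Path, Signature, Signer | Format-Table -AutoSize
}
```

Re-run the script after each MBAM update: a changed hash on a still-valid signature is expected, while a changed hash with a missing or invalid signature means the exclusion now covers a file you have not verified.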


Yeah no kidding. I don't know what the exact problem is, but it would be nice if they taught their heuristics to play nice with MBAM.

The answer that I was given was that since it puts an auto-run and runs as a service, it is "suspicious behavior" and is detected as trojan.generic. But they won't white-list it in their database; I guess it is a big deal to do it. **shrug** Their tech support forum has started deleting my posts whenever I mention it now. **shrug** Maybe Marcin can get involved and get something done about this. **crossing fingers**


It would be nice, as Marcin and the others around here know that many of us around here use KAV/KIS. Of course, KL probably wouldn't listen to him either :D .

Hehehehe. Tell him to go straight to the top and talk to Eugene. He should be able to fix it. =)
