lol

[Guest techhead287]

Scanning with MBAM right now... every time it comes across a malicious file my current antivirus reacts...

[David H. Lipman]

Well, that's good.

 

A full installed anti virus application has two basic modes of operation. On Demand and On Access scanning.

 

On Access - Everytime a file is read or written to or form media, the anti virus will scan the file based upon signature and heuristic detection.

On Demand - This is where the anti virus application is specifically instructed to scan a file, folder or disk either manually or automatically via a scheduler.

 

As Malwarebytes' Anti-Mailware (MBAM) does its scanning of files, the fully installed anti virus application will scan the file as well.  Thus you are actually getting the benefits, at that moment, by two anti malware products and their varied signatures and heuristic detection capabilities.  Usually the anti virus application is at a lower level in the OS Kernel an thus it may react first and MBAM second (if both detect a given file).

 

I don't know why you labeled the subject "LOL" as as there is nothing to Laugh Out Loud at anti malware software working as it should.

[Guest techhead287]

I just labelled it LOL because I thought it was quite funny. My dad happened to have a lot of threats on his machine that I was scanning and BPS was popping up alerts everywhere saying "Threat Detected!" as MBAM scanned. It was kinda like a rouge...

[GT500]

If I remember right, I have been told that MBAM's scan process does something that will trigger some anti-virus software to scan each file that MBAM scans (there is apparently a way to design a scanner without causing this behavior, depending on your anti-virus software's settings of course). You can prevent this by excluding MBAM in your anti-virus software, thus preventing your anti-virus from monitoring it (which would be the best option for performance during the scan).

[David H. Lipman]

I have explained why.  Malwarebytes is opening each file's File Handle and thus will cause the anti virus application to scan that file.  I don't think "excluding MBAM in your anti-virus software" is possible nor the way to go. 

 

Assuming this is Grisoft AVG, AVG isn't scanning a Malwarebytes' executable,m it is scanning the File Handles opened by the Malwarebytes' process and this is a GOOD THING.  However, if one is performing an "On Demand" scan with Malwarebytes and they have already performed a full scan bu AVG then having AVG scan every file handle that is opened by Malwarebytes is redundant and will slow the process.  Under the circumstance where Malwarebytes' is performing and On Demand scan and the system has had a recent full system On Demand scan by AVG, the PC owner may choose to temporarily disable AVG such that only Malwarebyes will scan a given file and it will be done quicker due the removal of any added burden or latency introduced by AVG.

[GT500]

I have explained why.  Malwarebytes is opening each file's File Handle and thus will cause the anti virus application to scan that file.

Not every anti-virus scans files when they are read. Some will, by default, only scan when an application is executed or when a file is created/modified. Your system can take a huge performance hit when your anti-virus scans every file that is read.

I don't think "excluding MBAM in your anti-virus software" is possible nor the way to go.

It is actually a very good idea if you don't want the scan to take forever due to the extra disk activity of having your anti-virus software's real-time protection loading every file that MBAM is loading from the disk when it is scanning. You're basically doubling the amount of data read from the hard drive, which means that the scan will take twice as long.

Exclusions are possible in most anti-virus softwares, and if you can at least exclude a process then you can exclude mbam.exe (which is what I was talking about), and thus the files loaded by mbam.exe while it is running the scan will be ignored by the anti-virus.

I do not believe there is any good reason to allow your anti-virus software to check every file scanned by MBAM. While it should be safe, it is a waste of time and a performance killer.

[David H. Lipman]

Most anti virus application do not scan every single file by default.  They actually have default file types, smart file types and other constructs which limits their scanning based upon file context, file headers, file type and file extension.  They may also have an archival format list and email database list.  With archives they may also limit recursion depth, number of files and the maximum size.  All these are usually found under the more advanced settings for "On access" or "realtime" scanning.

 

However, whitelisting MBAM is not the answer.  The anti virus application can not and should not care what application, utility or process is opening File Handles, only that internal rules based system sees a File Handle is be opened for read or being opened for write and act according to said rules.

 

If one has already performed a full scan with AV application X, there is no need to have "On Access" or "Realtime" enabled when scanning with Malwarebytes because of the redundancy so one can thus temporarily disable the "On Access" or "Realtime" scanning when perform an On Demand scan with Malwarebytes.

 

One can extend that to any "On Demand" scanner such as those that are in my Multi-AV Scanning Tool.

 

Lets say they the base AV is AVG and the PC users uses my Multi-AV Scanning Tool's Sophos Module.  As the Sophos Command Line Scanner (CLS) scans each file, AVG will do so as well as the Sophos CLS opens the File Handles for read.  If that has completed and the user now wants to run the Trend Micro Sysclean Module then AVG can be temporarily disabled because AVG already scanned the files.

 

NOTE:  If "On Demand" scanner X scans a PC with anti virus application Y installed, it will add overhead and lengthen the scan time but it will not double the scan time.

[Guest techhead287]

Thanks for all the replies.

 

I already knew that whenever MBAM scanned a file, the other AV would scan it too, I was just saying that it was quite funny when MBAM was scanning the temp folder, because there were about 100 threats in there and all the popups from the other AV were making it look like I had a rouge installed on my system.

[GT500]

Most anti virus application do not scan every single file by default.  They actually have default file types, smart file types and other constructs which limits their scanning based upon file context, file headers, file type and file extension.  They may also have an archival format list and email database list.  With archives they may also limit recursion depth, number of files and the maximum size.  All these are usually found under the more advanced settings for "On access" or "realtime" scanning.

This is true, however you still take a performance hit from the AV monitoring what mbam.exe is doing. You should also take into account that the on-demand scan does not scan every file either (depending on scan settings of course), and the ones that are scanned may be more likely to be scanned by your AV than if it was scanning every file.

However, whitelisting MBAM is not the answer.  The anti virus application can not and should not care what application, utility or process is opening File Handles, only that internal rules based system sees a File Handle is be opened for read or being opened for write and act according to said rules.

If what you describe is true, then exclusions would always be useless. Simply because an API is called does not mean that an AV springs into action. Behavior is monitored based on what process accessed what API, and thus excluding the process would prevent an anti-virus software from monitoring the usage of an API such as one used to open a file. If there is an anti-virus that works in a different way, then I am not aware of it (and it does not make sense as suddenly exclusions would no longer work properly).

If you don't believe me, then do a test where you compare the scan times and disk usage of each process when running a MBAM scan with and without mbam.exe excluded in your AV. Obviously every AV works a bit differently, and you will most likely see differences in the scan times based on which AV is running real-time protection.

If one has already performed a full scan with AV application X, there is no need to have "On Access" or "Realtime" enabled when scanning with Malwarebytes because of the redundancy so one can thus temporarily disable the "On Access" or "Realtime" scanning when perform an On Demand scan with Malwarebytes.

Actually, in a case such as running a scan with MBAM, exclusions are always preferred over disabling the anti-virus protection completely during the scan. Disabling the AV protection should be reserved for tools that are difficult to create exclusions for, when running a tool that you don't intend on running again or keeping installed, or when troubleshooting issues.

[David H. Lipman]

Exclusions between anti malware products are to decrease adverse interactions between products, not for the act of scanning files.

 

Any On Demand scanner can be told what is to be scanned and how.  Either through a GUI, registry tweaks, INI file, .CONF file or via command line switches.  Attached are two help files for Anti Virus Command Line Scanner related command line switches for Sophos and Avira. 

 

READCLI.rtf

scancl.rtf

[GT500]

Exclusions between anti malware products are to decrease adverse interactions between products, not for the act of scanning files.

That's not always true.

Any On Demand scanner can be told what is to be scanned and how.  Either through a GUI, registry tweaks, INI file, .CONF file or via command line switches.  Attached are two help files for Anti Virus Command Line Scanner related command line switches for Sophos and Avira.

I already know this, however not every scanner has the ability to define what types of files are to be scanned (unless the Malwarebytes team has added that to MBAM in the past couple of years and I didn't notice).

[David H. Lipman]

I already know this, however not every scanner has the ability to define what types of files are to be scanned (unless the Malwarebytes team has added that to MBAM in the past couple of years and I didn't notice).

 

Actually, MBAM does based upon if the file contains 'MZ' as in an executable or; 'PK', '7z' or 'Rar', etc,  as an archive file types based reading the first several bytes of the file's header and Malwarebytes does give a choice to include or exclude archival file types.  While this is a limited subset to what other scanners can do it does; "...define what types of files are to be scanned...".

 

To do that, Malwarebytes opens the File Handle of the file and minimally reads the the first several bytes and that is when the fully install anti virus "On Access" scanner will intercept that call and scan the file if the AV software "On Demand" (aka; realtime) scanning is enabled.

[GT500]

To do that, Malwarebytes opens the File Handle of the file and minimally reads the the first several bytes and that is when the fully install anti virus "On Access" scanner will intercept that call and scan the file if the AV software "On Demand" (aka; realtime) scanning is enabled.

However, I don't think you understand how anti-virus software intercepts the call to open the file. Obviously every anti-virus software can work differently, however in my experience they will intercept the call to open a file by monitoring a process, and therefore excluding that process would prevent the AV from intercepting the call to open the file. This is why I recommended exclusions.