quarantine not working as I expected


Recommended Posts

Hi,

Just purchased a couple of copies of MBAM after using the free version for a while. I wanted to test the realtime aspects of Pro and so I downloaded the spycar test suite. I extracted the files (after disabling Avast, as this blocked the file download to begin with) and when I click on one of the executables, e.g. HKLM_Run.exe, MBAM pops up a notification saying a threat has been quarantined.

All good so far.

Then I go into the quarantine and can see the threat, can delete it etc., but the actual exe file that caused the problem in the first place was never removed from the drive.

Is this normal? I would have expected the exe file to be removed.

Thanks

Paul

 

Link to post
Share on other sites

Hi, smipx013:

In addition to Durew's advice....

Actually, MBAM does not detect the eicar file. ;)

The eicar detection is for an ANTI-VIRUS.

MBAM is not an anti-virus.

To test whether MBAM is working, you may wish to follow the steps described here: How can I verify that Malwarebytes Anti-Malware is working?

More info here: https://forums.malwarebytes.org/index.php?showtopic=141986#entry788966

Cheers,

daledoc1


Hi:

Ehrm, smipx013 did use the spycar suite as mentioned in the article you linked to.

Indeed. :)

The links to the KB topic & forum post by our Forum Admin were merely to enhance the information for those who might casually happen upon this thread via a browser search engine.

(It's not uncommon for folks to confuse "eicar" and "spycar", and/or to assume that MBAM is an antivirus that "should" detect the eicar file.)

Nothing more, nothing less. ;)

Cheers,

daledoc1


Then I go into the quarantine and can see the threat, can delete it etc., but the actual exe file that caused the problem in the first place was never removed from the drive.

Is this normal? I would have expected the exe file to be removed.

Actually, the copy of the file that was executed should have been removed. If you didn't extract the file from the ZIP folder and just double-clicked on it to run it, then a copy of the file was extracted to TEMP, and that's the copy of the file that actually attempted to execute, which is the copy that MBAM blocked and quarantined. The same goes for if you extracted it and then ran it. The copy you attempted to run will be the one that gets quarantined, not the ZIP folder (since any item within a ZIP archive is actually dormant and cannot run directly from within the archive). If that's not what you're seeing, then yes, it sounds like a bug.
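The reply above hinges on which copy of the test file actually executed. One way to check that for yourself, rather than guessing, is to fingerprint the test file by hash and look for every copy (extracted on disk, in the temp directory, and dormant inside the archive) before and after the real-time scanner reacts. The script below is an added example, not code from this thread or from Malwarebytes; it stands in for the real test executable with a constructed placeholder file, models the Explorer run-from-ZIP flow with a copy into a temp directory, and simulates the quarantine action with a plain file deletion, so it runs offline on any platform. The directory names and the `HKLM_Run.exe` file name are taken from the thread for illustration only.

```python
"""Locate every copy of a test file (on disk and inside ZIP archives) by hash.

Added example. Models the flow from the reply above: a file run straight from a ZIP
is first copied to a temp directory, that temp copy is the one the scanner removes,
and the extracted original plus the archive member stay exactly where they were.
All file contents and directory names below are constructed for the demo.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path
from zlib import crc32


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(roots, digest: str):
    """Walk each root and return every regular file whose SHA-256 equals `digest`.

    A file that vanishes or becomes unreadable mid-walk (a quarantine action does
    exactly that) is skipped instead of aborting the whole scan.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    if p.is_file() and sha256_of(p) == digest:
                        hits.append(p)
                except OSError:
                    continue
    return sorted(hits)


def archive_members_matching(zip_path: Path, data_crc: int):
    """Archive members are dormant; match them by the stored CRC-32 without extracting."""
    with zipfile.ZipFile(zip_path) as z:
        return [i.filename for i in z.infolist() if i.CRC == data_crc]


def simulate_run_from_archive(work: Path) -> dict:
    """Reproduce the thread's scenario inside `work` and report which copies survive.

    1. an extracted copy sits at work/extracted/HKLM_Run.exe
    2. the same file is packed into work/spycar.zip
    3. "double-clicking" the member extracts a copy to work/temp (what Explorer does)
    4. the scanner removes the temp copy (simulated here with unlink)
    """
    payload = b"constructed placeholder, not a real test executable\n"
    extracted, temp = work / "extracted", work / "temp"
    extracted.mkdir(parents=True)
    temp.mkdir(parents=True)

    original = extracted / "HKLM_Run.exe"
    original.write_bytes(payload)
    digest = sha256_of(original)

    archive = work / "spycar.zip"
    with zipfile.ZipFile(archive, "w") as z:
        z.write(original, arcname="HKLM_Run.exe")

    # Step 3: run from inside the archive -> a second copy lands in temp.
    with zipfile.ZipFile(archive) as z:
        z.extract("HKLM_Run.exe", temp)
    before = find_copies([work], digest)

    # Step 4: simulated quarantine of the copy that actually executed.
    (temp / "HKLM_Run.exe").unlink()
    after = find_copies([work], digest)

    return {
        "copies_before_run": [p.relative_to(work).as_posix() for p in before],
        "copies_after_quarantine": [p.relative_to(work).as_posix() for p in after],
        "archive_members_still_present": archive_members_matching(archive, crc32(payload)),
    }


def run_demo() -> dict:
    """Run the simulation in a throwaway directory and return its report."""
    with tempfile.TemporaryDirectory() as d:
        return simulate_run_from_archive(Path(d))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

When testing a real product, replace the simulated steps with the real ones: hash the extracted file first, run it, then call `find_copies` over the extraction directory and `%TEMP%` and `archive_members_matching` on the ZIP. If the only copy that disappears is the one under `%TEMP%`, the scanner behaved as the reply describes; if the copy you launched directly from the extraction directory is still present and unchanged, that is the case the reply flags as a possible bug.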
