
Should MBAM PRO Detect PUPs During Downloads?


Should files normally identified by MBAM as PUPs (potentially unwanted programs) be detected during downloads when MBAM PRO real-time protection is enabled?

 

I was testing my MBAM PRO real-time protection by downloading a Sysinternals Process Monitor installer from Softango.com that is known to be bundled with unwanted third-party add-ons.  MBAM scans should detect this wrapped installer (SoftangoDownloader_SysinternalsProcessMonitor.exe) as PUP.Optional.InstallBrain.

 

When I attempted to download this file with MBAM PRO real-time protection fully enabled, the malicious website blocking feature prevented my browser from connecting to the server at www.humipapp.com (i.e., the IP address was identified as a potentially malicious website).  So far so good.

 

When I tried the download with MBAM PRO real-time protection partially enabled (i.e., with malicious website blocking disabled) I saw a pop-up in my system tray from my antivirus software (Norton Internet Security's File Insight) claiming the downloaded file was safe and the file downloaded to my hard drive.  I right-clicked on the file SoftangoDownloader_SysinternalsProcessMonitor.exe from Windows Explorer and an MBAM scan detected this file as PUP.Optional.InstallBrain.

 

Is it possible that my antivirus (NIS) real-time protection interfered with MBAM PRO's heuristic scanning during the download, or does MBAM PRO's filesystem protection only detect PUPs when they are scanned and/or executed?

------------
MS Windows 32-bit Vista Home Premium SP2 * NIS 2013 v. 20.4.0.40 * MBAM PRO v. 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS


  • Root Admin

Often not, as many times the inclusion of PUPs is located within a bigger installation program, and until you go to run or install the program the PUP files inside cannot be seen.

Blocking IP sites can be very normal depending on where you go or what is running on your computer. If you think you might be infected then I would suggest following the advice from the topic here, Available Assistance for Possibly Infected Computers, and having one of the Experts assist you with looking into your issue.

Thanks


Hi AdvancedSetup:

 

Thank you for your prompt response.

 

I had read the MBAM support article here titled "What's the differences between the Malwarebytes Anti-Malware Free and PRO versions" and it states in part:

 

"The realtime protection module uses our advanced heuristic scanning technology which monitors your system to keep it safe and secure by blocking unwanted downloads or executable files from running. Another important feature is our malicious website blocking, meaning that sites known to be malicious will not load on your system thereby avoiding a potential malware infestation."

 

I wasn't entirely clear if that first sentence meant that MBAM's heuristic scanning should detect unwanted files like PUPs during the download process (full stop) or if MBAM's heuristic scanning should block unwanted downloads from running.  Your response has clarified that statement and I'll assume the wrapped installer containing the PUP would be blocked by MBAM PRO if it were executed.  Fortunately, I didn't run the installer so my system was not infected.

------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 27.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS


Hi AdvancedSetup:

 

Further to my previous post, a friend offered to install MBAM PRO on a virtual machine (VM) running Windows 8.1 Pro Preview.  This VM does not have NIS installed.  MBAM PRO was configured with partial realtime protection (filesystem protection enabled, malicious website blocking disabled).

With this configuration, MBAM PRO allowed the wrapped installer SoftangoDownloader_SysinternalsProcessMonitor.exe to download without incident but blocked and quarantined the .exe file when it was executed.  This supports your comment in post #2 that the file would likely be detected by MBAM PRO's realtime protection at execution.

Thanks again for your excellent support in this forum.


  • Root Admin
"blocking unwanted downloads or executable files from running"

 

Yes, but as an example.  Let's say you download the latest version of Nero CD labeling software.  That software is quite a valid program but it does contain OpenCandy (PUP) and no way that I'm aware of to opt out.  Well, the program is valid so we don't block it from download or launch.  Depending on how the installer then runs we may detect the OpenCandy and offer to remove it.

 

When we say we block unwanted downloads we mean KNOWN THREATS that will infect your computer.  PUP is a category of its own that is not currently listed as a Known Threat.  However, there are some installers that are a known threat that do include them, and we will stop the download of said application not based on PUP alone but because the application installer is a known threat to your computer.

 

Sort of a fine line and difficult to list, as we block hundreds of thousands of files and programs.  Not an easy task, and one has to pay attention to what they're downloading and doing on the Internet.  We'll certainly try our best to help protect your computer, but there is no 100% guaranteed prevention except to disconnect your computer from the Internet and not share any disks or files.

 

You may want to read the following article on the subject of trying to keep the computer safe.

 

The complexity of finding, preventing, and cleanup from malware

 

Thanks
