Shrugged

Auto-Quarantine


Is do not auto-quarantine in 2.0.3 RC1 handled in the same way as in 2.0.2.1012?

From the manual, Advanced Settings :

http://www.malwareby...rt/guides/mbam/

Automatically quarantine detected items: When unchecked, any threats detected will not be quarantined immediately. A notification will instead be presented, and you must choose how to respond. If you do not respond within forty (40) seconds, the threat will be quarantined automatically.

TIA

Link to post

Yes, it is handled the same way. Un-checking "Automatically quarantine detected items" in Advanced settings will yield the results you've quoted.

 

The system tray notification will pop up in the bottom right of your screen and give you different options in response to this new threat.  If you do not respond within 40 seconds, the threat is automatically quarantined.

Link to post

40 seconds and auto-quarantined, is that really a good idea, given the time that a bad update ended up deleting a bunch of system files? Some folks may not be in front of the computer when this happens; having the popup wait for a reply or auto-quarantine after a longer period would be better (at least an hour or so); at least that's my opinion...

Link to post

40 seconds and auto-quarantined, is that really a good idea, given the time that a bad update ended up deleting a bunch of system files? Some folks may not be in front of the computer when this happens; having the popup wait for a reply or auto-quarantine after a longer period would be better (at least an hour or so); at least that's my opinion...

 

You're echoing my thoughts on this, Ff. exile360 explained HERE (post #7) the reasoning behind this.

 

I'd prefer 1.75's behavior of system freeze rather than an injection of a bad update.

Link to post

Thanks, Shrugged, for that info on exile's explanation; it makes sense what he is saying. Guess our only hope is that they do not release a bad update again.... ;)

Link to post

I would like to see an option to add a sound when a notification is presented. If you use a screen saver and are multi-tasking, the screen saver might come on and be on when a notification pops up. If you have a sound option, this will prompt you to log back in or move the mouse to get back to the desktop and see the notification in time to take an action. Also, while I agree with the 40 seconds, people are often away from their computer for longer than 40 seconds while it is on. If there was a sound option, you would hear it if the volume on the computer was set high enough and know to go to the computer.

 

Sounds can be annoying so that is why I am suggesting it be an option. 

Link to post

40 seconds and auto-quarantined, is that really a good idea, given the time that a bad update ended up deleting a bunch of system files? Some folks may not be in front of the computer when this happens; having the popup wait for a reply or auto-quarantine after a longer period would be better (at least an hour or so); at least that's my opinion...

I am very rarely in front of my computer when Malwarebytes performs its scheduled scan. That's the point of scheduled scans. I do other things while the scan takes place. I'm going to have to do away with scheduled scans and do them manually while I sit staring at the scan to make sure my computer won't get bricked by a misstep in the database. This is nuts.

 

I thought that's what removing the check mark from "Automatically Quarantine Detected Items" meant. So basically this is a delay of 40 seconds? If so, call it "Delay quarantine 40 seconds" or fix it to do what it seems to be. I never would have guessed that this really didn't mean that Auto quarantine would still auto quarantine no matter the setting.

Link to post

I am very rarely in front of my computer when Malwarebytes performs its scheduled scan. That's the point of scheduled scans. I do other things while the scan takes place. I'm going to have to do away with scheduled scans and do them manually while I sit staring at the scan to make sure my computer won't get bricked by a misstep in the database. This is nuts.

 

I thought that's what removing the check mark from "Automatically Quarantine Detected Items" meant. So basically this is a delay of 40 seconds? If so, call it "Delay quarantine 40 seconds" or fix it to do what it seems to be. I never would have guessed that this really didn't mean that Auto quarantine would still auto quarantine no matter the setting.

 

Doing away with scheduled scan might not in its entirety produce the result you desire.

 

Auto-update should also be disabled. If you were away from your machine with active protection enabled, an auto-update containing FPs would result in the negative outcome you're trying to avoid.

Link to post

Doing away with scheduled scan might not in its entirety produce the result you desire.

 

Auto-update should also be disabled. If you were away from your machine with active protection enabled, an auto-update containing FPs would result in the negative outcome you're trying to avoid.

Terrific!...just terrific.  Thanks for pointing that out Shrugged.

 

Come on, Malwarebytes, make a setting that's to the point and makes sense... I humbly offer the following suggested setting options: "Do not automatically quarantine detected items without user input" or "User input required to quarantine detected items" or, even easier, simply don't quarantine detected items if the box on the existing setting isn't checked.

 

Anything but what's there which is "Detected items will be quarantined even if you don't check this box, it will just take 40 seconds longer".

 

I suppose I will just have to shut Malwarebytes off when I'm away from the computer or if I'm going to glance away from the screen for more than 40 seconds... just to protect myself from my protection software..... :(

Link to post

Allow me to clarify a little bit.

 

Under Advanced Settings, Automatically quarantine detected items is specifically for real-time protection.  Real-time protection monitors what applications/files are being executed and will quarantine the file automatically if it is seen as malware.

 

Now, it sounds like you are talking about scheduled scans automatically quarantining items after a scan or scheduled scan has finished... That is a completely different case.  Items detected by a manual scan will never be automatically quarantined (The 40 second rule does not apply!).  Items detected by a scheduled scan can be automatically quarantined, but you need to set a specific option in the scheduled task's options:

[Screenshot attachment]

 

As shown in the screenshot, items in a scheduled scan will only be quarantined if the option Quarantine all threats automatically is checked.  This is shown by adding/editing a scheduled scan and clicking the Advanced button on the bottom.

Link to post

I am very rarely in front of my computer when Malwarebytes performs its scheduled scan. That's the point of scheduled scans. I do other things while the scan takes place. I'm going to have to do away with scheduled scans and do them manually while I sit staring at the scan to make sure my computer won't get bricked by a misstep in the database. This is nuts.

 

I thought that's what removing the check mark from "Automatically Quarantine Detected Items" meant. So basically this is a delay of 40 seconds? If so, call it "Delay quarantine 40 seconds" or fix it to do what it seems to be. I never would have guessed that this really didn't mean that Auto quarantine would still auto quarantine no matter the setting.

 

I hate to say it, but this is yet another bad decision on the part of Malwarebytes that causes me to hold off on applying updates! For goodness sake, who is making these kinds of decisions? While it's understandable for Malwarebytes to want to display a no-nonsense approach to dealing with potentially dangerous alerts, you need to first demonstrate beyond a shadow of a doubt that your doing so isn't going to harm our systems, as it has in the past!

 

In addition, leave it to the user to decide whether or not they want Malwarebytes to take such drastic actions unilaterally. Wouldn't it be infinitely better if Malwarebytes took the same approach as doctors do when treating their patients? In other words, "First, do no harm!"? If Malwarebytes is able to freeze a user's system after an unanswered alert has occurred, in lieu of just quarantining the target files (which may be false positives), wouldn't the user still be just as protected?

 

It's understandable to want to keep the user from hurting themselves by trying to do what you know would be best for them.  However, nothing is foolproof, and certainly nothing is without risk.  However, when other avenues of protection are available, avenues that are just as effective, as well as being safer for those who choose to not automatically quarantine files, would it not then be prudent for the software designers to explore those avenues, and incorporate functionality that enables the software to be safer to use as a result?

 

No one foresaw Malwarebytes deleting Windows System files back then, yet it happened nevertheless.  To presume that it will never happen again is unwise.  To allow the software to act unilaterally in a way that ignores such a thing could happen again, and so needlessly putting your users at risk of having that happen again is, IMO, as well as in my 30+ years of IT experience as a system developer, the height of folly!

 

If 40 seconds after an unanswered infection alert Malwarebytes were to begin to quarantine suspect files, only to once again proceed to mistakenly quarantine system files instead, especially after the user had explicitly set the program's options to not have that happen... well, I'll leave that for you to contemplate.

 

If I was the project manager, there would be absolutely no way I would ever allow that to be a possibility!  And, if someone higher up decided that they wanted me to do that, I would tell them why I couldn't, and if they then tried forcing my hand... I would immediately quit the project without looking back.

 

Never say never...

Link to post

Allow me to clarify a little bit.

 

Under Advanced Settings, Automatically quarantine detected items is specifically for real-time protection.  Real-time protection monitors what applications/files are being executed and will quarantine the file automatically if it is seen as malware.

 

Now, it sounds like you are talking about scheduled scans automatically quarantining items after a scan or scheduled scan has finished... That is a completely different case.  Items detected by a manual scan will never be automatically quarantined (The 40 second rule does not apply!).  Items detected by a scheduled scan can be automatically quarantined, but you need to set a specific option in the scheduled task's options:

[Attachment: Scheduled_Advanced.png]

 

As shown in the screenshot, items in a scheduled scan will only be quarantined if the option Quarantine all threats automatically is checked.  This is shown by adding/editing a scheduled scan and clicking the Advanced button on the bottom.

 

Thank you, Jekko, for the clarification.

 

Are there any thoughts by MB to changing version 2.x's 40 second rule, in real-time protection, to the behavior as happens in v1.75 or even to an entirely different behavior?

 

Anyone who happens to land on this thread via search --- read the whole thread so you can strategize accordingly.

Link to post

Shrugged,

 

Unfortunately there are no plans to change the functionality of that 40 second rule for real-time protection for MBAM 2.x.

Link to post

Thank you, Jekko, for the clarification.

Are there any thoughts by MB to changing version 2.x's 40 second rule, in real-time protection, to the behavior as happens in v1.75 or even to an entirely different behavior?

Anyone who happens to land on this thread via search --- read the whole thread so you can strategize accordingly.

Shrugged, Unfortunately there are no plans to change the functionality of that 40 second rule for real-time protection for MBAM 2.x.

Jekko,

Thank you for taking the time to get and post the answer.

Link to post

Jekko,

 

Thanks for replying. It took me a while to find the thread again.

 

At the very least MB should change the wording on the setting to represent that it is a 40 second delay to quarantine if not selected.

 

I find it interesting that in the User Guide, under Scheduling Advanced Mode, it's noted that Automatic Quarantine is not necessarily the best choice:

 

While automatic quarantine may seem to be the best course of action, it could have negative implications if a false positive was encountered. A false positive is the categorization of a legitimate file as a malicious file.

 

On the other hand, under Advanced Settings:

 

 

Automatically quarantine detected items: When unchecked, any threats detected will not be quarantined immediately. A notification will instead be presented, and you must choose how to respond. If you do not respond within forty (40) seconds, the threat will be quarantined automatically

 

It would seem that there is a conflict of opinion regarding Automatic Quarantine in the user guide.

Link to post

And at the same time, both statements are true.  An FP will bite you, as will unquarantined malware.  The first statement is there specifically due to the nature of a FP and its effects.  The second statement is there to let you know that the 40-second timer kicks in, and the writer of the document can't change the behavior of the program.  The writer of the document CAN let you know what to expect.

Link to post

As I understand those statements, the first statement is for scheduled scans: if Automatically quarantine detected items is selected in the scheduled scan, then it has a big implication if there was a false positive; if it is not selected, the items are detected and logged and the user has to choose what to do with them.

 

In the second statement, Automatically quarantine detected items is the real time protection that is always running, that would only affect the PRO/Premium users...

Link to post

Firefox,

That's how I understand it as well. For a scheduled scan it's not recommended because of a possible FP. For Malware Protection and Malicious website protection it is OK. Perhaps a FP will not occur under the latter; I can only hope not. I am a premium user.

 

@Gonzo, just to clarify, it was not the writer of the "document" I was referring to.

Link to post

EDIT to add by Shrugged -- This concerns V2.x.

 

@SCR4514 --

 

This has gotten a little confusing as we're mixing discussion between manual scans (including scheduled ones) and active-protection. They differ in their reaction to detections as relates to Auto-Quarantine.

 

1) Manual scan as explained by @Jekko:
 

Now, it sounds like you are talking about scheduled scans automatically quarantining items after a scan or scheduled scan has finished... That is a completely different case.  Items detected by a manual scan will never be automatically quarantined (The 40 second rule does not apply!).  Items detected by a scheduled scan can be automatically quarantined, but you need to set a specific option in the scheduled task's options:

 

https://forums.malwarebytes.org/index.php?/topic/158478-auto-quarantine/#entry889118

 

The salient point is -- the 40 second rule does not apply. If you choose to not Auto-Quarantine in your scheduled scan settings a detection will wait for your decision on how to handle it.

 

2) Active-protection as explained in the manual, Advanced Settings:

 

 

Automatically quarantine detected items: When unchecked, any threats detected will not be quarantined immediately. A notification will instead be presented, and you must choose how to respond. If you do not respond within forty (40) seconds, the threat will be quarantined automatically.

 

 

The 40 second rule pertains to active-protection's detection behavior in regards to Auto-Quarantine.

 

Active-protection is constantly (assuming it's enabled) scanning to protect your computer. If a false positive laden update happened to occur, rare though that might be, MB's active-protection module would spring into action and earn its keep. It would immediately quarantine if you had selected to Auto-Quarantine in Advanced Settings. If you had chosen to not Auto-Quarantine, you'd have 40 seconds to make a decision before the program would take that decision out of your hands.

 

One strategy for those who worry that false positives could start quarantining system files and brick your machine -- NEVER do unattended updates. Active-protection will not likely turn on you on its own. It follows whatever the then current instructions (database) are, for better or worse.

 

Hope this helps to clarify further.

Link to post

@Shrugged  Thank you for your clarification. I think that's pretty much how I see it. However, I don't see how not doing unattended updates would rectify a FP issue. If the specific process or program that would be affected by the FP started and the previous update, attended or not, contained the FP and the user was not in front of the computer for 40 seconds the quarantine would take place, but I may be missing something here. For me the choice of mitigating this remote yet possible issue is a daily image of my drive at boot prior to Malwarebytes starting and before an Internet connection is established.

I understand the difference between automatically scheduled scans, manual scans, Malware protection and Malicious website protection. What I'm having trouble getting my head around is that an automatic quarantine is not recommended in one instance yet there is no choice in the other. I am far from a software engineer, so to me a FP is a FP no matter where, when or how it's detected. To be perfectly honest, I wouldn't know if it was a FP in 40 minutes, let alone 40 seconds. I'm sure that there are those that do, but I don't know any personally.

 

To my way of thinking, be it correct or otherwise, not checking this setting in "Advanced Settings" means no Automatic Quarantine, period. Checking the option means that it will be automatically quarantined, sort of a yes or no type setting. Inasmuch as Malwarebytes has already stated that there is no plan to change the operation of the 40 second automatic quarantine, I suppose continued posting on the matter is somewhat pointless. Thank you for presenting the subject and your continued discussion.

 

@Malwarebytes. Not everyone reads the manual to determine the definition of a specific setting that seems to be clear on its face yet is somewhat misleading or confusing in practice, considering that there is a similar setting with similar verbiage under "Automated Scheduling" > "Advanced settings". For clarity, please change the Advanced setting to identify that there is a 40 second delay before automatic quarantine even if the check mark is not placed on the "Advanced settings" > "Automatically Quarantine detected items" setting.

 

Thank you for your time and attention.
