Jump to content

Malwarebytes quarantining it's own files?


Wildcat1981

Recommended Posts

I downloaded and installed the new version and the first scan quarantined what looks like Malwarebytes files.  I told it to ignore once, so I assume it put them back where they belong.  But then this morning I found the problem that others have had where Malicious Website Blocking is not enabled.  The only thing that would get it back on was a re-install.  I had tried updating the database, restarting, and rebooting. I'm not sure if the files it thinks are threats and the disabling of the website blocking is related?

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/13/2014
Scan Time: 5:51:17 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.13.09
Rootkit Database: v2014.10.11.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Kevin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 391702
Time Elapsed: 42 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\mbam.sys, No Action By User, [f92b0e478c0faa6d6661e6e977247e60],
Unknown.Rootkit.Driver, C:\WINDOWS\SYSTEM32\drivers\mwac.sys, No Action By User, [0664f6335f108f38fe08c3ca747311ee],

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

  • Staff

Hi,

 

You can safely ignore these detections - looks like there's a mismatch between reads from the kernel and windows API here. This might happen once in a while.

As for the Malicious Website Blocking, please see here: https://forums.malwarebytes.org/index.php?/topic/158722-malicious-website-protection-disabled/

Link to post
Share on other sites

I ran another scan and told MBAM to add an exclusion for those two files.  But the next time a scan ran, those same to files showed up as threats again.  I said to add an exclusion for each of them again, but I don't think it is sticking because the log says "No action by user" just like in the log above where I selected "Ignore this time". 

Link to post
Share on other sites

  • Staff

What do you get/see when you open Settings > Malware Excludions?

Do you see both of them there? If not, can you add these manually there via the "Add File" option?

Did you reboot afterwards?

 

As for the cause why it sees both files as unknown rootkit drivers...

Also, if still the same and still detection, I suggest that you reinstall Malwarebytes, because the fact that it sees those two files as unknown rootkit driver means there's a misread for them.

Also, what Antivirus or other Security product do you have installed? Because it could also be interference from the other AV where it sees changes for these new mbam driver files (since this is a new version) and causing these misreads in mbam. So it's always a good idea to add an exclusion for Malwarebytes files in your other AV as well. (If that was the case, please let us know, so we can try to reproduce this).

 

Or, do you have any program installed like Driver Booster or a system optimizer program or something similar? Because we have also seen this behavior where it forges contents of newly installed drivers.

Link to post
Share on other sites

The exclusions do show up in the settings.  However, they still get flagged as threats with each scan.  I am about to reboot to see what happens, I have not rebooted yet.  If I do a re-install, is it necessary to un-install first?

 

I have both Norton's Internet Security and Webroot Secure Anywhere running at the moment.  I do not have any Driver Booster type programs running.

 

I'll let you know if rebooting makes any difference and if not will try re-installing.

 

Thanks!

Link to post
Share on other sites

I deleted the old version to be thorough and re-installed again and did another scan right away.  Again, those two files show up as threats.  Interesting that this did not happen until I downloaded the new version.

 

Even if there is a mismatch, shouldn't those files be ignored if they are in the exclusion list?

Link to post
Share on other sites

Webroot does not have a way to do that and Norton's does but Norton's does not think those two files exist, even if I make system and hidden files visible in file explorer.But if I disable both antivirus programs it still behaves the same, or if right click on those files and have webroot or Nortons scan those files neither one has a problem with them. 

Link to post
Share on other sites

It is interesting to note that, in both Norton's and MBAM, when I go to exclude those files, both are not able to see the drivers in that directory, so if I go to manually add those two files through browse, MBMAM is not able to see them.  I can see them in File Explorer though.  I don't know if that has anything to do with the issue or not.

Link to post
Share on other sites

I think I have an idea what the problem might be.  I use Rollback Rx.  I was reading another post on this forum and I noticed that someone had a similar problem and you deduced that the problem was because of Rollback RX.  Perhaps I should not even turn on rootkit scanning in mbam if I am using Rollback RX.  Maybe that doesn't make sense since Rollback RX would likely look like a Rootkit?

 

BTW, the post I was reading said that there was a fix for the Rollback RX incompatibility.  Is that not in the current version yet?

Link to post
Share on other sites

  • Staff

Let's try a few more things.

 

  1. Please uninstall one of your AVs.  Having too much security software on the same machine can cause issues so it's usually recommended to only have one AV.
  2. Please try running a scan in safe mode to see if the same detections are found.
  3. Please try running a scan with MBAR and see if the same detections are found.
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.