
Kaspersky AV Reports Suspicious Activity when Updating MBAM



I'm not sure if this is the right forum for a false positive with Kaspersky AV 8.0.0.454. I am running KAV 8.0.0.454 and did the manual update for MBAM 1.37. KAV reports suspicious activity: MBAM-setup is trying to download a driver in a hidden way. Which choice in KAV: Allow or Add to Exclusions? I would assume Quarantine and Terminate are not the correct choices.


Greetings :P . This is a known issue with Kaspersky. It is due to its heuristics engine, which automatically flags any program that installs a driver the way that MBAM does. Just have Kaspersky allow it and it should be fine.

I've been using Kaspersky Internet Security together with the MBAM free version for a long time. Would you please then explain why only with this last version of MBAM I've received, for the first time, the warning that MBAM was attempting to install a hidden driver (obviously mbam.sys)?

Thanks in advance for your answer

Rocky


Guest remixed

Nobody seems keen on addressing this issue, which applies to all Kaspersky products. It doesn't bother me, but in my judgement (and brief poll) the casual MBAM user is going to go with Kaspersky's current recommendation!


  • Staff

@remixed: That's true, unfortunately, and it is my only hindrance in widely advising novice users to use the two together, so I usually recommend they use Avira just so they don't have to worry about remembering to tell Kaspersky to allow it every time a new version is installed.

@Rocky: The driver was changed quite a bit in 1.37, and that most likely has a lot to do with it. Also, if you're running Vista 64, 1.37 would've been the first version in which the driver actually functioned, which is why Kaspersky would give the alert: it wouldn't concern itself with a "dormant" driver that didn't function. I never got these alerts myself either (note I'm running Vista 64) until version 1.37, but users running 32-bit Windows versions have been getting these alerts every time they installed a new version of MBAM if Kaspersky was running at the time.


Guest remixed

Nope, I run Vista 32 & XP Pro 32 and this is the first EVER time I've received a 'Red' alert recommending quarantine or deletion. Sure, on previous occasions Kaspersky has questioned or prompted for a decision when a new version is installed, but this kind of alert is a first!


  • Staff

Ah, I see. It either has to do with a change in Kaspersky's heuristics or with the many changes to the drivers that MBAM uses in version 1.37. Probably the latter, although I did have to reboot after a recent KAV update a few days ago, meaning they did alter some part of the KAV engine itself.

edit: I just found this on the KL forums. Looks like "whitelisting" by them for MBAM is not an option. Users will just have to live with it and the uninformed will still be breaking MBAM on installation because Kaspersky suspects it of being a threat because of the way it installs its drivers. Bummer :P .


Thanks for the answers

But is there anybody who can explain the reason for a hidden driver installation (mbam.sys), which is of concern for many users (because obviously the antivirus in this way can no longer monitor the application!)?

Thank you

Rocky



Btw, I use Windows Vista and Windows XP, both 32-bit, but as already said it is really the first time that I get such a warning.

It doesn't matter; however, what I would like to understand is WHY the MBAM driver needs a hidden installation, which is not covered by any AV product (not only Kaspersky)???

Thanks in advance for a kind reply from someone of MBAM great team.

Rocky



It's not just KAV... loads of other vendors are picking up the drivers and .tmp files on installation...

I am trying to see why... submitting to online scanners... :P


  • Staff

I'm not part of the MBAM development team, but I believe the driver works the way it does to be able to get lower level access to the system to check for rootkits, hidden malware etc and be able to remove it (very similar to the drivers used by many AV's themselves). I believe if the driver installed normally it would be much more easily blocked or disabled by an infection that could already be present on the system. I could be wrong of course, this is just my guess based on the observations I've made about MBAM and how it works.


Hi guys,

I'm also a mod at the Kaspersky forum so perhaps I can explain this a bit further.

What is happening is that MBAM is trying to install its protection driver, and Kaspersky is intercepting this attempt and alerting you to a hidden driver installation.

Some rootkits (TDSS, Bagle) and other bad malware invisibly install a driver in order to bypass antivirus and security tools. However, security software and legitimate programs also need to install drivers in order to protect your system. Hence, an alert is given by Kaspersky in order for you to decide whether you trust the program installing the driver or not. If you know and trust the program making the driver install, it is fine to allow it; however, if you are not doing anything (e.g. updating software or installing a new version) and suddenly get such an alert (citing a program you do not know or recognise), it may be wise to block it and investigate further.

The reason MBAM triggers such an alert is because v1.37 includes a new, improved protection driver which needs to be installed in order to complete the update. Previous updates did not need to do this because the update did not include such fundamental driver changes.

Kaspersky will not be removing this detection because it is a very important interception point for a number of rootkits and removing this detection mechanism would leave people running their programs vulnerable to rootkit installation.

To sum up, in the case of updating MBAM it is perfectly safe to allow.

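The advice in the post above comes down to "allow only if you know and trust the program installing the driver". The PowerShell below is an added example of how to check that before clicking Allow; it is not code from this thread, from Malwarebytes or from Kaspersky. It locates the image file of a kernel driver service, checks its Authenticode signature and records its SHA-256 hash, then states a verdict. The service name "mbam", the expected signer string "Malwarebytes" and the function names are assumptions for illustration; run it from an elevated PowerShell 4.0 or later session.

```powershell
# Added example (not from the original thread, Malwarebytes or Kaspersky).
# Triage a "hidden driver installation" alert: find the driver image, verify
# its Authenticode signature and hash it. Assumptions for illustration: the
# driver service is named "mbam" and the signer subject contains "Malwarebytes".

function Resolve-DriverImagePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Service image paths come in several shapes: "\??\C:\...", "\SystemRoot\...",
    # "system32\drivers\x.sys" (relative to the Windows directory) or a plain path.
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverTriage {
    [CmdletBinding(DefaultParameterSetName = 'ByService')]
    param(
        # Name of the driver service as registered under HKLM\SYSTEM\...\Services
        [Parameter(ParameterSetName = 'ByService', Mandatory)][string]$ServiceName,
        # Or a path to a driver file that has not been registered yet (e.g. staged by an installer)
        [Parameter(ParameterSetName = 'ByPath', Mandatory)][string]$ImagePath,
        [string]$ExpectedSigner = 'Malwarebytes'   # assumption, see lead-in
    )

    $svc = $null
    if ($PSCmdlet.ParameterSetName -eq 'ByService') {
        # Kernel drivers are not returned by Get-Service; query the WMI driver class instead.
        $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
        if (-not $svc) {
            return [pscustomobject]@{ Service = $ServiceName; Image = $null
                Verdict = 'no such driver service; if the alert named a file, re-run with -ImagePath' }
        }
        $ImagePath = Resolve-DriverImagePath $svc.PathName
    }

    if (-not (Test-Path -LiteralPath $ImagePath)) {
        return [pscustomobject]@{ Service = $ServiceName; Image = $ImagePath
            Verdict = 'image file not found: investigate' }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $ImagePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $sha256 = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash

    # Only a valid signature from the publisher you expected justifies "Allow".
    $verdict = if ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSigner*") {
        'valid signature from the expected publisher: Allow is reasonable'
    } elseif ($sig.Status -eq 'Valid') {
        'validly signed, but by an unexpected publisher: check the signer before allowing'
    } else {
        "signature status '$($sig.Status)': block and investigate"
    }

    [pscustomobject]@{
        Service   = if ($svc) { $svc.Name } else { $null }
        State     = if ($svc) { $svc.State } else { 'not registered' }
        StartMode = if ($svc) { $svc.StartMode } else { $null }
        Image     = $ImagePath
        Signer    = $signer
        SigStatus = $sig.Status
        SHA256    = $sha256
        Verdict   = $verdict
    }
}

# Usage: the driver discussed in this thread (service name assumed).
Get-DriverTriage -ServiceName 'mbam' | Format-List
```

When the alert fires during setup, the driver may not be registered as a service yet; in that case pass the file the alert names with `-ImagePath` instead. The hash is worth keeping alongside your decision so that a later alert for a file with the same name but a different hash stands out.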

  • Root Admin
I am using Kaspersky Anti-Virus and have noticed this behavior.

What I do is pause protection in Kaspersky Anti-Virus before I upgrade Malwarebytes to a newer version.

As is the recommendation with ANY software install. If you read the fine print for many applications they ask or tell you to DISABLE your Anti-Virus while installing.

If you're still having problems with installation or update of MBAM please DISABLE your Anti-Virus temporarily and follow the directions below.

Basic procedures to correct freezing issues often due to other Security Software

If these procedures do not correct the problem please create a new post seeking further assistance

  1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

  2. Restart your computer (very important).

  3. Download and run this utility.

  4. It will ask to restart your computer (please allow it to).

  5. After the computer restarts, install the latest version from here.

    Note: If you're using a PAID version of Malwarebytes, you will need to reactivate the program using the license you were sent via e-mail.

BEFORE registering and starting the Protection Module, locate the Exclusion List for your Anti-Virus. It is probably under an advanced menu in the program.

Add the following folders (and sub-folders if you can); at a minimum, add the files to the exclusion list to be safe.

  • C:\Program Files\Malwarebytes' Anti-Malware

  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

  • C:\WINDOWS\system32\drivers\mbam.sys

  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys

  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

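An exclusion tells the AV to stop looking at a path, so it is worth confirming what is actually at each path in the list above before adding it: an exclusion covering an unsigned or swapped binary hides exactly that file. The PowerShell below is an added example of that check; it is not part of this post or of Malwarebytes' own tooling. It maps the XP-era paths from the post onto the current `$env:ProgramFiles` / `$env:ProgramData` layout (an assumption about where the same folders live), verifies the Authenticode signature of every executable image at each location, hashes data files such as rules.ref, and reports which paths are safe to exclude. The expected signer string "Malwarebytes" and the function names are assumptions for illustration; it needs PowerShell 4.0 or later.

```powershell
# Added example; not part of the original post or of Malwarebytes' tooling.
# Verify what is at each candidate exclusion path before excluding it.
# Assumptions for illustration: the post's XP-era paths map onto
# $env:ProgramFiles / $env:ProgramData, and the signer subject contains "Malwarebytes".

$imageExtensions = '.exe', '.dll', '.sys'

function Test-ExclusionTarget {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSigner = 'Malwarebytes'   # assumption, see above
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Images = 0; Unverified = 0
            Advice = 'skip: nothing there to exclude'; Details = @() }
    }

    $item = Get-Item -LiteralPath $Path
    if ($item.PSIsContainer) {
        # Folder: examine every executable image below it (covers mbam.exe, mbamgui.exe, mbamservice.exe).
        $images = @(Get-ChildItem -LiteralPath $Path -Recurse -File |
                    Where-Object { $imageExtensions -contains $_.Extension.ToLower() })
    } elseif ($imageExtensions -contains $item.Extension.ToLower()) {
        $images = @($item)
    } else {
        # Data file such as rules.ref: not signable, so record its hash and exclude it by exact path only.
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        return [pscustomobject]@{ Path = $Path; Exists = $true; Images = 0; Unverified = 0
            Advice = "data file (SHA256 ${hash}): exclude by exact path only"; Details = @() }
    }

    # Anything not validly signed by the expected publisher is flagged with its hash for review.
    $bad = @(foreach ($f in $images) {
        $sig     = Get-AuthenticodeSignature -FilePath $f.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
            [pscustomobject]@{ File = $f.FullName; Status = $sig.Status; Signer = $subject
                SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash }
        }
    })

    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        Images     = $images.Count
        Unverified = $bad.Count
        Advice     = if ($bad.Count -eq 0) { 'all images validly signed by the expected publisher: ok to exclude' }
                     else { 'do not exclude yet: review the Details entries' }
        Details    = $bad
    }
}

# The post's paths mapped to the current layout (assumption; XP fallback for ProgramData).
$programData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$mbamData    = Join-Path $programData "Malwarebytes\Malwarebytes' Anti-Malware"
$candidates  = @(
    (Join-Path $env:ProgramFiles "Malwarebytes' Anti-Malware")
    $mbamData
    (Join-Path $mbamData 'rules.ref')
    (Join-Path $env:SystemRoot 'system32\drivers\mbam.sys')
    (Join-Path $env:SystemRoot 'system32\drivers\mbamswissarmy.sys')
)
# A 32-bit build on 64-bit Windows lands under Program Files (x86).
if (${env:ProgramFiles(x86)}) { $candidates += (Join-Path ${env:ProgramFiles(x86)} "Malwarebytes' Anti-Malware") }

$results = $candidates | ForEach-Object { Test-ExclusionTarget -Path $_ }
$results | Format-Table Path, Exists, Images, Unverified, Advice -AutoSize
$results | Where-Object Unverified -gt 0 | Select-Object -ExpandProperty Details | Format-Table -AutoSize
```

Prefer excluding the individual files over the whole folders where the AV allows it: a folder exclusion also covers anything later dropped into that folder, which the check above cannot anticipate.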
