
MBAM's handling of Driver Reviver as PUP



To my surprise, when MBAM Pro (Version: 2.01.6.1022, Malware Database: v2015.06.01.03) ran its daily scan today, it detected 49 PUPs, all related to a program called Driver Reviver.  I've had this program on my computer for several years, but today was the first time MBAM objected to it.  I have two questions:  1) What would cause MBAM to suddenly object to a program that has been on my computer for years?  2) My MBAM settings ask that I be warned about PUPs, not that they be treated as malware.  Nonetheless, MBAM quarantined these 49 files.  Why did it quarantine them rather than simply warn me?

 

 


Hi:
 
Welcome back. :)
 
If you think these detections might be a false positive, I suggest the following:

The research team will review the information and advise you further.

 

Thank you,


Thanks, daledoc1, for your prompt response.  I'm frankly less concerned about whether MBAM's action was the result of a false positive than why MBAM quarantined the 49 PUP files even though my settings are that I should be warned about PUPs, not that they should be treated as malware.

 

I'm not concerned about whether this was a false positive because, after MBAM quarantined them, I decided that since I hadn't used the program in well over a year, I might as well simply get rid of it.  I ran Revo Uninstaller, but Revo was unable to remove the program, probably because MBAM had quarantined the program's uninstaller.  I then restored all the files from quarantine and ran Revo again.  That apparently worked, but it would have been less time consuming had MBAM simply warned me about these files, as my settings had asked.  So my main concern is with MBAM's ignoring my settings.  What do I have to do to get MBAM to just WARN me about PUPs?


Hi:
 

Thanks, daledoc1, for your prompt response.  I'm frankly less concerned about whether MBAM's action was the result of a false positive than why MBAM quarantined the 49 PUP files even though my settings are that I should be warned about PUPs, not that they should be treated as malware.


Alas, there's no way to know without some data (logs). :(
 
In addition to the previously requested scan log showing the detections (instructions are below), it would help to have some basic system info.
Please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: FRST.txt, Addition.txt and CheckResults.txt).

 

The 3 diagnostic logs, plus the scan log, will help the staff to determine what's going on, and a possible solution.
 
Thank you,
----------------


How to get SCAN logs or PROTECTION logs:
(Export log to save as a txt file for posting in the forum when requested)

  • Open MBAM.
  • Click on the HISTORY tab > APPLICATION LOGS.
  • Double-click on the SCAN LOG which shows the date and time of the scan just performed (or the one you are asked to post), OR on the PROTECTION LOG showing the detection you are reporting (or the one that you are asked to post).
  • Click EXPORT.
  • Click TEXT FILE (*.txt)
  • In the "Save File" dialog box which appears, click on DESKTOP.
  • In the FILE NAME box, type a name for your scan log.
  • A message box named "File Saved" should appear, stating that "Your file has been successfully exported".
  • Click OK.
  • Please attach the saved log to your next reply here in this thread.

Hi again, daledoc1.  Thanks for your response.  Apparently, when I got rid of Driver Reviver yesterday, I failed to zap the setup.exe file, so today MBAM flagged that as a PUP.  I should note that since I wanted to be sure to have a copy of the scan file, and since I didn't realize at the time that MBAM keeps copies under History, I said no, I didn't want to restart my computer.  Instead, I made a copy of the file, then went to the forum to see whether there had been any response to my most recent message.  I found your request for files.  So I've now attached 5 files:

 

1-2) 2 scan logs, yesterday's (pup49.txt) and today's (pup_again60215.txt)

3) FRST.txt

4) Addition.txt

5) CheckResults.txt

 

I'm hoping my not having re-started my computer today after receiving MBAM's notification about the PUP won't be a problem.  I'm also hoping that something in these files may help you answer my question about why MBAM ignored my setting about simply warning me about PUPs rather than treating PUPs as malware.

 

Thanks again for your help.

 

 


How bizarre!  I added each one of them with the Attach file mechanism, and each one seemed to be uploaded.   I guess I'll try again.

pup49.txt, pup_again60215.txt, FRST.txt, Addition.txt, CheckResults.txt, CheckResults.txt

 

I think I figured out what I did wrong the first time.  What I don't know is whether I also have to click on Add to Post for each file.  I've now done that, but it seems a bit strange to click on Open, then Attach this File, and then Add to Post.  Is this last step needed?

 

Oh well, sorry about their not being included the first time.


Hi:
 
You wrote:

 

Why did it quarantine them rather than simply warn me?

 
The short answer is because your log shows that MBAM is actually configured to "Treat (PUP) Detections as Malware": :)
 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/1/2015
Scan Time: 11:41:44 AM
Logfile: malware49.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.01.03
Rootkit Database: v2015.05.31.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

<snip>

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

 
"Enabled" means "Treat Detections As Malware" (i.e. Quarantine)
"Warn" means "Warn User About Detections"
"Disabled" means "Ignore Detections"
 
Having said that, while PUPs are not "malware", per se, most folks don't want PUPs on their system. 

This pinned topic explains why: What are the 'PUP' detections, are they threats, and should they be deleted?
 
Getting back to your original question, if you think these detections may be a false positive, then we suggest the following:

OTOH, if you would like free, expert assistance with scanning and cleaning the system from PUPs/adware/malware, then we suggest that you might want to please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue.

Thanks,

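The log reading given in the reply above can be turned into a check that compares an exported scan log against the handling you intended. This is an added example, not part of the thread and not Malwarebytes code: the value-to-action mapping is the one stated in that reply, the function names are hypothetical, and the sample is an excerpt of the log quoted there.

```python
import re

# Mapping as stated in the reply above (not taken from vendor documentation).
ACTION_BY_VALUE = {
    "Enabled": "quarantine",   # "Treat Detections As Malware"
    "Warn": "warn",            # "Warn User About Detections"
    "Disabled": "ignore",      # "Ignore Detections"
}

# Excerpt of the scan log quoted in the thread.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/1/2015
Scan Time: 11:41:44 AM
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
"""

def parse_header(text):
    """Return the 'Key: Value' lines of an exported scan log as a dict."""
    fields = {}
    for line in text.splitlines():
        # Keys are letters, spaces and hyphens only, so detection entries
        # such as "PUP.Optional..." are not mistaken for settings.
        m = re.match(r"^([A-Za-z][A-Za-z \-]*):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    return fields

def check_policy(text, intended):
    """List (category, logged value, effective action, intended action)
    for every category whose logged handling differs from the intended one.
    A missing or unrecognized value is reported as 'unknown'."""
    fields = parse_header(text)
    findings = []
    for category, want in intended.items():
        logged = fields.get(category)
        effective = ACTION_BY_VALUE.get(logged, "unknown")
        if effective != want:
            findings.append((category, logged, effective, want))
    return findings

if __name__ == "__main__":
    for f in check_policy(SAMPLE_LOG, {"PUP": "warn", "PUM": "warn"}):
        print("%s: log says %r -> %s, expected %s" % f)
```
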

Thanks, daledoc1, for your response.  I'm afraid, however, that you may be incorrect in saying that "Enabled" means that MBAM will treat PUPs as malware.  That's ONE of the options, but not the one that I chose, as you can see in the screenshot that I have attached:

[Attached screenshot]

 

As the screenshot shows, I have chosen "Warn User About Detections."  If Enabled is supposed to mean only Treat as Malware, then there's something wrong with the MBAM user interface, since it clearly offers me the possibility of simply being warned, and that's the option I chose. 

 

Since I've removed Driver Reviver from my computer, I'm not really interested in finding out whether MBAM's suddenly calling it a PUP is a false positive.  It's possible that MBAM has new information that leads it to consider Driver Reviver a PUP, or it may be that their call is a false positive.  I'm much more interested in calling attention to the apparent disconnect between my having chosen "Warn User About Detections" and MBAM's ignoring that choice.

 

 


Hi:

 

Sorry, but I was only reporting what your log shows. :(

It shows that the setting for PUPs was to "Treat Detections as Malware" = quarantine.

I suppose there could be an issue with the mbam-check utility not logging correctly.

However, we have not seen any trouble with that reported here in the forum. :(

Perhaps if you recently upgraded your version of the MBAM (especially if it was an on-top upgrade), something got mixed up with the settings?

 

I would suggest cleanly reinstalling the program by carefully following the best practices in this pinned topic: MBAM Clean Removal Process 2x

 

If that doesn't resolve your issues, we would need a FRESH set of all new logs in order to provide the data to the QA team: Diagnostic Logs

If you need to run FRST again, please download a fresh copy of the FRST installer and be sure to place a checkmark in the "Addition.txt" option.

Then, please attach a new set of all 3 logs to your next reply.

 

Thank you again,


Thanks, Porthos, for your message.  After reading it, I did a search and found a message from 2014 that talks about auto-quarantine.  I confess that the ins and outs of the discussion made me a bit dizzy :) .  It seems to me, however, that if I simply say I want to be warned if MBAM discovers PUPs, that's different from asking it to treat PUPs like a threat.  And since I DO have my Settings set to warn user about PUP detections, that should result simply in my being warned.   But apparently MBAM's right hand doesn't know what its left hand is doing. :(


 

Sorry, but I was only reporting what your log shows. :(

It shows that the setting for PUPs was to "Treat Detections as Malware" = quarantine.

I suppose there could be an issue with the mbam-check utility not logging correctly.

However, we have not seen any trouble with that reported here in the forum. :(

 

Thanks, daledoc1, for your response.  I think there's clearly a problem with MBAM.  My screenshot shows that I have chosen to be warned about PUPs.  That should be the end of the matter, but apparently it's not.  The scan log says nothing about my wanting PUPs to be treated as malware.  They simply show that I have a PUP setting enabled, but what I've enabled is just to be warned.  That was one of the three options, the others being to ignore detections or to treat them as malware.  Presumably selecting ignore might result in "disabled" being checked, I don't really know.  But surely the other two options should both qualify as "enabled," which is apparently why "enabled" rather than "disabled" is checked in my settings.  It makes no sense to have an option to warn user about detections unless that option is honored by MBAM.  So I guess now you DO have a report of something not working correctly in MBAM. :)

 

If I have time, I might try what you suggest about reinstalling the program, but it sounds like it might take more time than it's worth to me right now.  So for now I think I'll leave things alone.  MBAM's recent PUPs discovery was the first discovery of any sort in ages. 

 

Again, many thanks for your time, your effort, and your advice.  I really do appreciate them.
