A few Questions for Developers/Experts of Malwarebytes, URGENT!


Hi.

I would like to get the attention of the creators / experts of Malwarebytes. First I would like to say I have been a loyal Malwarebytes user with excellent success rates, and it is one item I leave in clients' homes as a trial, urging them to upgrade to obtain real-time scanning. Over 60% have done so, and nothing but great feedback.

I'm having difficulty with a few people concerning Malwarebytes' recommended scan. I consider myself experienced and seasoned, with 15+ years of experience, so I ask that we can talk about this logically without suppressing opinions.

When I've encountered some clients that are heavily infected with multiple infections, I start the computer in safe mode and run a clean-up of temp files, either with my own batch files or something like CCleaner. I then proceed to do a scan in safe mode with Malwarebytes. Once I've done that, I boot in normal mode and follow up with another scan, and usually complement Malwarebytes with a couple of other scans, like McAfee Stinger, and so on.

I've never had a problem with my method of scanning. I find it to be efficient, less time consuming and thorough. Having heard that you MUST run in normal mode, I ask: what are the consequences of my scanning technique?

With the world of ever-evolving malware, computers becoming unresponsive, and malware itself targeting antimalware software, I find it easier to boot in Safe Mode first, loading the standard minimal drivers with a high rate of the malware infection not loading, giving the system breathing time... and running Malwarebytes in safe mode is an effective strategy. Yeah, I can stay in normal mode, and battle TSRs and manually try to kill off all kinds of spyware for hours so I then can do the 'recommended' way of running Malwarebytes in normal mode. This doesn't cut it in the real world.

Yes, from my experience I've come to know certain types of infections. If I see a simple rogue antispyware application warning the user to buy it, I run a simple scan in normal mode and it's removed, simple.

If I recommend to someone else (knowing the symptoms of their infection) to run a scan in safe mode first, followed up by a scan in normal mode, what are the consequences? Have I really gone against the developers?

Is this prohibited?

Yes, I know some say it's designed to catch and remove in normal mode, but let's be honest, not everyone purchases the Real Time scanning ability.

I've used Malwarebytes in 64bit edition, it can't load realtime, you can do only a scan. How much difference is this compared to a safemode scan in 64bit windows? Isn't it equivalent, since Malwarebytes doesn't support 64bit fully?

What are the main differences running Malwarebytes in safe mode / normal mode? The canned response of 'it's designed that way' is not what I'm looking for; I need detailed information. What I can see is that in normal mode you might detect the malware in memory, rather than in safe mode. But if the malware is preventing the user from using the computer fluently to run any task, Malwarebytes still detects the troublesome malware in safe mode.

Does Malwarebytes load something specific during normal mode that it doesn't in safe mode? If so, how much of a difference is it?

Malwarebytes runs fine in safe mode, and other experts can agree to a scan in safe mode first. When do the developers of Malwarebytes recommend a safe mode scan?

Is there ANY danger at all running a scan in safe mode? Or consequences relating to it.

I see others saying they are 'malwarebytes' certified, how does one obtain this? From real world experience or reading a manual?

If I have many questions, please be patient.


I've never had a problem with my method of scanning. I find it to be efficient, less time consuming and thorough. Having heard that you MUST run in normal mode, I ask: what are the consequences of my scanning technique?

This goes into areas where I can't say much without giving away the internal workings, but MBAM is stronger from regular mode. This is by design, as the majority of new malware runs from safe mode, so you gain nothing anyway. There are also multiple infections that, as part of their first step, blow away the entire SafeBoot key set, so we do not rely on it being there.


Yes, safe mode doesn't mean it's guaranteed to not load any malware. I still see some malware run in safe mode. However, if it's a service/driver-based malware, chances are high it won't load in safe mode.

Some malware destroys the SafeBoot key, but I use a small reg file to fix the boot key in such cases. And isn't that in itself obvious? Some malware goes as far as trying to prevent you from running in safe mode, since for some stubborn malware, safe mode provides the functionality to remove it. SuperAntiSpyware also has this fix-boot-key embedded in their 'repairs' menu, a feature Malwarebytes might implement one day.

Thanks for responding. I'm not looking for any proprietary inner workings of Malwarebytes, just information regarding my post. Do you think you can speak with some developers and ask them to post here?
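As an added illustration of the SafeBoot key damage discussed above (this is not code from the thread or from Malwarebytes), the following PowerShell function reports whether the SafeBoot\Minimal and SafeBoot\Network key sets and the AlternateShell value are still as Windows ships them. It assumes an elevated PowerShell session on the machine being examined; the list of core group names is my own baseline of long-standing entries, and the function changes nothing.

```powershell
# Added example (not from the thread or from Malwarebytes): read-only check that the
# SafeBoot key set Safe Mode depends on is still intact. Assumes an elevated session.
function Test-SafeBootKeys {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path $base)) {
        $findings.Add('SafeBoot key is missing entirely; Safe Mode cannot start')
        return [pscustomobject]@{ Intact = $false; Findings = $findings }
    }

    # Baseline of driver/service groups Windows lists under SafeBoot\Minimal (my own list
    # of the long-standing entries; a missing one means the set was edited or wiped).
    $coreGroups = 'Base', 'Boot Bus Extender', 'Boot file system', 'File system',
                  'Filter', 'PCI Configuration', 'Primary disk', 'SCSI Class',
                  'System Bus Extender'
    $minimalCount = 0

    foreach ($mode in 'Minimal', 'Network') {
        $key = Join-Path $base $mode
        if (-not (Test-Path $key)) {
            $findings.Add("$mode key is missing; that Safe Mode variant will not start")
            continue
        }
        $present = @((Get-ChildItem $key).PSChildName)
        foreach ($g in $coreGroups) {
            if ($present -notcontains $g) { $findings.Add("$mode lacks core group '$g'") }
        }
        if ($mode -eq 'Minimal') {
            $minimalCount = $present.Count
        } elseif ($present.Count -lt $minimalCount) {
            # Safe Mode with Networking is a superset of Minimal on a stock system.
            $findings.Add("Network has fewer entries ($($present.Count)) than Minimal ($minimalCount)")
        }
    }

    # AlternateShell is what "Safe Mode with Command Prompt" launches; Windows sets cmd.exe.
    $shell = (Get-ItemProperty $base -ErrorAction SilentlyContinue).AlternateShell
    if ($shell -ne 'cmd.exe') { $findings.Add("AlternateShell is '$shell' (expected cmd.exe)") }

    [pscustomobject]@{ Intact = ($findings.Count -eq 0); Findings = $findings }
}

$result = Test-SafeBootKeys
if ($result.Intact) { 'SafeBoot key set looks intact' } else { $result.Findings }
```

If it reports missing keys, the repair is the one the poster describes: export the same SafeBoot keys from a known-clean machine running the same Windows version and merge that .reg file before attempting a Safe Mode boot.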


However, if it's a service/driver-based malware, chances are high it won't load in safe mode.

I remember when this was true; it is trivial to bypass this with a small addition to the registry. It's been a while since I saw a rooter NOT do this.

Our goal was to be able to have the average noob user download our software, update it and then run a scan.

Safe mode and restoring the keys might seem trivial to us, but to the average user it's just a bunch of complicated extra directions.


I remember when this was true; it is trivial to bypass this with a small addition to the registry. It's been a while since I saw a rooter NOT do this.

Our goal was to be able to have the average noob user download our software, update it and then run a scan.

Safe mode and restoring the keys might seem trivial to us, but to the average user it's just a bunch of complicated extra directions.

Point taken on making things easier to run in normal mode for average users. If one was to instruct a user on how to correctly scan in safe mode in situations where a seasoned tech knows it's best, is this going against the developers' rules?


And when a user cannot scan in normal mode for unknown reasons and you instruct them to scan in safe mode, what are the major differences, if any?

It's clear it works in safe mode and the scan should be done in normal mode if it can be. So when Malwarebytes instructs to run in safe mode, what are the differences? Is there ANY harm? What ability will you be losing in safe mode, if any? What advantage is there in normal mode that safe mode doesn't have?

Any experts out there with input for my original questions in my first post, please post when you have a moment.


Safe mode boots Windows with limited drivers and processes. Things such as Windows Uninstaller (or w/e it's called) aren't loaded. Safe mode provides a safer way of fixing things if the normal way is not possible. Safe Mode is for troubleshooting mainly. In normal mode all drivers are accessible; however, processes including any malware processes may be on in normal mode, which can still usually be prominent in safe mode, however are sometimes not. Disallowing certain Windows functions that malware could use to its advantage makes safe mode useful.


I do have excellent knowledge on what safe mode is and thank you for your information. I can agree that even in safe mode, some malware may still load. I was wondering particularly if safe mode hampers in any way Malwarebytes scanning process.

Of course in normal mode drivers/services are loaded and Malwarebytes can detect most. But Malwarebytes still does target the driver/Windows directory in safe mode. Is there any difference in the scanning engine/process in safe mode? I understand that in normal mode malware loads, making it easier for Malwarebytes to detect; besides that, is there any difference in the scanning process in normal/safe modes? Is it safe to say that the scanning method is identical in both modes?


It is not safe to say. As nosirrah said, it helps nobody to give away details of our implementation in public, since malware writers can read these boards as easily as you can. But suffice it to say that the scan is NOT as powerful in Safe Mode, and normal mode scan should nearly always be used. It is not unsafe to scan in Safe Mode, just less effective.


Appreciate your honest response. I'm in no way a malware writer or whatever. And I'm sure those skilled people can find out the workings of any program they need to know about.

So if I know a user's infection is more than meets the eye (enter Transformers theme here), can I say 'hey, run a safe mode scan with Malwarebytes, then follow up with a Malwarebytes scan in normal mode'?


There should certainly be nothing wrong with this technique. As long as the scan in normal mode is done at some point, because as Nosirrah (who is one of the developers) stated, MBAM is designed to work in normal mode. It's simply most effective when run this way. Other tools like Spybot Search & Destroy work pretty much the same in normal mode vs safe mode, but MBAM does not and that's the most important thing to remember. Nothing bars you from using it in safe mode, but the results just probably won't be as good as they would if run from normal mode. Of course, doing both as you are shouldn't cause any harm, just perhaps a bit more time consuming ;) .


One of my concerns on many other IT forums is the posting of advice to start MBAM, ComboFix, even SDFix (still), and many others - and use "Safe Mode" as the starting point for all of these applications.

To me, it is as simple as reading the developers' instructions and then following the instructions.

I have always started out with downloading MBAM, installing it, and starting the Quick Scan in Normal Mode. Being appropriately paranoid, I always follow-up with a complete scan.

Without question there will be times when a box is so badly infected that we will be forced to use Safe Mode - or 'slaving' it off another computer - or some other extraordinary actions.

I think the key routine for us is to always start by using the process recommended by the developers, before we ad lib with our own methods.


Ahh Mr. V.

I think I've already got my ruling. I can instruct someone to run MBAM in safe mode (if I feel the situation calls for it) as long as they follow up with an MBAM scan in normal mode. If the SafeBoot key is an issue (let's face it, if malware attacks this, it's going to attack it; it's not 'Malwarebytes' specific. We can repair this SafeBoot key with a small reg file and a number of other ways, and other antispyware already implements a feature to repair this key), I can instruct them how to repair this key, ok?

I see many views but not many detailed responses. Cleaning up a massively infected system isn't a 5-minute task. It takes a bit of time for thoroughness, supplementing with other antispyware methods. There is not one application to handle it all, and we can surely agree on that. We haven't evolved the 100% remove-it-all antimalware, antivirus application yet. I strongly believe Malwarebytes is one of the top 2 apps in the field. Personally (and I'm sure others can agree), safe mode in many situations I've deemed an efficient way to start; it works great, I see absolutely no difference in detection/removal, and if anything I see the program more responsive in safe mode, unlike its counterpart which has all the crapware starting up and multiple infections. I then follow up with scans of 2 diff sorts in normal mode. Never an issue.

Since I recommend Malwarebytes in other forums this is the part of the generic response I'll be giving them, for Malwarebytes part:

Download Malwarebytes from Malwarebytes.com, install it, update it, run a scan, remove objects, restart.

If you are having problems running Malwarebytes in normal mode due to pesky objects or other unknown reasons, run Malwarebytes in Safe Mode (me giving instructions how to), and follow up with a scan in Normal Mode.

If I feel the person has symptoms of items hampering his system, I'll recommend:

Download Malwarebytes from Malwarebytes.com, install it, update it, but don't run a scan yet.

(instructions to do a safe boot scan injected here)

Can't download? (I'll give instructions to download in another system, with a link to mbam current rules/definitions, place on a usb drive, boot infected system in safe mode, install mbam, install manual definitions, run scan/remove objects)

Once they've cleared up most, if not all, of the malware that prevents normal function in normal mode, I'll recommend following up with a Malwarebytes scan in normal mode.

Both of my bolded instructions on top will be given with instructions with another antispyware app. If any developer needs to interject, kindly do so, as I will start using my 2 directions above on how to scan.

I can appreciate the oldmariner guy coming here and sticking with 'reading the developers' instructions and then following the instructions'. This is the basis of any beginning instructions. Instructions are meant by nature to evolve. From experience, us IT professionals develop systems and proven techniques that work.

How often do we see instructions 'Reinstall Windows', but we indisputably have proven techniques: some do a manual registry restore in DOS, others do a repair install, or other methods to save a user from hours of applying updates, restoring data, and reinstalling programs.

We have basic instructions on how to use Windows XP's own backup utility, but we evolve and use more thorough, simpler backup software.

We have basic instructions on how to cook a steak, with dozens of chefs out there cooking with various methods.

We have basic instructions on how to use a screwdriver, wash a car, paint your room, copy music from your iPod, and so on. We develop systems that stay within the constraints of the basic instruction idea but make it more efficient.

The way I polish and shine my vehicle is different than the way you do a 1-minute hot wax thru your local carwash drive-thru.

I've done the above bold in numerous situations and never had a problem. The short handful of problems I've faced, if any, are other things, ranging from exe files being corrupted by the Virut virus beyond repair to other issues.

No one has answered the 64-bit question. Malwarebytes cannot load real-time in 64-bit. You can only scan. I'm supposing it doesn't load anything in particular in 64-bit; if this is true, then in theory there is no difference between scanning in 64-bit Windows normal mode and scanning in 64-bit safe mode in Malwarebytes itself. The only difference is some malware being loaded in normal mode. But no difference in the Malwarebytes scan itself.

I'll be using the scan methods above in bold to recommend; can I get a ruling on this?


Actually, Malwarebytes' now does run in 64-bit (including the protection module) as of version 1.37 ;) . And as far as scanning goes, I don't believe there was ever a problem with its ability to do what it does in normal mode in x64, as I run x64 and I've tested it. As far as effectiveness, MBAM is good at what it does and isn't designed to be a "catch all" solution, and I've never heard anyone behind its development claim that it was. It is an anti-malware tool designed to detect and remove the current nasties that the big AV companies miss, and it does this quite well. I don't see anything wrong with your methods or instructions, but I do think MBAM's effectiveness is best seen in normal mode due to safe mode's limitations, as well as increasing the odds that MBAM will catch more infections because they're in memory. Finally, I'll just say this: I personally recommend that, if at all possible, you run MBAM in normal mode. If you can't, then either use another tool or even MBAM itself from safe mode etc.


Now supports 64-bit? Awesome. My point wasn't questioning the ability of MBAM's effectiveness in 64-bit when it wasn't supported. I've used it in a few 64-bit Ultimate installations. I don't recall a driver being loaded and the real-time scanning being effective, but I never had any issues. My point being it scanned precisely like it would in safe mode. Yes, in normal mode you can catch malware in memory, but that is by design in every antivirus/antispyware application. In safe mode during a serious infection, chances are high that most won't load, giving a bit of leeway to work. MBAM won't detect the malware in memory because it didn't get loaded; any other scanning engine is the same way. And I'm very confident that MBAM, along with a couple of my other favorites, targets the specific hotspot directories/registry and known areas where malware tends to lurk. Eradicating it there and booting to normal mode results in a high percentage of the malware not loading into memory. I love having the freedom to run my scans the way I want. I know many experts here already can 'feel' a machine and simply start a scan in safe mode, and follow up with other scans in normal mode.

I love when people recommend certain things to me; it gives me the freedom to hear professionals speak, without suppressing opinions. How many times do we get our car inspected at the local ASE-certified mechanic shop, when one mechanic 'recommends' changing our rotors later and brakes now, while another mechanic 'recommends' changing both the brakes and rotors now because it's more effective, or some recommend changing our timing belt now or changing it in another 8,000 miles. These are professionals; what does human logic do... we tend to find favorable the least costly repair recommendation, while others take the recommendation and spend the money now for all changes. Go to a restaurant and get recommended by the waiter to try the lobster and fried apples dish; we pass and go for a steak if we desire.

Yes that's way off topic, hopefully I defined what recommend means:

Recommend (v.): to advise, as an alternative; suggest (a choice, course of action, etc.) as appropriate, beneficial, or the like: He recommended the blue-plate special. The doctor recommended special exercises for her.

I won't make a 'recommendation' to a user to cause any harm or jeopardize his pc condition. Only to help achieve the goal of eradicating malware.

If my seasoned experience sees a user struggling with pesky items that won't go away after numerous scans with diff software, I'll make my recommendations, which my experience has proven to be effective with no harm whatsoever.

Since there is no objection to my scenarios posted in bold, I'll polish them with other scan software and use them for recommendations, with running in normal mode in situations I see fit. Thanks for not suppressing my questions here and for the honest responses.


You're very welcome ;) . I'm honestly not sure if it ever loaded its driver in x64 or not; I never ran Process Explorer or Process Monitor to check it. Either way, go with what works. Safe mode is certainly a commonly used alternative to normal mode when stuff just won't run. Another thing to keep in mind: if there are multiple user accounts on the PC, MBAM will need to be run (at least a quick scan) on each to scan each respective registry, because it currently contains no method to load alternate user hives the way that Spybot Search & Destroy and some other tools do. Most of the time MBAM will effectively kill the true root of the infection by eliminating the executables and .dll's, but often removing the orphaned registry entries is necessary to prevent error messages once logged in (the old pop-up saying "Cannot find badtrojanthatyouremoved.dll"). I'm glad the software works for you. If you have any more questions please let us know.
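To illustrate the per-user hive point made above (an added example, not code from the thread or from Malwarebytes), this PowerShell function walks every local profile listed under ProfileList, temporarily loads the NTUSER.DAT of accounts that are not logged on, lists their Run/RunOnce autostart entries, and flags entries whose target file no longer exists, which is exactly the orphaned "Cannot find ...dll" leftover described. It assumes an elevated PowerShell session on the machine being examined; the temporary hive name TmpHive_<rid> is my own choice.

```powershell
# Added example (not from the thread or from Malwarebytes): enumerate Run/RunOnce entries
# for every local profile, including hives of accounts that are not currently logged on.
# Assumes an elevated session; read-only apart from the temporary reg load/unload.
function Get-AllUserAutoruns {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' }   # real user accounts only

    foreach ($p in $profiles) {
        $sid  = $p.PSChildName
        $path = (Get-ItemProperty $p.PSPath).ProfileImagePath
        $hive = Join-Path $path 'NTUSER.DAT'
        $tmp  = 'TmpHive_' + $sid.Split('-')[-1]   # temporary mount name (my own choice)
        $root = "HKU:\$sid"
        $loadedHere = $false

        if (-not (Test-Path $root)) {
            # Account is not logged on, so its hive is not under HKEY_USERS: mount it.
            if (-not (Test-Path -LiteralPath $hive)) { continue }
            reg.exe load "HKU\$tmp" $hive | Out-Null
            if ($LASTEXITCODE -ne 0) { continue }
            $root = "HKU:\$tmp"
            $loadedHere = $true
        }
        try {
            foreach ($key in 'Run', 'RunOnce') {
                $rk = "$root\Software\Microsoft\Windows\CurrentVersion\$key"
                if (-not (Test-Path $rk)) { continue }
                $props = Get-ItemProperty $rk
                $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
                foreach ($name in $names) {
                    $cmd = [string]$props.$name
                    # Pull the executable out of the command line: quoted path or first token.
                    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
                    $exe = [Environment]::ExpandEnvironmentVariables($exe)
                    # Only absolute paths can be checked; others (e.g. rundll32 ...) stay unknown.
                    $orphan = if ($exe -match '^[A-Za-z]:\\') { -not (Test-Path -LiteralPath $exe) } else { $null }
                    [pscustomobject]@{
                        Sid = $sid; Profile = $path; Key = $key; Name = $name
                        Command = $cmd; Orphaned = $orphan
                    }
                }
            }
        }
        finally {
            if ($loadedHere) {
                [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # release provider handles first
                reg.exe unload "HKU\$tmp" | Out-Null
            }
        }
    }
}

Get-AllUserAutoruns | Format-Table Sid, Key, Name, Orphaned, Command -AutoSize
```

Entries reported with Orphaned = True are the candidates for the manual registry clean-up the reply describes; review them before deleting, since a path on a currently unmounted drive will also show as missing.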


exile360,

Your comment about running MBAM with each account/profile is the first time I have seen that suggestion and I will change my procedures.

If that information is already posted on the Home Page or in the application instructions, I could not find it (just looked again).

Also (I'll start a separate thread if that is protocol), I've been loading either AVG/AVAST Pro and MBAM Pro on my customer's computers and removing SAS and SpyBot, but you run all three on your system.

Is there a 'protection' reason you are doing that, or are you just checking the competition?

Thanks,

OM


Regarding scanning all user accounts, it isn't on the homepage or anything, but is recommended by the experts and developers of MBAM and has been by them many times here on the forum. It generally isn't necessary to do so to kill the actual infections themselves as most infections affect all user accounts and can be killed that way, it simply helps to make sure you remove any traces in the registry that might be left over in individual users' profiles.

As far as what I use, I'm actually pretty paranoid when it comes to security. If a user chooses to use multiple security products together as part of a layered defense, MBAM is seldom one of the programs you have to worry about as far as compatibility goes. It generally plays very well with others ;) . As far as what's realistically needed for most users, generally a good antivirus, a good program like Malwarebytes' and a good software firewall are enough. Even so, it can still be a good idea to keep a couple of extra on-demand scanners handy and do a free online virus scan every once in a while just to double check that your PC is in the clear.

