Why is MBAM doing this?


Hi:
 
Staff will correct me if I am wrong, but I've never heard of MBAM doing any of that, and I'm not sure that it can.
 
Please tell us a bit more about the behavior you observe that you attribute to MBAM.

And it would greatly help if you would please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: FRST.txt, Addition.txt and CheckResults.txt)

 

Thanks,

The only modifications MBAM might make would be as a result of a scan. The only way that could occur without your knowledge would be if you have a scheduled scan configured to automatically remove any detected threats in your scheduler. You can verify what MBAM has done by checking the scan and protection logs located within the History tab.

Also, if you run Fixdamage.exe included in the Plugins folder in your MBAM installation folder, it might modify some of these items as it is designed to undo some of the fallout caused by known rootkits when executed. If you did not run Fixdamage.exe manually it may have still run if one of the rootkits known to cause the damage repaired by Fixdamage.exe (such as ZAccess/ZeroAccess) was detected during a scan of your system.

I installed 2.2.0.1024 because it said "Enhanced safeguards to prevent false positives on legitimate files".

I had some false positives before so I removed them from quarantine and exceptions to see if they were no longer detected.

It detected them all again so I re-applied my exceptions and decided to "fix" the other 2 items.

 

I chose not to reboot and while running another program I was greeted with a UAC prompt accompanied by the "secure desktop" which I have disabled.

I ran autoruns and noticed the windows defender service and iphelper service were both running also.

I have no reason to have these, so I disabled them.

 

After I disabled these items again and rebooted, they were "fixed" back to automatic start-up again, and so was the UAC setting.

I used the "recommended" threat scan and I don't see anything that mentions these actions, so it's kinda annoying that these settings were altered against my wishes.

 

I only use mbam once in a while and then delete it, as I did earlier. I'm sorry I can't give you the logs, but I'm 100% sure that these changes are made by the software.

Hi:

 

Well, it's hard to say, but @exile360 is the former Product Manager for MBAM and knows the application inside and out.

I would trust his explanation and advice.

 


 

I only use mbam once in a while and then delete it, as I did earlier. I'm sorry I can't give you the logs, but I'm 100% sure that these changes are made by the software.

 

It's up to you, but that's not a typical way that MBAM is intended to be used.

I'm not sure why one would uninstall it and reinstall it each time -- all one needs to do is install the Free version, which is a manual, on-demand scanner.

 

BTW, if this is the same computer as the one HERE, then it seems that there are definitely some odd things happening on this system.

 

Without logs, however, it's impossible to say and there's really not much more we can do to help here in the forum.

 

If you would like more assistance, then we suggest EITHER posting the requested diagnostic logs and a scan log, OR posting over in the malware removal section for a free, expert, deeper look at the system, OR logging a ticket at the help desk for one-on-one assistance via email.

 

Thank you,

I took a look at the other topic. You stated that you have run MBAR and those detection names (Poweliks and Siredef) are indeed the names of rootkits/rootkit families that would trigger MBAM/MBAR to use Fixdamage.exe as well as (likely) some of the automated repair routines contained in our remediation database included with MBAM and MBAR designed to target issues/fallout caused by those rootkits/rootkit families (for example, at least one is known to disable UAC as well as Windows Defender so as part of the removal/remediation process we would 'fix' those system components by resetting them back to their defaults/repairing any missing/broken keys in the registry etc.).

Unlike most of the other anti-malware software available today, we go above and beyond just removing threats. We also repair the fallout/damage they cause where we can, particularly when that damage/fallout leads to a malfunctioning and/or less secure system. The side-effect is of course that if you've configured system settings/components this way deliberately, we have no way of knowing that it was by choice and not a result of one of the threats we detected so we go ahead and run these repair routines anyway just to be on the safe side because in all honesty, we wouldn't want to risk leaving a user who was infected and did not change these settings on their own with a system that we said was all clean but remains broken and insecure.

There are other fix routines we run under certain conditions as well, which include for example repairing broken services which, if we left them alone would leave the user's system completely unable to connect to the internet among other things. While I understand your frustration being one of those tech-savvy PC users myself who often modifies system default settings, I'd much rather my security software be capable of taking additional measures like this to perform complete remediation of malware and its effects rather than just removing the actual malicious files and calling it a day, leaving me to find and deal with any fallout which remains on my own.
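A practical way to settle the question raised in this thread (was it the scan, or something else, that flipped UAC and the two services back?) is to record the settings before the scan and compare them after the post-scan reboot. The script below is an added example written for this thread; it is not Malwarebytes code and is not part of MBAM. It assumes the standard Windows names for the items the posters mention: the UAC policy values under HKLM\...\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and the service names WinDefend (Windows Defender) and iphlpsvc (IP Helper). The snapshot file paths are arbitrary.

```powershell
# Added example (not from the thread or from Malwarebytes): snapshot the
# settings this thread says remediation resets (UAC policy values and the
# start mode of the Windows Defender and IP Helper services), so that a
# before/after comparison shows exactly what changed across a scan.
# Assumptions: service names WinDefend / iphlpsvc and the UAC policy key
# below are the standard Windows locations; snapshot paths are arbitrary.

$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacValues = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop'
$Services  = 'WinDefend', 'iphlpsvc'

function Get-RemediationSnapshot {
    # Collect the current state as a flat "setting -> value" table.
    $snap = [ordered]@{}

    # UAC policy values; 'missing' if the value (or the key) is absent.
    $uac = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($name in $UacValues) {
        if ($null -ne $uac -and $null -ne $uac.$name) {
            $snap["UAC:$name"] = [int]$uac.$name
        } else {
            $snap["UAC:$name"] = 'missing'
        }
    }

    # Service start mode (Auto/Manual/Disabled) and current state.
    foreach ($svc in $Services) {
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        if ($s) {
            $snap["Service:$svc"] = "$($s.StartMode)/$($s.State)"
        } else {
            $snap["Service:$svc"] = 'missing'
        }
    }
    return $snap
}

function Save-RemediationSnapshot {
    # Write the snapshot to a JSON file so it survives the reboot.
    param([Parameter(Mandatory)][string]$Path)
    Get-RemediationSnapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-RemediationSnapshot {
    # Report every setting whose value differs between two saved snapshots.
    param(
        [Parameter(Mandatory)][string]$BeforePath,
        [Parameter(Mandatory)][string]$AfterPath
    )
    $before = Get-Content -Path $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content -Path $AfterPath  -Raw | ConvertFrom-Json
    $changes = @()
    foreach ($prop in $before.PSObject.Properties) {
        $old = $prop.Value
        $new = $after.($prop.Name)
        if ("$old" -ne "$new") {
            $changes += [pscustomobject]@{
                Setting = $prop.Name
                Before  = $old
                After   = $new
            }
        }
    }
    return $changes
}

# Usage: run once before the scan, once after the post-scan reboot.
#   Save-RemediationSnapshot -Path "$env:TEMP\mbam-before.json"
#   ... run the MBAM scan, apply the fixes, reboot ...
#   Save-RemediationSnapshot -Path "$env:TEMP\mbam-after.json"
#   Compare-RemediationSnapshot "$env:TEMP\mbam-before.json" "$env:TEMP\mbam-after.json" | Format-Table
```

Reading these keys and service properties needs no elevation, so the script can be run from a normal console. Keeping the comparison output alongside the scan log from the History tab gives a record that either confirms the remediation behaviour described above or points elsewhere (for example at the other activity noted in the linked topic), which is exactly the evidence the forum asked for.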
