Failed to detect significant amount of items

We use Kaseya with the Malwarebytes module (referred to as Kaseya Anti Malware or KAM) along with the Kaspersky module (referred to as Kaseya Anti Virus or KAV) and adwcleaner. I recently had an infected machine that already had KAM deployed to it from Kaseya. My regular procedure is to run KAM and if anything is detected I also run a scan with KAV and adwcleaner. However, this time I ran KAM and it detected nothing. I knew that there was a problem with this machine so I also ran adwcleaner, which found 50+ registry entries, scheduled tasks, browser plugins etc.


I'm wondering if someone can explain why KAM was unable to detect these items. Is this because KAM isn't able to detect these types of infections, or because it is unable to detect them? I am concerned because we use KAM as our 'first responder' for this type of situation and this is a pretty massive failure seeing as how some of this stuff is really common, i.e. pastaquotes, trivoli, secure fast pc.



Here are the technical details. The machine in question froze and is offline. It will not be accessible until Monday, but I do have partial screenshots of what adwcleaner detected. I have attached those to this post and will update with the full logs when I can.

adwcleaner v5.024
-----------------------
MalwareBytes Anti-Malware Version: Version: Version: 2015120904
Database Date: 15:56:06 PM 09-Dec-15
-----------------------
Kaspersky Antivirus Version: Version:
log:
Malwarebytes Anti-Malware (Kaseya) version: v2015.12.09.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18124
Protection: Enabled
12/9/2015 11:25:27 AM
mbam-log-2015-12-09 (11-25-27).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 456041
Time elapsed: 1 hour(s), 4 minute(s), 46 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

They aren't "technical details". They are graphics showing profile folders and Registry entries.


Both are not malware but artifacts of malware.


If I have 1 Potentially Unwanted Program (PUP) installed it may make 50 modifications. However, you still only have 1 PUP. Those 50 modifications are artifacts.


Those modifications are dependent on the actual executables. For the most part, if you remove the executable, whatever it is, it is basically dealt with. Some artifacts may have side effects and they have to be removed or altered, but whatever it was that was active is no longer active.


One cannot compare two anti-malware applications merely on the basis of artifacts.


Ok, so then Malwarebytes does not detect and remove artifacts for these specific instances of malware, or in general? Like I said, the screenshots are incomplete and there were files and services that were not detected. Those items that were not detected were directly associated with the scheduled tasks and folders in the screenshots and were removed by adwcleaner.


I would also like to point out that I am not trying to attack Malwarebytes; I'm trying to understand if this is a limitation of the program. If leaving behind artifacts is a characteristic of Malwarebytes then that means I need to update our procedure to include manually removing artifacts.


It is a numbers game.


Let's say I have the folder..



Under that folder I have..

3 files ( a.dat, b.dat and c.dat )

2 folders




Under c:\users\appdata\mywarze\dl I have...

3 files ( d.dat, e.dat and f.dat )

1 folder



Product A says mywarze is bad. It removes it and says it removed 10 items.


Product B says mywarze is bad. It removes it and says it removed 1 item.


Product A is counting all files and folders.


Product B deleted the folder c:\users\appdata\mywarze and all files and folders below it.


Neither is wrong and both effected the same result. However, one is playing a numbers game.


The above may be an exaggeration but I think it exemplifies the subject matter.

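An added illustration (not code from this thread or from any of the products discussed) of the counting difference described in the post above: it collapses each product's list of removed paths to the top-level items, so a 10-item report and a 1-item report can be compared on what was actually removed, and it also shows that an empty report, as in the original poster's case, is not explained by counting. The subfolder names the post does not give are assumed.

```python
from pathlib import PureWindowsPath

# Constructed sample data: the tree from the post, as two products might
# report it. Product A lists every file and folder it removed; Product B
# lists only the top-level folder. Subfolder names marked below are assumed.
PRODUCT_A = [
    r"c:\users\appdata\mywarze",
    r"c:\users\appdata\mywarze\a.dat",
    r"c:\users\appdata\mywarze\b.dat",
    r"c:\users\appdata\mywarze\c.dat",
    r"c:\users\appdata\mywarze\dl",
    r"c:\users\appdata\mywarze\cache",   # second subfolder, name assumed
    r"c:\users\appdata\mywarze\dl\d.dat",
    r"c:\users\appdata\mywarze\dl\e.dat",
    r"c:\users\appdata\mywarze\dl\f.dat",
    r"c:\users\appdata\mywarze\dl\tmp",  # subfolder under dl, name assumed
]
PRODUCT_B = [r"c:\users\appdata\mywarze"]


def normalize(path: str) -> PureWindowsPath:
    # Windows paths are case-insensitive; compare them lower-cased.
    return PureWindowsPath(path.lower())


def collapse_to_roots(paths):
    """Drop every path that lies under another reported path, leaving only
    the top-level removed items. Two products that removed the same tree
    then yield the same set regardless of how many items each counted."""
    ordered = sorted({normalize(p) for p in paths}, key=lambda p: len(p.parts))
    roots = []
    for p in ordered:
        if not any(r == p or r in p.parents for r in roots):
            roots.append(p)
    return sorted(str(r) for r in roots)


def compare_reports(a, b):
    """Return (raw_count_a, raw_count_b, roots_a, roots_b, same_roots).
    same_roots is True when both reports cover the same top-level items."""
    roots_a, roots_b = collapse_to_roots(a), collapse_to_roots(b)
    return len(a), len(b), roots_a, roots_b, roots_a == roots_b


if __name__ == "__main__":
    # 10 items vs 1 item, but the same tree was removed.
    print(compare_reports(PRODUCT_A, PRODUCT_B))
    # An empty report vs 1 item: a real detection gap, not a counting one.
    print(compare_reports([], PRODUCT_B))
```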

But they didn't produce the same result. Malwarebytes didn't detect things that were there. I understand what you are saying about how things are counted, but that doesn't apply here. There were active items that were not detected by Malwarebytes. It is not a matter of counting the items in the folder; the folder and its contents were not detected. Nor were the exes, or the services, or the scheduled tasks, or the registry entries, or the browser plugins.


If Malwarebytes detected folder A and removed it and all of its contents, and adwcleaner also detected folder A and removed all of its contents, then you are correct: it does not matter if it just counts the folder, or if it counts the folder and its contents, because we got the same results.


But that was not the case here.


Maybe I should clarify the timeline. Malwarebytes was run FIRST. After detecting nothing, and removing nothing, adwcleaner was run. It DID detect infected items and DID remove them.


My question is WHY didn't Malwarebytes find the items. I updated the database before I ran it, I have a paid version and I ran a full scan. So I do not understand why Malwarebytes was unable to detect these items.


No two programs will produce the same results.

Not all programs target the same items.

Not all programs provide similar defaults for detection.

No two programs log the same type or kind of detections.



You have not provided qualitative and quantitative data that can be compared and contrasted. Screen captures don't cut it (so to speak).


You ask... "My question is WHY didn't Malwarebytes find the items"


You have not provided the raw data on what "the items" are.


  • Root Admin



As you're using Kaseya that too has its own considerations. Due to business contracts with Kaseya they are supposed to be your first point of support contact per their request. If you're unable to obtain assistance from Kaseya then I'd suggest you contact our Business Help Desk and they can assist you further.




Though there are some business forums here, the vast majority of the site is dedicated to home user support.


That said, though you may not like the answer provided by David, he really is correct. There are dozens of antivirus products out there and I can pretty much guarantee you that on any given day, from test to test, rarely will one find the same things the other finds. All programs and products have their own way of naming infections, detecting infections, etc. Trying to compare one against another is nearly impossible as there are so many different factors.




The complexity of finding, preventing, and cleanup from malware


Thank you


Ron Lewis
