Gt-truth

malwarebytes Rescue Disk


By any chance, can we get a rescue disk? A rescue disk is for un-bootable systems, to scan for malware and to repair things.

This is just my idea.

Edited by Gt-truth

7 hours ago, Gt-truth said:

By any chance, can we get a rescue disk? A rescue disk is for un-bootable systems, to scan for malware and to repair things.

This is just my idea.

Hi @Gt-truth. We have discussed this idea a few times in the past but have not yet dedicated resources towards it. Right now it's not something we're going to focus on.

6 hours ago, msherwood said:

Hi @Gt-truth. We have discussed this idea a few times in the past but have not yet dedicated resources towards it. Right now it's not something we're going to focus on.

Hi @msherwood

Thank you for your thoughts on the idea! Hope to see something new!


It really does not have to be that difficult. I created a complete operating folder on CD from my laptop, which was not infected and is updated to the latest files, and tried to run it on my infected desktop. The problem is that you then download a conf file that of course cannot be copied to the CD. Why not just set this conf file to run in memory instead of copying it to disk?

In the past I have been able to delete the contents of the Malwarebytes folder on the C drive and then copy the updated contents of the CD to that folder, and it would run and clean the system. This worked because the conf file could be copied to the hard drive. This time that folder is locked by something (?) that will not allow me to delete the contents; it says the files are open in another program.

Any ideas about how to fix this? I am thinking about taking the C drive out, connecting it to my laptop by USB and trying to scan it like that.


However often this has been demanded, it will not come, I think.

MAM


@AlexSmith

Well, there could be such an option, but apparently that is not considered, or wanted, by the Malwarebytes Anti-Malware makers. Or they do not want anything like that at all.

Such a question was posed too often in the past. Hence my critical complaint in this matter.

That is only my opinion.

MAM

5 hours ago, MAM said:

@AlexSmith

Well, there could be such an option, but apparently that is not considered, or wanted, by the Malwarebytes Anti-Malware makers. Or they do not want anything like that at all.

Such a question was posed too often in the past. Hence my critical complaint in this matter.

That is only my opinion.

MAM

@MAM perhaps you misunderstood me. I was asking for your specific thoughts and feedback on what you would like to see on this topic so that we could potentially work on something like this in the future.


I had asked about that in the past, and others had asked for it. There was the statement that there will be no such thing. And why should there be such a thing? Well, as a last attempt to clean up an infected system and bring it back to running. Maybe I think wrong in this direction ...

MAM

On 17.7.2017 at 6:32 PM, AlexSmith said:

What would you like to see from Malwarebytes in this arena? Outside of malware removal, what specific repair items or other functionality would you need?

I would also like to have a Malwarebytes tool for disinfecting computers whose operating systems cannot be started due to malware infection. This rescue disk should scan the computer for malware and repair changes from malware, so that the computer can be started again. Such rescue discs are offered by all major AV companies. I think Malwarebytes should also offer this useful tool.


All major AV companies offer rescue discs. Now that Malwarebytes Premium can be considered an anti-virus replacement, it should also offer a rescue disk/USB device, so that Malwarebytes customers do not have to go to one of the AV vendors to create such a disk.


Unfortunately, I have no notion of either Linux or Wine.

And who knows if that could also work 100%?

MAM

On 9/17/2017 at 1:52 PM, MAM said:

Unfortunately, I have no notion of either Linux or Wine.

And who knows if that could also work 100%?

MAM


As a newcomer to this topic: most Linux distributions are free nowadays, so you could build a pretty lightweight offline (and bootable) Linux distribution on a CD, DVD or flash drive. Wine is also free, and can be added to most Linux distributions (and even to macOS). I am not familiar enough with the different Linux distributions to recommend any specific ones, but if Malwarebytes wished to build an offline Rescue Disc, they could do that without much hassle using a free and reconfigurable Linux distribution alongside Wine. It is worth noting that some Rescue Discs also have Internet browsers bundled with them, such as Firefox and Google Chrome.

Now, any specific features I'd want to see on a rescue? Yeah, quite a few actually. But it would be a little difficult to narrow them all down...


Malwarebytes wouldn't work well at all through Wine in an offline Linux distro. Most of its engine, signatures and capabilities rely on its ability to read the native data (including the registry and boot files/partitions) from the current active OS/disk, so running it offline in Linux to scan an offline Windows OS would not behave as expected. It would not only be very likely to miss threats that would otherwise normally be detected within Windows, but could actually result in the system partition being damaged, because the system file protections and default whitelists for system-critical components would not be active when scanning an offline drive.

The only way to build a proper offline rescue disc for Malwarebytes would be through a native tool like WinPE, which MS no longer provides licenses for (we tried; they wouldn't even let us pay them to use it) that can properly load offline operating systems and registry hives so that Malwarebytes can read/scan them as though they were the native running OS.


WinPE? Crap! I am guessing that's something that can't easily be reverse-engineered? I might be able to find a workaround, hold on while I get back to you on that.


Okay, update: According to Wikipedia, the Windows Preinstallation Environment is actually freeware now.
https://en.wikipedia.org/wiki/Windows_Preinstallation_Environment
You can probably try to obtain it via the Windows Assessment and Deployment Kit (which I used to get Windows Configuration Designer, as the MS Store continually failed to correctly install it), and/or the Shared Source Initiative (allowing you to get some access to the source code).
https://en.wikipedia.org/wiki/Windows_Assessment_and_Deployment_Kit
https://en.wikipedia.org/wiki/Shared_Source_Initiative

There are derivatives too, such as WinRE and Microsoft DaRT.


Yes, it's free for home users, but if you look into the legality of hosting and distributing a custom build of it, it's a nightmare full of Microsoft IP roadblocks. We know, we tried.


Ah... Well, godspeed then. I hope you guys figure something out.
In the meantime though, here's another tool that would probably be helpful to include on a hypothetical Rescue Disc, in the event that one eventually can get made... it could also probably be bundled with future versions of the Malwarebytes TechBench, @AlexSmith:
Windows Update Manager (open-source) by David Xanatos.

https://github.com/DavidXanatos/wumgr/
https://www.thewindowsclub.com/wumgr-free-and-open-source-update-manager-for-windows-10/
https://piunikaweb.com/2018/09/20/windows-update-manager-wumgr-windows-10/

Very handy, because it not only allows you to block unwanted updates (and automatic updates) on Windows 10, but it also helps you install those stubborn updates that just don't want to install correctly, even on earlier versions of Windows. Not to mention, it can even access the Windows Update servers if they're blocked by a firewall, by way of built-in proxies and the like (or at least, I think that's how it works). If you were to use the open-source .NET Core stuff instead of the traditional .NET Framework, then you could even work around corrupted or out-of-date .NET Framework installations, again, especially on older versions of Windows. (Plus, for Wine users, you could potentially even get around Windows Update blocks.)

3 hours ago, Amaroq_Starwind said:

Ah... Well, godspeed then. I hope you guys figure something out.

Thanks!! We are working on something, but can't share any details yet.

As @exile360 mentioned, there are several challenges to overcome to make something happen in this space. Linux and WINE just can't suffice in fully remediating and repairing an Offline Windows OS, especially more recent versions of Windows. It would require putting together something custom that just doesn't make a lot of development sense since you can get a lot of this with using Windows PE. But as @exile360 mentioned, Windows PE is a bear to work with from a legal standpoint.

No matter what, you'll likely see something from this front within the next year.

3 hours ago, Amaroq_Starwind said:

In the meantime though, here's another tool that would probably be helpful to include on a hypothetical Rescue Disc, in the event that one eventually can get made... it could also probably be bundled with future versions of the Malwarebytes TechBench, @AlexSmith:
Windows Update Manager (open-source) by David Xanatos.

https://github.com/DavidXanatos/wumgr/
https://www.thewindowsclub.com/wumgr-free-and-open-source-update-manager-for-windows-10/
https://piunikaweb.com/2018/09/20/windows-update-manager-wumgr-windows-10/

Very handy, because it not only allows you to block unwanted updates (and automatic updates) on Windows 10, but it also helps you install those stubborn updates that just don't want to install correctly, even on earlier versions of Windows. Not to mention, it can even access the Windows Update servers if they're blocked by a firewall, by way of built-in proxies and the like (or at least, I think that's how it works). If you were to use the open-source .NET Core stuff instead of the traditional .NET Framework, then you could even work around corrupted or out-of-date .NET Framework installations, again, especially on older versions of Windows. (Plus, for Wine users, you could potentially even get around Windows Update blocks.)

Interesting find and thanks for sharing!! A couple of us on the Malwarebytes Toolset team have in-depth knowledge on Windows Update and development experience with using the Windows Update API specifically for obtaining, caching, and installing Windows Updates. Looks like this is simply redoing the work of the Windows Update Mini-Tool but open source and in .NET. So it does have some positives and could be useful in developing something.

From a Rescue Disc or offline standpoint, though, this application, or anything similar built off the default Windows Update API, would not work. At a high level, it doesn't understand how to interact with an offline install of Windows, which means you cannot use it to identify or apply updates to a Windows installation that isn't currently running.

With that being said, managing Windows Updates on an offline install of Windows is a capability of the greater Windows Component Based Servicing (CBS) architecture and the Deployment Image Servicing and Management (DISM) API. You can install, uninstall, and get a list of installed packages (updates and drivers) using the DISM API, but it cannot do a detect for missing or new updates to download and install. Plus, Microsoft provides DISM.exe (Command Prompt; included in Windows PE by default) and the DISM cmdlets (PowerShell; an optional Windows PE component) with Windows itself.
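As an added illustration of the two offline-servicing points raised in this thread (exile360's note that a rescue environment must load the offline registry hives, and the Toolset team's note that the DISM cmdlets can enumerate what is installed in an offline Windows but not detect missing updates), here is an example PowerShell script. It is not Malwarebytes' code and not part of any product discussed here. It assumes the offline Windows volume is mounted at `D:\` (a placeholder), that it runs from an elevated PowerShell in WinPE or a clean Windows, and that the Dism PowerShell module is available (the optional WinPE component mentioned above). The function names `Get-OfflineServicingInventory` and `Get-OfflineRunEntries` and the temporary hive name `OfflineSoftware` are my own choices.

```powershell
# Added example, not vendor code. Inventory an offline Windows install with the
# built-in DISM cmdlets and review its autostart entries by loading the offline
# SOFTWARE hive. Run elevated from WinPE or a clean Windows. Read-only review;
# nothing here modifies the offline install.
param(
    [string]$OfflineRoot = 'D:\'   # placeholder: root of the offline Windows volume
)

Import-Module Dism -ErrorAction Stop   # optional WinPE component; built into Windows

function Get-OfflineServicingInventory {
    param([string]$Root)
    # DISM can list what is installed in an offline image, but, as the post says,
    # it cannot detect missing updates; that needs the online Windows Update API.
    $packages = Get-WindowsPackage -Path $Root
    $drivers  = Get-WindowsDriver  -Path $Root   # third-party (non-inbox) drivers only
    [pscustomobject]@{
        Packages = $packages | Select-Object PackageName, PackageState, ReleaseType, InstallTime
        Drivers  = $drivers  | Select-Object Driver, OriginalFileName, ProviderName, Date
    }
}

function Get-OfflineRunEntries {
    param([string]$Root)
    # Load the offline SOFTWARE hive under a temporary key so the autostart
    # entries can be reviewed without booting the infected OS. The hive path is
    # the standard location on every Windows install.
    $hive    = Join-Path $Root 'Windows\System32\config\SOFTWARE'
    $mount   = 'HKLM\OfflineSoftware'            # temporary key name (assumed)
    $runKeys = @(
        'Microsoft\Windows\CurrentVersion\Run',
        'Microsoft\Windows\CurrentVersion\RunOnce',
        'WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    & reg.exe load $mount $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load offline hive $hive" }
    try {
        foreach ($sub in $runKeys) {
            $key = "HKLM:\OfflineSoftware\$sub"
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                foreach ($p in $props.PSObject.Properties) {
                    # Skip the PS* metadata properties the provider adds.
                    if ($p.Name -notmatch '^PS') {
                        [pscustomobject]@{ Key = $sub; Name = $p.Name; Command = $p.Value }
                    }
                }
            }
        }
    }
    finally {
        # Release PowerShell's handles on the hive first, or reg unload fails.
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}

$inventory = Get-OfflineServicingInventory -Root $OfflineRoot
"Installed packages: {0}" -f $inventory.Packages.Count
$inventory.Packages | Sort-Object InstallTime -Descending | Select-Object -First 10 | Format-Table -AutoSize
"Third-party drivers: {0}" -f $inventory.Drivers.Count
$inventory.Drivers | Format-Table -AutoSize

"Autostart entries in the offline SOFTWARE hive:"
Get-OfflineRunEntries -Root $OfflineRoot | Format-Table -AutoSize
```

The `Get-WindowsPackage`/`Get-WindowsDriver` calls are the same operations as `dism.exe /Image:D:\ /Get-Packages` and `/Get-Drivers`; the hive load is what lets a tool running in WinPE read the offline registry as if it were the native one, which is the capability the thread says Wine on Linux cannot provide. Reviewing recently installed packages and the Run keys side by side gives a responder a quick picture of what changed on a machine that will not boot, before deciding what to repair.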
