
can't run rootkit scan on external drive and other things



For some reason I've noticed I can't run a rootkit scan on my external hard drive, but I keep getting this message:

a rootkit scan requires an entire drive to be selected for scanning, please update the areas of the system you want to scan to include an entire driver or disable rootkit scanning for this scan

Is this intentional?

Also, due to problems with the mbae64.sys driver (which I then renamed and lost sight of, then managed to track down; I think it was the right one, its digital signature under Properties was labeled Malwarebytes Corporation), I reinstalled MB3 because I couldn't check the boxes in the custom scan. It's working now, at least.

Sorry if the last bit doesn't make any sense.

Edited by draph91
  • 4 months later...
On 12/31/2016 at 7:32 PM, siliconman01 said:

Do you have a touch screen monitor?  Please see the forum post:

Also, you didn't answer my first problem.

I've noticed I can't run a rootkit scan on my external hard drive for some reason; I keep getting this message:

Quote

a rootkit scan requires an entire drive to be selected for scanning, please update the areas of the system you want to scan to include an entire driver or disable rootkit scanning for this scan

 

 


Yes, if C: (or whatever the current drive is where the active/running Windows installation is installed) is not selected, then rootkit scanning cannot function.  This is due to the way that rootkit detection works.  When a system is offline, for example on a secondary/slaved drive from another system, any rootkits which might be on the drive are not active/running and therefore are not hiding themselves.  Our rootkit scan works by detecting rootkit activity where we see what the raw data on the disk should be and compare it to what is being reported (by the rootkit, if one is active/installed).

That said, a dormant rootkit infection should still be detected, at least in most cases, by our standard malware scan engine, though I would still advise booting the other drive and running a Malwarebytes scan from there with rootkit scanning enabled just to be sure because certain rootkits, such as MBR infections/bootkits would still require our rootkit detection/remediation engine to be detected and removed/repaired properly.

Edited by exile360
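
The cross-view comparison described in the reply above, as an added illustration (not Malwarebytes code and not part of the original thread). The raw disk contents and the OS-reported view are modelled as dictionaries; every path, byte string and the filtering behaviour are constructed assumptions.

```python
import hashlib

# Constructed sample data: raw on-disk contents keyed by location.
# All paths and byte strings are made up for this illustration.
RAW_DISK = {
    "sector0/MBR": b"constructed-modified-boot-code",
    "Windows/System32/drivers/disk.sys": b"constructed-clean-driver",
    "Windows/System32/drivers/example_hidden.sys": b"constructed-rootkit-driver",
}

# Hypothetical model of what an active rootkit does to the reported view:
# it omits its own driver and answers MBR reads with a clean copy.
HIDDEN_PATHS = {"Windows/System32/drivers/example_hidden.sys"}
SPOOFED_READS = {"sector0/MBR": b"constructed-original-boot-code"}


def reported_view(raw, rootkit_active):
    """Return the view the OS APIs would report for `raw`."""
    if not rootkit_active:
        # Offline/secondary drive: nothing filters reads, so reported == raw.
        return dict(raw)
    view = {p: d for p, d in raw.items() if p not in HIDDEN_PATHS}
    view.update({p: d for p, d in SPOOFED_READS.items() if p in view})
    return view


def cross_view_diff(raw, reported):
    """Flag locations where the raw view and the reported view disagree."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    return {
        "hidden": sorted(p for p in raw if p not in reported),
        "altered": sorted(p for p in raw
                          if p in reported and sha(raw[p]) != sha(reported[p])),
        "phantom": sorted(p for p in reported if p not in raw),
    }


def scan(rootkit_active):
    """Run the comparison for a booted (True) or offline (False) drive."""
    return cross_view_diff(RAW_DISK, reported_view(RAW_DISK, rootkit_active))


if __name__ == "__main__":
    print("booted from this drive:", scan(True))
    print("attached as secondary: ", scan(False))
```

With the drive attached as a secondary disk the two views agree, so the diff is empty even though the driver and modified boot code are still on disk.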
  • 1 year later...
On 5/18/2017 at 10:11 PM, exile360 said:

Yes, if C: (or whatever the current drive is where the active/running Windows installation is installed) is not selected, then rootkit scanning cannot function.  This is due to the way that rootkit detection works.  When a system is offline, for example on a secondary/slaved drive from another system, any rootkits which might be on the drive are not active/running and therefore are not hiding themselves.  Our rootkit scan works by detecting rootkit activity where we see what the raw data on the disk should be and compare it to what is being reported (by the rootkit, if one is active/installed).

That said, a dormant rootkit infection should still be detected, at least in most cases, by our standard malware scan engine, though I would still advise booting the other drive and running a Malwarebytes scan from there with rootkit scanning enabled just to be sure because certain rootkits, such as MBR infections/bootkits would still require our rootkit detection/remediation engine to be detected and removed/repaired properly.

Hello @exile360,

Sorry for bumping this, but I have the same question. I remember very well that previous versions of Malwarebytes (in those times it was Malwarebytes Anti-Malware) would allow us to also scan for rootkits even while performing a predefined threat scan, hyper scan or custom scan which scans partial locations other than the entire system drive (C:).

Wasn't it working that way? Now, with the 3.x versions, the whole (hundreds of GB) drive has to be selected to perform a rootkit scan, based on the error dialog shown above. There are many other rootkit scanners that do only a rootkit scan within a short time, and that makes Malwarebytes disappointing.

Aren't I correct?

Best regards.


It worked back then the same way it does currently.  It will scan the other locations you select, however the specialized checks in the rootkit scan look primarily at the current boot drive and hidden system partition as well as the other areas on the system where rootkits are known to install themselves.  The other locations you select are still scanned, however they are checked with the standard malware detection engine (just like performing a normal non-rootkit scan), so this is why it still checks all those other locations and takes longer than the rootkit scan alone.

On 11/22/2018 at 4:24 AM, exile360 said:

It worked back then the same way it does currently.  It will scan the other locations you select, however the specialized checks in the rootkit scan look primarily at the current boot drive and hidden system partition as well as the other areas on the system where rootkits are known to install themselves.  The other locations you select are still scanned, however they are checked with the standard malware detection engine (just like performing a normal non-rootkit scan), so this is why it still checks all those other locations and takes longer than the rootkit scan alone.

Thanks a lot for your reply @exile360. However, I found out a trick, or a behavior which must be expected. As Malwarebytes wants the user to select an entire drive even just to scan for rootkits with the Custom Scan option, when you just launch "Threat Scan" (which is actually a partial scan decided by Malwarebytes's pre-determined locations) we can get a rootkit scan performed just before the beginning of the File System Objects scan. So, as there is no quick "only-rootkit scan" option, Threat Scan appears to come to the rescue quickly without initiating a Custom Scan or Full Scan that requires the whole drive to be checked.

Is this correct operation and behavior?

Best regards.


Yes, the Threat scan includes all locations that the rootkit scan checks.  This is by design as both were built for the same purpose to check all known locations where malware is known to install/hide.  If you look at the standalone Malwarebytes Anti-Rootkit Beta tool it works in the same way, checking all the same locations as the Threat scan in Malwarebytes 3.  The only difference is that there are a few additional items checked such as the boot files/system partitions etc. which apply only to the rootkit scan and those are what are added to the analysis at the beginning along with its check of the default locations for drivers etc. (since drivers are stored in a particular location in Windows) and rootkits often use drivers for their functionality.

Edited by exile360