How can I be sure malware is being removed?

I'm new to Malwarebytes for business. I deployed policies to about a dozen machines. All have been scanned and it appears at least half are infected. I have it set up to automatically remove threats, but each of the infected machines is still highlighted red in the list of machines, which I believe means they are still infected. Wouldn't the red highlighting disappear if the threat was removed? How can I be certain that these machines have been properly cleaned?


  • 2 weeks later...

Ok, there are two distinct things happening in the list: no action taken on real PUP infections, and some web blocks. There's a lot to cover here, so we'll start with the PUPs.

PUP infections, No Action Taken
PUP "No action taken" means your console isn't fully configured yet. There are two stages to set up. You define what MBAM will be looking for and tagging for removal in Policy -> Scanner. In your scan scheduler or on-demand scan you define what action will be taken on the items identified and tagged. Note that I have "auto restart if required for threat removal" unchecked. I recommend this approach, as the restart will not prompt your user that a restart will be taking place. With the option off the item will still be quarantined and your user will be safe; the delete-on-reboot will just finish off that item on the next restart instead of forcing one. Once your scans start removing items and subsequent scans come back clean, the red highlight will be removed. See my screenshots...

@AdvantageP are you sending them new scans? The highlight will only go away once a new scan comes back clean. For tips on removal, if the items are the same thing, reoccurring, there are three possibilities as to the root cause:

  1. Your policy \ scanner settings are not set to tag those item types for proper removal. We covered this one.
  2. The items detected are browser PUPs and hijacks that come back due to your user having browser sync enabled, common for Chrome. Malwarebytes removes the items; Chrome auto-sync puts them right back. A special tactic is needed for items like this: your user must sign out of their Chrome profile - https://support.google.com/chrome/answer/2390059?hl=en You then run a quick scan to remove the item, followed by resetting all of your user's installed browsers. The hijack may jump over to, say, IE and reinfect if that browser is opened.
  3. Repeat infections that don't follow scenario 1 and 2 are likely to be caused by rootkits and will require you to run the Malwarebytes Anti-Rootkit scanner utility provided in your download under Unmanaged \ Windows \ mbar- The location will be Standalone \ Windows \ mbar- on older download packages. You can also download it any time at this link - https://www.malwarebytes.com/antirootkit/

20 hours ago, vs2015sv said:

I found that running mbam.exe as admin (right click, run as admin), from c:/programs../* allowed me to delete the quarantine. I feel MWB should alert you that you need to run as admin.

This is in regards to actions on infection items, not removing items from quarantine once those actions are performed. I've mentioned to you before that we do not recommend deleting the quarantine folder or its contents. If there is a false positive like we had in April 2014 or November 2016, you will not be able to recover without that quarantine.
