Jump to content

Malwarebytes Anti-Ransomware Service & WMI

malfor

By malfor
in Anti-Ransomware Beta

 Share

Recommended Posts

malfor

malfor

Posted
Posted

Hello

I am on Win 7 and just downloaded and upgraded to version mbarw-setup-consumer-0.9.18.807, I have also installed the latest version of Anti-Exploit.

My first question is will the two co-exist with each other without any problems?

My concern with AntiRansomware is that the  Malwarebytes Anti-Ransomware Service relies on the  Windows Management Instrumentation Service.

It has happened to me several times that the program has failed to activate and clicking on the  Fix button does nothing to get it going again.

It was not until I realised just recently that mbarw is dependent upon WMI that a possible cause for this was revealed -  which is that if the WMI service is not started its dependencies will also fail.  This has happened to me several times until I sorted out the problem with the WMI service.

But it also raises a serious security issue - what if a malicious program /script/hacker was able to gain access to the  registry and deliberately turn off'/ lock the WMI service (winmgmt)  from running?

That would render mbarw totally useless and ineffective, as it does with the WSCSVC (Windows Security Center) service, would it not?

So the question is what sort of protection or measures are in place to prevent this from happening? What measures can I take to protect myself from this potential unwelcome threat?

I look forward to your opinion and advice and thank you in advance for them.

 

 

 

Link to post
Share on other sites
  • Staff
jprism

jprism

Posted
  • Staff
Posted

Hi @malfor,

Welcome to Malwarebtytes!

Malwarebytes Anti-Ransomware and Malwarebytes Anti-Exploit should have no problems co-existing.  Our Malwarebytes 3 Premium product is a great example on how these 2 interoperate not only with each other, but also with the Anti-Malware and Web Protection technologies making up the layered defense in our offering.

As for potential WMI locks (and i apologize because i didnt want to make this a shameless product pitch), this is why in our Malwarebytes 3 Premium product, we have incorporated technologies that analyzes and intercepts malicious activities based on threat lifecycles where it is usually coming from a web resource (either thru drive by or from a link in an email) and blocks via our Web Protection.  If the site was not blocked and contains an exploit, our Anti-Exploit prevents its execution.  Our Anti-Malware + Anomaly Detection then takes over before the file gets executed.  

In any case, if we do end up not preventing the threat, our world class customer support team can work with you to address the modification.

I apologize if i wasnt able to answer your questions regarding possible WMI modifications.  If WMI is stopped, our products can actually restart it.  However, if it has been completely disabled, unfortunately we cant offer much advise and would suggest contacting us to help you fix it, if you do need help re-enabling WMI.

Hope this helps

-jong

Link to post
Share on other sites
  • 1 month later...
malfor

malfor

Posted
  • Author
Posted

Hi jong

Thanks for the reply.

I have a new query regarding Malwarebytes Anti-Ransomware and it concerns farflt.sys.

Again when it starts up the program (logged in as restricted user) says that real Time protection is disabled ( and nothing works when clicking the Fix It Now button or the Start Protection link). This behaviour is random and only a reboot will get it working again.

By chance using Systernals Autoruns for some other enquiry, it reports that:

farflt File not found: C:\Windows\System32\Drivers\farflt.sys

which is probably another reason why the program reports protection as disabled.

Can you please check and advise as to what could be causing the deletion of farflt.sys from the system drivers folder? Does it get deleted by the program on shut down and not reinstated on startup? Is there a rogue program at work here which deletes it?

Will saving a copy of it when the program is working and copying back into the drivers folder when not working and not there enable protection again immediately?

Or does only a system restart work?

Thanks for you help and assistance.

Link to post
Share on other sites
  • 3 weeks later...
  • Staff
jprism

jprism

Posted
  • Staff
Posted

Hi @malfor

my apologies for the late reply.  i though i already did.  

Farflt.sys gets removed from the drivers folder when protection is disabled and re-instated when activated.  so no need to manage it from there.

This is, from my experience, a very rare case.  System re-start typically helps, but i hate to make you do that every time.

if you can execute the instructions on this page, ill let the team take a look.

and post the resulting information here.

 

thanks

-jong

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.