ESET and Malwarebyte going crazy

[961Host]

i discovered a confusing bug, when Malwarebytes catch a virus ESET block that file and block Malwarebytes, in the same time Malwarebytes do the same thing...

Edited October 25, 2017 by 961Host

[Telos]

It is dangerous to run overlapping programs. It is quite possible that neither will be able to properly handle malware with the other interfering. MBAM works with AV programs, but should not be paired with other antimalware solutions. Obviously, you have a conflict with no assurance that either ESET or MBAM will be effectively managing the threat.

[exile360]

Actually this shouldn't be too much of an issue.  While Malwarebytes was scanning it accessed a threat that ESET was also capable of detecting, and since ESET is an on-access scanner, it detected the file.  Allow ESET to remove the object and cancel the scan/removal for the Malwarebytes scan OR have ESET ignore the detection and allow Malwarebytes to remove what it found during the scan.  The choice is up to you, however, be sure to check the Malwarebytes scan results.  If there was more than one item detected, especially any loading points in the registry or associated files/folders with whatever object was detected by both, then I'd highly recommend having ESET ignore the detection and allowing Malwarebytes to remove it.  This is because of the Linking heuristics capability built into Malwarebytes' scanner which makes it capable of more thoroughly removing an infection than most other antimalware solutions (including ESET).

If you need to, temporarily disable ESET's protection in order to proceed with having Malwarebytes remove what it found during the scan.  Then reboot and everything should be fine.

edit: Never mind, it looks like ESET already removed the threat so it should be fine.  Cancel the scan/results in Malwarebytes (but first check to see if there were any additional detections as I mentioned) and reboot as ESET recommends for cleanup.  If there were other detections by the Malwarebytes scan then have Malwarebytes remove them then reboot when prompted.

Edited October 26, 2017 by exile360

[961Host]

9 hours ago, exile360 said:

Actually this shouldn't be too much of an issue.  While Malwarebytes was scanning it accessed a threat that ESET was also capable of detecting, and since ESET is an on-access scanner, it detected the file.  Allow ESET to remove the object and cancel the scan/removal for the Malwarebytes scan OR have ESET ignore the detection and allow Malwarebytes to remove what it found during the scan.  The choice is up to you, however, be sure to check the Malwarebytes scan results.  If there was more than one item detected, especially any loading points in the registry or associated files/folders with whatever object was detected by both, then I'd highly recommend having ESET ignore the detection and allowing Malwarebytes to remove it.  This is because of the Linking heuristics capability built into Malwarebytes' scanner which makes it capable of more thoroughly removing an infection than most other antimalware solutions (including ESET).

If you need to, temporarily disable ESET's protection in order to proceed with having Malwarebytes remove what it found during the scan.  Then reboot and everything should be fine.

edit: Never mind, it looks like ESET already removed the threat so it should be fine.  Cancel the scan/results in Malwarebytes (but first check to see if there were any additional detections as I mentioned) and reboot as ESET recommends for cleanup.  If there were other detections by the Malwarebytes scan then have Malwarebytes remove them then reboot when prompted.

2

thank you for your reply, well i don't have problems, i have already did what you've suggested, but for my clients or in general i don't think this is a normal action to do each time, when you gonna remove a virus right? that's not a logical solution for business or personal.

[exile360]

Yes, unfortunately it's unavoidable.  Since ESET, like most antiviruses, is an on-access scanner, whenever anything touches a file ESET scans each file it touches.  In other words, this would happen if you'd been running a scan with the free version of Malwarebytes.  Also, since most AVs are automatically configured to remove any threat they detect in realtime, there really won't be any decision to be made.  Just as in your case, the order of events will take care of itself.  The AV removes the detected object, the scan with Malwarebytes completes showing that it detected something.  Even at that point, if the user decides to allow Malwarebytes to remove everything it has detected all that will happen is that Malwarebytes will attempt to remove a file that is no longer there, but it won't do any harm at all.

I just wanted to make certain that no matter what, if any additional objects had been detected by the scan, that you did not leave them present on the system.

One final note here as well: typically, this won't happen anyway.  Because the AV scans every file that gets created, it will usually detect a new threat long before it is scanned by Malwarebytes.  It just so happened that in this case, ESET couldn't detect the file until sometime later because it needed a database update which added detection for the file.  This isn't something which occurs everyday, and in fact is quite a rare occurrence, so much so that we don't even have any sort of FAQ or knowledge base entry for any situations like this even though we've been recommending our customers use even our paid product alongside an active, up-to-date antivirus for years (since the beginning, really).  As for our paid customers, it becomes even less likely because if the AV misses something, our layers of protection still have a very high probability of detecting the threat as 0-day/0-hour detection of new/unknown threats is an area we specialize in, especially in our paid product due to the many layers of protection it includes, many of which have a high probability of preventing any malicious file from ever even reaching the system like our Web Protection and Exploit Protection.  Even in a scenario where our Malware Protection (the realtime analog to our scan engine) is the only one that would detect something as a threat comes across something also detected by the user's AV, the AV would have detected and removed it long before our Malware Protection would even have a chance to see it because in realtime our Malware Protection doesn't detect objects on-access, it detects them on execution, meaning when they attempt to enter memory, not when they're initially written to disk, so again, the AV (since it checks objects on-access, including as they are written to disk) would detect and remove such an object long before our Malware Protection even sees it.  Our other earlier layers, if any of them is triggered by the event, would stop the attack chain so early that the malicious file itself would not have had a chance to even reach the system and therefore would block it before the AV even had a chance to see the file.

This all goes back to how we have designed Malwarebytes to work alongside other layers of protection without conflicts.  Again, I just wanted to make certain that if Malwarebytes had detected any additional traces that you still allowed it to remove them that way you wouldn't end up with a threat only partially removed.  Either way the worst thing that could have happened was precisely what you saw which was two alerts, one from each product, about detecting something.  No real harm would have been done no matter what choice you made as long as you allowed at least one of them to remove the threat (again, which by default your AV already did anyway and always would in such a scenario).