
I've been a Malwarebytes Premium user for some time now. Mostly, it behaves itself but lately I have had a couple of problems, as follows:

Infrequent warnings that Web Protection or Malware Protection were off. I've generally been able to repair that by turning the module back on in the program's settings.

Twice, Malwarebytes has been unable to load the Anti-Rootkit DDA Driver (see attachment) and warns that it may be due to rootkit activity. On the recommended reboot, MB runs a scan but finds nothing. This last happened on booting up this morning.

When I've had problems with MB in the past I've generally solved them by reinstalling the latest version or using the Clean tool, but the latter is a nuisance because of the necessity to manually reapply settings like language and scan schedule. From memory, the last time I did this was when I tried the latest BETA but reinstalled the current version because of problems with domain names being blocked.

I've run the FarBar Tool and MB-Check, and files are attached.

I'm as sure as I can be that I don't have any malware on this laptop. I'm the only user on this machine and computer savvy enough generally to stay out of harm's way, although no expert.

Any suggestions apart from another clean and install?

Windows 7 Home Premium SP1 x64
Malwarebytes Premium 3.3.1
Microsoft Security Essentials
CryptoPrevent Premium 9.0.0.0
Casper 10.1 Backup

mb-check-results.zip

RootkitDriver.JPG

ThreatScan20180119.txt

Edited by TempLost
Clarification

Hi @vbarytskyy - thanks for your prompt attention. There's nothing in the Report Queue Folder, but there are loads of sub-folders in the ReportArchive Folder. I've zipped the whole folder and attached it here in case it helps.

I have to go out shortly so may not be able to review your response until tomorrow.

ReportArchive.zip


Hi!  

I looked into it, and nothing on the Malwarebytes exclusion list that was referenced would be affected by CryptoPrevent settings.  The .SYS files (drivers) are never affected in any way, as only executable files are blocked by any setting, and .SYS are non-executable driver files.  While all .EXE files can be blocked with user-customized CryptoPrevent rules (such as those in the \Program Files\Malwarebytes\Anti-Malware\ directory) there are no issues with these as stated in our default path/filename rules that would be affected by any Software Restriction Policies set through CryptoPrevent.  

The only possible issue I can see with built-in CryptoPrevent settings, at maximum or customized protection levels, is the "Prevent File Types > Program Filtering > .EXE/.COM files" protection.  When enabled, the .EXE files in the Malwarebytes directory would not be allowed to launch until examined for additional internal logic and file signature matching with known malicious programs.   I have verified NONE of this would be an issue with the Malwarebytes exclusions, but the issue itself would be an error with launching the .EXE file after it was scanned and determined as non-malicious, but failed to run after being allowed by CryptoPrevent (FYI to our knowledge, this was a bug with CryptoPrevent v7.x and the Microsoft Office "Click to Run" style launcher, for which no program functions quite like it, a Microsoft thing...)  You could disable this setting for your own testing, although it did not cause an issue in our testing.  

 

The confirmation/testing:

I've installed the Malwarebytes v3 trial with real-time protections on top of an already installed copy of CryptoPrevent v9 with maximum protections enabled.  In Malwarebytes > Settings > Protection I noticed the "Scan for Rootkits" option was not enabled, so I enabled that since it looks a bit related to your error message, as well as "Enable self-protection module early start" which was not enabled by default, and it sounded good.  I rebooted a few times, performed a scan with Malwarebytes as recommended by the software, and have not experienced any issues or errors with either product whatsoever.  FYI, the testing is on a pre-creator's update Windows 10 64bit in a virtual machine, which is updating to the creator's update with all protections of both applications enabled as I type this, just for giggles...   (success, installing subsequent updates now...)

I should also mention I enabled "Collect enhanced log data for support (not recommended)" in Malwarebytes > Settings > Application in anticipation of an issue and working to resolve it, so if it helps we will be happy to provide any information collected, or perform any additional testing as may be directed by Malwarebytes support staff on this issue.  If working with Malwarebytes devs for any discovered issues, we could offer some proprietary information regarding the internal logic of CryptoPrevent's .EXE/.COM Program Filtering if necessary, but I wouldn't make the information public for obvious reasons so I cannot offer that here; I would rather the customer simply disable this setting for confirmation that it isn't an issue, although it did not cause issue in our own testing.  

Should we need to install a paid edition of Malwarebytes for testing (if the current 14-day trial capabilities are not sufficient for this issue) I have a few of the older "lifetime" licenses and (yes) Malwarebytes (as well as CryptoPrevent) should be on my mom's PC ;) as well, assuming these licenses are still valid in Malwarebytes v3.  

 

Final thoughts on CryptoPrevent settings:  

Any potential conflict with CryptoPrevent would come from user-customized program blocking rules that you yourself would have created with CryptoPrevent's "Policy Editor" which allows customized blacklist rules and user hash definitions to be created.  If you have created any customized block rules, you should remember this instantly ;) but you can visit user areas in the "Policy Editor" to verify.  

You can also see ALL blocked events by CryptoPrevent (including Windows Software Restriction Policies set by CryptoPrevent rules) through CryptoPrevent's "History - Detections and Events" area, where you have the option to view blocked events since the "Previous Startup" or "The Beginning of Time" ... The only thing not appearing here would be the aforementioned bug from CryptoPrevent v7's .EXE/.COM protection (then dubbed "BETA") although this was resolved in v8; again simply disable that setting (or any/all CryptoPrevent settings) to confirm it isn't an issue.  

 

Let us know if we can be of any further assistance regarding this issue.  

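To check for yourself whether any Software Restriction Policy rule reaches the Malwarebytes directory discussed above, here is an added PowerShell example (not code from this thread, from CryptoPrevent or from Malwarebytes). The SRP registry layout, the mbam.exe target path and the event IDs 865-868 are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from this thread, CryptoPrevent or Malwarebytes: lists the
# Software Restriction Policy (SRP) path rules on this machine and reports which of
# them cover a given executable, so a user can confirm whether any SRP rule reaches
# the Malwarebytes program directory. Assumed standard SRP registry layout:
#   ...\Safer\CodeIdentifiers\DefaultLevel                   policy default level
#   ...\Safer\CodeIdentifiers\<level>\Paths\<guid>\ItemData   one path pattern
# The default target (mbam.exe in the directory named in the thread) is an assumption.
param([string]$Target = "$env:ProgramFiles\Malwarebytes\Anti-Malware\mbam.exe")

$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Basic User';
                 131072 = 'Normal User'; 262144 = 'Unrestricted' }
$Bases = foreach ($h in 'HKLM', 'HKCU') { "${h}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" }

function Get-SrpPathRules {
    foreach ($base in $Bases) {
        if (-not (Test-Path $base)) { continue }
        # One numeric subkey per security level; each holds its Paths\<guid> rules
        foreach ($lvl in Get-ChildItem $base) {
            $lvlNum = 0
            if (-not [int]::TryParse($lvl.PSChildName, [ref]$lvlNum)) { continue }
            $paths = Join-Path $lvl.PSPath 'Paths'
            if (-not (Test-Path $paths)) { continue }
            foreach ($rule in Get-ChildItem $paths) {
                $pattern = (Get-ItemProperty $rule.PSPath).ItemData
                if (-not $pattern) { continue }
                [pscustomobject]@{ Hive = $base.Split(':')[0]; Level = $LevelNames[$lvlNum]; Pattern = $pattern }
            }
        }
    }
}

function Test-SrpRuleMatch([string]$Pattern, [string]$Path) {
    # SRP expands environment variables; a folder rule covers everything beneath it,
    # and '*' / '?' wildcards are honoured (matched here with -like).
    $p = [Environment]::ExpandEnvironmentVariables($Pattern).TrimEnd('\')
    if ($p -match '[*?]') { return ($Path -like $p) -or ($Path -like "$p\*") }
    return $Path.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)
}
foreach ($base in $Bases) {
    $def = (Get-ItemProperty $base -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -ne $def) { "$($base.Split(':')[0]) default level: $($LevelNames[[int]$def])" }
}
$rules = @(Get-SrpPathRules)
# The longest matching pattern is the most specific, and that is the rule SRP applies
$hits = $rules | Where-Object { Test-SrpRuleMatch $_.Pattern $Target } | Sort-Object { $_.Pattern.Length } -Descending
if ($hits) { $hits | Format-Table -AutoSize } else { "No path rule among $($rules.Count) covers $Target; the default level applies." }
# What SRP actually blocked recently: Application log event IDs 865-868 (assumed SRP 'access prevented' IDs)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } -MaxEvents 20 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

If no rule covers the target and the default level is Unrestricted, SRP is not what stops the Malwarebytes executables from launching, and the driver-load error has to be looked for elsewhere.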

@FoolishIT

@Porthos

Thanks to both of you for your help. Just to confirm, I am using default settings in CryptoPrevent with no additional rules. I've recently carried out a clean uninstall/reinstall of MB as I still have occasional problems of the System Tray icon not launching or Protection Modules not loading, but the issues have generally been resolved by relaunching MB. 

Edited by TempLost
Finger failure

OK, since the last clean install I still have the occasional instances of the Anti-Rootkit DDA Driver being unable to load. I understand from @vbarytskyy's post that it's something you're actively investigating but I attach current MB-Check results including FarBar scans and the latest clean install log in case they help. Windows shows no other obvious anomalies since then and runs as well as can be expected considering the age and spec of the laptop. Though I can't say I'm looking forward to the inevitable move to Windows 10 which will probably mean buying a new one...

 

mb-check-results.zip


On 1/25/2018 at 11:31 AM, Porthos said:

Hi @FoolishIT The user is using Win 7. Can you test with that and Microsoft Security Essentials installed?

@vbarytskyy

Hi,

In my testing, performing the exact same steps on Win7 x64 exhibits the same result as described on Win10 x64, in that Malwarebytes has no issues.  To be clear, I have enabled all features/maximum settings in CryptoPrevent, and in Malwarebytes I enabled (in addition to the default installation settings) the "Scan for Rootkits" and "Enable self-protection module early start" features as well as "Collect enhanced log data for support (not recommended)" so I can provide any additional details as necessary. 

Hope this helps,


5 minutes ago, FoolishIT said:

Hi,

In my testing, performing the exact same steps on Win7 x64 exhibits the same result as described on Win10 x64, in that Malwarebytes has no issues.  To be clear, I have enabled all features/maximum settings in CryptoPrevent, and in Malwarebytes I enabled (in addition to the default installation settings) the "Scan for Rootkits" and "Enable self-protection module early start" features as well as "Collect enhanced log data for support (not recommended)" so I can provide any additional details as necessary. 

Hope this helps,

@FoolishIT Thanks for the additional information - it's reassuring for me to know that I can carry on using CryptoPrevent with confidence alongside Malwarebytes, my other favourite piece of security software.


Same problem one time on my laptop today (Windows 8 x64). Restarting Windows solves the problem but this is curious. I don't have CryptoPrevent.

On 25/01/2018 at 5:33 PM, TempLost said:

@FoolishIT

@Porthos

Thanks to both of you for your help. Just to confirm, I am using default setting in CryptoPrevent with no additional rules. I've recently carried out a clean uninstall /reinstall of MB as I still have occasional problems of the System Tray icon not launching or Protection Modules not loading, but the issues have generally been resolved by relaunching MB. 

And sometimes this problem too.


8 hours ago, Fatcap said:

Same problem one time on my laptop today (Windows 8 x64). Restarting Windows solves the problem but this is curious. I don't have CryptoPrevent.

And sometimes this problem too.

@Fatcap

Thanks for your input, but you would be best starting your own thread as the cause of your problems is probably not the same as mine - your operating system is different for a start.

Follow the guidelines in this post, and I'm sure you'll get the help you need. 

 


19 hours ago, Fatcap said:

Same problem one time on my laptop today (Windows 8 x64). Restarting Windows solves the problem but this is curious. I don't have CryptoPrevent.

And sometimes this problem too.

Agree on a new thread; regardless, I'm glad you posted here, if not just for our involvement, because we wouldn't have seen a new thread otherwise.  If anyone has any other information relating to CryptoPrevent we'd be glad to hear it, and if not applicable to this thread please PM us a link after you start a new thread, if we should be aware of it.  ;)

 

On 1/30/2018 at 6:01 AM, TempLost said:

@FoolishIT Thanks for the additional information - it's reassuring for me to know that I can carry on using CryptoPrevent with confidence alongside Malwarebytes, my other favourite piece of security software.

Thank you!  :)  

 

Before we close the books on this one ourselves, I wanted to offer one other bit of info, which is NOT advice and may or may not even be applicable.  I didn't see the mention of mbam_clean in this thread.  I may have missed it, but a quick google search turns up a lot of results from 2013/2014 on a very similar error condition with the same wording.  These did involve MBAM v2, and I think I saw a v3 BETA thread somewhere; depending on your search methods at least one front page result should be on these forums.  The issue was resolved here and in one other 3rd party forum I looked at after the simple process of uninstalling MBAM, running the mbam_clean utility, then reinstalling MBAM. 

Understand I CANNOT actually offer this as any direct advice.  For one, I am not familiar with it.  Also, while the download link from the thread here still works, I have no clue if this is current and fitting for usage with MBAM v3.  Since the downloaded file has a modified date/time stamp as if generated at the point of download, I cannot even tell how recent it is without further research and/or actual usage to examine the executables inside, and it would be pointless since the staff/forum mods here would know far better than I.  This is why I didn't repost the download or thread link here; quite possibly this is not at all relevant to this case, and I would advise you NOT to take this as advice until reviewed by one involved with Malwarebytes and these forums!  Just throwing the mention out there since I didn't see it mentioned earlier, so perhaps a forum admin or support staff could advise further.  

I plan to wrap this one up in our own ticket queue, but I wanted to wish you the best of luck with a quick resolution.  Let us know if we can be of any further service.  

 


@FoolishIT mbam-clean is a legacy tool and doesn't support the latest product. We do have a new cleaning tool, mb-clean, which can be downloaded from xxx

Post updated [02/12/2021]

The following MBST tool should be used to perform a clean removal and reinstall

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool

 

Edited by AdvancedSetup
updated information

I submitted a separate inquiry (as suggested for another member above) but have not as yet seen any response.  I'll mention here that I did NOT get the same notice from MB about the program being unable to load the Anti-Rootkit DDA driver. (??)   My concern is that when I viewed a recent Scan Report, it said there were no known threats but then when I checked farther down, I saw that the Rootkit was DISABLED.  When I then rechecked Settings, I confirmed it was properly set to ON.  Which one is correct?  I had a scare over the weekend when my Computer started acting weirdly and was afraid it had been hacked.  When I tried to close down and reboot, the computer froze.  I finally turned it off at the computer.  Then when I tried to reboot, I got the initial "DELL" banner but then the screen went BLACK!  I had to turn it off again at the computer.  I waited about 10 minutes and then was finally able to reboot albeit SLOWLY. My MS Defender and MB had both indicated they had caught a "malicious threat" (not sure of the exact wording).  I deleted and reran both programs which came out clean.  I am a Sr. and not highly computer literate.  I read all the foregoing discussions with Computer Speak that was way over my head.  I got my first computer (a Zenith operating at a blazing 2.6-MB) in 1975.  No HD and just working off a 5.25 floppy; obviously DOS, and only choice was green or gold print on black background!  

I can't possibly go through all that TempLost has, since, judging by the jargon that flew back and forth, he/she is so far ahead in his/her computer abilities.  I just want to know that I'm doing the best I can to keep my computer safe.  I use it for both personal use and for my rep business.  What can someone with my neophyte computer abilities do?!

 
