TeraBytes

Scan iPad and Android from PC


Hey guys,

Is it possible to scan my iPad and Android phone from my PC using Malwarebytes?

thanks


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK"
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings :)

No, unfortunately it isn't because the engine in the Windows version isn't designed to detect threats and executables from other operating systems like Android and iOS and possibly wouldn't even be compatible with the format of their filesystems (though I am not positive on that last point as I do not know enough about Android and iOS having never used either myself).


I suppose this implies that my Windows PC can host non-Windows malware that can infect the target devices once they connect ?!

Is there software that can check my Windows PC for non-Windows malware ?


Infect them?  No, not directly.  In order to infect any device upon connection to the system the malware would have to be active, and any malware active in memory on the host system would need to be able to run on the host operating system (i.e. Windows) so in that case, that would make it Windows malware (even if it were a cross-functional/multi-platform kind of malware) in which case Malwarebytes would detect it.

The only way you could infect your other devices this way would be if you copied a dormant malware file that is compatible with the device you're copying it to, but even then you'd still need to open/execute the file on the portable device (i.e. actually execute/load/launch/install it; whatever its means of infection is) and in such cases, at least for Android, if you had Malwarebytes installed on the mobile device, it should detect any such threat anyway so you could always load Malwarebytes onto your mobile device and scan any new files you copy to the device from your Windows system.

1 hour ago, TeraBytes said:

I suppose this implies that my Windows PC can host non-Windows malware that can infect the target devices once they connect ?!

Is there software that can check my Windows PC for non-Windows malware ?

Any OS can "host" any malware that can infect a different OS.  For example a Windows PC can host an ELF file that infects Linux or a DMG that can infect a MAC.

There are rare Internet worms that may infect a Windows PC and infect other OS'.  They are uncommon.

There are MS Office Macro Viruses that can infect a MS Office Document that can in turn infect MS Office on a different OS.

Specifically Malwarebytes product lines do not cross OS'.  That is MBAM for Windows does not target, detect and/or remove MAC malware.  Conversely MBAM for MAC does not target, detect and/or remove Windows malware.  The exception being those rare infectors which are somewhat OS independent.

Traditional anti virus software targets all malware and will detect and/or remove malware found on one OS but is meant for another OS.

MBAM is NOT a traditional anti virus nor is it "historical".  It does not know what the "NYB" or "Form" virus are and can't even deal with the consequences of file infecting viruses such as Virut, Neshta or Sality.  It can't even detect a Wimad trojan because it does not target data files.

 

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar
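
The point above, that a Windows disk can store ELF, DMG and similar files that only run on another OS, can be checked with a format inventory. This is an added example, not part of the thread and not Malwarebytes code: it labels files by format only and does not judge whether they are malicious. The function names and sample files are constructed for illustration, and the universal-binary versus Java-class split is a heuristic.

```python
import os
import struct
import tempfile
import zipfile

MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # big-endian 32/64-bit
              b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}   # little-endian 32/64-bit


def classify(path):
    """Return a label for non-Windows executable/package formats, else None."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(8)
        tail = b""
        if size >= 512:                      # UDIF disk images end in a 512-byte
            fh.seek(-512, os.SEEK_END)       # trailer that starts with "koly"
            tail = fh.read(4)
    if head[:4] == b"\x7fELF":
        return "ELF (Linux/Android native)"
    if head[:4] in MACHO_THIN:
        return "Mach-O (macOS/iOS)"
    if head[:4] == b"\xca\xfe\xba\xbe" and len(head) == 8:
        # Same magic as a Java class file. Heuristic: a universal binary stores a
        # small architecture count here; a class file stores its version (>= 45).
        if struct.unpack(">I", head[4:8])[0] < 20:
            return "Mach-O universal (macOS/iOS)"
        return None
    if head[:4] == b"dex\n":
        return "DEX (Android bytecode)"
    if tail == b"koly":
        return "DMG (macOS disk image)"
    if head[:4] == b"PK\x03\x04":
        return _classify_zip(path)
    return None


def _classify_zip(path):
    """APK and IPA are ZIP archives; tell them apart by well-known entries."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None                          # truncated or not really a ZIP
    if "AndroidManifest.xml" in names:
        return "APK (Android package)"
    if any(n.startswith("Payload/") and ".app/" in n for n in names):
        return "IPA (iOS package)"
    return None


def scan_tree(root):
    """Walk root and return {relative path: label} for every foreign-format file."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                label = classify(full)
            except OSError:
                continue                     # unreadable file: skip, do not abort
            if label:
                found[os.path.relpath(full, root).replace(os.sep, "/")] = label
    return found


def build_constructed_samples(root):
    """Write tiny constructed files (headers only, no real programs) for the demo."""
    raw = {
        "tool.bin": b"\x7fELF\x02\x01\x01" + bytes(57),
        "helper": b"\xcf\xfa\xed\xfe" + bytes(28),
        "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + bytes(8),
        "setup.exe": b"MZ" + bytes(62),                  # Windows PE: not reported
        "image.dmg": bytes(1024) + b"koly" + bytes(508),
        "notes.txt": b"plain text\n",
    }
    for name, data in raw.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "app.apk"), "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    with zipfile.ZipFile(os.path.join(root, "game.ipa"), "w") as zf:
        zf.writestr("Payload/Game.app/Info.plist", b"<plist/>")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("a.jpg", b"\xff\xd8\xff")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        for path, label in sorted(scan_tree(tmp).items()):
            print(f"{path:12} {label}")
```

Files flagged this way are candidates to hand to a scanner that targets their platform before they are copied to the phone, tablet or Mac.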


An ELF file can't execute in Windows, neither can a DMG so they can't "infect" any device from a Windows system, even if the device being connected is compatible with them because no software which is not compatible with the currently loaded operating system would be able to run so unless you literally dragged and dropped the malware file to the device (which again, wouldn't actually infect the device either since it isn't in memory on either device, just stored there), it couldn't get onto the device to infect it.  Even then, as I said, once on the device that it can infect, you'd still have to load/execute the file for it to actually infect the device.  A dormant malware file just sitting on a device can't really do any harm (there have been a few exceptions to that in the past, but only on Windows as far as I know, and the vulnerabilities which allowed that have long since been patched by Microsoft via updates; they were vulnerabilities in the Windows shell and I'm pretty sure such would be detected by the anti-exploit layer in Malwarebytes anyway).

As for file infectors, that's not entirely true.  MB3 is capable of detecting these types of threats, and at one time Malwarebytes did detect Virut, however the signatures were implemented in such a way that it would only flag the files, not remove them (since it is accurate that the anti-malware engine doesn't disinfect infected files, it only removes them).  I doubt that it still does however since Virut is no longer seen in the wild (nor is any other file infector last I checked; such threats aren't very useful from a profiteering or data theft/spying perspective, and those are pretty much the only goals of any malware these days).

As for Wimad, while the anti-malware engine may not detect such an infected data file, the anti-exploit engine would detect and quarantine the threat if the file were actually loaded into a media player (the only means of Wimad to actually infect a system, as it's actually an exploit, not an infection unto itself; it's used to download/execute other malware, just like most other exploits).

As for historical malware, scan your system once a month with one of the many free online virus scanners or if you're going to connect some old storage device that has tons of old files on it and you aren't sure if it's infected or not, run one of those free online virus scans then to check the drive before executing any files stored on the drive and you'll be fine.  There's no need for a constantly running protection layer to defend against obsolete threats no longer seen in the wild.


That's right, an ELF file can't run under Windows.  But as a disk file can be "hosted" by it.  If I have malicious DMG or ELF files on a web site, that web site is not necessarily infected by the malware represented by the DMG and ELF files but it surely can "host" these files.

But like I said there are infectors that can cross the OS barrier.  An Internet worm can come to windows as a Win32 EXE and infect the Windows PC but it may see another system on the network and infect it.

MBAM is incapable of removing malicious code that has been prepended, appended or cavity injected into a legitimate file.  That means if a file infecting virus infects a legitimate file MBAM will be unable to remove the malicious code.  An anti virus application should be able to remove malicious code from an infected file and hopefully bring it back to its preinfected state.  Which may or may not return the file to its original, non infected, checksum value.  This is also true for trojans that trojanize legitimate files.  MBAM is incapable of removing malicious code from them as well ( also known as patched files ).  At best MBAM will try to replace the patched file from a known good copy.

A media file detected as a Wimad file is not infected.  It is a trojan that was designed to be malicious from the onset.  Documents, media files and other data files that are trojans are not "infected".  To be infected it has to be a legitimate file that was altered to be malicious.  A MS Word Document that uses a malicious VB macro to download and execute a malicious binary is not infected.  Nor is one that has an embedded OLE object.  They are designed on the onset to be malicious so that they can not be considered "infected".  However in the case of Macro Viruses they are infected.  That's what sets them apart.  If a legitimate MS Office Document is loaded into the MS Office environment that is infected, that legitimate file will have the malicious macro virus injected into it.  That legitimate MS Office document is now infected with a macro virus.  If I then took the infected MS Office Document and went to a system that was clean and I had MS Office open that infected document, that previously clean MS Office environment is now infected and can now further the macro virus dissemination.  MS Office does not just run under Windows.  Thus in the late 90's the Macro Virus was one of the first to cross the OS barrier.  It did this due to the relative OS independence nature of the MS Office VB Macro environment.

38 minutes ago, exile360 said:

There's no need for a constantly running protection layer to defend against obsolete threats no longer seen in the wild.

That's a vulnerability as malware may come back.  There is no such thing as a malware expiration date.  If one "assumes" a malware family is extinct and no longer protects against it, the system is vulnerable.  However, there are technical hurdles that may make an old malware family resurgence highly unlikely in some cases.

Edited by David H. Lipman
Edited for content, clarity, spelling and grammar

17 minutes ago, David H. Lipman said:

That's right, an ELF file can't run under Windows.  But as a disk file can be "hosted" by it.  If I have malicious DMG or ELF files on a web site, that web site is not necessarily infected by the malware represented by the DMG and ELF files but it surely can "host" these files.

But like I said there are infectors that can cross the OS barrier.  An Internet worm can come to windows as a Win32 EXE and infect the Windows PC but it may see another system on the network and infect it.

MBAM is incapable of removing malicious code that has been prepended, appended or cavity injected into a legitimate file.  That means if a file infecting virus infects a legitimate file MBAM will be unable to remove the malicious code.  An anti virus application should be able to remove malicious code from an infected file and hopefully bring it back to its preinfected state.  Which may or may not return the file to its original, non infected, checksum value.  This is also true for trojans that trojanize legitimate files.  MBAM is incapable of removing malicious code from them as well ( also known as patched files ).  At best MBAM will try to replace the patched file from a known good copy.

A media file detected as a Wimad file is not infected.  It is a trojan that was designed to be malicious from the onset.  Documents, media files and other data files that are trojans are not "infected".  To be infected it has to be a legitimate file that was altered to be malicious.  A MS Word Document that uses a malicious VB macro to download and execute a malicious binary is not infected.  Nor is one that has an embedded OLE object.  They are designed on the onset to be malicious so that they can not be considered "infected".  However in the case of Macro Viruses they are infected.  That's what sets them apart.  If a legitimate MS Office Document is loaded into the MS Office environment that is infected, that legitimate file will have the malicious macro virus injected into it.  That legitimate MS Office document is now infected with a macro virus.  If I then took the infected MS Office Document and went to a system that was clean and I had MS Office open that infected document, that previously clean MS Office environment is now infected and can now further the macro virus dissemination.  MS Office does not just run under Windows.  Thus in the late 90's the Macro Virus was one of the first to cross the OS barrier.  It did this due to the relative OS independence nature of the MS Office VB Macro environment.

That's a vulnerability as malware may come back.  There is no such thing as a malware expiration date.  If one "assumes" a malware family is extinct and no longer protects against it, the system is vulnerable.  However, there are technical hurdles that may make an old malware family resurgence highly unlikely in some cases.

Yes, that's what I said regarding ELF and DMG files etc.  They can certainly be on disk on an incompatible OS, but they are dormant there and can do no harm unless copied to a compatible device and then activated/executed.  As for threats that cross the OS layer, those would technically be Windows threats just as much as they would be for any other OS and therefore should be covered (like the Flash and Java exploits that are capable of executing malicious code on both Windows and Mac OS etc.).  The same goes for network worms capable of infecting Windows as well as other operating systems.

Regarding Wimad, that's just semantics, my point was that our anti-exploit protection would stop it (I've verified this multiple times with the team, so this is not just speculation), so regardless of what you may call it, the anti-exploit layer would stop it.

Regarding malware "coming back", absolutely not, at least not unless it is altered so much that existing signatures (including those used by antivirus) would no longer detect it (i.e. a significant morph/variant), otherwise there would be no point.  They aren't going to start using an old Trojan or file infector (or any other malware) that virtually every AV protects against.

As for antivirus disinfecting infected files, most of them actually don't any more.  Usually they end up having to create a specific tool for this purpose because their engines aren't capable of removing malicious code from infected files (this is why virtually every AV vendor had to create a specific disinfection tool even for their own customers when Virut was prominent).  Each injector/infector is different, and especially nowadays sufficiently so that in order to disinfect an infected file, a new disinfection routine is required which goes beyond the scope of what most if not all standard AV remediation engines are capable.  And if you think about it, it makes sense.  If the bad guys have a way of making their infected files more difficult to remediate then they certainly will do so because they want their targets to remain infected as long as possible (except for special cases where they have a specific goal such as the exfiltration of specific data, in which case they might remove themselves as soon as the job is done in order to evade detection/capture by malware researchers as well as their targets).

Edited by exile360


By the way, I'm not saying that adding the ability to detect non-Windows malware to Malwarebytes would be a bad idea.  Actually I think it would be a good feature to have and it's already been passed on to the Product team sometime ago when another customer requested it.  I'm just trying to explain why it is not a very big risk because any threat capable of actually being active and therefore capable of truly infecting a non-Windows device should be detected as that capability would not be required for Malwarebytes to detect it and any non-Windows threat could not be running/active and therefore wouldn't be able to covertly infect any device connected to the Windows system (as I said, you'd literally have to copy the threat to the device and then install/execute it on the device, and as long as you have some kind of malware protection on the device itself that checks the files and programs you run on the device then you should be just fine).  Besides, you should always have some kind of malware protection on any device that connects to the web, be it a smart phone, tablet or a PC because the highest risk of infection comes from the web, not from threats transferred from a Windows PC to a mobile device.


It isn't "semantics" just like gb does not equate to GB.

It is the looseness of facts that brought us to this point in time where everyone is calling all malware a "virus".  Understanding the concepts and being educated to the facts leads to a better understanding of the malware environment allowing us to better protect ourselves.  Those that understand the facts are infected the least and those with least understanding are infected the most.  Thus being exact in our words as professionals and SMEs and our statements can lead to less people getting infected.

Facts matter.

I did not approach the preventative nature of MBAM and its "on Action" capabilities.  The subject matter was scanning non-native OS' which is an "On Demand" process where "On Action" is a moot point other than the fact that an Internet worm, whose ability is to infect multiple operating systems, may be inhibited by MBAM's "On Action" capability.

Traditional AV applications still attack the results of a file infecting virus.  What separates them is their ability to do that in situ as well as their ability to bring back altered files to their preinfected state without corrupting them which may or may not also bring them back to their pre-infected checksum value.

 

1 minute ago, David H. Lipman said:

It isn't "semantics" just like gb does not equate to GB.

It is the looseness of facts that brought us to this point in time where everyone is calling all malware a "virus".  Understanding the concepts and being educated to the facts leads to a better understanding of the malware environment allowing us to better protect ourselves.  Those that understand the facts are infected the least and those with least understanding are infected the most.  Thus being exact in our words as professionals and SMEs and our statements can lead to less people getting infected.

Facts matter.

I did not approach the preventative nature of MBAM and its "on Action" capabilities.  The subject matter was scanning non-native OS' which is an "On Demand" process where "On Action" is a moot point other than the fact that an Internet worm, whose ability is to infect multiple operating systems, may be inhibited by MBAM's "On Action" capability.

Traditional AV applications still attack the results of a file infecting virus.  What separates them is their ability to do that in situ as well as their ability to bring back altered files to their preinfected state without corrupting them which may or may not also bring them back to their pre-infected checksum value.

 

Yes, facts do matter but my point is that a dormant file, incapable of executing under the currently running operating system cannot in any way actively infect a device attached to it, even if that device is the native environment for that file.  Then you brought up the points about Wimad and file infectors, neither of which matters if all we're talking about is the scan engine because you need realtime protection to stop those threats from infecting the system, especially in the case of a file infector since it will continue to spread until stopped, either by a security tool or by shutting down the system.

We're talking about whether there is a risk of infection when connecting a non-Windows mobile device to a Windows PC, so if we're talking about a cross-OS threat, then realtime protection is the only thing that matters because a scanner would be too late to stop it in all likelihood (because if the host is actively infected, which means the threat hasn't been detected by any realtime protection, then the mobile device will be infected as soon as it is attached to the system if that's a capability of the malware unless the mobile device itself has active protection to stop the threat from infecting it).

As for speculating on what an AV could or couldn't do against some hypothetical threat, I'd still argue that most of them do the same as Malwarebytes did during the most recent one which was Virut.  I know because I saw it happen to countless users.  Their AV would keep telling them they were infected (as Malwarebytes would, in both the scanner and realtime protection) but would refuse to remediate the threats because they weren't capable of it so support forums were filled with infected users who ended up having to run the specialized Virut remediation tools from the various security vendors.

If you really want to get down to it, we must consider how a file infector (or virtually any other threat) tends to infiltrate a system in the first place, and that is through the web and generally via a chain of events beginning with either a web based exploit or specially crafted email attachment, both of which I'd argue are well covered by Malwarebytes currently, but again, if we're just talking about scanning here and not realtime protection of any kind, then all bets are off because there's no way of knowing what a threat might do if it is able to activate and infect the host system and often times scanners won't even work by then because so many threats these days are deliberately coded to stop such tools from running or working properly.  This is why I keep harping on exploit protection because it tends to be the first and most effective layer of defense, regardless of what the eventual payload might be.

7 hours ago, TeraBytes said:

Hey guys,

Is it possible to scan my iPad and Android phone from my PC using Malwarebytes?

thanks

That's the focal point "On Demand" and not "On Action".

54 minutes ago, David H. Lipman said:

That's the focal point "On Demand" and not "On Action".

Correct, which means any speculations about active file infectors, worms or even cross-OS malware are moot.  The mobile device just requires its own protection to avoid infection.


By the way, just one more thing I wanted to add here as it's relevant to the whole "AV vs MB3" topic.  Back when Virut was prominent, I had many discussions with the Devs and Researchers around the possibility of either implementing file disinfection in the remediation engine for Malwarebytes or building our own remediation tool for it to disinfect Virut infected files (I was Product Manager for Malwarebytes at the time), however it turned out that the then prominent strain of Virut (the final one before the infection died off) had a major bug and was actually breaking infected files so that they couldn't actually be safely disinfected (they could be cleared of viral code, but the resulting file would be broken/would not function due to an issue with the virus' code) and so it was decided that implementing such a feature or building such a tool would be pointless, particularly since the accepted best practice at the time was to advise users to reformat their systems (since safe disinfection was not possible).

That said, should file infectors make a return, I have no doubt that if it makes sense, the Product team will consider and likely implement some file disinfection capability in the Malwarebytes engine, however it is likely that even if they were to do so now, it would do little or no good against whatever file infector may be next (assuming there is such a threat forthcoming at any point in the future; something I personally doubt, though I am no oracle) as, due to the nature of such threats and how they vary in how they modify files, a unique cleansing routine developed specifically for that threat/strain/family would likely need to be developed, so coding such capabilities now would probably be pointless.

This is not unlike when Sinowal/Mebroot became prominent.  At the time, Malwarebytes had no MBR/VBR disinfection capabilities and so Malwarebytes Anti-Rootkit BETA was developed and its technologies eventually integrated into Malwarebytes and now it has no trouble with detecting and remediating these rootkits.  I'm certain that should the need arise due to changes in the threat landscape and the tactics used by the bad guys, that if it became necessary to implement a file disinfection engine, the Product team would not hesitate to do so in order to arm the Researchers and our users/customers with the tools they need in order to stay clean and remediate any threats.

When exploits became prominent, Malwarebytes acquired and developed and eventually integrated their cutting edge anti-exploit technology into Malwarebytes and likewise, when ransomware became a common vector, they developed and integrated the new anti-ransomware technology.  Also, the existence of anti-exploit is also why script file detection has not been implemented, even though the current Malwarebytes scan engine is fully capable of reading and even detecting and remediating (and even editing/cleaning, not just quarantining) text files, which is essentially what scripts are (this is how remediation of Chrome plugins is implemented as are several detection/remediation components in rootkit scanning as certain rootkits require this in order to detect and properly remediate/remove them).  Anti-exploit is a far more effective means of stopping such threats, particularly since, in order to evade traditional detection methods such as those used for targeting non-executable files (scripts etc. and everything else based on text), all the bad guys must do is obfuscate their scripts, change the order of the text or even just encode it in a different language/format (encryption), none of which would allow them to bypass the anti-exploit layer, but all of which can and have frequently been used in order to evade detection by antivirus engines that target script files (I read about this very thing not long ago on Metasploit when doing independent research on the subject).

So should the bad guys start using older tactics such as file infectors and the like, I have no doubt that the team will respond accordingly with technologies that effectively stop and remediate the threats which utilize them, but to do so now wouldn't bear much fruit in the way of providing any meaningful additional protection so their time and efforts are better spent elsewhere.  At least that's what I believe based on my many years of experience with this company and with those who make the decisions around the technologies included in Malwarebytes.


Thanx guys, that was very comprehensive.

Is Windows Defender a "traditional AV application" or is it more like Malwarebytes ?

Defender does describe itself as a "protection against spyware and potentially unwanted software".


It is a traditional AV application.  It is not the best but it is better than nothing.  Microsoft tried to have an AV Application but they did not do well and Windows Live Anti Virus was pulled as a paid-for application and became the free Windows Defender and variants we see today.  The best application of anti virus functionality that Microsoft has implemented is the Once-per-Month On Demand scanner that is included in Patch Tuesday's updates.

Unfortunately, Samuel doesn't quite get it.  Malwarebytes would not code the functionality to remove malicious code for just one virus like Virut so its lifespan and its bugs are a moot point.  The functionality of removing malicious code from legitimate files would be applied to all file infecting viruses and files that have been trojanized.  The difference being a file that is infected with a file infecting virus can in turn infect other files.  A file that has been trojanized is an end point.  It will not infect other files.  The concept of trojanization ( patching ) has been an ongoing threat.  Therefore once created, the module of the application that would disinfect legitimate files that have been injected with malicious code would transcend all file infecting viruses and malware that trojanizes legitimate files, thus that functionality would never be pointless. 

Edited by David H. Lipman
