
Massive Data Upload by MBAMService.exe



I'm running Malwarebytes 3 on my Win 10 computer. Last week I noticed a massive data upload and was wondering which program (other than the usual suspects Dropbox, Google Drive and OneDrive) would upload so much data from my PC. Turned out that within three hours, Malwarebytes MBAMService.exe has uploaded no less than 250MB of data (see screenshot). How many anonymous user data can malware collect to upload 250MB of my data? A query to the technical team which data were uploaded: "I cannot provide you a copy of the data that was uploaded because I do not have access to it.". Also, the question if 250MB data upload is within the normal range remained unanswered. Checking where the data were uploaded to, it was an Amazon server. It appears Malwarebytes has a massive problem, and tech support is not informed.

Capture.PNG


Greetings,

While I do not have any definitive answers, I can speculate as to the cause of the large data upload.  I suspect it had to do with the cloud aspects of the anomalous threat detection component in Malwarebytes 3 which will attempt to gather data on previously unseen executable files to help determine whether they might be malicious.  It is an automated process so the Support team wouldn't have access to that data.  The only ones who might would be members of the Research and Development teams.  Normally uploads shouldn't be that large, however if there were a large number of unknown files or several fairly large files it was analyzing, that could explain the large upload.  It could also be that it caches data locally and then when it has a chance/when your internet connection isn't under heavy load, it then goes about uploading the data in a single spike, but that's just speculation on my part as I don't know precisely how it manages its function.

I hope that at least helps to illuminate the subject a bit.  If anyone else from the team wants to step in and clarify things further or has contradicting information, then listen to them as my internal knowledge is limited.  I am only providing this information as a possibility based on my knowledge of the inner workings of Malwarebytes 3.


Hi

Out of curiosity, I assume the option to opt-in/opt-out the cloud uploading functionality is Usage and Threat Statistics?

I don't mind sharing stats and events (I opt-in for all software), but I would strongly prefer having more fine grained control over files that are uploaded in their entirety.


15 hours ago, Siro said:

Hi

Out of curiosity, I assume the option to opt-in/opt-out the cloud uploading functionality is Usage and Threat Statistics?

I don't mind sharing stats and events (I opt-in for all software), but I would strongly prefer having more fine grained control over files that are uploaded in their entirety.

No, actually, I don't believe it is.  I believe it's controlled by the "Use signature-less anomaly detection for increased protection" setting.  It isn't part of the standard telemetry gathering capabilities that are controlled by the Usage and Threat Statistics function which is more for monitoring application usage and threat detection for the purposes of tracking known threat stats (like how frequently each known threat in Malwarebytes' database is detected and where geographically each threat is prominent etc. as well as how users interact with the MB3 UI to help the UX Devs improve the layout and appearance of the software).

Correction, see my reply below.

Edited by exile360

A correction.  I just got confirmation that file uploads for automated cloud analysis by the other components I mentioned are in fact controlled by the "Usage and Threat Statistics" setting, so if it is disabled, the software will not upload new/unknown files for analysis.  So if you disable that setting, those uploads should not occur.


Thank you both for responding. My 'Usage and Threat Statistic' option was on. This is not in compliance with European laws, BTW. Irrespective of this, it is not so much that (some) of these data have been shared, but the sheer volume. 500MB (not: KB) were uploaded in the matter of a few hours. How many books can you store on a 500MB hard disk? Quite a few. Would you think that Malwarebytes collected, within hours, 500MB of my user data? Reading the relevant section of their policy, it speaks of website interaction and program use. I find it more than difficult to believe that my website interaction or the regular programs I use (MS Office, Adobe) generated 500 MB of statistical data. What do you think?


Which part isn't in compliance with European law?  If the setting is on/enabled, it will report/share the data with Malwarebytes' servers.  To disable it, you must uncheck that setting and it shouldn't upload anything.

As for the volume of data, I'm certain it had to be the feature I was referring to in my previous post regarding cloud analysis of previously unseen executables for early threat detection, not your interaction with the software or websites.  It must have seen some binaries on your system which were suspicious/unknown that it wanted to analyze to make certain they were not malicious.  That's the only explanation I can think of as to why it would ever upload that much data.


Thanks for the swift response. The part not in compliance is the default user opt-in of collecting data. Under EU 'General Data Protection Regulation', companies collecting anonymous data must ask the user to actively opt-in, not have it on by default. Check Article 7 "Prior to giving consent, the data subject shall be informed thereof.". Acceptance of EULA is under current court ruling deemed insufficient as to provide information to what the law calls the data subject (i.e. the user).

So my next steps will be to formally request a copy of the data that have been uploaded from my computer, copying the European consumer complaints and data protection offices. Let's see if the Tech Support will also respond to the European Commission that they do not have access to the data that have been uploaded from my computer. Especially after data breaches reported in the media by the likes of Cambridge Analytica, data protection of its citizens has become a very sensitive subject for the Commission.


1 minute ago, Bert18 said:

Let's see if the Tech Support will also respond to the European Commission that they do not have access to the data that have been uploaded from my computer.

I suspect that they will since the members of Malwarebytes Support team in fact do not have access to this data.  It is fed into servers which use proprietary software to perform automated file analysis and I believe it also may use VT to check for FPs.  It is possible that members of Research may have access to it (at least the files; the data regarding use of the software and websites etc., no humans have any direct access to I don't think).

Anyway, I'll leave it to you, the EC and Malwarebytes to sort out.


On 07/04/2018 at 12:29 PM, Max-H said:

Confusing, two same posts. Anyway, if you turn off Settings, Application, Usage and Threat Statistics (at the bottom), does it change anything?

Hi, yes, when I contacted support, this was the first thing they asked and after turning it off, the issue was remedied. Still, I wonder what happened to the >500MB of data that were uploaded, or more precisely: which data with such a volume was uploaded. But please check exile360's response for some possible explanations.


Thanks for the follow up @Bert18. The reason we can't access the data that was uploaded by your system is because that information is not personally identifiable. We use that data of unknown files to make sure it's not an infection of some kind and to help other users.

I'll get some clarification on the GDPR issues and follow up when I have more


10 hours ago, Bert18 said:

....The part not in compliance is the default user opt-in of collecting data. Under EU 'General Data Protection Regulation ', companies collecting anonymous data must ask the user to actively opt-in, not have it on by default. 

Hi Bert18:

I don't know if the EU-U.S. Privacy Shield Framework mentioned below addresses your concerns about the opt-in for data collection, but the International section of the Malwarebytes Privacy Policy at https://www.malwarebytes.com/privacy/ that Max-H referenced in post # 9 states:

Quote

"Malwarebytes participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework.  Malwarebytes is committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework's applicable Principles..."

Malwarebytes' current certification status for the Privacy Shield Framework is posted at https://www.privacyshield.gov/participant?id=a2zt0000000TO84AAG.
--------------------------------------------
I currently have Usage and Threat Statistics disabled, due mainly to the following statement in the Client Data section of the privacy policy Software Collection Addendum:

Quote

"In addition to data you provide that is necessary for the functionality of the Software or in our performance of providing the Software to you, we collect client data from each program that describe the client environment (i.e., our software and the computer system it is running on). For this data we identify each system with a unique identifier that is created at install time, so it is possible to track changes to an individual system over time."

------------
32-bit Vista Home Premium SP2 * Firefox v52.7.3 * Norton Security Premium v22.14.0.54 * MB Premium v3.3.1.2183 (CP v1.0.262)

Edited by lmacri

"In addition to data you provide that is necessary for the functionality of the Software or in our performance of providing the Software to you, we collect client data from each program that describe the client environment (i.e., our software and the computer system it is running on). For this data we identify each system with a unique identifier that is created at install time, so it is possible to track changes to an individual system over time."

While this is accurate, it is my understanding that data collected for cloud analysis such as previously unseen files to determine if they are malicious etc. are decoupled from any identifiable info, thus further anonymizing this data so that they (Malwarebytes' threat Researchers etc.) cannot know where an uploaded file came from, which makes sense since such data wouldn't be relevant in determining whether a file might be malicious or not.

Unfortunately it also means that they may never be able to track down exactly what was uploaded during that 500MB upload reported by the user, as I assume based on its size that this must have been what it was doing (I've seen similar behavior on my own system in the past with a few uncommon EXEs and other somewhat obscure files that were executables of some kind (DLLs, MSIs etc. etc.)).


14 hours ago, lmacri said:

 

Thanks lmacri. I did not actually pick up on the second section about being able to identify users uniquely. Thanks for highlighting this. It would also mean that data are associated with users and therefore traceable / trackable.

As for the US-EU data shield agreement, this has been watered-down quite a bit with numerous exceptions and loopholes. This is why the GDPR was introduced. Intergov't agreements (e.g. free trade, free data flow) are sometimes tricky as it is not clear if local (here: EU) law prevails or if the trade deal (which often has been the case) is essentially the higher instance. Let's see.

 

 

Hi Bert18:

I don't know if the EU-U.S. Privacy Shield Framework mentioned below addresses your concerns about the opt-in for data collection, but the International section of the Malwarebytes Privacy Policy at https://www.malwarebytes.com/privacy/ that Max-H referenced in post # 9 states:

Malwarebytes' current certification status for the Privacy Shield Framework is posted at https://www.privacyshield.gov/participant?id=a2zt0000000TO84AAG.
--------------------------------------------
I currently have Usage and Threat Statistics disabled, due mainly to the following statement in the Client Data section of the privacy policy Software Collection Addendum:

------------
32-bit Vista Home Premium SP2 * Firefox v52.7.3 * Norton Security Premium v22.14.0.54 * MB Premium v3.3.1.2183 (CP v1.0.262)


Thanks for the response. The part not in compliance is the default user opt-in of collecting data. Under EU 'General Data Protection Regulation ', companies collecting anonymous data must ask the user to actively opt-in, not have it on by default. 


It looks like that law/regulation doesn't go into full effect until May 25th of this year according to the document you linked there (and I heard the same from a Malwarebytes employee when I asked about it) so I'm guessing that as long as Malwarebytes has it corrected by then, there should be no issues with failure to comply with EU regulations.  That gives them just over 2 weeks from today to get it done and get a new build out which includes the change(s) necessary for compliance.


  • 3 weeks later...
On 4/9/2018 at 6:23 AM, exile360 said:

It looks like that law/regulation doesn't go into full effect until May 25th of this year according to the document you linked there (and I heard the same from a Malwarebytes employee when I asked about it) so I'm guessing that as long as Malwarebytes has it corrected by then, there should be no issues with failure to comply with EU regulations.  That gives them just over 2 weeks from today to get it done and get a new build out which includes the change(s) necessary for compliance.

...or they could just do like Facebook and move user data to US servers to avoid compliance with the EU's General Data Protection Regulation (GDPR). :o

     Facebook Moves Millions Of Users Data To US To Avoid European Privacy Laws
     Facebook to Exclude Billions from European Privacy Laws

When I do a clean re-install of my Norton Security software the installation wizard always asks if I want to participate in Norton Community Watch, which is similar to Malwarebytes' Usage and Threat Statistics data collection.  I wonder if that meets the GDPR's requirement for user consent as long as the option to allow data collection from the user's hard drive is disabled by default in the installation wizard?
------------
32-bit Vista Home Premium SP2 * Firefox v52.7.3 * Norton Security Premium v22.14.0.54 * MB Free v3.4.5 (CP v1.0.342)

Edited by lmacri
