
Although it was not currently required, since I had some time, I created the log of the full scan, for which I attach the link: ProcMon MWB 3.5 Log - Complete Scan; the link, as usual, is valid for 7 days.

PS: A particular message to dcollins:
- Considering that the rootkit search, if I have not misunderstood, is a more in-depth scan, it would be clearer, in my opinion, if it were simply called MORE DEEP SCAN, as on Malwarebytes for Android.

Regards

Massimiliano


Well, it is a deeper scan in the sense that it searches for rootkits.  It's not the same concept as, say, a "Full scan" would be in an antivirus or anything like that.  It performs a literally lower-level scan of the filesystem, including checking for hidden contents, infected boot files and partitions (MBR/VBR etc.), and compares what the standard Windows filesystem APIs say about files and their contents on disk with what the raw data read from the disk reports (if they differ, that's a quick giveaway that a rootkit is present).

While it does check a few locations not normally checked by the normal Threat scan (like the boot files/partitions I mentioned), for the most part it is looking at all the same objects and in all the same locations, just at a lower level if that makes sense.  It's worded the way that it is because it literally is a rootkit scan, using the anti-rootkit technology/engine developed by Malwarebytes to scan for, detect and remove rootkits; the very same technology developed in the standalone Malwarebytes Anti-Rootkit application.

Calling it this also eliminates the questions from users and customers as to whether or not Malwarebytes scans for rootkits; something that came up a lot before this technology was developed and integrated into Malwarebytes.  Back then Malwarebytes did have some very basic rootkit checks built into it, but nothing nearly as comprehensive or effective as the modern anti-rootkit technology and engine now integrated into it and controlled by that option under the scan settings.
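The cross-view check described above (what the filesystem API reports versus what a raw read of the disk reports) as an added illustration; this is not Malwarebytes code, the two views are constructed sample data, and the comparison logic and names (Entry, cross_view_diff) are mine:

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One file as delivered by a particular view of the disk."""
    path: str
    size: int
    sha256: str


def entry(path: str, data: bytes) -> Entry:
    # Hash the bytes exactly as the view delivered them; a read hook that
    # serves clean bytes for a patched file shows up as a digest mismatch.
    return Entry(path, len(data), hashlib.sha256(data).hexdigest())


def cross_view_diff(api_view, raw_view):
    """Compare the API view with the raw-disk view of the same volume.

    Returns three sorted lists of lower-cased paths:
      hidden   - present on disk but absent from the API enumeration
      phantom  - reported by the API but not found on disk
      tampered - listed by both, but size or content digest differs
    Any non-empty list is a discrepancy to investigate. A file that changed
    between the two reads is the usual benign cause, so re-read both views
    before treating a single hit as proof of a rootkit.
    """
    api = {e.path.lower(): e for e in api_view}   # NTFS names are case-insensitive
    raw = {e.path.lower(): e for e in raw_view}
    hidden = sorted(set(raw) - set(api))
    phantom = sorted(set(api) - set(raw))
    tampered = sorted(p for p in api.keys() & raw.keys()
                      if (api[p].size, api[p].sha256) != (raw[p].size, raw[p].sha256))
    return hidden, phantom, tampered


# Constructed sample views (not real disk data): the raw view holds a file the
# API never enumerated and a driver whose on-disk bytes differ from what the
# API handed back.
API_VIEW = [
    entry(r"C:\Windows\System32\drivers\example.sys", b"clean driver image"),
    entry(r"C:\Users\m\report.docx", b"quarterly report"),
]
RAW_VIEW = [
    entry(r"C:\Windows\System32\drivers\example.sys", b"clean driver image\x00patched"),
    entry(r"C:\Users\m\report.docx", b"quarterly report"),
    entry(r"C:\Windows\System32\drivers\unlisted.sys", b"image the API did not enumerate"),
]


def demo():
    return cross_view_diff(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    for label, paths in zip(("hidden", "phantom", "tampered"), demo()):
        print(f"{label}: {paths}")
```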


Thanks for the clarification on the name of the rootkit search.

In the meantime, I hope that from the analysis of the two logs it is possible to arrive at a solution to the blocking problem; I do not think that it only happens to me, because I consider it a bit strange that the only two computers in the world affected both belong to my family.


Yeah, we've seen similar issues in the past from time to time.  It could be that there's some specific software or driver common to both systems that's causing it; that would explain why it's happening on more than one of your systems if there's something unique you install on each or if they share common hardware components.  Hopefully the Procmon logs will reveal what the problem is; they just take a while to analyze.


Both are Windows 10 Home (very customized since the installation ISO: without Edge (I cannot stand that Flash is imposed on me), without Flash, with Cortana disabled, without Defender (there is only the firewall), without Hyper-V and without all the unnecessary crap integrated into Windows 10) with Firefox 59.02 and Word and Excel 2016 (updated to today's date). On the Dell (that of the logs) there are no apps except the Store and the WindowsBlogItalia app; on the Asus (not the PC of which I posted the logs) there are some but not many (photos, movies, mail, etc.), plus Adobe Reader and the classic MS games recompiled for Windows 10; there is practically nothing else installed. As peripherals there are in both a wireless mouse (different models) and the drivers of an HP LaserJet P2055d and a Canon Pixma MX925.

I hope you can help.

Regards

Massimiliano


That could be the reason.  Maybe one of the alterations you made to the OS install is somehow affecting the scanner for some reason, like some obscure dependency or some as of yet undiscovered bug.  Hopefully whatever it is the Devs will be able to track it down and get it fixed.


I can also try, if really necessary, to do a clean installation with the official MS ISO, despite the fact that Windows 10 contains a lot of unnecessary crap (at least all those I listed), and if it were not for the fact that support will soon end I would continue to use Windows 7 (the only really valid OS from MS). When I did the regular installation (roughly until November 2017) I do not remember if there was this block, but I can say that at the time the scan lasted 50 minutes and now 33 minutes, so times have improved (I only have to understand the nature of the block to understand what it entails for security, because if one looks only at times then it is better now).

Edited by MAXBAR1


No, that's OK.  Whatever may be causing this, it's exposed a bug in the Malwarebytes scan engine that the Developers need to fix, so ultimately it's a good thing to have a system where the issue can be replicated.  I'm just speculating as to the possible cause is all.


If you want to recreate the ISO you can do it with MS-Toolkit (which, as far as I know, is only in Italian), which is on the internet, and just delete almost everything (making it practically a Windows 7 disguised as Windows 10).

Edited by MAXBAR1


Thanks for the info.  If the QA guys need to replicate it, I'm sure that it will come in handy (and they might ask for more details if needed).


Have you already discovered something about the reasons for the block?
Thank you

Regards


Nope. The procmon log shows exactly what I expected, which is that the files are scanning properly; we're just not informing the UI of the change. We're still researching other troubleshooting steps on this.


@MAXBAR1 can you please try the following:

  1. Download and extract the files from procdump.zip
  2. Open Malwarebytes and navigate to Settings -> Application
  3. Turn on the option for Event Log Data
  4. Start a scan
  5. Once the UI hangs on the file, wait 1-2 minutes and then please run 5 - mbamservice_memory.bat from the zip file in step 1 (you will need to right-click -> Run as administrator)
  6. Let the scan finish

Once the scan is done, please grab a new set of mb-check-results and upload both the new zip file and the dump file created in step 5 (you can zip up the dump file to make it smaller).


With the option referred to in point 3 activated, the block occurred from minute 27 to minute 37 instead of from minute 24 to minute 34; then it finished as usual in a few seconds.
I enclose the two required logs.

As soon as you know something new... I would be interested to know it.
Thank you

Regards

Massimiliano

MBAMService.exe_180427_174636.zip

mb-check-results.zip


Thanks, we found out what's going on. The good news is that it's just as I thought: nothing is going wrong, we're just scanning some deep links that take a while and don't really give us anything to put on the UI. That being said, we're looking at adjusting this behavior in the future so it's less confusing and doesn't make someone think the program has locked up.


I hope you can implement the fix in time for the final release of version 3.5 of MWB.

In the meantime, I ask you: every day, even a couple of times a day, I scan for harmful elements (the recommended scan): do I need a custom scan every time, and do I need to add the rootkit scan every time (which still creates that problem only in the custom scan and not in the harmful elements scan)?

Thanks for the advice and thanks also for the excellent assistance you have given me.

Always keep it up: you are the best in your field.

A greeting

Massimiliano

Edited by MAXBAR1

1 hour ago, MAXBAR1 said:

In the meantime, I ask you: every day, even a couple of times a day, I scan for harmful elements (the recommended scan): do I need a custom scan every time, and do I need to add the rootkit scan every time (which still creates that problem only in the custom scan and not in the harmful elements scan)?

If you have the paid-for Premium version, you only need to do a simple Threat scan daily; no need for full custom scans.  Also, rootkit scanning is not needed with every scan (assuming you have an AV and the Premium version of MB3). The Premium version is protecting you actively, so it would detect the infections and stop them in their tracks.

I have layered protection on my computer, so I only run Hyper Scans daily, then a weekly Threat scan with rootkits enabled.  That works for me.


@Firefox has hopefully answered most of your questions regarding scan types, but I can say that this fix most likely won't make it into the final release of 3.5. As mentioned, it's not really a bug, just a weird experience from scanning large files. It's in our list of things to fix, but at this point it's probably too late to make any changes for things like this in 3.5.


Is the first part of Firefox's answer also valid for those who, like me, only have Malwarebytes on the PC and no other product (I do not even have Windows Defender, as I wrote above)?

Thanks


Edited by MAXBAR1

Just now, MAXBAR1 said:

Is the first part of Firefox's answer also valid for those who, like me, only have Malwarebytes on the PC and no other product (I do not even have Windows Defender, as I wrote above)?

Yes, that's correct.  Honestly, the Custom scan pretty much only exists because some users would complain if the product didn't provide some kind of "custom" or "full" scanning capability to check other locations for threats, but the truth is, if a system is infected, the threat is most likely active, and if the threat is active, it will be detected by the Threat scan regardless of where it's hiding.  Conversely, the Research team is constantly testing and detonating malware samples and analyzing infected systems to monitor the behavior of threats, including where malware installs itself and hides and whenever a new location is discovered that a threat is found to be installing, this location gets added to the Threat scan by the Research team and these changes happen in database updates so they don't even require waiting for the Developers to build a new version of the product.  I personally never use the Custom scan option.  To me it's pretty much useless.


Thanks for everything: I will follow all your suggestions.

Greetings.

Massimiliano
