SnarkySneaks

Is this a legitimate update notification?


Hey guys,

Today, Malwarebytes's main menu showed this update notification, and I wanted to know if this is a legitimate update.

This might sound paranoid, but I have experience with illegitimate Malwarebytes update notifications (nothing to do with websites).

This is the menu, can anyone confirm if this is a legitimate update?

If this is usually legitimate but can be compromised, how do I check if it is/isn't?

https://i.imgur.com/s4AlkU0.png

Edited by SnarkySneaks


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

    welcome mbst.png
     
  • Click the Gather Logs button

    gatherlogs.png
     
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     notify me.jpeg  


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     

    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    mb_attach.jpg.220985d559e943927cbe3c078b
     

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Have you selected to download Beta versions? If so then it might be genuine.
If not, then usually there’s a notification on this site for new versions; also, the MB download seems to show the newest version was released in May.
I’d be suspicious until an official confirmation.

2 minutes ago, Doctor9fan said:

Have you selected to download Beta versions? If so then it might be genuine.
If not, then usually there’s a notification on this site for new versions; also, the MB download seems to show the newest version was released in May.
I’d be suspicious until an official confirmation.

Nope. Beta updates are turned off.


The version you have is 3.4.5 and the latest version of Malwarebytes is 3.5.1, so it is probably a correct notification. There is indeed a newer version than the one you have. So I would say it is legitimate. What makes you think it isn't?

3 minutes ago, mightaswell said:

The version you have is 3.4.5 and the latest version of Malwarebytes is 3.5.1, so it is probably a correct notification. There is indeed a newer version than the one you have. So I would say it is legitimate. What makes you think it isn't?

Like I said, I've dealt with an infected Malwarebytes update notification before, so I wanted to be really careful this time.

10 minutes ago, mightaswell said:

No problem at all. You are wise to be careful and if in doubt check. 

I'm replying to say that the update is legitimate. The thing is that I never had an update notification since that incident in April.


Just for additional info, as it's relevant to the initial question of legitimacy: if a notification like this is displayed within the Malwarebytes UI and/or from a Malwarebytes tray notification, then the source is from the data files stored in the Malwarebytes ProgramData folder and/or Program Files folder, both of which are (by default, assuming it is enabled) protected by the Self-Protection component (the driver once known as Chameleon, itself based on the Malwarebytes Chameleon set of technologies for installing, launching and protecting Malwarebytes in a hostile, infected environment), and is downloaded from Malwarebytes update servers via encrypted connections, so the probability of false/malicious info being displayed within the actual Malwarebytes UI, either in the main interface as depicted in the image uploaded by the original poster or in an actual Malwarebytes tray notification (branded as such and displayed via the mbamtray.exe process for the curious), is extremely low. Malwarebytes has done much over the past several years to safeguard against malicious infiltration and manipulation by malicious actors such as malware and hackers from using the product against the users/customers to deceive or infect them.

Obviously, if the bad guys were to replicate the appearance of the Malwarebytes UI and/or tray notifications, that's something different altogether and, while possible, not as likely these days, with rogue AV/AM products being far less common than they once were years back. As long as you are certain that it is in fact the actual Malwarebytes UI you are looking at, you can rest assured that the information presented is official/legitimate.

I am not saying that there is anything wrong with coming here to check and make sure as that just shows extra caution and good sense with regards to protecting yourself from being scammed, deceived and possibly infected, however I just wanted to set your and anyone else's who might be viewing this thread minds at ease with regards to the measures that are now in place to protect against the product being hijacked for malicious purposes.


I got no notifications of a new update but pressed the "Install Application Update" button out of boredom and got a new update which changed Malwarebytes to the version below. I do have the Beta Option Installation turned on but can't, at first glance, see any reference to this version in these forums.

UPDATE: Just seen @exile360 post above, so nothing to worry about, I guess.

MalwarebytesVersion.JPG


Yes, that notification won't show up for component updates which is what the new beta is.  The person who created this thread was running an older major version, build 3.4.5 I believe, which is why they got an in-app notification about a new major version (version 3.5.1, which you already had prior to installing the beta).  Generally component updates will automatically and silently be downloaded and installed, at least when possible, so you won't actually see it happen, though like all application updates they are rolled out gradually and semi-randomly so you won't necessarily get it immediately once it becomes available unless you click the Install Application Updates button found under Settings>Application within the main UI which forces it to download them if any are available.

Edited by exile360

42 minutes ago, exile360 said:

Yes, that notification won't show up for component updates which is what the new beta is.

I agree, but the 1.0.421 is NOT a beta.... it's a release as we don't have Beta Option turned on.... and yet there are no official posts or notes of a new release.... If this .421 was meant to be a BETA then it was incorrectly released.... just saying...


It almost seems like it's a beta (or developer) version that was incorrectly released to the public. I don't have the Beta option active but got .421 last night.

In MBAMSERVICE.LOG I found those lines:

08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: AEControllerImpl.dll"
08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: ArwControllerImpl.dll"
08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: CleanControllerImpl.dll"
08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: CloudControllerImpl.dll"
[...]

Those lines usually occur during a CP update, but only name "mbupdatr.cpp" without the jenkins path.

Also in the folder "Program Files\Malwarebytes\Anti-Malware\sdk" I found additional files named "mbam.tmf", "mbamchameleon.tmf", "mbamswissarmy.tmf" and "mwac.tmf" were installed. Those are ASCII files "trace message format" and seem to contain information for a debugger / Windows function call trace utility. They are clearly from a development environment. The first few lines of "mbamswissarmy.tmf" e.g. read:

// PDB:  d:\Jenkins\workspace\N_Swissarmy_Kernel\src\..\bin\x64\Win7_Release\mbamswissarmy.pdb
// PDB:  Last Updated :2018-07-24:01:34:08:964 (UTC) [tracepdb]

The MBAMSERVICE.LOG also refers to the TMF files in one line:

08/14/18	" 23:26:00.300"	11058015	0ef8	08c4	INFO	SPSDK	SetGpIfeoProtection	"selfprotectionuser.cpp"	929	"Starting Wpp logging - path = C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\MbamChameleon.tmf"

Also the INF files for the drivers contain "incorrect" (old) version information. Except for the version line, they're identical to version .391. The version info in the driver SYS files themselves is okay. Catalog files and driver files are correctly signed.

Maybe someone can provide some clarification why a regular update version contains such development related data? :)

Edited by Loc2262
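Added example, not part of Loc2262's post and not Malwarebytes code: a small Python triage of the MBAMSERVICE.LOG lines quoted above, listing updated modules and flagging records whose source field is an absolute build-server path or whose message names a .tmf file. The field positions are inferred from the quoted lines (an assumption), and the `ExampleImpl.dll` record is constructed to show the bare-file-name case the post describes as usual.

```python
import re

# Field layout is inferred from the lines quoted in the post (an assumption):
# 11 tab-separated fields; the source file sits in field 7 or 8 depending on component.
BUILD_SRC = r"e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp"
TMF = r"C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\MbamChameleon.tmf"

def _update_line(source, dll):
    return "\t".join(["08/14/18", '" 23:25:57.986"', "11055703", "0000", "1ea4", "INFO",
                      "mbupdatr.exe", source, '"wmain"', "476", f'"Updated module: {dll}"'])

SAMPLE = [_update_line(BUILD_SRC, d) for d in (
    "AEControllerImpl.dll", "ArwControllerImpl.dll",
    "CleanControllerImpl.dll", "CloudControllerImpl.dll")]       # records from the post
SAMPLE.append("[...]")                                            # elision marker, not a record
SAMPLE.append("\t".join(["08/14/18", '" 23:26:00.300"', "11058015", "0ef8", "08c4", "INFO",
    "SPSDK", "SetGpIfeoProtection", '"selfprotectionuser.cpp"', "929",
    f'"Starting Wpp logging - path = {TMF}"']))                   # record from the post
SAMPLE.append(_update_line("mbupdatr.cpp", "ExampleImpl.dll"))    # constructed: bare file name

ABS_PATH = re.compile(r"^[A-Za-z]:\\")

def parse_line(line):
    """Split one record; return None for anything that is not an 11-field line."""
    fields = [f.strip().strip('"').strip() for f in line.rstrip("\r\n").split("\t")]
    if len(fields) != 11:
        return None
    source = next((f for f in fields[7:9] if f.lower().endswith((".cpp", ".c", ".h"))), "")
    return {"component": fields[6], "source": source, "message": fields[10]}

def review(lines):
    """Collect updated modules, absolute build paths in source fields, and .tmf paths."""
    report = {"updated_modules": [], "build_paths": set(), "tmf_paths": []}
    for rec in filter(None, map(parse_line, lines)):
        updated = re.fullmatch(r"Updated module: (\S+)", rec["message"])
        if updated:
            report["updated_modules"].append(updated.group(1))
        if ABS_PATH.match(rec["source"]):
            report["build_paths"].add(rec["source"])
        tmf = re.search(r"path = (.+\.tmf)$", rec["message"], re.IGNORECASE)
        if tmf:
            report["tmf_paths"].append(tmf.group(1))
    return report

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, sorted(value))
```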

1 hour ago, Firefox said:

I agree, but the 1.0.421 is NOT a beta.... it's a release as we don't have Beta Option turned on.... and yet there are no official posts or notes of a new release.... If this .421 was meant to be a BETA then it was incorrectly released.... just saying...

Ah, my apologies I forgot that it went RTM recently and thought it was still in beta.  I'm sure they'll create a post about it soon, most likely today but just in case I'll make a note of it for my weekly report.

5 minutes ago, exile360 said:

Ah, my apologies I forgot that it went RTM recently and thought it was still in beta.

Even if that is the case... it needs to be announced as soon as they release to avoid confusion, folks want to know what was fixed... Also with new releases they need to update the download link in the main site.


Ladies and gentlemen, thank you so very much for your comments, indications and excellent kind help. You are absolutely correct 1.0.421 is our latest components package update and it derives from the feedback we gathered during our 1.0.418 Beta, my apologies it took me a bit longer than usual to get to the announcement post, have done so a few minutes ago.

Regards,

1 hour ago, Loc2262 said:

It almost seems like it's a beta (or developer) version that was incorrectly released to the public. I don't have the Beta option active but got .421 last night.

In MBAMSERVICE.LOG I found those lines:


08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: AEControllerImpl.dll"
08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: ArwControllerImpl.dll"
08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: CleanControllerImpl.dll"
08/14/18	" 23:25:57.986"	11055703	0000	1ea4	INFO	mbupdatr.exe	e:\jenkins\workspace\a_mbam3_updaterexe\src\mbupdatr\mbupdatr.cpp	"wmain"	476	"Updated module: CloudControllerImpl.dll"
[...]

Those lines usually occur during a CP update, but only name "mbupdatr.cpp" without the jenkins path.

Also in the folder "Program Files\Malwarebytes\Anti-Malware\sdk" I found additional files named "mbam.tmf", "mbamchameleon.tmf", "mbamswissarmy.tmf" and "mwac.tmf" were installed. Those are ASCII files "trace message format" and seem to contain information for a debugger / Windows function call trace utility. They are clearly from a development environment. The first few lines of "mbamswissarmy.tmf" e.g. read:


// PDB:  d:\Jenkins\workspace\N_Swissarmy_Kernel\src\..\bin\x64\Win7_Release\mbamswissarmy.pdb
// PDB:  Last Updated :2018-07-24:01:34:08:964 (UTC) [tracepdb]

The MBAMSERVICE.LOG also refers to the TMF files in one line:


08/14/18	" 23:26:00.300"	11058015	0ef8	08c4	INFO	SPSDK	SetGpIfeoProtection	"selfprotectionuser.cpp"	929	"Starting Wpp logging - path = C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\sdk\MbamChameleon.tmf"

Also the INF files for the drivers contain "incorrect" (old) version information. Except for the version line, they're identical to version .391. The version info in the driver SYS files themselves is okay. Catalog files and driver files are correctly signed.

Maybe someone can provide some clarification why a regular update version contains such development related data? :)

Please allow me to take a stab at it. The .tmf files are part of new enhanced logging functionality.  Some of the file name changes are likely coming from updates to our development tools, it is not debug information. Hopefully this will make sense to you. Thank you so much.

54 minutes ago, Erix said:

You are absolutely correct 1.0.421 is our latest components package update and it derives from the feedback we gathered during our 1.0.418 Beta, my apologies it took me a bit longer than usual to get to the announcement post, have done so a few minutes ago.

Thanks for posting the announcement.... I assume the main site download will be updated soon as well?

6 minutes ago, Firefox said:

Thanks for posting the announcement.... I assume the main site download will be updated soon as well?

Yes sir, you are correct again. Our websites are scheduled to be updated today. Thank you.
