Unwanted Premium Trial Quarantines Legit Programs


I created an account just to register my discontent, and then I'll be gone from the forum and from Malwarebytes.

Windows 7 Pro on a Dell Vostro.

Had Malwarebytes installed for the occasional scan because even careful users like me sometimes get the odd spyware because of unscrupulous vendors including unwanted stuff I didn't ask for. It's an OK free tool for that purpose. Not great, not as good as it once was, but easy to find and install, so it is (was) among the tools I use on the infrequent occasion that I run into an infected machine. (I'm the IT manager for my company, which of course leads to being the IT manager for friends and family too ;)

I've never had any need or desire for Premium or its ilk being my real-time nanny.

Got a nag pop-up today that there was a new version of Malwarebytes, and I figured I might as well update, because at the time I figured an occasional scan is always a good idea.

I was wrong.

I kicked off the install, and when it finished it told me about the "Free trial of Malwarebytes Premium". I didn't opt for that, nor did I see any obvious method of opting out, because I most certainly would have. Said to myself "Oh well, no harm. It can run in the background and when it nags me to upgrade I'll just say no and that will be the end of it."

I was wrong.

This is Problem #1 - I wanted to simply apply the update to plain old Malwarebytes scan tool, but an update wasn't what was installed. It was a "free trial of Malwarebytes Premium", which was NOT expressed anywhere before installation. So, you installed something that I didn't ask for - the classic delivery system for MALWARE!

The very next thing I did was open a perfectly legitimate piece of software from a perfectly legitimate vendor. I use it in my business every day, as do a lot of people in my business. The only thing that happened was that I got a pop-up that Malwarebytes had blocked it, and said pop-up promptly disappeared. I thought "OK, false positive, no big deal. I'll merely tell Malwarebytes to make an exception for this executable, and continue on my merry way."

I was wrong.

This is Problem #2 - With the default settings I didn't want that are applied to the software I didn't ask for, Malwarebytes takes it upon itself to Quarantine (not "block" as the pop-up stated, but Quarantine) an application without giving the user any option to exclude it.

Which brings us to Problem #3 - Since I know the difference between "block" and "quarantine", it took much longer than necessary to find out where to make an exception, as at first I didn't look at the "Quarantine" tab in the dashboard - because it said it was "blocked". Clicking on the Notifications only showed me that the action was taken, with no indication whatsoever of what I could do about it. No explanatory text, no button to undo, no links of any kind, just the option to Export the information.

I finally looked at the Quarantine tab and found the entry. Here there was a "Restore" button, so I thought "Aha! Simply click that and I'm back in business!"

I was wrong.

(Actually, I'm not positive it said "Restore" or if it was some similar term - I've already uninstalled Malwarebytes and I'm certainly not going to install it again to get the reference correct! If someone wants to flame me for getting the label wrong, have at it troll)
Anyway, after clicking the button I attempted to open my application, and it was gone from the Start menu! I checked, and the shortcut had also disappeared from my Desktop!
WTF? Who do you think you are? It's one thing to block the executable from running, it's quite another to presume to remove it from MY Start menu and desktop. That's unnecessary and intrusive. Of course, I know how to go find the executable, create a shortcut in Start and on the Desktop, change the icon back to my preference, rename it to a more convenient name than the executable, etc... in other words, MANUALLY RESTORE it... kind of what a reasonable person would have expected the "Restore" button to do.

OK, so you wasted some of my time with that exercise, but I can't help thinking -  what if this happened to my 83 year old mother? How would some casual home user ever regain access to their perfectly legitimate application that was quarantined by Malwarebytes?

The default settings in Malwarebytes Premium are a potential disaster for the user, and the most likely consumer of this type of product is the least likely to be able to extricate themselves from the problems it can cause.

Look, I'm fine with you looking for a way to cash in on Malwarebytes. It's your property and there's nothing wrong with marketing it. However there IS something wrong with marketing it deceptively, which is exactly what you are doing when an "update" installs a completely different product. That's MALWARE.

Maybe you should change the name to "Malware!(...bites!)"

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

  • Click the Gather Logs button

  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

     [Image: notify me.jpeg]


    Click "Reveal Hidden Contents" below for details on how to attach a file:
     
    To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

    [Image: mb_attach.jpg]

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/ to get help

If you need help looking up your license details, please head here: Find my premium license key 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

Edited by AdvancedSetup
updated links
Link to post
Share on other sites

Thanks for your feedback, and I'm sorry you had such a rough experience. I'll try to address this as best as I can, and let me know if you have any follow up questions:

Premium Trial Upgrade: This is something we offer to our users occasionally after an upgrade has happened. While I do understand the confusion that can come from having one configuration and getting a new one, many of our customers appreciate this benefit and enjoy it. You can deactivate the premium trial at any time using the process outlined here.

Automatic Quarantine: We do automatically quarantine items that are viruses. PUPs and PUMs however are defaulted to warning you and prompting what to do. We believe the default behavior keeps the majority of our users protected and safe, and this option can be disabled at the bottom of Settings -> Protections. Obviously this doesn't help you with the default settings, I'm simply trying to explain our reasoning.

Un-quarantine Items: When we find a threat on the machine, we don't just remove that single piece of the threat, we remediate all traces of the threat that exist. This includes start menu items, desktop items, etc. These items are all listed under the quarantine section as well. You should've been able to place a check next to multiple items and restore all of them, including the desktop and start menu shortcuts.

All this being said, I'll be sure to send this feedback to our product teams so they can review it and see if there's any way we can improve the user experience here. Again, we do appreciate the feedback even though it meant you had to deal with these issues.

Edited by AdvancedSetup
updated links
Link to post
Share on other sites

Hello dcollins

Thanks for responding. To address your points:

Premium Trial Upgrade: Offering this to users is fine, but it wasn't an "offer". I didn't have a choice. If I had been given a choice I would have declined. It wasn't "offered", it was unilaterally implemented without my knowledge or permissions, regardless of what your intentions may have been. That's NOT the right way to go about it to my mind. When I book a plane ticket in coach, they always offer me the opportunity to upgrade to business or first class, and that's fine - I can evaluate whether it's worth it to me and choose accordingly. That is an offer. Malwarebytes offered me nothing - it was imposed upon me unwittingly and unwillingly.

Automatic Quarantine: This was NOT A VIRUS! It's a legitimate commercial application. It may be narrowly specific to my industry, but that is hardly uncommon - who doesn't have a piece of software that's industry-specific? Merely originating from an unfamiliar vendor does not make an application a virus. Further, it's simply an industry-specific MySQL based database, which is NOT A VIRUS. How are MySQL and derivatives thereof viruses? It's not even web-aware beyond being able to connect to SMTP!
The upshot of this is that Malwarebytes isn't up to the task of identifying viruses if it determines that MySQL databases qualify as such. Therefore, it should not automatically quarantine by default, because it doesn't possess the heuristic chops to make that decision.

Un-quarantine Items: This is an unacceptable presumption that serves no purpose! YOU know better than I DO what action I want to take??? A Start menu link to an executable that is quarantined can do no harm whatsoever, so it has no security purpose. Giving the USER the OPTION to delete these items... "offer" it to them, as it were... would be not only more useful, but more in line with how security software generally operates. Further, telling me what "should" have happened when I restored is infuriating! I know what "should" have happened - I'M HERE BECAUSE WHAT SHOULD HAVE HAPPENED DIDN'T!
It's broken. What "should" have happened is for dcollins to say "OMG, it didn't restore your shortcuts? Something is broken, and we'll fix that!"

... but again, what should have happened, didn't.

of·fer
ˈôfər,ˈäfər/  
verb
verb: offer; 3rd person present: offers; past tense: offered; past participle: offered; gerund or present participle: offering
  1. present or proffer (something) for (someone) to accept or reject as so desired.
Link to post
Share on other sites

Thanks for the responses. When it comes to the trial upgrade, I have passed your feedback along to our product teams to review, so they will be able to review your comments and see if action needs to be taken.

For the program that was quarantined, we would need more information to be able to understand why it was classified incorrectly. Since you already uninstalled Malwarebytes, your scan report will be gone unfortunately, but if you have the executable in question that was triggered, you could zip it up and send it to me and I can try to find out why it was detected. It may not even have to run, you could just try zipping up the main .exe that was detected and private messaging it to me. I understand if you don't want to do this though.

And lastly, for the desktop/shortcut stuff being removed, we classify what action to take based on what's best for the majority of our users. While you may be a power user and want full control over that information, if we look at your original example of your 83 year old mother, she most likely just wants her computer to work. This means if she has an infection, and we only removed the infection, but not the desktop shortcut, she may click on that desktop shortcut. You're right that it's not harmful, but at that point, it's going to throw up a scary message about not being able to find a file and now your mother is probably going to call you wondering what to do (at least that's how it goes in my family when the computer breaks). We want to make sure the action we take by default is best for the majority of our users, and let our power users have more control.

So again, I understand your frustration, and unfortunately I don't have any concrete answers to say "Here's how I'm going to fix this for you", but I have made sure to relay this info to the people who can read this over and see what action can be done in the future to make this process smoother and less of a hassle.

Link to post
Share on other sites

Yeah, put the Premium Trial checkbox back in, maybe even unchecked by default or that Unchecky might pick it up.

I'm glad it still picked up the forgotten default Open Candy installer for CDBurnerXP when the clean one wasn't available. Keep up the good work, less on the march of progress to take over a user's control ?

Link to post
Share on other sites

Just to provide some additional info for anyone who might come across this thread, below is the dialog displayed when Malwarebytes detects and quarantines an item via its Malware Protection component where I've highlighted key components that should prove helpful to anyone having similar issues with the current implementation:

[Image: detection.png]

While it does indeed use the term blocked in the large, bold green text at the top, just below that it does explain that the item was automatically quarantined (this is standard practice for the vast majority of anti-malware and antivirus applications, including Windows Defender which ships with all modern versions of Windows by default).

Below that is a button called View Quarantine which, when clicked will open the main Malwarebytes UI to the Quarantine tab where you may see what was removed and also restore the item if you choose, however it is accurate that you must navigate to Settings>Exclusions to exclude an item from detection if you wish to do so as there is no way to do so from the Quarantine tab and there is no Restore and Exclude or "Restore and Ignore" functionality built into Malwarebytes as some (though not all, as I've only seen it a couple of times across many AVs) other products have.

As for the program's START menu shortcut, I'm not certain why it was removed as I just tested with a shortcut for a detected EXE placed in the all programs START menu for all users as well as the one for the current user (my user account) and neither was deleted by Malwarebytes.  I also tested with an item pinned to the START menu and it was not removed either, though Windows did display a prompt asking me if I wanted to delete each of the shortcuts when I tried to open them after Malwarebytes had removed the executable they were pointing to which is standard behavior for Windows in general for any such item.  I believe there is a setting in Windows that will automatically check for and remove any obsolete/missing items from the START menu, however unless you deliberately configured your system that way I don't think Windows would remove it by default.  That said, there is another possibility.  If Malwarebytes has a threat signature specifically targeting that shortcut, it would be removed when you tried to open it.  This is standard practice for things like PUPs and some malicious threats when they are known to create shortcuts on the user's system for the sake of thorough cleanup/leaving no traces of the detected software behind.  It is also normal if a scan was run for Malwarebytes to remove the detected executable as well as any shortcuts and startup entries (such as an entry in any of the RUN keys in the registry pointing to the detected item) pointing to it, however the real-time protection in Malwarebytes that detects an item when you attempt to execute it does not work this way (again, unless there was a signature specifically targeting that shortcut directly, which is not very common, especially if it was a heuristics detection; the most likely source of a false positive).

Also, for anyone who wishes to decide what Malwarebytes should do with detected items in its real-time protection layer, they can change the setting highlighted below to Off (it is on by default, again because this is standard practice throughout the industry and generally speaking, most users seem to want Malwarebytes to take action automatically when an item is detected rather than having to make the determination themselves whether or not to remove an item that has been detected, however the option is there to disable this behavior for power users who prefer to decide what to do with detected items):

[Image: autoquarantine.png]

If an item is detected and you believe it to be a false positive you may submit it to the Malwarebytes Research team directly for review by following the guidelines explained in this pinned topic and creating a new thread here for files detected as threats both by the scanner as well as the Malware Protection component in Malwarebytes.  Other areas are provided for false positives within the other components of Malwarebytes here, each section including pinned topics on how and what information to provide for the Research team to be able to act on your false positive reports.

I hope that this information is helpful and for the record, I too agree that an option to disable the free trial during installation would be beneficial being a power user myself.

Link to post
Share on other sites

2 hours ago, exile360 said:

As for the program's START menu shortcut, I'm not certain why it was removed as I just tested with a shortcut for a detected EXE placed in the all programs START menu for all users as well as the one for the current user (my user account) and neither was deleted by Malwarebytes.  I also tested with an item pinned to the START menu and it was not removed either, though Windows did display a prompt asking me if I wanted to delete each of the shortcuts when I tried to open them after Malwarebytes had removed the executable they were pointing to which is standard behavior for Windows in general for any such item.

In your test, it is possible that the START menu shortcut was not removed because it was not in the Malwarebytes database. From a tech perspective I believe it's better to remove them.  If a user reboots the computer then they may get other popups stating I can't find "xyz" program to run, etc.  The start menu shortcut is only a pointer to the executable and although it's not really malicious, I'd rather have it remove it for a clean sweep and not have to go remove it manually.

Link to post
Share on other sites

4 hours ago, exile360 said:

Just to provide some additional info for anyone who might come across this thread, below is the dialog displayed when Malwarebytes detects and quarantines an item via its Malware Protection component where I've highlighted key components that should prove helpful to anyone having similar issues with the current implementation:

[Image: detection.png]

While it does indeed use the term blocked in the large, bold green text at the top, just below that it does explain that the item was automatically quarantined (this is standard practice for the vast majority of anti-malware and antivirus applications, including Windows Defender which ships with all modern versions of Windows by default).

Below that is a button called View Quarantine which, when clicked will open the main Malwarebytes UI to the Quarantine tab where you may see what was removed and also restore the item if you choose, however it is accurate that you must navigate to Settings>Exclusions to exclude an item from detection if you wish to do so as there is no way to do so from the Quarantine tab and there is no Restore and Exclude or "Restore and Ignore" functionality built into Malwarebytes as some (though not all, as I've only seen it a couple of times across many AVs) other products have.

Thanks for posting a snip of the popup - my description was from memory and might have confused someone new to the thread.

One thing that you didn't mention is how long this popup is visible before disappearing. It's a few seconds. As it is obviously most likely to appear when the user's attention is on opening their application (and Windows and other apps are constantly popping up garbage notifications in the corner), it takes a few seconds to notice, read, and comprehend. I know in my case it was just as I was saying "Oh crap!" that it disappeared. Going to Malwarebytes in the system tray DOES NOT allow you to pop it back up - you can only look at information about the quarantined program, and does NOT contain a link to View Quarantine. None of this is tragic, but neither is it helpful or intuitive. Does including explanatory text cost money? If Malwarebytes programmers have the technical ability to include a "View Quarantine" button, couldn't they apply that same skill to add a "Remove from Quarantine" button? The clueless granny that this is obviously aimed at could always NOT click on it....and the not-clueless user could...

4 hours ago, exile360 said:

That said, there is another possibility.  If Malwarebytes has a threat signature specifically targeting that shortcut, it would be removed when you tried to open it.  This is standard practice for things like PUPs and some malicious threats when they are known to create shortcuts on the user's system for the sake of thorough cleanup/leaving no traces of the detected software behind.

Again, this is a legitimate commercial application. Yes, it's not well known outside of the charter motorcoach industry (but very popular within), but in the end it's a MySQL-based DBMS. So where would Malwarebytes ever get a threat signature specifically targeting that shortcut? And if that's not it, how does any DBMS exhibit any malware-like heuristic qualities to trip a scanner? As for this being standard practice, I'm sure you know more about it than I do, but I've never before had something like this happen with any other piece of software in this vein. (My experience has been the opposite, with Malwarebytes and others failing to get rid of all traces of KNOWN malware).

Not sure why shortcuts weren't removed in your test... but I find that more discouraging than encouraging. That tells me that what Malwarebytes is doing is even more opaque to the user - me AND you apparently - so who knows what it's going to do next? NOT the way I like to operate! Why not have a "welcome" screen on first use, explaining what the options are and allowing the user to CHOOSE? Granny could skip reading it and click on the green button, and other users could at least be AWARE and make an INFORMED choice.

I do realize that the setting to automatically quarantine can be changed, but I (or any user who hasn't used it recently) obviously could not possibly know beforehand that I might want to change it!

4 hours ago, exile360 said:

If an item is detected and you believe it to be a false positive you may submit it to the Malwarebytes Research team directly for review

I'm not comfortable submitting an executable that I didn't personally write. It's someone else's intellectual property, and I don't think it's a user's place to give it to a third party. I realize that makes it pretty difficult for the authors of scanning software to compensate for false positives, but I also don't want to violate a vendor's T&C. An option might be to allow the user to submit the executable NAME and the vendor contact info, so Malwarebytes can get it straight from them, but that's not without problems either. Another would be to alert the vendor, but Malwarebytes isn't what it once was, and I doubt most vendors would care if it falsely detects their stuff.

Myself, I'll just pass on Malwarebytes from now on. ADWCleaner replaced Malwarebytes quite a while back as my first-line scanner anyway, but I see that Malwarebytes bought ADWCleaner, so who knows what will happen with that.

Link to post
Share on other sites

13 minutes ago, tdwatson said:

I'm not comfortable submitting an executable that I didn't personally write. It's someone else's intellectual property, and I don't think it's a user's place to give it to a third party. I realize that makes it pretty difficult for the authors of scanning software to compensate for false positives, but I also don't want to violate a vendor's T&C. An option might be to allow the user to submit the executable NAME and the vendor contact info, so Malwarebytes can get it straight from them, but that's not without problems either. Another would be to alert the vendor, but Malwarebytes isn't what it once was, and I doubt most vendors would care if it falsely detects their stuff.

While the name and vendor don't really help us at all, the hash of the file in question does as this should allow us to look up the file in our records to try and see why it was detected. There are lots of tools to get the MD5 or SHA256 of the file, but if you have at least Windows 7, the following should work:

  1. Press Windows Key + R to open the run dialog
  2. Type cmd and click Ok
  3. In the black box that comes up, type the following command. Be sure to replace FILEPATH with the path to the file in question (make sure to leave the quotation marks in place)
    certutil -hashfile "FILEPATH" MD5
  4. Take a screenshot of the window and paste the contents

Note that submitting the Malwarebytes logs from the detection would also allow us to look up all this information, but since you've already uninstalled it we have to use these other methods.

Link to post
Share on other sites
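The hash-based lookup described in the post above, as an added example that is not part of the original thread or of any Malwarebytes tooling: it normalises pasted `certutil -hashfile` output (some certutil builds print the digest as space-separated byte pairs, others as one unbroken string) and checks it against a locally computed digest, so a file can be identified without handing over the binary. The function names, sample path and sample output are constructed for illustration.

```python
"""Normalise pasted `certutil -hashfile` output and check it against a file."""
import hashlib
import re

# Hex digest length for each algorithm name handled here.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Header line, with or without the word "file" before the path:
#   "MD5 hash of file C:\path\app.exe:"   or   "MD5 hash of C:\path\app.exe:"
_HEADER = re.compile(
    r"^\s*(MD5|SHA1|SHA256) hash of (?:file )?(.+?):\s*$", re.IGNORECASE
)

# Constructed sample output (hypothetical path). Digests are those of b"hello world".
SAMPLE_SPACED = (
    "MD5 hash of file C:\\Apps\\Example\\app.exe:\r\n"
    "5e b6 3b bb e0 1e ee d0 93 cb 22 bb 8f 5a cd c3\r\n"
    "CertUtil: -hashfile command completed successfully.\r\n"
)
SAMPLE_COMPACT = (
    "SHA256 hash of C:\\Apps\\Example\\app.exe:\n"
    "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9\n"
    "CertUtil: -hashfile command completed successfully.\n"
)


def file_digests(path, algorithms=("MD5", "SHA256"), chunk_size=1 << 20):
    """Read the file once and return {algorithm: lowercase hex digest}."""
    hashers = {name: hashlib.new(name.lower()) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def parse_certutil(text):
    """Return (algorithm, path, digest) from pasted certutil output.

    Raises ValueError when no header is found or the digest has the wrong
    length, e.g. because the paste or screenshot transcription was cut short.
    """
    lines = text.splitlines()
    for index, line in enumerate(lines):
        match = _HEADER.match(line)
        if not match:
            continue
        algorithm = match.group(1).upper()
        # The digest is the first non-blank line after the header.
        for candidate in lines[index + 1:]:
            if candidate.strip():
                digest = re.sub(r"\s+", "", candidate).lower()
                break
        else:
            raise ValueError("header found but no digest line follows it")
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algorithm], digest):
            raise ValueError(
                "%s digest must be %d hex characters, got %r"
                % (algorithm, HEX_LEN[algorithm], digest)
            )
        return algorithm, match.group(2), digest
    raise ValueError("no certutil hash header found")


def verify_paste(text, local_path):
    """True when the pasted digest matches the file at local_path."""
    algorithm, _reported_path, digest = parse_certutil(text)
    return file_digests(local_path, (algorithm,))[algorithm] == digest


if __name__ == "__main__":
    for sample in (SAMPLE_SPACED, SAMPLE_COMPACT):
        print(parse_certutil(sample))
```
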

You can also grab the character string following the detection which should be listed in the log entry for the item.  You should be able to locate it if you open Malwarebytes and navigate to Reports and then locate the item showing Malware blocked and double-clicking on it then making a note of the text directly beneath the Threat field at the beginning of the entry (you may expand the column header if there is insufficient room to display the entire entry) and the text displayed beneath the ID field located at the end on the right side of the line.  That will tell the Research team precisely which signature in the database hit the file so that they will know why it was detected.  If they have no copy of the file and cannot locate it based on its hash (quite possible for a custom executable not widely available to the public), then the hash will not help them to determine why the file was detected.

As for your comments regarding functionality, while I do understand what you're saying, I also know for a fact (because I used to work on it personally with the Developers and Researchers so I know quite a lot about the inner workings of its engine/detection/removal capabilities and policies) that it would not remove the shortcut without creating a copy of it in Quarantine, so if Malwarebytes removed it that is where you will find it along with the actual file itself that it removed.  If the shortcut isn't there, then Malwarebytes didn't remove it and I know that there is a setting in Windows to have it remove any shortcuts that are no longer used/no longer point to a path/file that actually exists on disk so if that is the default for your version of Windows (I don't know as I'm on Windows 7 myself) or that setting has been modified to do so, then it was the OS that deleted it, not Malwarebytes.

With regards to the notifications and the tray as well as the Quarantine tab, I actually do agree with you.  There should be more ways to find out what happened more easily and address it if it is a false positive and you wish to restore and exclude the item.  I have suggested some similar changes in the past and will do so again and point them to this thread with your comments and experience.  I cannot promise that things will be changed as it is ultimately up to the Malwarebytes team, however I can assure you that they do not ignore user feedback and if they feel it is what most users would want and that it is beneficial, they will implement it once they have the bandwidth available to do so (i.e. probably when they are making other changes to the UI and flow of the program; likely in some major release as that's typically where they reserve such changes for as do most software vendors).

As Firefox noted above, you can change the display duration for notifications, but out of the box it is on a rather short timer so I may also recommend that they change the default for that, or perhaps provide an option to display certain notifications for a longer duration (still controllable by the user of course as some may still want it to be up for a shorter period of time) and to show ones like this where something has been quarantined automatically for a longer period of time.

Edited by exile360
Link to post
Share on other sites

Well it's certainly heartening to see quick and literate response to an issue. It goes a long way to restoring some faith in the technical end of Malwarebytes, if not the business end.

I do like to try to be part of the solution if I'm going to bitch about a problem, but as stated previously, I'm not in love with the idea of sending a vendor's exe file to a third party, even with the best of intentions. I'm not in the software development biz, so I don't claim to know the ins and outs or how things are "done". I don't really have a feel for what the impact might be of having your proprietary meal-ticket shared without your knowledge. I think I'll give the vendor a call on Monday and see how they feel about it. If they're OK with it I'll submit the file.

BTW, I was mistaken - it's based on SQLAnywhere, not MySQL. However, either way it's pretty common technology so I'd be curious to know why it would trigger a false positive.

Regardless of the technical "why" of the false positive, I still remain aghast and indignant at the "how" that got me into this minor mess. I think it's a huge mistake on the part of Malwarebytes to dumb-down what was once a premier anti-malware tool.

Link to post
Share on other sites
