Offline Scanning / Pre-Boot Scanning

Having an option similar to Windows Defender's "Offline Scanning" option would be really helpful, since being able to essentially boot into Malwarebytes and have it run a scan when the rest of the operating system is inactive would make it a lot easier to remove a lot of stubborn threats that fire up before Windows does.

Furthermore, if it boots outside of Windows, then you could run 64-bit code regardless of whether or not you were running a 32-bit version of Windows, as long as your CPU could run 64-bit code.

Let me know what you think of this idea, and if it's even possible with the way that the Windows operating system works.

Why am I not able to edit my own posts...? o.o

Anyways, an addendum: It recently came to my attention that Windows Defender is going to be a Sandboxed program in later versions of Windows, drastically reducing the chances of a user getting screwed over by viruses that target Windows Defender directly. This is technically a different suggestion, but it is still very related to what I am suggesting.

Greetings,

Thanks for the suggestion.  While Malwarebytes does not currently have an offline boot disc/utility, they do use several features that help to thwart malware that attempts to load early in the boot process to protect itself, including several features of the remediation engine such as the DoR (Delete on Reboot) technology built into Malwarebytes for removing persistent threats, as well as the Anti-Rootkit engine which is used for not only detecting and removing hidden/active/embedded rootkits, but also for repairing the fallout/damage caused by many rootkit infections to core Windows components and services like Windows Update, Security Center/Action Center and even Windows Defender itself if damaged by malware.

Malwarebytes also uses self-protection to guard its files, processes and data from being modified, terminated or deleted by unauthorized processes and users to prevent infections from stopping Malwarebytes from being able to remain active.

No problem at all.  It actually used to be a lot more common that bootable tools were required to remove threats, however over the past several years things have changed a lot in the threat landscape with most infections looking to either silently siphon data, scam the user with false claims (like the frequent tech support scams we see these days), or to exploit the user's browser or other software in order to download and execute some kind of malicious script, most of which don't even try to gain administrator access to the machine (because they want to avoid any User Account Control prompts that could present an opportunity for the user to easily intervene and stop the attack in its tracks), so most threats can now be dealt with inside Windows, either from the infected account, or by logging into another user account, or even by simply booting into Safe Mode and scanning from there, and with the DoR technology I mentioned, as long as Malwarebytes detects a threat and marks it for removal, it doesn't matter how early the malware tries to launch during the boot process to protect itself, it will fail because of other things that Malwarebytes does in preparation for the system restart/removal process (like breaking the files it has detected so that they can't run again and creating a cleanup script and driver that automatically execute as early as possible in the boot process to remove the detected malware from the system).

That said, should the need arise again for an offline scanning environment, I have no doubt that the Malwarebytes team will look into creating a solution for it.  This is actually something that Malwarebytes has investigated and worked on in the past multiple times, however each time they ended up finding an alternate solution that proved much simpler for users (since it didn't require creating a separate bootable tool/disc etc.) and just as effective at eliminating the threats they were targeting that were proving more difficult than usual to deal with from within Windows.  This is also where projects like Malwarebytes Chameleon came from, which has since evolved into the self-protection platform now used by the Premium version of Malwarebytes to guard against threats terminating or altering Malwarebytes' components and processes.  Originally it was a set of utilities that would get Malwarebytes running in hostile/infected environments when threats were attempting to block Malwarebytes from installing or running on the system and would keep Malwarebytes alive long enough to scan for and remove any threats from the system while suspending malicious processes in memory to prevent them from preserving themselves.  If the need arises, I'm sure they will resurrect that technology for Malwarebytes 3, but at the moment the threat landscape seems to be shifting towards cross-platform and mobile threats now that more users than ever are accessing the web via mobile devices using browsers that run on both Windows and their smart phones as well as other platforms like Mac OS and Linux.  Those threats aren't quite as difficult to deal with, but they are sneakier and much easier to make, so they're much more common.  This is also why technology like the new Malwarebytes browser extension beta and the Exploit Protection in Malwarebytes Premium are so important, and I'm anxious for the browser extension to come out of beta so that more users will become aware of it.

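The Delete-on-Reboot approach described in the reply above depends on cleanup work running before the malware gets its turn during boot. Windows itself offers one such hook: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues rename/delete pairs in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which the Session Manager processes very early in boot, before services and logon. Whether Malwarebytes' DoR uses this value or its own driver is not stated in the thread, so what follows is an added example, not Malwarebytes code: a parser that lets a defender audit what has been queued in that value (from an exported blob), since remediation tools and malware both leave entries there. The sample blob and every path in it are constructed.

```python
from typing import Dict, List, NamedTuple


class PendingOp(NamedTuple):
    source: str
    destination: str  # "" when the entry is a delete

    @property
    def kind(self) -> str:
        if self.destination == "":
            return "delete"
        if self.destination.startswith("!"):
            return "replace"  # leading '!' encodes MOVEFILE_REPLACE_EXISTING
        return "rename"


def nt_path_to_win32(path: str) -> str:
    """Drop the '!' flag and the NT-style '\\??\\' prefix stored in this value."""
    p = path[1:] if path.startswith("!") else path
    return p[4:] if p.startswith("\\??\\") else p


def parse_pending_ops(raw: bytes) -> List[PendingOp]:
    """Decode a REG_MULTI_SZ blob (UTF-16LE) into (source, destination) pairs.

    Every string is NUL-terminated and the whole list ends with one extra NUL,
    so a delete entry (an empty destination string) must not be mistaken for
    the list terminator: strip exactly one NUL, split, and drop the split tail.
    """
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        raise ValueError("not a terminated REG_MULTI_SZ blob")
    items = text[:-1].split("\x00")[:-1]
    if len(items) % 2:
        raise ValueError("odd number of strings: value is malformed")
    return [PendingOp(items[i], items[i + 1]) for i in range(0, len(items), 2)]


def summarize(ops: List[PendingOp]) -> Dict[str, int]:
    counts = {"delete": 0, "replace": 0, "rename": 0}
    for op in ops:
        counts[op.kind] += 1
    return counts


def build_multi_sz(strings: List[str]) -> bytes:
    """Encode a REG_MULTI_SZ blob; used here only to construct the sample."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


# Constructed sample with hypothetical paths: one delete, one replace, one rename.
SAMPLE = build_multi_sz([
    r"\??\C:\Users\user\AppData\Roaming\dropper_example.exe", "",
    r"\??\C:\Windows\Temp\cleanup_driver.new", r"!\??\C:\Windows\System32\drivers\cleanup_example.sys",
    r"\??\C:\Temp\old.log", r"\??\C:\Temp\archive.log",
])

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE):
        print(f"{op.kind:7} {nt_path_to_win32(op.source)} -> {nt_path_to_win32(op.destination) or '(removed)'}")
```

On a live system the blob would come from the registry value itself (for example via winreg.QueryValueEx with the raw bytes), which is why the parser takes bytes rather than a string.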

If you guys do make an offline scanning system for MBAM 3, though, then it would give you a chance to experiment with a lot of OS-independent optimizations that could benefit the user later-on (perhaps even rewrite the slowest parts of it in raw Assembly instead of C++, to squeeze out every last ounce of bare-metal horsepower), or to handle viruses detected on other operating systems in a multiple-boot setup.

Actually, since there already are Malwarebytes engines based on Linux as well as Mac OS, and even products on several mobile platforms I doubt they could do much in the way of optimization beyond what they already have, at least nothing they'd learn from building a bootable version, especially if it were based on WinPE, which would probably be necessary for effective/efficient malware removal on Windows platforms (especially for dealing with file-less threats that use the registry).

As for detecting threats from other platforms, they haven't implemented that yet as far as I know, however as long as each device has Malwarebytes running on it then it shouldn't matter because each device will protect itself against cross-contamination from connections and transfers from other devices.

By multiple-boot, I meant multiple operating systems on a single device, but still allowing Malwarebytes to detect threats to either one as long as it understands the filesystem or other basic structures of the OS. There are drivers on Windows, for example, that let you detect and correctly operate various filesystems used by Linux and other platforms.

I think I'm going to put this issue to rest for the time being, though, because it is getting a bit off-topic now.

Yep, I knew what you meant.  Such setups are more of a specialized scenario though I think and not really a common use case, but I do still see the value in adding detection for other threats to each product/engine as it does simplify things and help to keep from spreading malware to other systems and environments.  I don't know if they will ever implement such functionality, but they may as time goes on as they expand their portfolio of products into more platforms.
