
Hi there,

I'm a fan of Malwarebytes and have received nice help here, so I wanted to ask about an issue that is bugging me a bit.

I have a program called UnDeletePlus (eSupport.com), which is a file recovery program like Recuva. For some reason, Malwarebytes always flags a bunch of its files and a few registry entries as "PUP.Optional.eSupportUndeletePlus", which is quite clearly a false positive. What I can't understand is that Malwarebytes detects them at the "Scan Memory" stage, not the File System Scan stage. As they are file streams in fixed locations (like C:\ProgramData), why and how can Malwarebytes find them during the "Scan Memory" stage?

I double-checked that none of these files or entries are loaded into memory at startup (either at logon, checked with MsConfig/Autoruns, or as a Windows service); they are only invoked manually. So I'm a bit lost here.

Hope to get a satisfactory reply here,

Best regards!


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.


If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
  7. Click the Gather Logs button
  8. A progress bar will appear and the program will proceed with getting logs from your computer
  9. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

To save attachments, please click the attachment link below the reply editor. You can click and drag the files to this bar, or you can click "choose files", then browse to where your files are located, select them and click the Open button.

One of our experts will be able to assist you shortly.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 


Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

It most likely is actually detecting them during some of the checks at the beginning such as the registry scan stage (which typically goes by so fast you hardly see it).  It's also possible that one or more of the items is loaded into memory in another process like perhaps a driver or a DLL loaded into explorer.exe.  If that's the case then it is certainly possible for it to detect them during the memory scan stage.  I also believe they recently reordered some of the scan phase components, particularly some of the static heuristics checks to move them from the end of the scan to the beginning in order to eliminate some inefficiencies in the scan engine where it was previously scanning some items multiple times to perform different checks so that could also be the reason for this.

Either way, if you wish to exclude the program in question then just perform a scan and once it completes, click the checkbox at the very top left of the list to uncheck all items detected then click Next and when prompted, select the option to always ignore the remaining detections and they will be added to your exclusions list so that they will not be detected by future scans.


Hi @exile360,

You are helpful again here, many thanks. However, based on your initial sentence, I want to point out that the registry scan stage comes well after the memory scan. I only have the rootkit scan enabled, which takes place before the memory scan and always comes back clean, as I double-checked with the Malwarebytes Anti-Rootkit tool. The only thing I suspect is that the heuristic scan caches or remembers previous scans or logs and somehow "might" gather the PUM files at the memory scan stage instead of the File System scan stage. Other than this, I am quite sure no process is loading any malicious code/file into memory related to the corresponding PUM object.

I am attaching a picture of the stages of a generic Threat Scan, in order.

Thanks!

[Attached image: MalwarebytesFree1-1024x546.png]


Malwarebytes Anti-Rootkit doesn't detect PUMs and it also uses an older engine version than the latest build of Malwarebytes 3 as it hasn't been updated in quite a while (because there haven't been any new rootkits found in the wild in a long time).

It could also be coming from the startup scan, which, while it does say "files", actually also includes some registry locations such as the RUN keys and other known loading points so this also could be where the detections are coming from.

I also noticed that in the image it isn't showing any detections even though it's past the memory scan stage; did you already exclude them from the scan?

You should also post one of your scan logs showing the detections as I could probably tell you where the detections are coming from based on that as well.

Edited by exile360
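As an added example (not part of this thread and not Malwarebytes' own tooling), the following PowerShell script checks the two hypotheses exile360 raises above: whether any running process currently has a module (EXE/DLL) loaded from the program's folder, and whether any Run/RunOnce key or Windows service points into that folder. The folder path is an assumed placeholder; take the real one from the detection lines in your scan log.

```powershell
# Added diagnostic example; not from the forum thread or from Malwarebytes.
# ASSUMPTION: the program's files live under this folder (placeholder path).
$Root   = 'C:\ProgramData\UnDeletePlus'
$Prefix = $Root.TrimEnd('\').ToLowerInvariant()

Write-Host "== Processes with a module loaded from $Root =="
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    # Protected or cross-bitness processes refuse module enumeration; skip them.
    try { $mods = $proc.Modules } catch { return }
    foreach ($m in $mods) {
        if ($m.FileName -and $m.FileName.ToLowerInvariant().StartsWith($Prefix)) {
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $m.FileName }
        }
    }
} | Format-Table -AutoSize

Write-Host "== Run / RunOnce values referencing $Root =="
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)".ToLowerInvariant().Contains($Prefix)) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

Write-Host "== Services whose binary path references $Root =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName.ToLowerInvariant().Contains($Prefix) } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that modules in SYSTEM-owned processes and HKLM keys are readable; an empty result in all three sections supports the idea that the detections come from a registry or startup check rather than from code actually resident in memory.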

