Why can't I remove (wanted) files from quarantine without rebooting?


As I said, it's a damn nuisance to have to reboot before I can recover files from quarantine.

Is there no setting in Malbam (3.6.1) so that it can be programmed to ask me first before deciding which files are dodgy?

Also, it's a damn nuisance to have to enter the path for excluded files manually, when the path has been logged in a report, and it should be possible to paste that path into the program.

Greetings,

Unfortunately you cannot restore an item from quarantine before reboot due to the Delete on Reboot (DOR) technology that Malwarebytes uses for ensuring that threats are removed from the system completely.  This takes place on the first system restart following the quarantine of a threat to ensure that it is actually removed from the system, so if the file were restored before then, the DOR execution on the next reboot would delete the file you restored resulting in it being permanently removed from the system without even having a backup copy in quarantine.

As for entering items into exclusions, yes, unfortunately it isn't as simple as it could be.  Having dealt with many programs over the years and entering exclusions, this sadly is actually a pretty common implementation, however it is possible for it to be better and easier to use and I will suggest to the team that they consider improving it to make it more flexible in the future.  A copy/paste function for the path should be feasible.

Thanks for the feedback, and if you have any additional ideas and/or feedback please don't hesitate to post.

Thanks

exile360: Thanks for your response. Shame about the DOR. However, this nuisance could be ameliorated if MB could be programmed to ask before it acted. NOD32 had this ability. OK, it mightn't be a good idea for inexperienced users to have to decide if a certain file was dodgy or harmless, but there could be an 'expert' setting in the app.

I think this should be looked at. As a computer builder/serviceman for 30 years, I know exactly which of my files could be seen as dodgy by an app but are actually harmless. It's a PIA to have MB keep making arbitrary decisions without consulting me.

Oh, and re the copy/paste function. If that's to be implemented, it should be noted that the file in question may not actually be in that location, because MB has already moved it into quarantine. Therefore, you can't enter the path manually because the file isn't there any longer. However, this shouldn't be a problem for a clever programmer...

1 hour ago, Firefox said:

Hello @byteback

Check your settings under Settings -> Protection -> Automatic Quarantine

If you have that set to ON then that's why it's happening.

Thanks Firefox, yes, with regard to real-time protection you can configure Malwarebytes to ask rather than auto-quarantine. For scans, if something was removed (for example by a scheduled scan configured to remove anything it detects, though that too can be changed, or by a manual scan where you have it remove something), you'll still need to reboot before restoring an item from quarantine.

Regarding exclusions, it doesn't matter if the file exists or not.  The Exclusions interface in Malwarebytes doesn't need for a path to actually exist for an item to be created (I know this because this is how the managed business version works, with centrally managed policies to control exclusions for all managed clients).  In fact, the path/folder exclusions are recursive, so if it's a particular program you're trying to exclude that maybe updates and you want to ensure that it never gets blocked, just exclude its folder paths under Program Files/ProgramData etc. and that should prevent it from being detected (just make sure the installer isn't detected either, of course; though that can be dealt with by reconfiguring Malwarebytes to ask what to do as Firefox mentioned above).

Edited by exile360

Firefox, thanks, I'll check out that setting.

exile360: I'm not sure what you mean. When I manually enter the path of a file (that isn't there because it's been banished) I can't complete the exercise because the target file can't be 'pointed to'.

Hard to explain, hope you get my drift 🙂

Yep, I know what you mean.  I'm just saying that from a Developer perspective they shouldn't need to make any changes to make Malwarebytes accept such custom exclusions since the business/enterprise version can already process exclusions for objects/paths that don't necessarily exist.  It's just a matter of opening up that capability to the users in the consumer version so that you may manually write custom exclusions rather than having to browse directly to the path/target in the browse dialog.

A "Restore and Ignore" function could also work, where you have Malwarebytes restore an item from quarantine and immediately add it to the Exclusions.  I've seen some AV/AM products with this functionality and it would certainly be handy in situations like this, but I don't know if that's what users would want or not.

I think 'expert' users would be glad of the opportunity to do that.

But the thing that irritates me the most is the requirement to reboot before I can restore the quarantined item. I usually have 20 - 30 Firefox tabs open, together with several Word docs and possibly a game or two, and it's a real nuisance to have the app bleating at me to restart the machine.

Ah, I see, so it's the notifications that are bothering you.  Yes, that's understandable.  That said, it's really not typical for there to be a false positive detection like this, and if a detection isn't a false positive then rebooting as soon as possible is generally a good idea to ensure that the system is properly cleaned before the threats might try to resurrect themselves as some do; of course as I mentioned earlier, it's also a safety measure to ensure that items aren't removed permanently without a backup also.

As far as the notifications themselves go, you can disable them if you need to by using the setting under Settings>Application below where it says Notifications.  Just toggle that setting off until you're ready to restart the system and you should be fine.  You'll still get notifications about more critical issues like protection components being disabled (there's a separate setting that controls those notifications).

21 hours ago, exile360 said:

1) Ah, I see, so it's the notifications that are bothering you.  Yes, that's understandable.

.....As far as the notifications themselves go, you can disable them if you need to by using the setting under Settings>Application below where it says Notifications

1) Sorry, I dashed that off in a hurry. The notification isn't that big a deal - it's more that the file in question is not only out of reach, but it was put there without my intent or permission, and now I have to interrupt everything I'm doing to reboot, possibly jeopardizing data, before I can retrieve the file. But after that, I have to tell MB to exclude that file from future scans, and that, in itself, is time consuming. Unless I can find the report, and save it as a text or excel file, I can't cut and paste the file's path. I've used a screen grab app to record the path, but even then, it's necessary to read the jpg or png and type the path manually.

It really is a PIA.

Malwarebytes' exclusions are recursive, so you don't have to exclude the target EXE if it's in its own program folder.  Instead you can exclude the entire installation folder for the app being detected which will prevent Malwarebytes from detecting any of the application's files, including new ones which might be created when the program is updated to a newer version.  That said, obviously with the reconfigured detection setting for it to prompt you on whether or not to quarantine detected items as Firefox indicated it becomes moot anyway.

I guess the crux of the issue is that it all operates under the assumption that Malwarebytes is going to detect false positives, and while that certainly is possible, it shouldn't happen so frequently that it becomes a major issue.

Also, if the detection in question is being classified as a PUP (Potentially Unwanted Program) then you can also control how Malwarebytes handles those types of objects by using the drop-down menu under Settings>Protection in the Potential Threat Protection section.  You can set it to treat the detections as malware (default; i.e. quarantine), warn (i.e. detect but do not remove/prompt the user on what to do with the detections), or ignore so that no PUPs are detected.

So yes, under the default settings this type of scenario can be disruptive if you need the file(s) back immediately and don't want to reboot, but it's only that way to prevent Malwarebytes from permanently removing those items via DOR without retaining a backup in quarantine which would be far worse.

Also, if the issue is with a scheduled scan you can modify the default settings for those as well by navigating to Settings>Scan Schedule and double-clicking on the scheduled scan or highlighting it and clicking on Edit, clicking Advanced in the scan editor and unchecking the Quarantine all threats automatically checkbox.  That will change the behavior so that whenever that scheduled scan detects something, it will only log it and not remove it.  That allows you to assess the situation at your leisure and decide what to do with the detections, whether you decide to scan and have Malwarebytes remove them, or to exclude them if you don't want Malwarebytes to detect them any longer.


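The two posts above describe folder exclusions as recursive and as not requiring the path to exist at the time the exclusion is created. The following is an added illustration of that matching behaviour, not Malwarebytes code: it models a recursive, case-insensitive Windows path exclusion (the product's own matcher is not public, so the exact rules are an assumption) and runs it over a constructed detection report to show which detections a single folder exclusion would cover, including a file added later by an update and the pitfall of a sibling folder with a similar name.

```python
import ntpath  # Windows path semantics, so this also runs on Linux/macOS

# Constructed sample report (not a real Malwarebytes log); the "File:" lines
# stand in for the paths a user would otherwise have to retype by hand.
SAMPLE_REPORT = r"""
File: C:\Tools\NirSoft\produkey.exe
File: C:\Tools\NirSoft\update\newhelper.dll
File: C:\Tools2\other.exe
File: C:\Users\me\Downloads\setup.exe
"""


def _norm(path: str) -> str:
    """Normalise for comparison: collapse '..' and '/', lowercase, drop a
    trailing backslash. No filesystem access, so the path need not exist."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_excluded(path: str, exclusions) -> bool:
    """True if `path` is an excluded item or lies anywhere beneath an excluded
    folder (recursive). The separator check stops C:\Tools from matching
    C:\Tools2 by plain prefix."""
    target = _norm(path)
    for ex in exclusions:
        e = _norm(ex)
        if target == e or target.startswith(e + "\\"):
            return True
    return False


def report_paths(report: str):
    """Pull the detected file paths out of the constructed report text."""
    return [line[len("File: "):].strip()
            for line in report.splitlines()
            if line.startswith("File: ")]


def triage(report: str, exclusions):
    """Map each detected path to whether the given exclusions would cover it."""
    return {p: is_excluded(p, exclusions) for p in report_paths(report)}


if __name__ == "__main__":
    for path, covered in triage(SAMPLE_REPORT, [r"C:\Tools\NirSoft"]).items():
        print(("excluded   " if covered else "detected   ") + path)
```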
27 minutes ago, exile360 said:

...Also, if the issue is with a scheduled scan you can modify the default settings for those as well by navigating to Settings>Scan Schedule and double-clicking on the scheduled scan or highlighting it and clicking on Edit, clicking Advanced in the scan editor and unchecking the Quarantine all threats automatically checkbox.  That will change the behavior so that whenever that scheduled scan detects something, it will only log it and not remove it.  That allows you to assess the situation at your leisure and decide what to do with the detections, whether you decide to scan and have Malwarebytes remove them, or to exclude them if you don't want Malwarebytes to detect them any longer.

38 minutes ago, byteback said:

I found that ' Quarantine all threats automatically ' was already unchecked.

There are 2 places to turn off.

[Attachments: MB QT 1.png, MB QT 2.png]

And on the scheduled scan you choose that option on each type of scan you have scheduled.

Edited by Porthos

Yes, by default for both the default scheduled scan that runs daily with Premium as well as for real-time protection each is configured to quarantine threats automatically, but as long as you've changed them now it will prevent this from happening going forward so that you will get to decide how detections are handled rather than Malwarebytes removing anything automatically.

exile360: I could have said that better. What I meant was that both boxes were already unchecked. I didn't have to uncheck them. So files are being quarantined without being directed to do so.

Porthos: No, not PUPs, executables. But harmless EXEs from an outfit called Nirsoft. The guy writes lots of small apps that are very useful for techs.

The more I think about this issue, the more I respect my old NOD32 AV. It could be instructed to just warn about threats, then wait to be told what to do about them. Obviously, AV programmers mostly need to protect the bunnies, people who neither know of nor care about the files that flow in and out of their computer, as long as they're protected from harm.

But there's also a sizeable chunk of AV consumers who know what they're doing, know not to click on every exe they find, know to hit the reset button at the slightest hint that the computer has suddenly begun to behave oddly, know to do regular and proper backups, etc, etc. But these guys still need protection, albeit on a level that they can ultimately control. It's like owning a guard dog - you want it to bark when it thinks it sees a burglar, but you also want it to learn that it's not to bark at your mates and relatives.

15 minutes ago, byteback said:

But harmless EXEs from an outfit called Nirsoft. The guy writes lots of small apps that are very useful for techs.

I agree they are useful for techs. I am one myself. I just exclude the folder my tools are in, which includes Nirsoft. When I work on a client's computer, I turn off all AV (habit) when I know I will be using my USB with those tools. Most AV programs will flag/delete those tools.

34 minutes ago, byteback said:

exile360: I could have said that better. What I meant was that both boxes were already unchecked. I didn't have to uncheck them. So files are being quarantined without being directed to do so.

That's not good, it is supposed to honor those settings, they shouldn't have been removed if the settings were configured that way.  To be clear, was it the real-time protection that detected/quarantined them, or was it a scheduled scan?  I ask because each has its own settings to control the behavior on detection of threats.

By the way, I too use many of Nir Sofer's tools.  They can be quite handy.

Know what you mean, been building and servicing computers for 25+ years. Like a lot of techs I have a love-hate relationship with AV apps.

Can't live with 'em and can't live without 'em.

Maybe I should just set MB to concern itself solely with my SSD C:\ drive. Pretty much all it holds are the OS and a few apps.
