New Potentially Unwanted Modification: DisableMRT

[AbbotPlagueis]

Today's scan flagged two "PUM.Optional.DisableMRT":

Registry Value: 2
PUM.Optional.DisableMRT, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7117], [676881],1.0.10396
PUM.Optional.DisableMRT, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7117], [676881],1.0.10396

I can't find further details about the PUM; can anyone offer insights?  The only thing I can think of that changed in the past 24 hours was an update to Google Chrome and an update to Steam.  Scan log attached.

DisableMRT.txt

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab
   
    
7. Click the Gather Logs button
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
    
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[David H. Lipman]

A software restriction policy was set to Disable the Microsoft once per month On Demand anti malware scanner known as MRT ( Malicious Software Removal Tool ) .

MBAM is flagging the Potentially Unwanted Modification ( PUM ).  One should allow the once per month release and subsequent scan by the MRT.

 

[jkessler]

I received the same message today as well.

 

Any idea how to change the restriction policy to allow the once per month release and scan by the MRT? I am running Windows 10 Pro.  Shall I just click the "Quarantine Selected" button or do I need to manually edit the registry? Thanks in advance for your help.

[exile360]

If you allow Malwarebytes to quarantine it then that should be all that is necessary to reset it back to default so that it will run when the next version of MRT is released.

[AbbotPlagueis]

Thank you for the replies @David H. Lipman and @exile360; very helpful.

[exile360]

You're welcome, and please let us know if there is anything else we might assist you with  

[tofrus]

Wait I don't understand, so is that a virus or what? and should I quarantine and deleted it?

[exile360]

No, it's not a virus.  It's just a system setting that has been modified from its default and allowing Malwarebytes to quarantine it resets it back to its default setting.

[hepta45]

So what is it that we need to do?

1) Malwarebytes says: those 2 things are bad.

2) how do we go from here? as in: what do we need to do? and what should we not do?

[ITSUP]

Any updates on what we should do? Our email is flooded with notifications, hundreds of them...

[David H. Lipman]

exhile360 and I have provided all there is needed to know.

Disabling the Policy is not a good idea and MRT ( Malicious Software Removal Tool ) should be allowed.

When one quarantines this PUM by MBAM it nullifies the problem and MRT is allowed to perform it duties.

 

[ITSUP]

2 minutes ago, David H. Lipman said:

exhile360 and I have provided all there is needed to know.

Disabling the Policy is not a good idea and MRT ( Malicious Software Removal Tool ) should be allowed.

When one quarantines this PUM by MBAM it nullifies the problem and MRT is allowed to perform it duties.

 

what if i add these two registry paths to ignore list?

[David H. Lipman]

Assuming you can, if you do the Policy will disallow the MRT functionality and leave your computer less-safe.

 

[JamminR]

Hi All.

Since as of this moment, Google search is now placing this topic at the top of it's results page, I felt I must post.
I too have 4 reports of this "optional" PUM regarding MRT.

Registry Value: 4

PUM.Optional.DisableMRT, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTOFFERTHROUGHWUAU, No Action By User, [7122], [676880],1.0.10470
PUM.Optional.DisableMRT, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7122], [676881],1.0.10470
PUM.Optional.DisableMRT, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTOFFERTHROUGHWUAU, No Action By User, [7122], [676880],1.0.10470
PUM.Optional.DisableMRT, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7122], [676881],1.0.10470

 

Further research indicate that, at least in my 4 examples, those exact 4 changes do NOT prevent MRT from running/working during Windows updates/other scheduled or forced scans.
They simply try to prevent the MRT results from being sent to Microsoft.

If you've ever run DoNotSpy, Windows Anti-Beacon, or any other number of (legitimate non-infected versions) of Windows "privacy" applications, they often make settings changes like the ones being discussed. (I personally choose to opt out of data sharing whenever possible)

 

[hepta45]

On 5/2/2019 at 4:33 PM, David H. Lipman said:

exhile360 and I have provided all there is needed to know.

Disabling the Policy is not a good idea and MRT ( Malicious Software Removal Tool ) should be allowed.

When one quarantines this PUM by MBAM it nullifies the problem and MRT is allowed to perform it duties. 

 

So agian... What is it that all 100's of people now, need to do.
act like we are dummies. using this program to help us out. right now it (Malwarebytes) says: "those 2 things are bad" (The things OP is posting about) but we know those 2 things are good.

So...what do we need to do?
as in: stap 1: do this, step 2, do this. stap 3, done.
right now i see sooooooo many people online who dont have a clue, and think Malwarebytes is "broken"

So is it broken? need to wait for a patch? or what?

[exile360]

It's up to you, but Malwarebytes is not 'broken'; MRT has been broken by these applications by configuring Windows/MRT to a non-default setting which prevents MRT from being downloaded or run.  MRT is nothing more than a monthly updated malware detection and removal tool updated and distributed by Microsoft to deal with common threats that infect Windows users.  It is not part of the massive telemetry collecting initiative initiated by Microsoft with the launch of Windows 10 so if these 'anti-spying'/'anti-telemetry' utilities are messing with MRT then they are overstepping their boundaries in my opinion, because MRT is simply doing the same things it has done since it was first offered all the way back to the days of Windows XP.  It checks for common threats on the system and if found, it removes them and informs the user.  It does indeed report its findings back to Microsoft's threat research team as it has always done, but that's not the same thing at all as Cortana, CEIP or any of the other massive telemetry collecting efforts employed by Microsoft in Windows 10 to allow them to become more like Google, Facebook and other corporations that use telemetry collection as a business model.  In fact, assuming those 'anti-telemetry'/'anti-spying' tools are blocking the telemetry collection servers/hosts as they should, then there should be no need to disable MRT from running anyway, even if you don't want it 'phoning home' because the servers it reports back to should be blocked anyway.  Running MRT is no different than using Windows Defender as your antivirus or even simply running Windows Update; while these tools do collect some level of telemetry data, it is nowhere near the level of data Microsoft attempts to collect in tools like the new search and voice utilities in Windows 10 and they are nowhere near the level of privacy compromise as say using Google Chrome as your browser (that's not to say that you do use Chrome; I have no idea, but if you do then your browser is a far greater risk to your privacy than running MRT will ever be).

[exile360]

By the way, for anyone that does wish to have these items excluded by Malwarebytes all you need to do is perform a Threat scan and once the scan completes, uncheck the boxes next to any detections you do not wish to have quarantined by Malwarebytes and click Next.  When asked what to do with the remaining detections select the option to always ignore them and they will be added to your exclusions so that Malwarebytes does not detect them in future scans.

[klauwkikker]

I have also these two pum's. but my question is how are the register values changed? I did not run a privacy program or changed anything. My concern is that a virus did this.

Is this possible?

[exile360]

Yes, it's certainly possible.  In fact the entire reason this is a detection in Malwarebytes is because a threat may disable MRT to prevent malware scanning by the tool in case MS adds detection for the threat in the future.  If you are concerned that you may be infected then please follow the instructions in this topic and then create a new topic in the malware removal area including the requested logs and information by clicking here and one of our malware removal specialists will assist you in checking and cleaning the system of any threats as soon as one is available.  Even if you don't believe the system is infected it could be a good idea just for peace of mind to make sure.

[tofrus]

On 5/1/2019 at 1:59 PM, exile360 said:

No, it's not a virus.  It's just a system setting that has been modified from its default and allowing Malwarebytes to quarantine it resets it back to its default setting.

I see, thank you for the info.

[exile360]

You're welcome, and for further info, anything detected as PUM (which stands for Potentially Unwanted Modification) isn't an actual threat, it's just a setting/configuration option that has been modified from its default which may render the system less secure or less usable in some way.  These are special signatures that target things like policy restrictions and security functions in the operating system, particularly in group policy and the registry, that look for such settings changes that are often made by malware to render a system less secure and/or less usable by the user to possibly prevent detection and/or removal of the actual threat (for example, disabling access to Task Manager so that the user cannot try to terminate the infection's processes running in memory or disabling access to regedit to prevent access to the registry to try and eliminate a loading point for the infection that allows the threat to run on boot).  You'll find some common examples of PUM detections in this support article.

The presence of a PUM can be a sign that the system may be infected, however it isn't a guarantee as a user may have modified these settings deliberately or if in a business environment your systems administrator may have changed these policies to limit access to certain critical system functions for security reasons and to prevent their users from accessing certain OS functions and settings.

[klauwkikker]

9 hours ago, exile360 said:

Yes, it's certainly possible.  In fact the entire reason this is a detection in Malwarebytes is because a threat may disable MRT to prevent malware scanning by the tool in case MS adds detection for the threat in the future.  If you are concerned that you may be infected then please follow the instructions in this topic and then create a new topic in the malware removal area including the requested logs and information by clicking here and one of our malware removal specialists will assist you in checking and cleaning the system of any threats as soon as one is available.  Even if you don't believe the system is infected it could be a good idea just for peace of mind to make sure.

I just look at mrt.exe on my pc and it was from Januari 2018. So i've had these pums since that time. Is it so that Mbam just recently dedect those pums?

I have scane done by Hitman pro, Defender , Mbam and online scan from Trendmicro and have no treaths.

[exile360]

Yes, I do believe this detection was added recently to Malwarebytes (this would explain why we're only now seeing these reports from users such as yourself about the detections) but I don't know that for certain; that's just my speculation and no one from the Malwarebytes Research team has confirmed that yet to my knowledge.  What's odd is, if it isn't an infection or 'privacy'/'anti-telemetry' type application changing these settings, I wonder what it could be?  It's very odd, and I'm certain it isn't Microsoft doing it because they're the ones who publish a new build of MRT every month for the express reason of trying to clean up users' PCs from common threats that their research team is targeting.  If they didn't want it to be downloaded each month and run they would just pull it from the monthly updates/patches because they're the ones who update and publish it through Windows Update each month.

[klauwkikker]

@exile360  I think that i changed some settings begin 2018. Thank you very much for youre help.