
New Potentially Unwanted Modification: DisableMRT



  • Staff

You're very welcome :)

That's good to hear.  I hope that none of you seeing these detections are actually infected by anything and so far it sounds like most of you have an idea of how these settings were modified so that's good news.

FYI, I also just read in a recent topic related to these detections that they were in fact added to the database recently and it was indeed due to the fact that some malware infections do change these settings so for anyone that is positive that they did not change these settings themselves and you didn't run any kind of anti-telemetry or tweaking tool known to change these settings please follow my advice above and post in the malware removal area, especially if your system is behaving strangely in any way.


In case I'm not the only one who didn't know this, @exile360's advice in comment #18 above is correct and excellent, and helps you exclude those specific Registry Values, not the overall threat.

I, too, wanted to exclude those two items from scans, for privacy protection, but I saw no way to do so.

Although you can use the Settings to exclude files, folders, websites, applications, and exploit processes (?), the only way to exclude a registry value is after detection, if you de-select those items, then click Next.

This is not at all obvious.  I submitted a bug report just now, in this comment, which I surely posted to the wrong thread, in the wrong forum, but I'm new here.

Dan


  • 2 weeks later...

I would like to add that the two Malwarebytes PUM warnings do NOT mean that MRT scans are disabled.  In fact, I can confirm that the MRT scans do still run each month.  Only the telemetry reporting of the scan results to Microsoft is disabled.  Hence Malwarebytes reporting "DONTREPORTINFECTIONINFORMATION", which in itself implies that it is only the reporting that is disabled.

Registry Value: 2
PUM.Optional.DisableMRT, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7117], [676881],1.0.10396
PUM.Optional.DisableMRT, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7117], [676881],1.0.10396

I am able to confirm this as I use O&O Shutup10 and turned on the option "Reporting of malware infection information disabled" last year.  Running a Malwarebytes scan today gave me the two new PUM messages above which confirms the O&O Shutup10 setting is definitely active.  However, if I look in the MRT log (C:\Windows\debug\mrt.log), I can see that scans did in fact still take place both in April and May.  So, the scans most certainly still take place.

Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 10 08:21:07 2019

Microsoft Windows Malicious Software Removal Tool Finished On Wed May 15 08:34:39 2019
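An added example (not part of the original post, and not Malwarebytes or Microsoft code) of the check described above: it extracts the flagged registry value names from the detection lines and lists the months that have no completed MRT run in the mrt.log text. The function names are hypothetical, and the sample inputs are the lines quoted in the post.

```python
import re
from datetime import datetime

# Detection lines as quoted in the post above (Malwarebytes text export).
MB_LOG = r"""PUM.Optional.DisableMRT, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7117], [676881],1.0.10396
PUM.Optional.DisableMRT, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTREPORTINFECTIONINFORMATION, No Action By User, [7117], [676881],1.0.10396"""

# "Finished On" lines as quoted from the MRT log in the post above.
MRT_LOG = """Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 10 08:21:07 2019
Microsoft Windows Malicious Software Removal Tool Finished On Wed May 15 08:34:39 2019"""

FINISHED = re.compile(
    r"Removal Tool Finished On (\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})")

def flagged_values(mb_text):
    """Return (detection, key, value_name) for each registry-value line."""
    out = []
    for line in mb_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or "|" not in fields[1]:
            continue  # not a "KEY|VALUE" registry-value detection
        key, value = fields[1].rsplit("|", 1)
        out.append((fields[0], key, value))
    return out

def completed_runs(mrt_text):
    """Return the sorted datetimes of every completed MRT run in the log text."""
    runs = []
    for m in FINISHED.finditer(mrt_text):
        stamp = " ".join(m.group(1).split())  # collapse padded day numbers
        runs.append(datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"))
    return sorted(runs)

def months_without_run(runs, first, last):
    """(year, month) pairs from first to last, inclusive, with no completed run."""
    seen = {(r.year, r.month) for r in runs}
    missing = []
    y, m = first
    while (y, m) <= last:
        if (y, m) not in seen:
            missing.append((y, m))
        y, m = (y, m + 1) if m < 12 else (y + 1, 1)
    return missing
```

An empty result from `months_without_run` over the period since the setting was changed matches what the poster observed: the value was flagged, yet a scan completed every month.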
 


  • 2 weeks later...
On 5/5/2019 at 3:05 PM, JamminR said:

If you've ever run DoNotSpy, Windows Anti-Beacon, or any other number of (legitimate non-infected versions) of Windows "privacy" applications, they often make settings changes like the ones being discussed. (I personally choose to opt out of data sharing whenever possible)

 

This was my case.  I just ran "ShutUp10" and chose this setting:

[image]

 

When my Malwarebytes daily scan ran, I got:

[image]

 

Since I deliberately want this off, I'm ignoring the Malwarebytes warnings.


On 4/30/2019 at 8:50 AM, AbbotPlagueis said:

 

I can't find further details about the PUM; can anyone offer insights?  The only thing I can think of that changed in the past 24 hours was an update to Google Chrome and an update to Steam.  Scan log attached.

DisableMRT.txt (Unavailable)

I ran into this a couple of times over the last six months, and this is what I found; I'm sure it could be different for others, I thought I would share my experiences in case it helps anyone. 

 

A malicious email was opened, and a link is clicked which prompts the user to enter O365 credentials to retrieve a document.

After the credentials are provided, the document is unable to be downloaded/opened (not sure which, and I don't have access to my sandbox right now to check). At that point either a script is run or a person manually creates a rule on the O365 portal to deliver replies to the RSS Feeds folder (the more recent version of this was much more sloppy and had ALL incoming mail delivering to RSS). The rule doesn't appear in the local copy of Outlook... portal only. The script also seems to prevent Sent copies from being created.

 

In both cases, we never found any sort of payload other than the possibility of the script being run, so this appears to be an effort to harvest email addresses. I'd imagine there are other iterations out there, but the two times I've seen this over the past six months, both were basically this.

 

I hope that helps someone!


  • 4 months later...

There's a chance this software misidentifies that "threat". I "quarantined" it (reset it) and ooshutup10 detected that its setting to "not send detection info back to Microsoft" was reverted.

So either ooshutup10 or malwarebytes is wrong. That setting either doesn't send info to Microsoft or it doesn't scan.

I suspect ooshutup10 is right because today's windows update scanned normally before the setting was reverted. 

On 4/30/2019 at 4:02 PM, David H. Lipman said:

A software restriction policy was set to Disable the Microsoft once per month On Demand anti malware scanner known as MRT ( Malicious Software Removal Tool ) .

MBAM is flagging the Potentially Unwanted Modification ( PUM ).  One should allow the once per month release and subsequent scan by the MRT.

 

 


On 6/2/2019 at 11:37 PM, x1a1x said:

This was my case.  I just ran "ShutUp10" and chose this setting:

[image]

I think this software should not even warn. I had that ooshutup setting enabled too and Microsoft scanned normally.

I think it's explicitly what ooshutup10 says there, to just send info back to mothership, not to stop scanning.


If I may, I'd like to add a how-to on setting an exclusion in Malwarebytes for Windows, for those who want to have the pup.optional.disableMRT permanently ignored.

See below.

First, I need to re-emphasize what my colleagues have mentioned before.  The PUP tag is there for good reason, as some malware is the root source of disabling the MS Malicious Software Removal Tool.

 

This is a general method for making an exclusion.

Do one new manual on-demand scan run with Malwarebytes, then you will have a good chance to pick the choice to IGNORE always for that item.
Start a new manual scan.
Then be sure to do a REVIEW when the prompt is displayed.
Look real close at the list of listed items.

Then un-tick all lines that are for the items you wish to keep. Click Quarantine Selected. Then click on the button marked "Ignore always".
It takes the one run with this method to be done one time.


[image]

[image]


click IGNORE Always

NOTE: the line items shown in these screens are just samples.

This topic is now closed to further replies.