
how to find name of quarantined malware?



I have Malwarebytes Premium for Mac (version 3.8.17). Sometimes it discovers malware and automatically quarantines it. But when I go to the Quarantine tab and click on "Show Quarantine" (as the user manual instructs), nowhere does it tell you what the quarantined threat actually was. All you get is a list of folders and files, all with impenetrable computer-code names, and it doesn't say anywhere what the actual name of the quarantined item is. But when an anti-malware program takes something out of my system and puts it into quarantine, I want to know what that threat was. Why can't Malwarebytes provide this simple information, in an easily accessible way?

Or is there some vital step I'm missing out here?

 

(PS: I originally posted this query to the Windows forum by mistake)


You have not missed any steps here. What you are seeing in the Quarantine folder are the exact names of the files / folders that were quarantined as malware by Real-Time Protection. The name of the threat is not recorded anywhere.

You may be the first Mac user who has ever expressed an interest in knowing such information. Most are simply satisfied with the knowledge that whatever they downloaded is no longer a threat. I'm sure the developer would entertain attempting to add such information to a future release, if there is sufficient demand and can be reasonably added or displayed as logged information.

And one more comment on the wording you used. Malwarebytes should never intentionally move anything out of your "System" to quarantine and is prohibited from doing so in all versions of macOS since El Capitan was released with System Integrity Protection. The majority of all downloaded and/or installed malware can be found in the User and Applications areas of your computer.

 

 


Thanks for your informative reply. It's good to know I wasn't missing any steps in trying to identify the threats that were quarantined.

I may be the first Mac user who has ever expressed an interest -- on this Forum -- in knowing the name of the threats that MWB quarantines. But I seriously doubt if I'm the first Mac user who has ever wanted an answer to the question itself. (Most people don't write to technical forums.) I've used numerous other antivirus and anti-malware products in the past, and if memory serves correctly, all of them have identified the threats that they remove or quarantine. So I'm not asking for anything that isn't already pretty much an industry-standard feature of such products.

Moreover, the Windows version of MWB *does* provide this (and other relevant) information: if you click on Quarantine in the dashboard, this info is grouped under the headings "Name", "Date", "Type", and "Location". The Mac version, on the other hand, simply gives a button that allows you to view the raw folders and files containing the quarantined items, without any identification of what the threat was (i.e. no name, date, type or location). So why the difference between the Windows and Mac versions of the same software?

This was not a casual query on my part (-- not that any justification should be necessary.) I'm a human rights activist who has been working for several decades on one of the most repressive and technologically sophisticated countries on earth. Lately I've received numerous security alerts from Google saying "we believe we detected government-backed attackers trying to steal your password. This happens to less than 0.1% of all Gmail users." Google wants me to join their Advanced Protection program, which involves buying two separate security dongles and using them each time I log in to my accounts. (Google says the less than 0.1% of users who get targeted in this way are typically "journalists, activists, business leaders, and political campaign teams".)

In short, I need to know what specific malware is being directed at my computers and phones. This, surely, is the first step towards being able to find out who and where it is coming from, and whether or not I should be adding any additional layers of anti-malware protection, on top of what MWB provides.

In my view, Mac users should have the same entitlements as Windows users, and it shouldn't be necessary to plead a special case -- or to mobilize other Mac users into requesting the same treatment as Windows users -- before MWB takes action on this apparently missing feature of the Mac version.

By the way, I'm aware that MWB doesn't remove anything from my system, and that the user has to actively clear the quarantined item in order to do so. Sorry if I used the technically wrong word in my previous posting. I'm not a computer expert.

Again, many thanks for responding to my query.

 


1 hour ago, Kamchatka7 said:

 In my view, Mac users should have the same entitlements as Windows users, and it shouldn't be necessary to plead a special case -- or to mobilize other Mac users into requesting the same treatment as Windows users -- before MWB takes action on this apparently missing feature of the Mac version.

For the most part I would agree with you on that. There are some differences between Windows and macOS that do make a difference in this respect, but not this particular one.

Malwarebytes for Mac is a relatively new addition to the family here, accomplished by bringing AdwareMedic onboard, with additional features being added over time, most of which bring it closer to the Windows offering.


  • 3 weeks later...

I've been a MWB for Windows user for years. When I discovered the Mac version of MWB was available, I didn't hesitate to download and install it since I've been so happy with MWB for Windows. So, thank you very much for bringing MWB to the Mac! And good news that the information available will at least be approaching that available in the Windows version (@alvarnell, the Windows version provides much more information). Even relatively novice users I know on Mac and Windows like to know why something's happening, especially if a program they obtained from a trusted source gets quarantined. I'd echo @Kamchatka7's assertion that most users (of either Mac/Win bent) simply don't post to forums like this, adding that it's probably because they don't have time or value the information enough to make the time to post, not to mention learning how to sign up/use the forum and potential public shaming likely added to the mix. 

But as to wanting information:  While I trust MWB a good deal, antimalware engines make mistakes or at least mischaracterizations, especially with things they designate as PUP, so more information is often needed to decide whether that quarantined PUP that I've been using is harmless or is/has morphed into a real threat. That information is still available in MWB for Windows, but not in MWB for Mac, and it should be, so thank you @treed for letting us know that its addition is planned. I hope that the "Restore" feature of the Windows version will also be coming to the Mac version.

Example: MWB popped a notification of quarantine and that a restart was required; clicking the notification didn't open MWB, so I opened MWB from the menu bar to find out what was quarantined and why. Opening the quarantine folder to learn the identity of the offender was a little weird, but easy enough. The offender (ChargeBerry) is a program I downloaded from the App Store and have been using for months, so I wanted to know why it was quarantined. Going to Reports, I was dismayed at the dearth of information and the lack of an "Undo Quarantine" or "Restore" option for false positives or PUP that I actually do want. Because MWB quarantined the program, I'm somewhat hesitant to restore it without more information about why it was quarantined, but want to because it's been a nice tool. So it's off to web search land to try to determine why the program was flagged as malware (or PUP - don't know).

So, all of that complaining said, I still value and appreciate having the Mac version at all and look forward to its continued development.

Regards,

Hnk 

P.S. For reference for those not familiar with the Windows version, here are the Mac Reports tab vs. the Windows Reports tab:

Mac:

[image: Mac Reports tab]

 

Windows (it's Win10 Home - I use WindowBlinds with a Mac-like skin):

[image: Windows Reports tab]


I've been a MWB for Windows user for years. When I discovered the Mac version of MWB was available, I didn't hesitate to download and install it since I've been so happy with MWB for Windows. So, thank you very much for bringing MWB to the Mac! And good news that the information available will at least be approaching that available in the Windows version (@alvarnell, I see that you're Mac Guru, and you probably know this, but the Windows version provides much more information). Even relatively novice users I know on Mac and Windows like to know why something's happening, especially if a program they obtained from a trusted source gets quarantined. I'd echo @Kamchatka7's assertion that most users (of either Mac/Win bent) simply don't post to forums like this, adding that it's probably because they don't have time or value the information enough to make the time to post, not to mention learning how to sign up/use the forum and potential public shaming likely added to the mix. 

But as to wanting information: While I trust MWB a good deal, antimalware engines make mistakes or at least mischaracterizations, especially with things they designate as PUP, so more information is often needed to decide whether that quarantined PUP that I've been using is harmless or is/has morphed into a real threat. That information is still available in MWB for Windows, but not in MWB for Mac, and it should be, so thank you @treed for letting us know that its addition is planned. I hope that the "Restore" feature of the Windows version will also be coming to the Mac version. Also, thank you @alvarnell and @treed for the reminders in this related thread that we shouldn't inherently trust things from the App/Mac Store.

Example: MWB popped a notification of quarantine and that a restart was required; clicking the notification didn't open MWB, so I opened MWB from the menu bar to find out what was quarantined and why. Opening the quarantine folder to learn the identity of the offender was a little weird, but easy enough. The offender (ChargeBerry) is a program I downloaded from the App Store and have been using for months, so I wanted to know why it was quarantined. Going to Reports, I was dismayed at the dearth of information and the lack of an "Undo Quarantine" or "Restore" option for false positives or PUP that I actually do want. Because MWB quarantined the program, I'm somewhat hesitant to restore it without more information about why it was quarantined, but want to because it's been a nice tool. So it's off to web search land to try to determine why the program was flagged as malware (or PUP - don't know). In the meantime, I'll stick with MWB's assessment and delete the program.

So, all of that complaining said, I still value and appreciate having the Mac version at all and look forward to its continued development.

Regards,

Hnk 

P.S. For reference for those not familiar with the Windows version, here are the Mac Reports tab vs. the Windows Reports tab:

Mac:

[image: Mac Reports tab]

 

Windows (it's Win10 Home - I use WindowBlinds with a Mac-like skin):

[image: Windows Reports tab]


Well, there goes some cred, but it also illustrates the point I was making about why users might not post to forums. I'm experienced in using forums of many kinds back to dial-up BBSs, yet I've managed to double post when I thought I was editing my first one, and I haven't yet figured out how to delete the first one (if possible). I can imagine my mother-in-law who just wants to know why her puzzle program was quarantined looking at the forums and saying, "Well, I guess I'll find another program" rather than post. And that's probably the best result for her security-wise, but she'd be an uncatalogued user who wanted information.


  • Staff

Chargeberry is made by Kromtech, which is a company that makes unwanted software (including the infamous MacKeeper, which was once the subject of two separate class-action lawsuits) and runs a "tech support" service that engages in questionable behaviors. We recommend that you not use any of their products/services.


Just now, treed said:

Chargeberry is made by Kromtech, which is a company that makes unwanted software (including the infamous MacKeeper, which was once the subject of two separate class-action lawsuits) and runs a "tech support" service that engages in questionable behaviors. We recommend that you not use any of their products/services.

Thank you very much, @treed. I did the restart after my last post and Chargeberry is disabled on its way to the Trash. I'm glad to have MWB and will be more critical of App Store offerings in the future.

 


"While I trust MWB a good deal, antimalware engines make mistakes or at least mischaracterizations, especially with things they designate as PUP, so more information is often needed to decide whether that quarantined PUP that I've been using is harmless or is/has morphed into a real threat. That information is still available in MWB for Windows, but not in MWB for Mac, and it should be, so thank you @treed for letting us know that its addition is planned. I hope that the "Restore" feature of the Windows version will also be coming to the Mac version."

Quite. Knowledge is power, and the first thing one needs to know about a given malware threat in order to respond effectively is its name and identity. Also, to my knowledge, MWB for Windows and MWB for Mac sell for the same price. The Mac version should therefore provide customers with the same core features and functionality as the Windows version. I hope the company will make it a priority to rectify this shortcoming of the Mac version.


  • Staff
2 hours ago, Kamchatka7 said:

The Mac version should therefore provide customers with the same core features and functionality as the Windows version.

Frankly, that's not likely to ever happen... and it shouldn't happen. One of the biggest mistakes anti-virus vendors make is releasing a Mac product that's basically just a port of the Windows product. Mac users don't like that.

We treat each platform as appropriate based on its threat landscape, and the threat landscapes for Mac and Windows are very different. Thus, there are features of the Windows app that may never come to the Mac, and similarly there are features of the Mac app that may never come to Windows (such as the App Block feature). If you're looking for exact 1:1 feature parity, you're not likely to ever find that here.

That said, a real quarantine is a must-have, and I'm sorry it's taken as long as it has to implement it on the Mac.


Good point: the threat realities and response needs of Macs are indeed very different from those of Windows. Actually, I wasn't calling for identical features and functionality, but rather for core features to be the same -- and I think that naming and identifying the quarantined threats falls under the latter heading. But we're obviously on the same page here, and I do appreciate your commitment to providing a real quarantine interface in a future Mac release.
