
Malwarebytes creates multiple ig exe



Every time Malwarebytes 4 starts up it creates multiple (49 to be exact) ig-49.exe within Kaspersky Manage Applications section.

I found another thread which says "IG is part of the new scan engine in Malwarebytes version 4" but why does it create so many instead of just a single entry?



***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab on the left column

  7. Click the Gather Logs button

  8. A progress bar will appear and the program will proceed with getting logs from your computer

  9. Upon completion, a file named mbst-grab-results.zip will be found on your Desktop. Click OK

  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:


Click "Reveal Hidden Contents" below for details on how to attach a file:
 


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

 


Greetings,

I believe it is a temporary executable created each time a scan is run which would explain why there are so many (it is likely a new copy is created every time your scheduled scan runs for example).  Also be aware that there is currently a known compatibility issue with Malwarebytes Premium and Kaspersky products as of Kaspersky's patch 'e' for their 2020 line of products as well as patch 'j' for their 2019 line of products and that at this time the only known workaround is to disable Ransomware Protection in Malwarebytes until the issue is resolved.

I hope this helps and if there is anything else we might assist you with please let us know.

Thanks


Hi spinoxin,

Please refer to the following post: https://forums.malwarebytes.com/topic/254241-new-instances-of-igexe-constantly-needs-whitelisting/?do=findComment&comment=1348390

As noted above, the ig-*.exe files are only temporary copies of the base ig.exe, used during scanning and as part of the on-execution protection provided by the Malware Protection component. If you use the 'Quit Malwarebytes' option and look inside the installation folder (%programfiles%\Malwarebytes\Anti-Malware by default), you will only see a single ig.exe.


Thanks exile360 and LiquidTension. As pointed out, if I remove them from the list they reproduce the temporary files straight away on the next restart of Malwarebytes; no big deal, as they don't keep adding to the list.

Ransomware is disabled, and Kaspersky have now released a new "Patch F"

Thanks for the clarification 👍


Hello,

When closing the MalwareBytes service after running a scan with your FREE edition, my (uncommon) firewall setup just caught (and blocked) the executable c:\users\noelc\appdata\locallow\ig.exe trying to resolve names using UDP to the Google DNS server (8.8.8.8 port 53).  When I went to look at the ig.exe file, it was gone!

That’s a very malware-like activity pattern, and it had me a little worried.

Now, maybe you Malwarebytes folks are in such good understanding of the malware you typically find or block that you feel using malware techniques to help protect their own software is okay, I don’t know, but I don’t like it. 

Please stop thinking you can write an executable to some temporary location, run it, then delete it.  That's just not good practice.  And I don't care if Microsoft themselves do it.  It's not good practice for them either.

No doubt you need to evolve your implementation to keep ahead of actual malware that's aware of your implementation, but I try to never lose sight of the fact that the prevention could at some point become worse than the risk.  For now I’m keeping the MalwareBytes software installed, but I’m watching it closely.

-Noel

3 hours ago, NoelC said:

my (uncommon) firewall setup just caught (and blocked) the executable c:\users\noelc\appdata\locallow\ig.exe trying to resolve names using UDP to the Google DNS server (8.8.8.8 port 53).  When I went to look at the ig.exe file, it was gone!

That file is created by Malwarebytes. Please allow it.


Uh, no.  I absolutely don't want Malwarebytes contacting DNS servers on its own.  I have my own DNS servers that block sites I don't want contacted, and here I see Malwarebytes trying to do an end-run and contact 8.8.8.8 port 53 all by itself.  Wrong!

Again I say:  Malwarebytes, stop acting like the very malware you're here to block.

If this cannot be accomplished, then it will be just another package that doesn't get to run here.

-Noel

40 minutes ago, NoelC said:

Again I say:  Malwarebytes, stop acting like the very malware you're here to block.

It is part of the new scanning engine in Version 4. A good portion of protection and scans is cloud based.

17 hours ago, NoelC said:

Uh, no.  I absolutely don't want Malwarebytes contacting DNS servers on its own.  I have my own DNS servers that block sites I don't want contacted, and here I see Malwarebytes trying to do an end-run and contact 8.8.8.8 port 53 all by itself.  Wrong!

Again I say:  Malwarebytes, stop acting like the very malware you're here to block.

If this cannot be accomplished, then it will be just another package that doesn't get to run here.

-Noel

Noel,

Interesting post. I too use my own DNS... will stay with MalwareBytesPremium 3.8.3 for now to see how this shakes out over time.

Thanks for the info.

Nick


> A good portion of protection and scans is cloud based.

I appreciate your trying to be helpful, but please understand that I already know that.  We're kind of working at two different levels here. 

There is a difference between Malwarebytes contacting the Internet through known pathways to known servers and what I observed.  I have rules set up to allow some names to be resolved normally (e.g., keystone.mwbsys.com, sirius.mwbsys.com, cdn.mwbsys.com) specifically to support Malwarebytes.

It's this business of "I didn't get the DNS resolution I liked so let me try to sneak a name resolution in a different way by writing a temporary executable" that doesn't fly.  Unfortunately, that's a signature pattern of malware, and I'm not willing to try to figure out where Malwarebytes might write the magic executable next.  That's just not a valid way to do "cloud based" operations.

Perhaps this is designed-in fallback behavior to try to allow Malwarebytes to work even when fully blocked by a firewall.  Perhaps it lowers support costs.  I don't know.  But it does represent an observed change in behavior.

> I'll stay with MalwareBytesPremium 3.8.3 for now to see how this shakes out over time.

I haven't seen it try this ig.exe trick again over the past day.  The problem may have been coincident with a temporary network outage here, and specifically happened when I Quit the Malwarebytes Service from the system tray.  When I get more time I'll experiment with it.

-Noel


I'm not sure why it is using an alternate DNS or why it is using UDP, however I do know that the IG.exe is created as part of the new/enhanced Shuriken heuristics engine every time a scan is launched and is also created/executed when protection starts up.  It isn't created as a response to anything (such as a firewall etc.), it is just a temporary executable generated by the application for the purpose of the heuristics/cloud scanning component and it always creates a new copy each time it is launched or a scan is initiated.

I can only speculate as to why it is using Google DNS, but if I had to guess I would hypothesize that it has something to do with it attempting to connect to the servers hosting the cloud components for the Machine Learning aspects of the program, and they may be using Google DNS as a means to attempt to optimize speed/performance (since Google has many servers worldwide, most or all of which are on hard line fiber).

> I do know that the IG.exe is created as part of the new/enhanced Shuriken heuristics engine every time a scan is launched

For what it's worth, whatever ig.exe may be being created during a scan, it's not normally reaching out to the net.  I just detected the activity the one time only so far, and I did not enable it to do so again.

This is a time when cloud-integration also brings a responsibility to be aware of what your software is doing, AND that you're doing so only with the customer's blessing.  I'm just here to make sure the Malwarebytes authors continue to understand that.

-Noel

 


Just as Malwarebytes (and all other security apps that use signatures and cloud capabilities) reaches out for new database updates, it also periodically reaches out to the cloud servers to update its cloud definitions/information.  I do not know what the precise frequency is, but I know that it does it fairly regularly (otherwise it wouldn't be useful because it would quickly be rendered out of date and obsolete).


And of course there are several different kinds of update checks (definitions, program updates).

None of which should require a temporary disappearing executable that attempts its own DNS resolution.

[Screenshot: ig_detection]

Something I hadn't recalled before...  The protocol was TCP, not UDP.

-Noel

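A small triage check for the pattern Noel describes above (a short-lived executable in a user temp location contacting a resolver other than the host's configured one on port 53, over TCP or UDP), written as an added example for this thread; it is not code from Malwarebytes or from any poster, and the log format, the resolver allowlist and the temp-path list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound-connection log lines (not a real firewall's
# format): timestamp | image path | protocol | destination ip | port | action
SAMPLE_LOG = """\
2019-12-01 10:02:11 | C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbam.exe | TCP | 104.16.1.1 | 443 | ALLOW
2019-12-01 10:03:40 | C:\\Users\\noelc\\AppData\\LocalLow\\ig.exe | TCP | 8.8.8.8 | 53 | BLOCK
2019-12-01 10:03:41 | C:\\Windows\\System32\\svchost.exe | UDP | 192.168.1.1 | 53 | ALLOW
2019-12-01 10:05:02 | C:\\Users\\noelc\\AppData\\Local\\Temp\\setup.exe | UDP | 192.168.1.1 | 53 | ALLOW
"""

# Resolvers this host is meant to use (assumption: one local filtering DNS server).
CONFIGURED_RESOLVERS = {"192.168.1.1"}

# User-writable locations from which a short-lived executable talking DNS is suspicious.
TEMP_PATH_RE = re.compile(r"\\AppData\\(LocalLow|Local\\Temp|Roaming)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    image: str
    proto: str
    resolver: str
    reasons: tuple


def triage(log_text):
    """Return one Finding per port-53 connection that bypasses the configured
    resolvers, originates from a temp-path executable, or both (TCP and UDP alike)."""
    findings = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            continue  # skip anything that is not a well-formed record
        ts, image, proto, dst_ip, dst_port, _action = fields
        if dst_port != "53":
            continue  # only name-resolution traffic matters for this check
        reasons = []
        if dst_ip not in CONFIGURED_RESOLVERS:
            reasons.append("resolver-bypass")
        if TEMP_PATH_RE.search(image):
            reasons.append("temp-path-image")
        if reasons:
            findings.append(Finding(ts, image, proto, dst_ip, tuple(reasons)))
    return findings


def high_confidence(findings):
    """Both indicators together: the combination Noel reported."""
    return [f for f in findings if len(f.reasons) == 2]
```

The name-based rules Noel mentions (keystone.mwbsys.com and the others) cannot catch this case because the connection goes straight to a resolver IP, which is why the check keys on destination port and resolver address rather than on hostnames.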

I believe it has its own temporary executable specifically because it is created by the heuristics engine and needs to load/unload dynamically as the parameters of the engine are changed based on the cloud/signatures. However, I'm not a developer, so that is just my hypothesis; I've seen other security apps in the past do similar things, and this was usually the reason for it.

I get that you don't like it; you've made your perspective pretty clear at this point, and your feedback has been provided to the Product team.  It is up to them to decide whether or not to make any changes (assuming it is possible; it might actually be required for it to function as it does in order to work as intended, and I personally suspect this to be the case, otherwise I see no reason why they would have implemented it so).

