
What does quarantining actually DO?



I'm a new MB user.

I read all the blurb about scanning and quarantining, and wonder how it all works - in principle; not trade secrets of course
but I'm a bit sceptical, having done without this product for many years, and, to my knowledge avoided all trouble.

Anyway I have a complimentary subscription to MB for two years, so why not?
It would be good to see if my system is as clean as I think it is after running well for about 5 or 6 years.

So I did a scan, and came up pretty clean 😁... but NOT 100%

MB found a registry PUP and quarantined it.
The report gives me the registry address, so I sniffed with Regedit, and sure enough there it is
cloned in Current User, and visible in the regular users hive

But what has quarantining changed?

Anyway, I thought I ought to delete this bit of potential malware, so I used MB to do just that...
... well, MB SAID it had deleted it, so it couldn't do any more damage

Then I restarted for safety and peeked in the registry after restart...
...only to find the key still there, ready to be detected next scan.

I've attached both the report and the reg key (renamed as TXT) AFTER MB deletion and sys reboot

 

I'm wondering if this part of your product is just smoke and mirrors to keep your detection stats looking good.

Probably I'm missing the point on how it all works

spilly81.

PS The PUP malware was identified as
PUP.Optional.oTweakDriverUpdater at reg key
...UserID\SOFTWARE\DRIVERUPDATER|PHSUPPNUM
and was datestamped Nov 2017, so it's been there a while

I couldn't find any references to executables or to other classIDs, so I wonder what all the fuss was about

 

 

 

DriverUpdater_REG.TXT MBReport2.txt


Greetings,

It's possible that something added the key back; Malwarebytes definitely does NOT add any malicious/PUP values or objects of any kind onto any system for any reason (though Malwarebytes has classified some other security products and rogues/fake AVs as PUP/malware in the past for doing that very thing).  It is also possible that Malwarebytes had trouble removing the item for some reason, though that's less likely.  Given the fact that it only detected the 1 registry entry, it may be that there is an installed program associated with it that Malwarebytes missed for some reason.

Just to be sure, I'd recommend getting the system checked by one of our malware removal specialists.  To do so, please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats.


Thanks for your interest.

I should state at the outset I'm quite certain that MB did not add anything nasty.
Nor did it do anything wrong, other than claim a success when in truth it did nothing at all to correct what it claimed as a PUP

I reckon all the Delete Quarantined items did was to empty the Quarantine Box itself.
I'm equally certain that MB DEFINITELY DID *NOT* clean the registry of this PUP
PRIMARY REASON - It's still there in the registry right now
This was what I did at the time - 'cos I was curious to see how things worked (or not!)

  • I had Regedit open at the key, just to watch what happened
  • I switched to the MB Window & deleted the quarantined item
  • Back in Regedit, I Refreshed the view f5 - NO CHANGE
  • I then immediately rebooted and restarted Regedit after reboot
  • NO CHANGE - the keys are still present in my registry right now
  • To verify I searched the entire registry both for "DRIVERUPDATER" and again for the long hex string value "InstallID"
    The only hit was at the suspicious key on either search through the entire registry
    This was the case both before and after the Delete quarantined item operation.
  • If you look at the key as uploaded there is nothing remotely like a reference to any active component
  • I am 100% certain that this key was not re-added during the reboot.

Do you know of any official documentation of the quarantine process and how it gives protection?

I have failed to find any such so far - but I found lots of unauthenticated opinions of course


Deleting an item from quarantine doesn't remove the item from its original location; quarantining the item does that.  The backups in quarantine are encrypted and stored locally under Malwarebytes' data folder where they exist as broken and encrypted, non-executable items (basically data files that Malwarebytes can later restore to their original form and location if restored from quarantine by the user).  You need to watch what happens when Malwarebytes actually performs the quarantine operation at the completion of the scan when you click the button to have it remove the detected threats.

Restarting the system reloads the registry hives into memory, so if something is restoring/recovering the key on startup, you would indeed see the key returned to its original location (Malwarebytes doesn't prevent them from being recreated on boot, so if there is anything it missed such as a process which creates the key on launch, you would see the key returned on system restart).


By the way, I might have discovered which PUP this entry actually belongs to, though given the lack of associated detections, my suspicion is that this may be an FP, otherwise it might be a collision with an entry using the same value name belonging to a different application:

 


If you do want to monitor Malwarebytes removing the item from the registry, first locate the item in the registry via Regedit, then run the scan with Malwarebytes and have it quarantine anything it has detected, then click View in Regedit and select Refresh and the item should no longer be there (you need to do this BEFORE you restart the system, just after you've had Malwarebytes quarantine the detected item).

If the value never gets deleted then it is possible something is preventing it from doing so and it is instead attempting to delete the item and just creating a backup of it in quarantine (though typically it would prompt you to restart the system if this were the case).

I also noted that your scan log shows that the value is actually under the HKCU key for a different user/account on the system; have you tried running the Malwarebytes scan from that account to see if it has better luck?  It may be that a permissions restriction is preventing the item from being properly removed.

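As an added example (not part of this thread, and not Malwarebytes' own tooling): a PowerShell check that looks for the key path and value name quoted in the scan log under every loaded user hive in HKEY_USERS, so the before/after comparison described above can be made from one elevated session even when the value lives under another account's HKCU. The key path and value name come from the thread; the snapshot file names and the function name are my own.

```powershell
# Added example, not the forum's or Malwarebytes' code. Run from an elevated PowerShell
# once before quarantine (-Phase before) and once after, BEFORE rebooting. Only hives
# that are currently loaded appear under HKEY_USERS, so the other account must be
# logged on (or its hive loaded) for its copy of the key to be checked.
param([ValidateSet('before', 'after')][string]$Phase = 'before')

$RelativeKey = 'SOFTWARE\DRIVERUPDATER'   # key path from the scan log in the thread
$ValueName   = 'PHSUPPNUM'                # value name from the scan log in the thread

function Get-DriverUpdaterTrace {
    # One record per loaded hive: SID, key/value presence, and key owner (for ACL issues)
    foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }          # per-user Classes hives, skip
        $keyPath = "Registry::HKEY_USERS\$sid\$RelativeKey"
        $record  = [ordered]@{ Sid = $sid; KeyPresent = $false; ValuePresent = $false; Owner = '' }
        if (Test-Path -LiteralPath $keyPath) {
            $record.KeyPresent = $true
            $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
                $record.ValuePresent = $true
            }
            # The owner hints at whether a permissions restriction could block removal
            $record.Owner = (Get-Acl -LiteralPath $keyPath).Owner
        }
        [pscustomobject]$record
    }
}

$snapshot = Get-DriverUpdaterTrace
$snapshot | Format-Table -AutoSize
$snapshot | Export-Csv -NoTypeInformation -LiteralPath ".\driverupdater-$Phase.csv"

if ($Phase -eq 'after' -and (Test-Path -LiteralPath '.\driverupdater-before.csv')) {
    # Both snapshots are read back from CSV so the compared fields have the same type
    $before = Import-Csv -LiteralPath '.\driverupdater-before.csv'
    $after  = Import-Csv -LiteralPath '.\driverupdater-after.csv'
    # A hive whose ValuePresent went from True to False is one the quarantine actually
    # cleaned; no difference at all means the value was never removed from that hive.
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Sid, KeyPresent, ValuePresent
    if ($diff) { $diff | Format-Table -AutoSize } else { 'No change in any loaded hive since the before snapshot.' }
}
```

If the value is gone straight after quarantine but back after a reboot, that points at something recreating it on start-up rather than at the quarantine step itself.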

That's a really helpful and informative set of replies. Thanks.
It turned out that my system is indeed as clean as I had hoped, as MB detected only just this one item

I didn't know beforehand what it might find, so I wasn't ready, looking in Regedit, ahead of the scan.
- circular problem that!

I've always been very sceptical about marketing hype in the software industry,
but accept that MB actually has a good reputation, and may well have cleaned out a real PUP I didn't know about.
I should have tried RESTORE, not Delete, shouldn't I?

I shall now remove this key from my registry on principle
The system is fully imaged, so that's pretty low risk.
With MB + Macrium Reflect, I can surf with impunity😁😁
- but in fact I shall continue as before, only I shall feel better about the current status of my PC

Once again, Thanks

PS the digits in my handle are in fact my age - I've been around a while!


No problem at all, I'm glad I was able to help :)

I'd suggest letting us know if the registry key does return though, just in case either some app is bringing it back, or in case it turns out to be a false positive.  If you run into any further issues or have any questions, please don't hesitate to let us know.

Thanks


I v. much doubt it will return, as I keep a close eye on my startups and on running background processes
- tho I certainly don't know ALL of the places where executables can be triggered at startup

I've a pretty good idea how I caught this one...

I often help others out with troublesome PCs, usually ancient ones of obscure cheapo brands
Finding drivers for such devices can be a real pain.

I really don't like handing it back with Dev Mgr warnings, so I can go anywhere I think might help, 
including those driver websites where it's so difficult to choose which Download button to click!
I then use 7zip to explore the download, to determine which Setup.exe in the bundle I am prepared to risk.

A case in point was a child's Win 10 notebook, and its x64 bit mobile phone type CPU...
supplied when new with 64bit Win 10 to squeeze into its vast 2GB of RAM 😱.
I re-installed 32 bit Win10, only to discover that the official video driver was 64 bit ONLY! 🤬😫
That was a driver hunt and a half, that ended up with success at Lenovo ISTR.

A lot of work for a couple of quid in the charity box - but a happy customer in the end as well

 

spilly81


Ah, that makes sense.  I bet you're right, as those ads can be quite deceptive and those driver updating programs are advertised on sites like that which host drivers for multiple vendors all the time, likely as their primary source of income.  Unfortunately, such programs all too often download the wrong drivers and/or come bundled with a bunch of junk of their own.


re-reading your posts, what is an FP?

10 hours ago, exile360 said:

By the way, I might have discovered which PUP this entry actually belongs to, though given the lack of associated detections, my suspicion is that this may be an FP, 

 

 


A False Positive, though having heard your explanation about visiting those driver sites etc., it's probably just a leftover trace from one of those programs.  When I thought it might be an FP it was due to the fact that I didn't think you'd ever had any such apps installed on the system before, but it makes perfect sense if you have, and they are quite common on such driver hosting sites as mentioned.


Yes, agreed, and if you do need any further assistance just let us know.

Oh, and by the way, if you don't have it already, I'd highly recommend installing Malwarebytes Browser Guard.  It's available for Chromium based browsers like Google Chrome, the new MS Edge Chromium, SRWare Iron and Vivaldi as well as Mozilla Firefox.  It blocks a lot of stuff not blocked by the Web Protection in Malwarebytes Premium, including ads, trackers and includes behavior based protection against tech support scam sites and a lot of the other unwanted junk on the web.  It's free and works with or without Malwarebytes installed.

Thanks


Thanks indeed - that sounds really useful
Something to add to my recommended software list for those I've dug out of a mess

- and I hadn't obviously kept up with things, 'cos I wasn't aware that the current Edge is based on Open Source code
 

Right now I'm playing around with another Open Source product - Scribus, a DTP product.
There is some evidence of inconsistencies and poor practices in the UI
but it seems very capable for our little village magazine, which couldn't possibly justify a paid-for Adobe or CorelDraw
In the longer term one can't even guarantee that everyone who might work on the project is licensed for an identical set of software

With Open Source software nobody can opt out on grounds of cost, can they?

 


Hehe, yeah, obviously things are different in the world of open source.  It certainly has its advantages and disadvantages.  Yes, Microsoft finally gave in and went the way of Google/Chromium and it looks like Mozilla is headed in that direction as well with them adopting Chromium based compatibility/standards for their own plugins now.  I'd much prefer to keep a more diverse range of browser options available beyond just various flavors of Chrome/Chromium, but it does make it easier for web developers and creators of browser plugins when they only have a single base browser/code and standards to deal with.

Here's some more info on the subject if you're curious:

https://www.zdnet.com/pictures/all-the-chromium-based-browsers/
https://www.howtogeek.com/333230/why-firefox-had-to-kill-your-favorite-extension/
