Anti-Rootkit-Beta v1.10.3.1001 deletes HKLM\DRIVERS Registry values

[rdasheiff]

When ever I want to test a program (beta or not) I install and run it in a virtual machine. I have an old rootkit program (Sophos Anti-Rootkit v1.5.4 year:2010) which seems satisfactory, but rather than download and install their new free version 2.9 (which seemed overly extensive, i.e. doing more than just rootkit), I decided to try out this Malwarebytes beta v2021.05.22.03.

I also monitor what is installed (and deleted) using Regshot 1.9. As it turns out, there is no uninstall for the beta, so if one wanted to remove it completely, such programs as Regshot are indispensable.

After testing the beta and looking at my Regshot output, I was shocked to find it deleted all drivers in the Registry (luckily these are re-created by Windows on re-boot as they are critical)
HKLM\DRIVERS
HKLM\DRIVERS\DriverDatabase
HKLM\DRIVERS\DriverDatabase\DeviceIds
HKLM\DRIVERS\DriverDatabase\DriverFiles
HKLM\DRIVERS\DriverDatabase\DriverInfFiles
HKLM\DRIVERS\DriverDatabase\DriverPackages
 Values deleted: 30275

I then went and checked at what exact stage this happened, and identified it occurs at the start of the program when it asks to update the malware definitions. It might be pecular to my virtual environment and the Win10 edition I used - but even so, this is more than a 'bug'. Obviously I didn't install the beta on my host computer.

The virtual environment was VMware Player 16, running 64-bit Microsoft Windows 10 Enterprise Evaluation, Version    10.0.10240 Build 10240, codenamed "Threshold 1", the first release of Windows 10. 

I have attached the Regshotx64.txt (6.5MB) output for Malwarebytes software engineers to look at if they wish.

Regshotx64.txt

[shadowwar]

Mbar is self contained in one folder. It doesnt install. So if you want to remove it you just delete the folder. 

Mbar uses techiniques to get exclusive access to the registry. This is probably why it appearing in regshot as the keys are deleted because of how we scan them with mbar. They arent actually deleted but regshot cant access them why we scan. If our driver is still active that may not allow access back to the registry till you reboot.

I would need the logs contained in the mbar folder in order to investigate further but i believe this is what is happening. 

 

Edited May 22, 2021 by shadowwar

[shadowwar]

Here is my regshot log. 

I took 1st regshot snapshot.

loaded mbar and scanned with all 3 options enabled. 

completed scan and exited mbar

took 2nd shot. 

No driver keys are deleted. 

~res-x64.txt

[rdasheiff]

Rich
1) Yes, mbar is clean to uninstall just by deleting the folder (no registry traces). However, all programs are not as compact so I monitor.

2) It wasn't just Regshot which didn't see the HKLM\DRIVERS tree, but I also ran Windows regedit which also failed to see that tree (and saw it after reboot). I'm unaware the Registry can have hidden values. This tree is protected and often can't be opened (to protect it from "accidental" deletion from the user, or malicious deletion or changes from malware). 3) "If our driver is still active that may not allow access back to the registry till you reboot."

3) I retested and the Registry entry disappears as soon as the program starts, doesn't need to download updates. So the driver must be doing it. The driver and services must be stealthed as nothing shows up in Taskmanager.

4) Additionally, you tested this in Windows 7 (which I thought of doing as well), but Win7 has a different directory tree than Win10. 
Win7 does not have        HKLM\DRIVERS\DriverDatabase
instead it is located as   HKLM\SYSTEM\DriverDatabase

5) Nevertheless, even if mbar "only" hid them, that sounds a bit too invasive for a program supposed to help protect and mend malware attacks. As with any bug, it is idiosyncratic to a particular OS version and what may be installed. That is why they are so hard to find and fix.

[rdasheiff]

Rich, sorry, forgot to attached log files, here they are

system-log.txt mbar-log-2021-05-22 (08-51-26).txt

[shadowwar]

I tested on windows 10 latest build. That was just the old pc name before i upgraded to windows 10 a while back. 

Well in order to defeat some rootkits these techniques have to be employed. This will cause results in tests like yours with results you would not expect. This program has been out for years and we have never broken any registry with it that i am aware of. 

 

This is a specialized anti rootkit tool which honestly really isn't much supported anymore because the full malwarebytes has it built in if needed. But honestly we rarely see any rootkits anymore. Also this tool does not have the latest tech that mbam4 has and will miss a lot of stuff that mbam4 would catch. 

 

There are two major components to antivirus related programs. The definitions and the engine. An older program has an older engine and does not support some of the latest techniques to removing malware. Your logs are clean and show no removals so this is the driver isolating the registry to scan it for hidden entries and prevent changes while it is scanning.

 

This is normal and expected behaviour with mbar. It doesn't delete them just makes them unreadable from most programs while it is loaded and expecting a scan. 

 

 

 

[rdasheiff]

Thanks, that was a clear and educational explanation of my observations and the product. I conclude and agree there is no bug and mbar is working as predicted and correctly. I will close this thread.  :-)