
Understanding scanning, exclusions and real time protection



Hi everyone, hope your day is a joyful one.

There are some games and utilities I add to malwarebytes exclusions. What I want in this case is for malwarebytes not to interfere with the real time operation of these apps, especially as some of them (like throttlestop) involve cpu operations like undervolting and changing multipliers of the unlocked CPU. The games are out of having no choice, it's very few games but about 8 of my game collection get stuck at single digit FPS unless I add their install folder to exclusions, then suddenly they are back at 100 or whatever FPS :)

But just as a curiosity right now, I did a MANUAL malwarebytes scan of one of the excluded item install folders. The result scanned 0 files and folders.

So the way malwarebytes obviously operates, is that it also excludes items from manual scans.

I would like to see an option to check "still scan excluded items in windows explorer right click scans" or something to that effect. Cause I would still like to be able to scan them offline to make sure they are safe.

This brings me up to the second part of the topic, real time scanning.

When I have downloaded these products, and unzip or unrar them, does malwarebytes at THAT point scan the files being extracted into the install folder? Obviously these have just been downloaded so I have not added the exclusion yet until the install folder actually exists. Hope I said it right!

On the same note, does Malwarebytes scan Steam games (for example), as they are being installed and files being written to the drive, again before I have added the install folder of said game(s) to the exclusion list?

My point is in a nutshell, does a file have to actually be executed for malwarebytes to scan, or does it do it as files are actually being written to drive in real time.

If so, then my request above is sort of pointless, as Malwarebytes would have already scanned the items before I added them to exclusions anyway.

In that case I am satisfied.

Or maybe in my case I should download a freeware second opinion scanner, one that is completely offline and installation free itself, just for these purposes.

 

Cheers!

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


14 minutes ago, TheodoreM said:

When I have downloaded these products, and unzip or unrar them, does malwarebytes at THAT point scan the files being extracted into the install folder?

NO it does not.

15 minutes ago, TheodoreM said:

So the way malwarebytes obviously operates, is that it also excludes items from manual scans.

Excluding a file or folder excludes it from all scans.

17 minutes ago, TheodoreM said:

does Malwarebytes scan Steam games (for example), as they are being installed and files being written to the drive, again before I have added the install folder of said game(s) to the exclusion list?

No it does not.

18 minutes ago, TheodoreM said:

My point is in a nutshell, does a file have to actually be executed for malwarebytes to scan

Yes for the most part.

18 minutes ago, TheodoreM said:

Or maybe in my case I should download a freeware second opinion scanner

That is what Windows Defender is for but to enable it you have to turn off the following setting.

[image: screenshot of the setting]

The reason many of us members are pushing keeping Defender on is the following.

Malwarebytes does not target script files during a scan... That means MB will not target: JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.

It also does not target media files: MP3, WMV, JPG, GIF, etc.

Malwarebytes will block files like these, if malicious, on execution only.

And,

Malwarebytes is not designed to function like normal AV scanners and uses a new kind of scan engine that relies mostly on heuristics detection techniques rather than traditional threat signatures.  Malwarebytes is also designed to look in all the locations where malware is known to install itself/hide, so a full or custom scan shouldn't be necessary, especially on any sort of frequent basis (like daily), especially since the default Threat Scan/Quick Scan checks all loading points/startup locations, the registry, all running processes and threads in memory, along with all system folders, program folders, and data folders as well as any installed browsers, caches, and temp locations.  This also means that if a threat were active from a non-standard location because Malwarebytes checks all threads and processes in memory, it should still be detected.  The only threat it *might* miss would be a dormant/inactive threat that is not actively running/installed on a secondary drive, however, if the threat were executed then Malwarebytes should detect it.  Additionally, whenever a new location is discovered to be used by malware the Malwarebytes Research team adds that location dynamically to the outgoing database updates so the locations that are checked by the default Threat/Quick Scan in Malwarebytes can be changed on the fly by Research without requiring any engine or program version updates/upgrades.

An AV will catch the file just by downloading it or just opening a folder with a detected file in it.

For example, you get an email with an infected attachment, Malwarebytes will not even blink until you run it yet Defender will detect it if it is in their database without even actually clicking on it. Remember the list of files Malwarebytes does not target.

Then I will leave you with this.

As good as Malwarebytes is, it is just a layer of protection.

Using a browser that has Ublock Origin and the Malwarebytes Browser guard enabled is also a layer of protection.

Not opening attachments from an email unless you were expecting it from a specific user during a specific time period.

Do not use Torrents. Do not install every free software you find. Do not click links in an unknown email. Go directly to the site listed in the email.

Having a monthly image of your computer on an external drive that is only connected during the backup is actually better than any protective software ever made. Macrium Reflect free is the program I use and place on every computer I service.

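An added example, not part of the original posts and not Malwarebytes code: because an excluded folder is skipped by every scan, one way to keep watch on it is to record SHA-256 hashes of its files and diff them later, rechecking anything new or changed with a second-opinion scanner or by searching the hash on VirusTotal. The extension groups are taken from the lists in the post above; the function names and the folder path in the usage comment are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Extension groups from the post above (its lists end in "etc.", so not exhaustive).
NOT_TARGETED = {
    "script": {".js", ".html", ".vbs", ".class", ".swf", ".bat", ".cmd", ".php"},
    "document": {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pps", ".odf"},
    "media": {".mp3", ".wmv", ".jpg", ".gif"},
}

def classify(path):
    """Return the post's category for a file, or 'other' (executables, DLLs, data)."""
    ext = Path(path).suffix.lower()
    for category, extensions in NOT_TARGETED.items():
        if ext in extensions:
            return category
    return "other"

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large game archives are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(folder):
    """Map relative path -> [category, sha256] for every file under folder."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): [classify(p), sha256_file(p)]
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_inventory(baseline, current):
    """Files added, removed or modified since the baseline was recorded."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in shared if baseline[k][1] != current[k][1]),
    }

if __name__ == "__main__":
    # Usage (placeholder path): python inventory.py "D:\Games\SomeGame" > baseline.json
    if len(sys.argv) > 1:
        print(json.dumps(inventory(sys.argv[1]), indent=2))
    else:
        print("usage: inventory.py <excluded-folder>")
```

Save the first run as a baseline, then load it with `json.load` and pass it to `diff_inventory` together with a fresh `inventory` after each game update.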

Hi what a wonderful answer, thank you Porthos.

First thing I will say is then my idea of an option to be able to override exclusions in windows explorer based scans is therefore valid, (I think)?

The reason I have always disabled Defender is because it's, for me anyway, the king of false positives. For example, I enabled it after I read your reply and instantly it didn't like my Corsair IQ software and said it contained a trojan (it's happening to many today that use that software, not just me).

I have always disabled it in MWB but on my previous install with Windows 11, registering MWB in the security center would not take, and Defender was always active (as discussed in another topic). It seems ok this time after a fresh OS install (long story), but I have disabled it to have both running for now.

I have also added the necessary exclusions to both programs to coexist.

I guess that's what I will do for now, although I have seen defender allow real, known trojans, even whilst connected to the net, run and hose an entire machine. Not a single pop up.

Security PC channel pretty much puts the entire program in meme category LOL which made me really sceptical of it as he seems quite knowledgeable and trusted.

That said...

I do have a voodoo shield license and I could always disable defender and install that alongside MWB, but it's a bit of a PITA to use and set up, to say the least.

Maybe I will download emsisoft emergency kit, which is entirely offline, as my second opinion scanner, as it uses Bitdefender signatures and is not real time, so unlike Bitdefender can not destroy my system like that AV did back in January (another long story).

In any case, my sincere thanks.

 


3 minutes ago, TheodoreM said:

I enabled it after I read your reply and instantly it didn't like my Corsair IQ software and said it contained a trojan (it's happening to many today that uses that software, not just me).

Then tell Defender to ignore it and exclude it.

Some users overprotect the systems for no reason. Of course no AV is 100%. I always think "play stupid games, get stupid prizes". Use your brain and practice safe habits and you will be OK in 99.8% of cases.

Start making image backups to an external drive at least once a month.


Hi, I already back up. I also forgot to say I already use ublock origin AND noscript in chrome, edge or firefox. I have used noscript since the first day and am pretty much a power user of it now.

:)

Also, I did tell defender to allow it. I doubt corsair would distribute a trojan, but in the unlikely event they did, a trojan is when I would expect MWB to react.

 


@TheodoreM I took a sec and looked at your older posts.

If you get web blocks when playing online games,

It is due to some server(s) the games are trying to connect to. Steam and many others use p2p connections to play online. As long as the games aren't at risk for connecting to malicious content (which they shouldn't be), you should be able to simply exclude the games' executables from Web Protection using the method described under the Allow an application to connect to the Internet section of this support article.


2 minutes ago, TheodoreM said:

but in the unlikely event they did, a trojan is when I would expect MWB to react.

Not always. If it is known or runs something the exploit protection would notice then yes. You can also scan files at virus total as well to have another opinion. https://www.virustotal.com/gui/home/upload


20 minutes ago, Porthos said:

@TheodoreM I took a sec and looked at your older posts.

If you get web blocks when playing online games,

It is due to some server(s) the games are trying to connect to. Steam and many others use p2p connections to play online. As long as the games aren't at risk for connecting to malicious content (which they shouldn't be), you should be able to simply exclude the games' executables from Web Protection using the method described under the Allow an application to connect to the Internet section of this support article.

 

That hasn't happened for ages - the problem I am having with games now is malwarebytes perpetually scanning them whilst running so the FPS steadily drops from the normal to single digits. The only cure is to add the game install folder to MWB exclusions. It has affected very simple games mostly, like capcom arcade stadium, which is only a 60 FPS game, barely uses any resources and could run on an SOC to be honest, and I was getting 5 FPS till I added it to exclusions. Same with Sturmfront mutant war which is another simple retro game.

About a month back I had a multi hour online session playing TMNT shredder's revenge with 5 other random people worldwide. I have never seen such chaos as enemy amounts are created depending on player count, so there must have been 50 of us on screen at the same time at some point. MWB was on, and everything was like butter. No blocks of any kind.

Right now I am having a different issue with my internet where a few sites say "Hmm can't reach this page", then a few seconds later they refresh and work.

This was happening with ESET too though not just MWB. I am clueless to this one.

 


9 minutes ago, Porthos said:

That is most likely the ransomware protection. You could remove the exclusions and just disable one protection at a time to narrow it down.

Clever idea, to see which protection agent is doing it. Good one.

I will definitely test that tonight, thanks mate!

I'll add the result here if it's of any interest.
