
Pup, PUP, PUP. Malwarebytes is trying to educate the industry by rating as PUP more strictly. At the core, I think this is great, right direction, and to be very much valued. I really, really mean that.

But I dislike the way Malwarebytes is doing it and I believe Malwarebytes will not be successful with its strategy. 

I received my very first Malwarebytes (4.5.16.217) report now and was warned about two PUPs, Bit Driver Updater and Auslogics Duplicate File Finder, and a PUM.Optional.DisableMRT which comes from a registry key setting around Microsoft's Malicious Software Removal Tool. For the two PUPs, I deliberately installed the software. For DisableMRT, I had no clue what that was.

Here are my Malwarebytes dislikes:

Dislike #1: The report does not help the user with understanding the situation. It should be very easy to include a clickable link in each row of the report that points into a big malware table on the Web which outlines the specific issue with that particular software or software version, known infection paths, recommendations for the user and, if necessary, links to further detailed information. Why? Because in the case of the two programs which I deliberately installed, I need such functionality and want to understand the specific issue on my PC to be able to balance the issue against the value of the functionality it creates for me or the effort to search for, acquire and install replacement software. And for the unknown one, in my case PUM.Optional.DisableMRT, which I did not put in place deliberately, I want to learn how I received it on my computer. Because security cannot just be delegated to a tool. The first line of defense is risk-aware, educated users. Malwarebytes probably knows this. Lacking such links, users are forced to go to their browser's search engine, type in the hieroglyphic code for that malware and try to find something. That's what I did.

Dislike #2: I couldn't find concise information from Malwarebytes, including this forum, that clarified my question. And I really spent some time searching. Partially, what I could find are some more general terms which however do not really explain the issue or what to do next. For instance, I found the Removal instructions for Bit Driver Updater where Metallica from Malwarebytes states

Quote

Bit Driver Updater is a "driver updater". These so-called "system optimizers" use intentional false positives to convince users that their systems have problems. Then they try to sell you their software, claiming it will remove these problems. More information can be found on our Malwarebytes Labs blog.

This is a hefty accusation. So, I was happy to follow the link to the blog entry to learn about the details. But that blog article is just arguing about "Registry Cleaners: Digital Snake Oil". It doesn't even generally touch driver updating software, not to mention specifically Bit Driver Updater. If Malwarebytes has proof that Bit Guardian, the company behind Bit Driver Updater, intentionally presents drivers as issues knowing that this is not the truth, Malwarebytes must really share the proof. Not doing so raises the suspicion in me that Malwarebytes has no evidence, maybe not even a real clue. What I guess - I don't know, but now I guess - is the following: Bit Driver Updater just compares driver version numbers as they appear on vendor sites and if there is a newer version of a driver they recommend updating the outdated version. Is that bad? In some cases it may fix a vulnerability - in many cases not; in some cases it may fix some instability, a performance issue or whatever - in some cases not; in some cases the new version may just support newer hardware components or devices in addition to the old ones. Without checking details one cannot know, and even if spending time checking details it is hard to weigh a topic for the specific existing installation. So, in some cases a driver update might not be necessary for my use case. But this is how security is being managed more and more today. Just automatically update to the most recent version to be on the safe side. This is the case with Microsoft's Windows Update, with all browsers on PCs, more often also with the Android OS, and with many other platforms and applications. For my part I am using PatchMyPC for that reason. It is updating some 20 of my applications/tools silently, automatically and free of charge for home users. I am sure I don't need all these patches. But this way I am on the safe side without the need to dig into details. For the same reason I installed a driver updater.

Similar situation with Malwarebytes' info on Auslogics Duplicate File Finder. I could just find general complaints that Auslogics puts software into bundles and if one does not carefully observe all the small check boxes in the installation dialog something unwanted could be installed. It may well have been the case that Auslogics tried to sneak in more of their software. But now I have this software installed and - as far as I am aware - I have nothing from Auslogics or 3rd parties installed that I did not want to have installed. As Malwarebytes tries to educate the software vendors, it punishes the users by creating an alleged issue with the current existing installation on the PC, although the installation which could have led to installing unwanted additional software has already happened. But Malwarebytes is not even telling users that this is the intention of the current flag on the specific installed software. We users need to search around, combine clues, and draw our own conclusions to understand these Malwarebytes policies.

It's just the same with the mentioned blog entry on registry cleaners being like snake oil, i.e. a placebo with no perceivable effect on performance. I can imagine that this is the truth for the registry cleaners which check for keys left over from incomplete uninstallations, pointing to nowhere, and in a real-world scenario on the first run maybe identify and delete 200 to 500 keys of, say, roughly 50 bytes on average. But I can also imagine that the effect of this is perceivable. Is not being perceivable just an assertion of Malwarebytes or does Malwarebytes have evidence? Any test scenario and measured results? Without any indication, and seeing Malwarebytes' tendency to - politely put - judge differently from many vendors in the industry, why should I just blindly trust Malwarebytes and not the other vendors? Malwarebytes' unsubstantiated claim also includes registry defragmenters. For those I cannot imagine that there is no substantial performance impact on PCs with regular uninstallations and installations, which includes regular version upgrades. The registry files are both large and very frequently accessed, maybe the most frequently accessed files on Windows except for some logs that are only appended at their end. I was responsible for the management of various relational database products. I know about the effect on performance of large files which are most often and randomly accessed and constantly updated, like large key indexes of tables used all the time. They strikingly benefited from regular recreation. So, unless Windows defragments the registry files automatically, which was not the case in the past and I am not aware of that being the case now, I assume a registry defragmenter run say once per quarter or once per year will help a constantly updated PC that is tight on memory. But that is my assumption only, derived from DB management experience.
I would need to create a realistic test scenario and provide some measurement before I could present my assumption as a fact like Malwarebytes does with the snake oil accusation.

Only partially comparable is the situation regarding PUM.Optional.DisableMRT. I found the reason for the flag in a user thread, "False positive: 2 registry values", where miekiemoes from Malwarebytes explains

Quote

This means, potentially unwanted modification (PUM) where Microsoft Malicious Software Removal Tool is disabled.
We detect this because a lot of malware sets this policy, hence why we want to warn the user about this (for obvious reasons)
If you have set this policy yourself, then you can add an exclusion for this detection.

Another user corrects - and I find the same confirmed in other threads - that the locally running MRT itself is not affected, only the propagation of the finding to Microsoft is suppressed. If I were already running the Malwarebytes scan every night and suddenly that flag were raised, I probably would know which single installation or which few software installations or configurations from the day before caused the change. But in my case, running the Malwarebytes scan for the very first time, what can I do with the information that there might be malware on my PC which Malwarebytes is not yet able to detect, but the registry key could indicate that there is some? With no idea, I would need to wipe my PC and reinstall it including all apps and their configurations and after each step run the Malwarebytes scan to see what set the registry key. I have no DevOps automation pipeline that would allow me to do so. Again, if I were already running Malwarebytes every night the situation would be different. The point is that there is no link from the Malwarebytes report to a central malware issue catalog that explains the situation and offers basic guidance on how to interpret it and what to do in which specific scenario.

Dislike #3: While I was editing this forum entry, I wanted to look up the name of the company behind Bit Driver Updater and tried to go to their Web site. But Malwarebytes blocked my access to that Web site. And it was not just a warning that I could instantly overrule like with uBlock Origin or Web of Trust or my normal AV tool Avira; it was quite definitely blocking me off. From the system message popup "Website blocked due to PUP", I would need to have clicked Manage Exclusions > on the Allow list hit Add > Allow a Website > key in the URL > Done > go back to the browser > reload the page. Compared to the other mentioned security software, this is cumbersome and I didn't instantly understand how this works. But what made me angriest is that Malwarebytes does not just flag the download of the driver, but does not let users browse to the vendor Web site at all. Who are you, Malwarebytes? Do you want to compete with Xi Jinping and Putin who control what their subjects are allowed to see on the Web? My perception: your intention is to better the world - which is good - and fight the industry which does not play by your rules - but there is no fair, well-documented and open contention - and your users are just your subjects in that fight, about whom you don't care much.

Dislike #4: As I did not instantly understand what to do to allow myself access to the Web site, I tried Quit Malwarebytes through a right-click in the Windows system tray. The management app closed down, but the Malwarebytes MBAM service did not. As a result I could not do anything on the Internet anymore. Whatever URL I tried, there was no access anymore, which means I could also not google how to solve this issue. Windows Network Diagnostics reported a problem with the network's proxy settings. Obviously the MBAM service functions as the proxy, but with the app now being shut down it could not make any decision anymore, so it blocked everything. I tried to solve the issue by starting the Malwarebytes app again. With more tranquility I could have figured out how to unblock the specific Web site or how to generally shut down all Web Protection from the app. But at Malwarebytes app start, a popup appeared: "Unable to connect the Service". The app did not come up. The only chance I saw was closing all my work including the started editing of this forum entry, copying it somewhere, saving, and restarting my PC. At that point I was really furious. My perception: Malwarebytes puts all their effort into educating the industry, users are just their subjects, and as an effect the Malwarebytes product is unstable and weakly tested.

My wish for Malwarebytes
- Put your users first, create a stable, user-friendly product, block what needs to be blocked and only that, help users to easily make educated decisions in their exact current situation, and first of all stop punishing your users as you aim to fight vendors
- Instead of knowing everything better than so many others in the industry, be open to discussion, give detailed reasons for your conclusions, and be more humble, last but not least because you yourself apply tactics which are similar to those which lead you to a PUP verdict. For instance, I needed to register with this forum to write this entry, which is OK. But if I had not carefully watched the preset checkboxes, I would have agreed to unwanted Malwarebytes marketing inflow into my mailbox. I believe that acting more humbly in a documented, open discussion will also make your fight in the industry more successful. Currently you are at risk that your voice is perceived as just unearthly stupid and simply to be ignored
- Review your product robustness testing

I am aware that with this message I am also somehow attempting to move something much bigger than I. I can only say that I will be open to discussion within this thread and also privately by herewith authorizing everyone in Malwarebytes to contact me on my email registered with this forum. I am curious whether this will receive product management attention.

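The PUM.Optional.DisableMRT finding discussed in the post above concerns a policy setting for the Malicious Software Removal Tool. What follows is an added example, not code from the original post or from Malwarebytes: a PowerShell check that reads the MRT policy key, states what each enabled value means, reads the key's last-write timestamp (Get-ItemProperty does not expose it, so it is fetched through RegQueryInfoKey) to narrow down which installation or change set it, and shows how to remove a value you did not set yourself. Assumptions: the detection refers to HKLM\SOFTWARE\Policies\Microsoft\MRT and its two Microsoft-documented policy values, DontOfferThroughWUAU and DontReportInfectionInformation; the function names Get-MrtPolicyStatus and Clear-MrtPolicyValue and the class RegLastWrite are hypothetical names chosen for this example.

```powershell
# Added example, not code from the original post or from Malwarebytes.
# Assumption: PUM.Optional.DisableMRT refers to the MRT policy key below and its
# two Microsoft-documented policy values; the function and class names are hypothetical.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'

# What a value of 1 means for each documented policy value.
$Policies = @{
    'DontOfferThroughWUAU'           = 'MRT is no longer offered and run through Windows Update'
    'DontReportInfectionInformation' = 'MRT still runs locally but does not report detections to Microsoft'
}

# Get-ItemProperty does not expose a key's last-write time, so call RegQueryInfoKey via P/Invoke.
# The timestamp narrows down which installation or configuration change wrote the value.
$source = @'
using System;
using System.Runtime.InteropServices;
public static class RegLastWrite {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int RegOpenKeyEx(IntPtr hKey, string subKey, int options, int samDesired, out IntPtr phkResult);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
        out uint cSubKeys, out uint cbMaxSubKeyLen, out uint cbMaxClassLen, out uint cValues,
        out uint cbMaxValueNameLen, out uint cbMaxValueLen, out uint cbSecurityDescriptor,
        out long ftLastWriteTime);   // FILETIME read as one 64-bit value
    [DllImport("advapi32.dll")]
    static extern int RegCloseKey(IntPtr hKey);
    const int KEY_READ = 0x20019;
    static readonly IntPtr HKEY_LOCAL_MACHINE = new IntPtr(unchecked((int)0x80000002));

    // Returns the key's last-write time in local time, or null if the key cannot be opened.
    public static DateTime? Get(string subKey) {
        IntPtr h;
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, out h) != 0) return null;
        try {
            uint a, b, c, d, e, f, g; long ft;
            if (RegQueryInfoKey(h, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
                                out a, out b, out c, out d, out e, out f, out g, out ft) != 0) return null;
            return DateTime.FromFileTimeUtc(ft).ToLocalTime();
        } finally { RegCloseKey(h); }
    }
}
'@
if (-not ('RegLastWrite' -as [type])) { Add-Type -TypeDefinition $source }

function Get-MrtPolicyStatus {
    $status = [ordered]@{ KeyExists = (Test-Path $KeyPath); LastWrite = $null; Findings = @() }
    if (-not $status.KeyExists) { return [pscustomobject]$status }   # no MRT policy set at all
    $status.LastWrite = [RegLastWrite]::Get('SOFTWARE\Policies\Microsoft\MRT')
    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in $Policies.Keys) {
        $data = $props.$name
        if ($null -eq $data) { continue }                               # value not present
        $meaning = if ($data -eq 1) { $Policies[$name] } else { 'present but not enabled (0)' }
        $status.Findings += [pscustomobject]@{ Value = $name; Data = $data; Meaning = $meaning }
    }
    [pscustomobject]$status
}

# Remove a policy value you did not set yourself (run elevated). If it comes back after a
# reboot or policy refresh, Group Policy or whatever software wrote it is re-applying it.
function Clear-MrtPolicyValue {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DontOfferThroughWUAU', 'DontReportInfectionInformation')]
        [string]$Name
    )
    Remove-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop
}

Get-MrtPolicyStatus | Format-List
```

The Policies hive is not redirected for 32-bit processes, so the same key is seen from both a 32-bit and a 64-bit PowerShell. The last-write time is the best the registry itself offers about who set the value; correlating it with the Windows Application event log or the install dates in Programs and Features is what the post's author was looking for when asking how the key got onto the machine.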

Root Admin:

Thank you for your feedback @pypes

A couple of comments

  1. This specific forum is for feedback, not discussion. If you wish to discuss further I can move it to an open discussion forum.
  2. Yes, management and development see all reports and feedback. The company and products have made many changes over the years based on feedback from customers.
  3. I agree that new customers with any program can find it difficult to work around the workflow. That includes uBlock Origin (I love and recommend the product almost daily); if you're new to uBlock you would not know how to create any rule or bypass a rule until you either researched it or worked with the program intently. The point being that I do agree there are ways we can improve to try to make it easier to bypass or ignore our suggestions.
