"checking for updates" making scanning downloads far too slow

[Andy2No2]

Please tell me there's a way to stop Malwarebytes checking for updates whenever I try to scan a file I just downloaded. 

It's taking so long it's making me want to find another virus scanner.  The Cancel button does nothing and all I can really do to get on with what I'm doing is quit Malwarebyes, then start it up again - at which point it scans just fine, with no appreciable delay... apart from when it refuses to quit.

I'm quite happy to rely on virus definitions being updated once per day.  I do not need or want them to be updated every single time I download a PDF and try to scan it by right clicking on it - which at times can be several times within a fairly short period of time.  And, no, it's not always practical to download all the PDFs I'll need, then scan them all at once, because there often turn out to be more I'll need too.

I want to scan downloaded files, but I want to get on with what I'm doing.  I do not want to have to wait while Malwarebytes does "checking for updates", yet again, which at times takes several minutes.  How can I make this stop?  I've tried turning off application update checks, but that makes no difference.  There seems to be no similar switch to turn off virus definition updates, at the start of a manual scan.

Incidentally, I've tried to search for similar topics, but the forum's search facility is barely usable, at the moment.

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Porthos]

11 minutes ago, Andy2No2 said:

I download a PDF and try to scan it

You can stop trying to scan a PDF. Malwarebytes does not scan them.

Malwarebytes does not target script files during a scan. That means MB will not target; JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.

It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Malwarebytes will block the execution of malicious files like these only with the anti-exploit module of the paid program.

[Andy2No2]

Thanks.  That's really disappointing, not to mention very, very annoying, given how much of my time Malwarebytes has wasted over the years, while I've been trying to do just that, with no indication that it's not even scanning them.  Yes, I have the paid version, "Premium", for all the good it does me.

Unbelievable.  Do you have any recommendations for a good on-demand file scanner that doesn't get in the way the rest of the time?

[Porthos]

8 minutes ago, Andy2No2 said:

Do you have any recommendations for a good on-demand file scanner that doesn't get in the way the rest of the time?

2 Things.

I would suggest that you turn off the following setting in Malwarebytes so you can run Windows Defender alongside Malwarebytes.

You then right-click and scan with it.

 

Also you can upload files to Virus Total.  https://www.virustotal.com/gui/home/upload

Edited December 24, 2023 by Porthos

[Andy2No2]

Thanks for the advice.  I'll try that.

[Porthos]

3 hours ago, Andy2No2 said:

I'm quite happy to rely on virus definitions being updated once per day. 

Just to add to this, Be default if you have not made the mistake of changing the default, Malwarebytes checks for updates hourly.

I have mine set for every 15 minutes because I scan a lot of files and websites reported here on the forums. I rarely have an update when I do a right-click scan as I am already up to date.

The farther behind the database is, the longer it takes to get an update.

Anytime a scan is done either manually or scheduled, a check for updates is done first.

[Andy2No2]

I'd like to be able to turn off automatically updating definitions before each manual scan, for the reason given.  I can do manual scans a few minutes apart and still have to wait far too long for that stage to complete, so I'm under the impression that the server just isn't responding fast enough to make that comfortable.  If I manage to quit Malwarebytes, then start it up again, it scans pretty much immediately, without that delay.

The effect this has is to make me less inclined to manually scan things because it's become such a PITA to do.

[Porthos]

1 hour ago, Andy2No2 said:

so I'm under the impression that the server just isn't responding fast enough to make that comfortable.  If I manage to quit Malwarebytes, then start it up again, it scans pretty much immediately, without that delay.

Then we should take a closer look at your system.

Please do the following so that we may take a closer look at your system.

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• The tool will also download and run a file named FRSTEnglish. Please allow it to do so.
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply
  
   

Thank you

[Andy2No2]

Thanks for your interest, but I'm not comfortable uploading that sort of information about my PC, or what's on it, to somewhere else.

I don't think this is a bug; I think it's a feature - a natural consequence of the fact that I'm given no control over when it chooses to update definitions over the internet, if I want to scan files I've just downloaded manually.

I don't suppose anyone there will listen, but the proper solution is to add a switch, and give us back control over when that happens.

[Porthos]

8 minutes ago, Andy2No2 said:

but I'm not comfortable uploading that sort of information about my PC, or what's on it, to somewhere else.

Understood. Keep in mind that 95% of the issues posted here need the logs to assist. In most sections of the forum, only you and authorized members and staff can access them.

12 minutes ago, Andy2No2 said:

a natural consequence of the fact that I'm given no control over when it chooses to update definitions over the internet, if I want to scan files I've just downloaded manually.

Just keep in mind the list of file types I listed that are not targeted by a scan.

Also, it is useless to scan with any kind of protective software with out of date definitions. that can help with new infections or correct a false positive that was found a few hours earlier.

17 minutes ago, Andy2No2 said:

I don't suppose anyone there will listen, but the proper solution is to add a switch, and give us back control over when that happens.

I doubt that will happen but your suggestion will be forwarded to developers.

So to put this thread to bed, I also want to wish you holiday greetings and a happy Boxing Day as well.

[nukecad]

You can go offline (flight mode on a laptop) before scanning a downloaded file.
Because it can't connect to check for updates your Malwarebytes will go quickly to the scan itself.
It takes me about 10 seconds here to scan a single exe file when offline.
Of course the MB definitions may not be up to date.

The screenshot below is a scan I've just done of the Macrium Reflect installer exe, while offline - as you can see it took 11 seconds.
The same scan done a few minutes later, this time online, took 50 seconds because of the definition update.
NOTE that when done again online once the definitions had been updated it again only took 11 seconds for the scan of the file.

 

Just to be sure - This is the Full MB Premium that you are running in real time and not the Free version?
I ask because you talked about quitting Malwarebytes.
If it's MB Free version, and/or if you have 'Quit Malwarebytes' from the System Tray, then it has to load the Malwarebytes Service again before it can do anything else, and loading the Service if it isn't already running takes time (Around 20-30 seconds before you see MB onscreen).

Edited December 25, 2023 by nukecad

[Andy2No2]

@nukecad Interesting.  Thanks.  I used a wired ethernet connection to a Plusnet router, so it's not quite so straightforward as on a laptop but even so, that's good to know.

Yes, I have the full Malwarebytes Premium.  I've had it for decades, though it used to be MBAM, under the same license.  Yes, it does take a while to shut it down from the system tray and start it up again, but at least doing that feels proactive.  Sometimes it refuses to stop checking for updates or quit, naturally.

I'm still appalled that I've been asking it to scan one PDF (most commonly) for years, and after wasting my time with the updates it then tells me it scanned one file, and found zero problems - but apparently hasn't actually scanned it at all.

My estimation of this company has taken a huge hit, after this revelation.

[David H. Lipman]

I'm truly sorry for you to feel that way.  One has to understand more about malware.

PDF files may contain malicious URLs or may exploit vulnerabilities in a PDF Rendering software but they do not "directly" infect.

Malwarebytes reserves it signatures to files that directly infect a PC as a Portable Executable file.

MBAM specifically applies signatures to target PE binaries that start with the first two characters being; MZ
They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as;  TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.  This includes file names that use Unicode Right-to-Left Override to obfuscate an executable file extension.

 

Malwarebytes does employ signatures on a simplistic basis on some scripted malware but not on specific scripts.

However, MBAM does not target documents via signatures such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files;  MP3, WMV, JPG, GIF, etc.
MBAM does not target MSI files by signatures.  MBAM is capable of extracting PE files embedded in these COM Structured Storage files and may target them via signatures.

Malwarebytes employs heuristic constructs and its Anti Exploitation module to Scripted Malware, media files and Documents as well as its Web Protection module and the added protection of Browser Guard.

Thus let's assume that this was a PDF that was specially crafted to exploit a bug (vulnerability) in rendering a PDF.  In that case the anti exploitation would block and/or mitigate the the action of exploitation and any possible payload.

Take a PDF that is implementing a Phish.  Malicious actors create Phishing emails.  Some may contain the Phish Content in thy body of the email.  However that may fall prey to Spam and Content Filters.  To thwart that the actor may create a PDF that has the Phish Content in the body and has a URL to the site intended to harvest associated credentials.  Here the Web Protection module or Browser Guard will block the access to the malicious web site.

So while a PDF is not "detected" by a signature, the Malwarebytes product will protect the user and that  is what counts.

Another example is malicious DOC/DOCx and other MS Office documents (aka; maldocs) .  Here too MBAM will not "detect" a maldoc but the anti exploitation module will block a document specifically crafted to exploit the MS Office environment (or other applicayions that may view/edit it).

Another scenario is where malware is embedded in the document and tries to drop it and run it.   If the file embedded is an EXE file, the signatures base would detect IFF it was executed but the anti exploitation would block the dropping and execution process.

Another scenario is where the maldoc has a malicious VB Script.  Here the anti exploitation would block the malicious actions of the script as well as using the Web Protection and even Browser Guard if there was a malicious site that the script was trying to visit or download a payload from.

 

I can truly understand the desire to at least "know" if it is a malicious document,  Virus Total participating vendors will provide that indicator.

I had a case where a user on a Borough Hall network connected a USB drive that detected the Wimad Trojan on some MP3 and other media files by Kaspersky.  Wimad files exploit the Digital Rights Management (DRM).  In that case Malwarebytes would not detect the media files via signatures.  However, the anti exploitation module would protect the user, in the same scenario, if they employed Malwarebytes.

This is why one should still enable the Microsoft Windows Defender of the OS.  It will detect the malicious Documents, Scripts and Media files. 

HTH

 

Edited December 25, 2023 by David H. Lipman
Edited for content, clarity, spelling and/or grammar

[Andy2No2]

What you're not getting, David, is that I now feel MalwareBytes has been lying to me, for years, and I can no longer have confidence in what it tells me.

As I said, I ask it to scan one file I just downloaded; it then tells me it has scanned one file and found no problems.  It turns out neither of those things is true - it has not scanned the file, and it has not confirmed there are no problems because it didn't even scan the file.

If it's not able to scan PDFs, then it should say so, right there and then, and it should always have said so.

Also, I am aware of what PDFs can contain, which is why I want to scan them the moment I get them.  I thought I'd been relying on Malwarbytes to do that for me, but it seems I've been misled.  Given how long it has apparently been doing that, I also have to wonder if it has been misleading me deliberately, rather than encouraging me to look for a product that will.

[nukecad]

9 hours ago, Andy2No2 said:

 I ask it to scan one file I just downloaded; it then tells me it has scanned one file and found no problems.  It turns out neither of those things is true - it has not scanned the file, and it has not confirmed there are no problems because it didn't even scan the file.

If it's not able to scan PDFs, then it should say so, right there and then, and it should always have said so.

That isn't quite what David is telling you above.

The file IS scanned by Malwarebytes, but it is scanned for particular things. (eg. the 'MZ' characters).

That means that the Malwarebytes scan isn't relying on any malicious content having been seen before and added to a list.
So Malwarebytes is better at finding 'never seen before' (Zero Day) malware hidden in such files.

Other things, that a 'traditional' AV would scan for and compare to a list, Malwarebytes doesn't scan for.
That's because Malwarebytes would instead block those things if/when they tried to run.

Either way you are protected from the action of malicious content. It depends if it's been seen before or not.

You can think of it like your computer being a store and the malware being shoplifters.

• You can scan for and try and recognise known shoplifters and stop them coming in or throw them out if thet do get in, (a traditional AV scan), but that won't recognise any new ones.
• Or you can search/scan for shoplifting tools*, (Malwarebytes file scan), and watch everyone all the time and stop them if/as they try to steal something, (Malwarebytes real time protection).

Both methods will help prevent shoplifting, but only one of them will see and stop new shoplifters.

So by all means do both. and scan a downloaded file with both Defender (to recognise and catch known 'faces') and with Malwarebytes (to catch new or old carrying particular malware tools).
If either/both of those scans should miss something nasty then the Real Time Protection modules of Malwarebytes should catch and stop it if/when it tries to act.

*hidden pockets, wires to hook things, security tag removers, etc. the differences aren't that different and malware nasties will use similar tools.

 

Edited December 26, 2023 by nukecad