Scanning PDF files for malware

[MBUser2]

I got a chance to see BrowserGuard in action after it flagged some malicious PDF files in a site I was trying to browse.  I commend Malwarebytes for their proactive approach to computer security, blocking files before they can infect your computer.

I understand that suspect PDF's can be uploaded to VirusTotal, but it is not recommended to upload files with sensitive data as VirusTotal can share the file among the security community.

Can I use Malwarebytes File Manager "context menu" to search a PDF file for malware?

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

• For use when you are on the forums and need to provide logs for assistance
• For use when you don't need or want to create a ticket with Malwarebytes
• For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

Spoiler

1. Download Malwarebytes Support Tool
2. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
3. Place a checkmark next to Accept License Agreement and click Next
4. Navigate to the Advanced tab
5. The Advanced menu page contains four categories:
   • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
   • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
   •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
   • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
6. To provide logs for review click the Gather Logs button
7. Upon completion, click OK
8. A file named mbst-grab-results.zip will be saved to your Desktop
9. Please attach the file in your next reply.
10. To uninstall all Malwarebytes Products, click the Clean button.
11. Click the Yes button to proceed. 
12. Save all your work and click OK when you are ready to reboot.
13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
14. Select Yes to install Malwarebytes.
15. Malwarebytes for Windows will open once the installation completes successfully.

Screenshots:

Spoiler

 

 

 

 

Spoiler

 

 

 

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Porthos]

10 minutes ago, MBUser2 said:

Can I use Malwarebytes File Manager "context menu" to search a PDF file for malware?

Malwarebytes does not target script files during a scan.. That means MB will not target; JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.

It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Malwarebytes will block execution of files like these only with the anti-exploit module of the paid program.

You are better off uploading them to VT before opening..

[Porthos]

15 minutes ago, MBUser2 said:

I got a chance to see BrowserGuard in action after it flagged some malicious PDF files in a site I was trying to browse.

Browser Guard does not "scan" sites. it works on blocklists and patterns the sites use and some other heuristic detection methods.

 

[MBUser2]

OK, but BrowserGuard showed 3 linked files blocked for the site I was visiting while VT showed hundreds of malicious PDF's for the referenced Site123 domain.  How did it determine only 3 files had to be blocked?

[Porthos]

10 minutes ago, MBUser2 said:

How did it determine only 3 files had to be blocked?

It was blocking the CDN hosting the PDF's. It was a static block not because of any scan.

Malwarebytes Premium would have blocked the same site Browser guard blocked it first..

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 4/28/2024
Protection Event Time: 11:01 PM
Log File: 2489cc16-05dd-11ef-a5b7-001a7dda7102.json

-Software Information-
Version: 5.1.3.110
Components Version: 1.0.1219
Update Package Version: 1.0.84012
License: Premium

-System Information-
OS: Windows 10 (Build 19045.4291)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: RiskWare
Domain: static.s123-cdn-static-d.com
IP Address: 212.102.40.114
Port: 80
Type: Outbound
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

 

(end)

Edited April 29 by Porthos

[Porthos]

Let me see if I can illustrate it better for you.

This is the PDF from your link in your other post. The arrow is pointing to the trap and the actual infection vector.

When I scan it with Malwarebytes I get this... No detection because it is a PDF

But scanning it with Virus Total.

https://www.virustotal.com/gui/file/40a718d3f4ff8f82bdae90c8dd77901a610f9f9bc900b0b7e5348bf417683e28?nocache=1

 

Edited April 29 by Porthos

[MBUser2]

I'm not following the statement "PDF from your link in your other post".  I was describing a BrowserGuard block of 3 files when I visited https://www.olyham.org and the domain of the blocked files was that of Site123.

Is it possible for the developer of olyham.org to get a "clean" result from BrowserGuard if he removes all infected PDF's from his site but Site123 continues to hose hundreds of infected PDF's for other users? 

He is working with Site123 Support, but so far the problem doesn't seem to be understood by Site123 or the developer.

 

[Porthos]

4 minutes ago, MBUser2 said:

I'm not following the statement "PDF from your link in your other post". 

The domain is legitimately blocked due to malicious PDF files. An example:

 https://static.s123-cdn-static-d.com/uploads/4661447/normal_61b0edbd38451.pdf 

[Porthos]

@MBUser2 The bottom line is Malwarebytes does not scan PDF's for malware.

Browser Guard or Malwarebytes Premiums web protection does not scan websites.

Are you using the free or paid version of Malwarebytes?

Edited April 29 by Porthos

[MBUser2]

Paid version, Premium.  Using Firefox for browser.

[Porthos]

I am going to suggest you make the following change so Malwarebytes and Windows security(Defender) can work alongside each other to protect you.

Please make the following change in Malwarebytes if you're using the Premium or Trial version

• Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security, or General in V5 tab.
• Then turn off "Always register Malwarebytes in the Windows Security Center"
• Restart the computer

[MBUser2]

I probably don't know what is meant by "scan" for threats.  I know this sounds pretty lame, but I seem to be missing something on a fundamental level.

How would you describe what BrowserGuard is doing when I browse to https://www.olyham.org?  How was the CDN determined so it could be blocked?

Back to the "central" question, what does the olyham.org developer need to do to get BrowserGuard to stop warning about using his site?  From looking at the "view source" tool in Firefox, I can see several references to the same CDN named in the example PDF, but they are referencing JPG files, not PDF's.  I didn't see any references to PDF's, but that doesn't mean Site123 wasn't using them.

We need to be able to explain this to Site123 so they can clean up their act.

 

 

[MBUser2]

Now I'm really confused.   What do I gain if I do that?

[MBUser2]

Since I'm trying to help someone else clean up a web site, I don't see how changing my AV settings is going to help the other users at all.

The goal is a web site which does not "throw errors" when BrowserGuard sees it. 

[Porthos]

2 minutes ago, MBUser2 said:

How would you describe what BrowserGuard is doing when I browse to https://www.olyham.org?  How was the CDN determined so it could be blocked?

It is blocked by a list that includes that site.

3 minutes ago, MBUser2 said:

Back to the "central" question, what does the olyham.org developer need to do to get BrowserGuard to stop warning about using his site?  From looking at the "view source" tool in Firefox, I can see several references to the same CDN named in the example PDF, but they are referencing JPG files, not PDF's.  I didn't see any references to PDF's, but that doesn't mean Site123 wasn't using them.

olyham is not the problem, site123 needs to clean up their users abusing them.

[Porthos]

3 minutes ago, MBUser2 said:

Now I'm really confused.   What do I gain if I do that?

Malwarebytes disables Windows Defender like any other 3rd party AV does.

13 minutes ago, Porthos said:

Malwarebytes and Windows security(Defender) can work alongside each other to protect you.

The reason many of us members are pushing Keeping Defender on is the following.

Malwarebytes does not target script files during a scan... That means MB will not target; JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.

It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Malwarebytes will block files like these if malicious on execution-only.

And,

Malwarebytes is not designed to function like normal AV scanners and uses a new kind of scan engine that relies mostly on heuristics detection techniques rather than traditional threat signatures.  Malwarebytes is also designed to look in all the locations where malware is known to install itself/hide, so a full or custom scan shouldn't be necessary, especially on any sort of frequent basis (like daily), especially since the default Threat Scan/Quick Scan checks all loading points/startup locations, the registry, all running processes and threads in memory, along with all system folders, program folders, and data folders as well as any installed browsers, caches, and temp locations.  This also means that if a threat were active from a non-standard location because Malwarebytes checks all threads and processes in memory, it should still be detected.  The only threat it *might* miss would be a dormant/inactive threat that is not actively running/installed on a secondary drive, however, if the threat were executed then Malwarebytes should detect it.  Additionally, whenever a new location is discovered to be used by malware the Malwarebytes Research team adds that location dynamically to the outgoing database updates so the locations that are checked by the default Threat/Quick Scan in Malwarebytes can be changed on the fly by Research without requiring any engine or program version updates/upgrades.

An AV will catch the file just by downloading it or just opening a folder with a detected file in it.

For example, you get an email with an infected attachment, Malwarebytes will not even blink until you run it yet Defender will detect it if it is in their database without even actually clicking on it. Remember the list of files Malwarebytes does not target.

Then I will leave you with this.

As good as Malwarebytes is, it is just a layer of protection.

Using a browser that has Ublock Origin and the Malwarebytes Browser guard enabled is also a layer of protection.

Not opening attachments from an email unless you were expecting it from a specific user during a specific time period.

Do not use Torrents. Do not install every free software you find. Do not click links in an unknown email. Go directly to the site listed in the email.

Having a monthly image of your computer on an external drive that is only connected during the backup is actually better than any protective software ever made. Macrium Reflect free is the program I use and place on every computer I service.

[MBUser2]

I found this "How to Geek" article.  I'm sure Malwarebytes has something similar, but this is the first thing I found.  It sounds very complex and difficult to use.

https://www.howtogeek.com/230158/how-to-run-malwarebytes-alongside-another-antivirus/

[MBUser2]

I am running UBlock Origin and I do monthly backups with Macrium Reflect.

I understand what you are saying about Defender, but I am not sure how to actually use it.  It appears to have a steep "learning curve" from my present point of view.

[Porthos]

16 minutes ago, MBUser2 said:

I understand what you are saying about Defender, but I am not sure how to actually use it. 

When on it is additional realtime protection.

By default, Defender scans every 7 days. You can do manual scans as well,

Edited April 29 by Porthos