
Updating problems, scheduled /and/ manual



Using Win XP Home SP3 + MBAM v1.41 (I know, I know, read on...) + Avast! + Online Armor + TrojanHunter. Posting this, telling what the problem was and how I (laboriously) solved it myself, in case it helps anyone else.

I've been getting the error message "Unable to execute file in the temporary directory. Error 5: Access is denied" regularly over the last couple of weeks. It always happened just after 21:00 so I figured it was to do with a scheduled task but I hadn't bothered to look into it any further until tonight ...

... because last night, Online Armor blocked mbam-setup because it had changed. (This may have happened other nights, I haven't been on the PC in the evening much recently). Last night I told OA to Allow and Trust mbam-setup, but it got blocked again tonight. Turns out it was the MBAM scheduled update that had stopped working; to my consternation, MBAM hadn't been updated for over a month (since 3rd December :)). So I tried to update manually. MBAM downloaded 4995 kB and announced that the latest version had been downloaded and MBAM would now close to allow it to be installed. I clicked OK and got "Unable to execute file in the temporary directory. Error 5: Access is denied" again.

I saw on the MBAM update tab that v1.44 had (just) been released, and to visit www.malwarebytes.org if updating automatically was not working, so I did, but couldn't find any pertinent content.

I started to compose this post and then figured to try editing Online Armor's program list and remove mbam-setup so it would have to ask me about it all over again. This done, I tried another manual update. That seemed to have worked, and I got prompted to reboot to complete the installation. Fair enough ...

... except that after reboot, Windows was unable to access is-BEOQU because OA had blocked /that/. So I told OA to play nicely and rebooted again ...

This time, no error messages but MBAM did not start with Windows. So I opened the UI manually. "Start with Windows" /was/ checked but the Protection module was disabled. So I clicked "Start Protection". That prompted OA to ask me about mbam.sys as a start-up. I said that was OK. Then Windows told me the module was already running :). So I rebooted /again/ ...

This time, MBAM did start with Windows, but it did so with its UI displayed. So I rebooted /again/ ...

Finally, all seems to be in order. In particular, the scheduled scan at 22:00 kicked off OK and didn't find anything nasty (once I had confirmed that OA should continue to play nicely with MBAM's Swiss army knife). But I'm left a bit concerned that it took so many iterations to (apparently) put things right, and that as a result, all may not be as in order as it seems. Can a MBAM guru provide reassurance?

Andy


Andy,

I have not used Online Armor myself. However, I'm aware that some Firewalls/A-V's use checksum hashes to check file integrity. Obviously, when we (MBAM) do an update, those values are going to change. My advice is to be aware of this and adjust accordingly. Being a regular member, you should be fairly aware when an update takes place. At that time, you are going to need to "retrain" your Firewall and possibly your A-V programs. That's not a bad thing. It's just that as malware has gotten sneakier, and more tenacious, the other security programs have had to step up to the plate regarding what they think is legitimate or not.


Thanks guys,

I agree it's not a bad thing to have to manage the peaceful coexistence of various security apps. It would be one thing to retrain after an update has taken place, but it's not that simple, is it? The point of my post was to record just how not that simple it was. I'd written it all down anyway in case it didn't work out in the end, and I thought it would be as well to post it as just throw it away, in case it might be useful to someone else. The only reason I eventually knew what program was causing the difficulty was because Online Armor told me (an issue with Online Armor, that, not with MBAM) - for most of the last month I had no idea what program was causing the error message. If I'd looked at my scheduled tasks I would have found it was MBAM-related, but the scheduled task launches mbam.exe and I knew mbam.exe wasn't blocked from running. All I knew was that the program that was blocked was in a temporary directory, it could have been called anything - and for all I knew it was deleting itself afterwards. Then when I finally found out I had to do something about mbam-setup.exe, getting Online Armor to seek my permission to let it run again was only the first step - there were four reboots required, after each of which it still looked like things were at least somewhat screwed up.

I'm far from being a propellerhead but equally I'm a lot more tech savvy than a lot of users are. I think I'm left wondering whether it wouldn't be possible for MBAM to be a little more helpful to the user at update time? It's mbam.exe that bears ultimate responsibility for carrying out the scheduled task, so it must know when an update does not complete successfully. It would be easy enough to output an error message with some helpful diagnostic information, wouldn't it? It took a long time before Online Armor produced anything helpful, and the Windows error message was completely unhelpful.

Andy


MBAM will display an error when an update fails, but only for definitions. When it fails to install an application update (a new version of MBAM) it does not because mbam.exe itself must exit in order for the new version to install (that's what mbam-setup.exe that runs from the temp folder is, the program's installer for the new version that was downloaded).

The problem is really OA and the way it does (or fails to) properly notify you when an application is blocked from executing. That's why I hate these HIPS type firewalls. If you don't really know what you're doing you could end up either blocking something that's needed by accident or allowing something you shouldn't.

Also, since MBAM uses the Windows Task Scheduler for scheduling updates at the moment, unfortunately it's up to Windows to report that the update failed for scheduled program updates and scheduled scans. I do believe the developers are working on changing that however.


Hi,

Yes, I see the conceptual problem with mbam.exe notifying the user about a problem updating itself now ... I can see why it can't report failure before it exits - but I can't see why a registry entry could not be used to inform whatever version starts up next time that an update was or was not attempted, and if the former, that it did or did not take place successfully?

I have to say I've never seen a MBAM error reporting failure to update definitions (in fact, I've never seen a MBAM error at all) - and my definition updating seldom if ever seems to work automatically. I don't keep close tabs on it, but whenever I think to check, my definitions always seem to be out of date. I'd be more concerned if manual updating didn't work but it always does.

Sometimes (like currently) it seems like at least one post in ten is reporting error 732 in the forums and I feel left out ;) At least if I got an error message I'd have something to work with. At the moment I don't know if the scheduled task is not starting reliably, or if it's starting and failing.

Interesting observations about Online Armor. Until a few months ago I used Trend Micro which is AV and firewall in one. It was only when I switched to Avast! that I had to do something about a separate firewall. I could be wrong but ISTR it was on the basis of informed opinion in this forum that I adopted Online Armor (I didn't even know what HIPS stood for until I just looked it up :) ). But informed opinions differ just like any opinions (perhaps especially so). What would you personally recommend as a good firewall solution?

Andy


Yes, it could be done I believe with something as simple as an application log that the program reads (similar to the protection logs and scan logs).

You can verify whether the updates are working by checking your Task Scheduler, it will show the last run time and should show whether or not it was successful. You should also be able to see if it failed to update in the Event Viewer.

"What would you personally recommend as a good firewall solution?"
That's the 30 million dollar question ;) . I personally use a firewall that's incredibly simple and these days I usually simply recommend that the user stick with the Windows Firewall as long as they're behind a hardware firewall (something that's built into most cable and DSL modems and is built into all routers). Many disagree with me though, but I think most software firewalls try to do too much. Instead of simply determining which programs communicate with the internet and which ones don't, they try to control which ones execute at all and whether or not they can access other processes and files on your machine, and if so, to what extent. That's way beyond just controlling inbound and outbound internet traffic, which is all a software firewall is supposed to do by definition.

But many disagree with me. My main issue is that a user such as myself can't always know whether it's safe to allow process X or dll Y to do what it's attempting to do with explorer.exe. I've seen users mess up Windows with these types of firewalls, and that includes me, simply because I didn't understand the darn prompts. They just seem to do too much. But then again, you may be much more comfortable with Online Armor and the way it works, but clearly, at least in this case, it did what it did not because mbam-setup.exe tried to access the internet, but simply because it tried to install. That's what I don't like about these firewalls.

Sorry for the long winded speech my friend, it's just one of those subjects that's really difficult for me to answer. I see the value in securing your system with a good software firewall and used to swear by them myself, but over the past several years they've become too darn complicated for the average computer user to get along with. They expect you to be able to identify by name a file that is related to a trojan or other malicious software. I thought that was what antivirus and anti-malware software was for.

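An added example (not Malwarebytes code and not part of the original posts) of the idea discussed above: the program records an update attempt before it exits, and the next start-up compares the running version with the recorded target. The state file, function names and JSON layout are assumptions made for illustration; the version numbers are the ones mentioned in the thread.

```python
import json
import os
import time

def record_update_attempt(state_path, current_version, target_version):
    """Call just before the program exits so the downloaded installer can run."""
    state = {"from": current_version, "to": target_version,
             "attempted_at": time.time()}
    tmp_path = state_path + ".tmp"
    with open(tmp_path, "w", encoding="utf-8") as f:
        json.dump(state, f)
    os.replace(tmp_path, state_path)  # atomic swap: no half-written record

def check_previous_update(state_path, running_version):
    """Call at start-up. Returns (status, message) and consumes the record."""
    if not os.path.exists(state_path):
        return ("none", "No program update was pending.")
    try:
        with open(state_path, encoding="utf-8") as f:
            state = json.load(f)
        target, previous = state["to"], state["from"]
    except (OSError, ValueError, KeyError, TypeError):
        os.remove(state_path)
        return ("unknown", "Update record unreadable; check the version manually.")
    os.remove(state_path)
    if running_version == target:
        return ("ok", f"Updated from {previous} to {target}.")
    # The old version is running again, so the installer never completed,
    # for example because another security product blocked it from executing.
    return ("failed", f"Update to {target} was attempted but version "
            f"{running_version} is still running; the installer may have been "
            "blocked from executing.")

if __name__ == "__main__":
    path = "update_state.json"  # hypothetical location of the record
    record_update_attempt(path, "1.41", "1.44")
    print(check_previous_update(path, "1.41"))
```
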

"Sorry for the long winded speech my friend"

;) You apologise for taking the time to give a comprehensive answer to a difficult technical question? Apology absolutely not required.

I checked the Task Scheduler and the task status tonight was 0x0, which I guess means all OK - and yes, MBAM tells me the date of the latest update was 10/1/09, so I guess at least today it worked. I'll keep tabs on it for a while - I can't find anything in Event Viewer relating to MBAM.

Andy


I agree with exile360 and even had Vista Firewall Control x64 Pro that I have given up on as it is way too inquisitive for me.

Every once in a while I like to watch the Malwarebytes Developer Interview videos by Jeff Weisbein:

http://www.besttechie.net/2008/08/20/malwarebytes-developer-interview <== 8 minutes into the first video gets real interesting when answering question no. 6
