First of all, thanks for the incredible product, I had tried the top anti-spyware / anti-virus software and tools to no success until I found yours. Kaspersky, Spybot, Adaware, McAfee, HiJackThis, etc. etc. etc. I was basically out of options and at a point of desperation (format c:), so thanks.

Anyways, I was wondering if there is a version of Malwarebytes that could run on my bootable BartPE CD. I am contemplating making one myself after having no googling success.

thanks --

Still think it will take you a year of coding to get MBAM ported into 100% C++ before it will be possible?

@Rubber Ducky

with respect to anyone who can C++....

I am an admin who has XPE shell running on BartPE. MalwareBytes' Anti-Malware scanner has been a life saver installed on Windows. I installed it and ran Plugin Creator to develop a working plugin. Frustratingly enough, it doesn't. There's been quite a bit of talk of MBAM not being able to run in a Pre-installed Environment; however, BartPE does in fact support VB, because I have the VB plugin enabled and it still reports C+ errors. Could this error be evidence of another requirement that BartPE does not have? .Net is also enabled on my rescue CD.

Any input would be more than I have now. Many, many many thanks in advance!!

Chris

Houston, TX.

Chris,

A lot of Malwarebytes' Anti-Malware is already programmed in C++, including one of the DLLs and all of the drivers. Without having BartPE on hand, I have no idea how to resolve the issue you are having. In fact, I have never used a pre-installed environment.

@RubbeR DuckY:

Admins rely on BartPE for data rescue and other administrative tasks. It brought admins like myself out of the dark ages. Truly. When SpyBot introduced its spyware scanner it was a god-send, because most malwares' MO makes cleaning the "C" drive while in Windows utterly impossible. Re-imaging the PC was the only fix. More and more, malwares disable the launch of anti-malware applications inside of Windows. Enter BartPE. It IS a pseudo-Windows installed temporarily on the RAM sticks (operating completely independent of the hard drive).

MBAM being programmed in C++ means that whatever platform it runs on must have VB software installed in order to run properly. BartPE is set up to accept what we call "plug-ins" in the PE (Pre-installed Environment) community. Plug-ins are just programs and applications that have been scripted into the BartPE, Windows-like environment so that these things run like they were at one time actually installed, complete with registry entries and shortcuts on the desktop.

The fact that my custom MBAM plugin doesn't work could be a multitude of issues not even related to how it is programmed. MBAM has worked impeccably every time. When you or one of the other posters mentioned that BartPE didn't support VB applications, I wanted to mention that it recently had support for VB added. It could be that maybe if I told the scripting app to process the MBAM plugin after everything else, or process it last, it might work, because it could be that the plugin is being overwritten with something else at the end of the process. (Happens all the time.)

Any suggestions or questions are welcome.

SkeeterPE


Here is a simple work-around for Malwarebytes and BartPE.

Boot the CD with Network support.

Use TotalCommander to share the root of the C:/ drive.

On another computer with MalwareBytes installed, map the shared folder (drive) from the target computer, then run MalwareBytes from that computer and scan the shared drive.

While it doesn't do the registry on the drive properly, it does do about everything else.

Hope this helps.

:D

Here is a simple work-around for Malwarebytes and BartPE.

Boot the CD with Network support.

Use TotalCommander to share the root of the C:/ drive.

On another computer with MalwareBytes installed, map the shared folder (drive) from the target computer, then run MalwareBytes from that computer and scan the shared drive.

While it doesn't do the registry on the drive properly, it does do about everything else.

Hope this helps.

:)

What an excellent idea! I didn't think about that. Truly outside the box thinking! I can't wait to attempt this at the office on monday.

I'll let you know the results.

SkeeterPE


I have created what seems to be a working plug-in for Anti-Malware. Here goes...

Note the following is based on version 1.31...

1. Install MalwareBytes Anti-Malware on your PC.

2. Follow the instructions given in the MalwareBytes Anti-Malware.htm file included in plug-in folder.

Please note that I needed this and threw it together yesterday after searching for one that had already been created. By all means, give feedback if something does not work right or even if it works as wished. While I am not in a position to support this, I will fix what needs to be fixed. This may be distributed on other sites without the need to ask permission.

MalwareBytes_Anti_Malware.zip

  • Staff

Yup, the drivers are essential to its effectiveness and so is scanning the processes in memory. It's not your typical scanner that relies on file signatures and registry data alone; that's why it's so darn effective and why the definitions files are so small.

  • Staff

The drivers like mbamswissarmy.sys and mbam.sys. As far as lost functionality, like I said, MBAM is not a raw file scanner like an antivirus is; it's designed specifically to detect active infections on a running system booted in normal mode (safe mode even hinders its detection rates). You could literally take a bunch of trojans, DLLs etc. that are malware that MBAM would normally detect, put them all into a single folder on your desktop or elsewhere (as long as it's not the location the files would be in if they were active), have MBAM scan the folder, and it won't find a thing. This is why MBAM typically gets poor reviews from a lot of anti-spyware review sites, because they just fill a folder with malware samples and throw scanners at it to see which one gets the most hits. MBAM uses detections based on location of a file, entries in the registry, and processes in memory to do most of what it does for detections. The drivers are part of that, although I'm not a developer, so I couldn't tell you how much, but I'm sure it has to do with MBAM's ability to detect/remove rootkits and hard-to-remove trojans and other malware. MBAM is pretty unique in this; it's one of the reasons that it also catches a lot of zero-day infections, even without an update, due to its heuristics, because it knows where to look based on an infection's previous variants. Again, that's also why the definitions are small, because many of the infections it finds are located using simple patterns that a particular malware will show on a system, like entries in the registry and/or certain files like drivers and DLLs. Personally, I use an offline disc like Avira, or if I need to Bart's, UBCD, or ERD/MS DaRT to do repairs on an unbootable system to get it running, and then run what scanners I can from normal mode and only go into safe mode if I absolutely have to.
I'd much prefer a portable version of MBAM that would run from a cd or flash drive, or even just a folder copied to the desktop than an offline scanner, I believe that's already in the works though.

The drivers like mbamswissarmy.sys and mbam.sys. ...

In the instructions I provide, those drivers are covered for the plug-in, ensuring they are placed where they should be. Without those, I found that the program did not work as it should, as you pointed out. I follow what you say about processes running in memory not being able to be detected in safe mode or via PE environments, however.

My advice is never rely on a single product. I love AntiMalware, else I would not have taken the time to create this. I recently had a laptop come in that prevented AntiMalware and McAfee from running. I performed a scan with AntiMalware and again with McAfee (both from PE). Once I rebooted, I repeated the process in a normal Windows environment. AntiMalware found no infections. McAfee found only remnants of infections that were not running in memory.

Thanks for the feedback.

  • Staff

Oh yeah, I absolutely agree about not relying on one product, my signature will show you how much protection I run. And you should see my malware removal toolkit, it's insane how much stuff I have in there. I don't really use McAfee's command line scanner or stinger anymore though, they just never seemed to pick much up. These days I use Trend's Sysclean, Kaspersky's AVZ and/or AVPTool and a portable version of Avira. I also throw Dr. Web's Cureit and Norman Malware Cleaner at it. That's just for viruses, I have a lot of anti-spyware/anti-malware apps that I run as well.

I have created what seems to be a working plug-in for Anti-Malware. Here goes...

Note the following is based on version 1.31...

1. Install MalwareBytes Anti-Malware on your PC.

2. Follow the instructions given in the MalwareBytes Anti-Malware.htm file included in plug-in folder.

Please note that I needed this and threw it together yesterday after searching for one that had already been created. By all means, give feedback if something does not work right or even if it works as wished. While I am not in a position to support this, I will fix what needs to be fixed. This may be distributed on other sites without the need to ask permission.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Wow Guys. Awesome. Thanks for everyone's efforts. I reimaged a notebook just this afternoon because of destructive malware. Prevented mbam.exe from running. I tried renaming the executable, but still not able to get going so this is going to be a sweet time for me and my group of guys.

SkeeterPE Admin in Houston

xw4300, Windows XP x64, superantispyware, malwarebytes' anti-malware, trendmicro, and spybot S&D


I never know what computer I will be fixing. As an independent person, I have had to go into safe mode using Malwarebytes to install and then hope to God it is updated enough to remove enough just to be able to boot Windows, since Windows seems to freeze up this one guy's laptop every time he gets malware; last case was like 43. It is literally not able to be used, you just have to turn it off by holding the key. So from that standpoint I started looking at Vista PE in hopes everyone will be on Vista to use. So I don't know about Malwarebytes being less powerful in safe mode, but it really is the only way I can get enough damage repair before I can even boot into Windows, and when this doesn't work anymore, I hate to image a machine. Back in the day, I had to reimage a lot because none of the tools in the market were effective enough; Spybot, to me, dropped the ball, and so many others. So as I take income in from Malwarebytes solely, not my only tool, but solely fixing a machine, I plan to donate money just by buying the pro version. I will have so many licenses depending on if this ever picks back up on the side; then I know what to do with them.

-illusion

P.S. Just my view, I hope Malwarebytes doesn't drop the cookie and let someone else eat their lunch by looking for the small cookie. LOL, ok I am done

I will try the plugin today. I am a BartPE fan and use it to remove spyware and viruses. So I have at least 3 programs that remove spyware and about 5 antivirus programs on my CD.

Just so that everyone understands. Malwarebytes is *not* the author of this plugin. We do not support it in any way shape or form. The program was not designed for this purpose, and is hindered in operation while running under these conditions. We do not support MBAM running under this PE environment. So if you choose to do this, you do so on your own.

  • Root Admin

Fully agree. For those that must have a method of at least initial cleanup please try one of these AntiVirus vendor tools.

Once the system is operational again then you can install, update MBAM and scan with it in normal mode.

Avira AntiVir Rescue System

BitDefender LiveCD

Dr Web LiveCD

F-Secure Rescue CD

Kaspersky RescueDisk

Just so that everyone understands. Malwarebytes is *not* the author of this plugin. We do not support it in any way shape or form. The program was not designed for this purpose, and is hindered in operation while running under these conditions. We do not support MBAM running under this PE environment. So if you choose to do this, you do so on your own.

Exactly.

I have created what seems to be a working plug-in for Anti-Malware. Here goes...

Note the following is based on version 1.31...

1. Install MalwareBytes Anti-Malware on your PC.

2. Follow the instructions given in the MalwareBytes Anti-Malware.htm file included in plug-in folder.

Please note that I needed this and threw it together yesterday after searching for one that had already been created. By all means, give feedback if something does not work right or even if it works as wished. While I am not in a position to support this, I will fix what needs to be fixed. This may be distributed on other sites without the need to ask permission.

-----------------------------------------------------------------------------------------------------------------------------------------

@Richard Jordan-

I can't seem to get it to work and I have screenshots at work but will have to post them here tomorrow or the next day (holidays at work are painfully slow <Grins>). Gives me a chance to play around with my PE Builder and plug-ins! Error codes display and the script file closes. For now, it doesn't work for me, but I'd grovel at your feet if you could offer suggestions! I don't think PE Builder is overwriting a part of the build process, but I could be wrong. I've seen it happen before with much, much simpler apps.

From a wise man.... "...cause being an Admin is hard enough!"

  • Root Admin

@SkeeterPE

Aside from an exercise in learning, building a PE disk of Malwarebytes is an exercise in futility. It DOES NOT currently support any methodology to fully and properly support cleaning an infected system from a PE disk. Yes, you could enable it to install, update, and scan, but the scan would not be done properly as needed, and that has nothing to do with making it run on a PE disk or not. It IS NOT currently designed for the PE environment, and many other alternative methods have been provided for those that are unable to get Malwarebytes to run in Windows normal mode, where it was designed to be run.

  • Staff

Most likely that's accurate, seeing as MBAM seeks malware specifically based on location and the registry. You can load the registry in a PE environment, but since the PE CD is considered the %systemdrive%, that will be the place MBAM looks for malware, and if it is set to full scan, it may not hit on the offline Windows folder, at least not for most of its detections.
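The failure mode this post describes, a location-keyed scanner resolving paths against the PE's own %systemdrive% and so missing the offline Windows folder, can be shown with a small location-aware scanner. This is an added example and not Malwarebytes code; the signature patterns, file names and drive letters are constructed.

```python
import re

# Constructed location-based signatures (not real MBAM data). Each pattern is
# anchored to the system drive, which is how a location-aware scanner keys hits.
SIGNATURES = {
    "Demo.Trojan.Loader": r"^%SYSTEMDRIVE%/windows/system32/drivers/demo_bad\.sys$",
    "Demo.Hijacker.Startup": r"^%SYSTEMDRIVE%/documents and settings/[^/]+/start menu/programs/startup/demo_bad\.exe$",
}

def normalize(path, system_drive):
    """Lower-case and forward-slash the path, then replace the given system
    drive letter with the %SYSTEMDRIVE% token the signatures are written against.
    Paths on any other volume are returned unchanged and can never match."""
    p = path.replace("\\", "/").lower()
    drive = system_drive.lower().rstrip("/\\")  # e.g. "c:" or "x:"
    if p.startswith(drive + "/"):
        p = "%SYSTEMDRIVE%" + p[len(drive):]
    return p

def scan(files, system_drive):
    """Return {original_path: signature_name} for every file whose normalized
    location matches a signature."""
    hits = {}
    for f in files:
        norm = normalize(f, system_drive)
        for name, pattern in SIGNATURES.items():
            if re.match(pattern, norm):
                hits[f] = name
    return hits

# Constructed listing of the infected hard drive as seen from BartPE: the
# offline Windows installation is on C:, while the PE's own %systemdrive% is X:.
OFFLINE_FILES = [
    r"C:\WINDOWS\system32\drivers\demo_bad.sys",
    r"C:\Documents and Settings\chris\Start Menu\Programs\Startup\demo_bad.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]

def scan_from_pe_naively():
    # Keyed to the PE's own system drive (X:), the scanner sees nothing on C:.
    return scan(OFFLINE_FILES, "X:")

def scan_offline_volume():
    # Telling the scanner which volume holds the offline Windows restores the hits.
    return scan(OFFLINE_FILES, "C:")

if __name__ == "__main__":
    print("PE-native view:", scan_from_pe_naively())   # {}
    print("Offline-aware: ", scan_offline_volume())    # two hits
```

The same remapping problem applies to registry-keyed detections: hives loaded from the offline volume still have to be interpreted as belonging to C:, not to the PE's X:.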
