
Trying to understand real time protection



This may be difficult to answer but figured worth a shot at asking...

MBAM just warned me that an executable residing on another partition attempted to run (a malicious process has been blocked....). It's one I had in my malware library for testing various freeware security packages and it wasn't being executed. I was running a scan w/AntiVir Personal - Free on the overall directory at the time and to be safe, I quarantined it. For curiosity, I placed another copy of this executable in the directory to see if being touched during the scan caused the detection but it didn't occur again. Scanning the new one with Malwarebytes does label it as being a trojan.agent.ck so it still is "live". And I don't have anything in my ignore list...

Bottom line, how can an infected executable sitting as a standalone file start up a process that would be detected by MBAM? My system is clean so it's not being triggered by another malware process... Any ideas?


Welcome to the forum Wha2do -

We normally use this internal test area ip.blocktest site to check if the blocking part of Malwarebytes is working properly -

The answer to that question is not easy unless you try to run the .exe file again and see if it is blocked again -

It may not be "live" after you Quarantined it the first time -

Thank You -


Thanks for the reply and very impressed w/MBAM. I figured it could be tough to answer. The ip blocking appears to be fine, but curious about when MBAM notices a malware program/process is trying to run. I was surprised to see the pop up asking what action to take on this executable when I hadn't physically asked to run it (double click, right click - open or run, etc). It was justing sitting in my "library" and MBAM pointed to this file as trying to start up a process (the gist was "A malicious process has attempted to run and has been blocked...with the three options of (forget the first), ignore, and quarantine").

I figured quarantining and restoring modifies the file so it wouldn't be live (which was the case in doing a manual scan). I had placed a new copy back in the folder and manually scanning with MBAM detects it's still infected with Trojan.Agent.CK. Yet I can't duplicate MBAM detection of it attempting to start a process since that one time.

The main question is if I'm not physically requesting it to run, how did it appear to be starting a process? Does MBAM put up that warning only when it truly is trying to run a process? Mostly concerned that there's some other method for this standalone executable to be triggered when just sitting on the system - i.e. being touched by Windows Explorer, scanned by another program, etc? I can understand one component firing up another executable, but this is a single file without other files/executables. And this wasn't the warning from a regular MBAM scan... Just trying to understand if having these files sitting idle can do anything when "touched" by other system actions (directory accessed by Windows Explorer, malware scans, etc).

Also, can this message be triggered even though a process isn't truly being started but an infected file is detected? Lastly, what does ignore do - ignore the warning and let the process start or block it but doesn't quarantine? Thanks so much!

Sorry for this being long!


Try uploading the file to VirusTotal: http://www.virustotal.com/

Just to be clear - I know the file is questionable/infected - I have it in my library of files for testing various security packages...

I know the executable is detected by some of the engines on VirusTotal (mostly heuristic it seems and by the "smaller" engines such as Cat-Quickheal, Comodo, Esafe, Ikarus, etc - not Avira, Kaspersky, AVG, Symantec, etc). And yes, uploading the restored version shows it to be clean by all but SAS so quarantining it must clean it up. Oddly enough SAS didn't detect it on the first upload when it was a fresh "live infected" executable, only after it was restored from quarantine (as a Rogue.Agent/Gen-Nullo[EXE]).

In resending the "live" copy of the executable to VirusTotal, I was able to duplicate the "...a malicious process has been blocked from executing." message I've received before. The question at hand is: I'm uploading a file for scanning - so why is MBAM stating a process is starting? The process/executable is not being started...unless I'm unaware of some method of it running triggered during an upload to VirusTotal. In which case, those folks trying to upload a file to make sure it's clean would be infected before they even get the VirusTotal results (assuming they weren't using MBAM or a similar product).

So again question 1 - why is MBAM showing a process is attempting to run when all I'm doing is uploading to Virustotal? And question 2 - what is the ignore option - ignore the warning and let the process run? I really want to block a potentially malicious process, but don't want to quarantine the file immediately.

Thanks in advance for answers on these two questions!


question 1 - why is MBAM showing a process is attempting to run when all I'm doing is uploading to Virustotal?

From what I can figure you have "activated" the .exe - As above by nosirrah - Do it once quarantined or in the ignored list only, then copy and paste -

question 2 - what is the ignore option -

If you find a known False Positive you can then let it be ignored, "add to ignore" - Moving only to quarantine will also allow you access to reinstall (if proved to be an F.P.) - Or if there is a site that you visit often and have faith in the fact that it is safe then you use "add to ignore" -

This is similar to what we do when an exclusion is needed to be added to an Antivirus program to allow it to run MBAM updates -

I assume you have found this function on the face panel of MBAM (Ignore List) - Click the tab and Copy/paste the item in there -

Please ask any other questions if we have not fully covered the items you need to know -

Thank You - :)


Mapping to memory from disk happens when you execute a file BUT also in many other circumstances including sending it from your PC to another.

That is what you are seeing here.

Thanks on both replies w/clarifications! Just to make sure I understand what occurs during mapping to memory. Scenario two below would seem to be the logical one but I just want to be sure and understand 100%. If scenario one was the case, uploading to VirusTotal could result in releasing the payload prior to finding out it's infected - and thus it wouldn't be recommended for someone to upload something for VirusTotal scanning.

Scenario 1) When an executable (or other file) is infected and is "mapped to memory" due to uploading to Virustotal, this action can cause execution/loading of its payload and infect the system?

Scenario 2) Uploading to Virustotal is mapping the file to memory (as a whole) and during this process it sees the mapping is to a potentially infected file. MBAM doesn't know that this mapping is not a request to execute it (which would obviously result in releasing the payload/infection) and provides a preemptive warning. And in this case, it's safe to proceed since the executable is not being executed?

Sorry if being a tad slow or dense on this!


I am all for learning but the combination of questions here does force me to ask a question. Are you doing this in a VM and/or a dedicated test box? When I started learning I opted for a 2 hard drive system so the chance of an "oops" was completely mitigated. I had one hard drive for regular use and another for malware research. I would boot with power to only one of them at a time to avoid cross contamination. This replicates 2 systems but only takes up the desk space of 1 and with decent hard drives under $50 is a very cheap way to go.

Typically having active protection installed on a system where you are handling live malware will be a constant battle of enabling this and disabling that, and since there is protection I assume there is something to protect. I can't support the intentional combination of protection and things you need protection from.

1. No, being mapped to memory is not the same as following that up with execution.

2. Yes, you will likely find similar issues when using context menu options on an infected file (like properties and zipping) and in some cases even mousing over a file can trigger a warning.

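To make the distinction drawn in the two replies above concrete (a file being mapped into memory versus being executed), here is an added example that is not from the forum or from Malwarebytes: a Python script that memory-maps a constructed, non-functional PE-like file read-only, parses its headers and hashes it, which is the kind of access a scanner or an uploader performs, and which never hands the bytes to the process loader. The sample bytes and all function names are constructed for this illustration.

```python
import hashlib
import mmap
import os
import struct
import tempfile

# Constructed sample (not a real program): a DOS header whose e_lfanew points at
# a "PE\0\0" signature followed by a minimal COFF header for machine type x86-64.
def build_sample() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0)  # no sections
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 32

def sample_sha256() -> str:
    return hashlib.sha256(build_sample()).hexdigest()

def inspect_mapped(path: str) -> dict:
    """Map the file read-only and read its headers as data.

    The pages are mapped into this process with read permission only (no
    execute), and no process loader (CreateProcess/execve) is involved, so the
    file's code never runs. A real-time scanner hooking file mapping sees this
    access exactly as it sees the mapping that precedes an actual launch.
    """
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        is_pe = False
        machine = None
        if len(m) >= 0x40 and m[0:2] == b"MZ":
            e_lfanew = struct.unpack_from("<I", m, 0x3C)[0]
            if e_lfanew + 6 <= len(m) and m[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                is_pe = True
                machine = struct.unpack_from("<H", m, e_lfanew + 4)[0]
        return {"size": len(m), "is_pe": is_pe, "machine": machine,
                "sha256": hashlib.sha256(m[:]).hexdigest()}

def demo() -> dict:
    """Write the constructed sample to a temp file, map and inspect it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(build_sample())
        return inspect_mapped(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```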

I am all for learning but the combination of questions here does force me to ask a question. Are you doing this in VM and/or dedicated test box? When I started learning...

Thanks for all the follow-up and clarifications! Excellent observation and question. Through time, I have used several routes including sandboxing, working in a VM, etc. You're right about the dedicated box being the safest way to go - no danger of external contamination or of making a mistake. In doing future testing, I'll retool one of my systems as a dedicated box as you've recommended to be 100% safe. While feeling that I'm working safely with all precautions, I do have one more step to make it completely mistake proof w/o any undesirable side effects.

Again thanks for all the assistance and keep up the excellent work!
