
McAfee quarantined MBAM trojan



Yes, it is a false positive. Thank you for your feedback, and McAfee has been contacted about it.

Thanks for the quick response re: McAfee. Out of curiosity, I ran MBAM in the developer mode and nothing was detected but there was an error msg: "SwissArmy failed to initialize, error code:0"

Kay


  • Root Admin

I've not heard of that error before and a quick Google search did not bring up anything promising.

I'm sure one of the Developers will be along within a day or two and if they have an answer they will respond here.

Is there anything running on your system that would lead you to think that you might be infected? If so, then you may want to open a new log in the HJT forum and we can take a look further.


Thanks for the quick response re: McAfee. Out of curiosity, I ran MBAM in the developer mode and nothing was detected but there was an error msg: "SwissArmy failed to initialize, error code:0"

SwissArmy is the name for the driver Malwarebytes uses to do Direct Disk Access (DDA). That error message means that the driver could not load. This normally happens on x64 versions of Windows (Malwarebytes drivers are not compatible with x64 editions of Windows).

Are you running an x64 edition of Windows?


SwissArmy is the name for the driver Malwarebytes uses to do Direct Disk Access (DDA). That error message means that the driver could not load. This normally happens on x64 versions of Windows (Malwarebytes drivers are not compatible with x64 editions of Windows).

Are you running an x64 edition of Windows?

No, I have Vista 32 bit OS. This message only pops up when I run MBAM in the developer mode. It does not show up when I run a regular scan. The program seems to be working OK with the updates and quick scans.

Kay


No, I have Vista 32 bit OS. This message only pops up when I run MBAM in the developer mode. It does not show up when I run a regular scan. The program seems to be working OK with the updates and quick scans.

Kay

You should not get that error in 32-bit Vista, even in Developer mode. We may need to have Marcin take a look at this one.

Try uninstalling Malwarebytes' Anti-Malware, then reboot, and then download and reinstall the latest version.


You should not get that error in 32-bit Vista, even in Developer mode. We may need to have Marcin take a look at this one.

Try uninstalling Malwarebytes' Anti-Malware, then reboot, and then download and reinstall the latest version.

Hi,

I uninstalled MBAM and attempted to reinstall; but McAfee blocked the installation. So I totally disabled McAfee (firewall and AV) and was then able to reinstall MBAM. However, I question that MBAM was completely uninstalled because my previous logs were still listed and I did not have to re-enter my key code. The regular quick scan ran OK but the Developer mode still has the message pop up re: SwissArmy.

Kay

I forgot to reboot; so I will try the process again and let you know the results.


The first time I uninstalled MBAM, I was not asked to restart the computer. This time I was asked to restart the computer after uninstalling MBAM; I had totally disabled McAfee and had no problems reinstalling; however, the log and keycode are still there. I reactivated McAfee and ran MBAM in the regular mode and developer mode and the SwissArmy message still pops up at the beginning of the developer mode scan.

Kay


The first time I uninstalled MBAM, I was not asked to restart the computer. This time I was asked to restart the computer after uninstalling MBAM; I had totally disabled McAfee and had no problems reinstalling; however, the log and keycode are still there. I reactivated McAfee and ran MBAM in the regular mode and developer mode and the SwissArmy message still pops up at the beginning of the developer mode scan.

Kay

I'll ask Marcin about this. This could just be McAfee suppressing the Swiss Army driver...


I'll ask Marcin about this. This could just be McAfee suppressing the Swiss Army driver...

I can confirm McAfee is suppressing our driver. :) Which disables DDA and a few others...

Essentially, McAfee is crippling our software.


Hi,

I uninstalled MBAM and attempted to reinstall; but McAfee blocked the installation. So I totally disabled McAfee (firewall and AV) and was then able to reinstall MBAM. However, I question that MBAM was completely uninstalled because my previous logs were still listed and I did not have to re-enter my key code. The regular quick scan ran OK but the Developer mode still has the message pop up re: SwissArmy.

Kay

I forgot to reboot; so I will try the process again and let you know the results.

Your key-code is stored in the registry. Your logs are stored in the application data folder, and wouldn't normally be deleted if you just uninstalled.


No, I have Vista 32 bit OS. This message only pops up when I run MBAM in the developer mode. It does not show up when I run a regular scan. The program seems to be working OK with the updates and quick scans.

Kay

Hi Kay.

When MBAM is running in developer mode, if it has an issue, such as driver loading failure, it will report it. When not running in developer mode, such errors are suppressed and MBAM will fall back to API calls.

This has drawbacks. Without SwissArmy being able to load, MBAM loses some detection abilities, with non static named rootkits, and it also loses the ability to break a file's header on the fly to kill it. Things may appear to be okay, but without our drivers, MBAM is crippled and has been hindered.

If at all possible, you should get the file out of quarantine, and tell McAfee to ignore it in the future. It's very important for MBAM to have access to its drivers. It allows us to bypass the tricks rootkits use to hide.


The McAfee issues are shocking given how often we save their butts on their support forums. Best I can tell we are either cleanup tool 1 or 2 in most McAfee HJT threads.

I'm not surprised. McAfee has been worthless for years, and it's fairly obvious that they aren't getting better because of bad management. It seems like everyone that tries to work with them winds up getting hurt by them...


If at all possible, you should get the file out of quarantine, and tell McAfee to ignore it in the future. It's very important for MBAM to have access to its drivers. It allows us to bypass the tricks rootkits use to hide.

Thanks, I already removed it from quarantine and will have to figure out how to have McAfee ignore the file. Failing that, since McAfee is a freebie from my IP, I can change to another AV and firewall.

Kay
