Jump to content

MBAM reports malware that MSE misses, and MSE reports malware that MBAM misses


Recommended Posts

This morning my Win7 Pro 64bit machine pops up a Microsoft Security Essentials (MSE) alert detailing a potential threat found in a file I had downloaded from the internet a few weeks back. The threat is entitled Adware:Win32/OpenCandy and lists these details:

containerfile:D:\Common\Downloads\IE Session Managers\IE7Pro\IE7ProSetup_2.5.1.exe
file:D:\Common\Downloads\IE Session Managers\IE7Pro\IE7ProSetup_2.5.1.exe->(nsis-6-ProgSenseSetup.exe)->(inno#000043)

So I thought, what the heck, before I take any removal action on the threat I'd run a MalwareBytes (MBAM) quick scan to see if it detected the same issue. Well, the MBAM quick scan found zero issues. So, I thought I'd run the MBAM full scan so see if the full scan would detect what was missed during the Quick scan.

Surprisingly, the MBAM full scan also didn't see the malware threat in the above IE7ProSetup_2.5.1.exe file but oddly enough, it detected something that the full scan of MSE missed entirely:

Files Infected:
d:\Common\downloads\media center tools\guide tool\guidetoolsetup.exe (Adware.EzSearch.Gen) -> No action taken.

I've not taken the MBAM "remove selected" action yet either, thinking that the MalwareByte's crew might be interested in at least the IE7ProSetup_2.5.1.exe file since it was missed in the MBAM full scan.

I'd be happy to attach one or both of the infected files...

Please advise and move this post to the proper forum if I'm not already there...

Larry

ps I downloaded the IE7ProSetup in a, as yet still unfruitful, search for a session manager product for IE7/8 that mimics the immensely capable session saving capabilities of the Tab Mix Plus addon for Firefox. While this is unrelated to the above Malware issues, I'm very open to suggestions of products to try for IE.

Link to post
Share on other sites

Hi LARRYRB -

OpenCandy is a pain to get rid of usually, and even after removal it can still leave a "footprint" on your system for some time. I have found it 3 times.

You must note that Microsoft Security Essentials (MSE) is an Antivirus program, while MBAM is a deeper Antimalware program.

I have had several items found by having MSE set on Realtime protection, and that was the end of it.

Now you know why you are always told to have an active Antivirus running, even if you have MBAM running in active mode.

They are not the same program, and MBAM is not designed to be the same as your Antivirus (as you have now found) -

Regards -

Link to post
Share on other sites

Hi LARRYRB -

OpenCandy is a pain to get rid of usually, and even after removal it can still leave a "footprint" on your system for some time. I have found it 3 times.

You must note that Microsoft Security Essentials (MSE) is an Antivirus program, while MBAM is a deeper Antimalware program.

I have had several items found by having MSE set on Realtime protection, and that was the end of it.

Now you know why you are always told to have an active Antivirus running, even if you have MBAM running in active mode.

They are not the same program, and MBAM is not designed to be the same as your Antivirus (as you have now found) -

Regards -

Oh, I understand the need for both an anti-virus and the anti-malware-- I'm not disputing that in the slightest.

The curiousity for me is that the detected items both seem to be of a malware classification in my eyes, so I was really thinking that both MSE and MBAM would report both of them, rather than the mutual exclusivity I'm reporting. They both have an "Adware" designation, no?

Just to clarify, isn't "Adware" considered to be "Malware"? If this is the case, I'm surprised MBAM didn't pick up both of them, hence why I'm bringing this up. I.E., do the folks in the malware signatures department (engineering?) have any interest in having these files before I nuke em?

Link to post
Share on other sites

Well, if I'm reading the results properly, 2 out of 43 anti-virus programs detect the ie7prosetup_2.5.1.exe file with the commentary equally split as to goodware/malware tags. However, the reputation tags win on the goodware side 15 to 2. Here's a link to the results:

My link

and the other file (guidetoolsetup.exe) is only detected by McAfee (1 out of 43) with no commentary from the community... It's result link:

guidetoolsetup.exe results

Ron, are you implying you want me to attach them here?

If you don't want them attached, shall I let each program (MBAM and MSE) eradicate their respective finds?

Link to post
Share on other sites

I would let the programs remove the files myself. Then once done reset your System Restore Points and then make sure you create a New one.

http://windows.micro...a-restore-point

Ron, is your advice of deleting the system restore points only to keep me from possibly recovering my system sometime in the future to an earlier time when this malware was still around? Or is there some other reason to clear them?

Link to post
Share on other sites

  • Root Admin

Ron, is your advice of deleting the system restore points only to keep me from possibly recovering my system sometime in the future to an earlier time when this malware was still around? Or is there some other reason to clear them?

Yes, that is correct because System Restore will keep a copy of them and then as you say if for some reason you needed to restore to a previous version it would bring them back possibly.

As Rich also says - you can zip them up and submit them and our Research Team will review them for your as well.

Link to post
Share on other sites

Great!

Cool! I understand... and I just zipped em up, and started a topic in the forum Rich suggested (using the same topic name as this one) to which I posted them as attachments.

Thanks again!

Link to post
Share on other sites

  • Staff

Thanks larryrb. We are actually gonna remove the guidesetup def. The worst thing about these is if you choose to install sponsorware on IE7PRO but even that isnt malicous. Guidesetup Doesnt even install any adware that you sent.

Both samples uninstall easily.

Also on virustotal some tips. Pay attention to first submitted date and last submitted date. If they are over a month old and less than 5 detections usually are a false positive. keyword being usually!:rolleyes:

Link to post
Share on other sites

Ok, and just so I can learn something from all this...

We are actually gonna remove the guidesetup def.

By this you mean that you are going to remove the detection signature from MBAM's database that detects the malware within guidetoolsetup because you feel it does no harm?

I'm assuming that your systems detected it too, but upon inspection of it you're concluding that it's harmless? Or did your systems not throw up the same warning that my MBAM did?

Link to post
Share on other sites

  • Staff

Yes we are going to remove detection of it. Adware is tough. Usually we only add it if it cant be uninstalled or its installed without your choice. Neither happens here in this case. IT could of in previous versions of these files but these versions you uploaded are ok.

We did detect it on this end but looks like one of our defs hit this and it shouldnt. Certain type of our defs can hit multiple files. We have to adjust that def to exclude this installer because its harmless.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.