BleepingComputer.com: Malwarebytes makes me vulnerable when scanning?

So I was doing a Malwarebytes scan when suddenly AVG popped up saying that there was a potential threat found. I looked into it and it turned out the source of the threat was a test spyware virus .exe in my recycle bin from Spycar.org which i was using to test out my antivirus.

But that's not my concern.

What concerns me is that, does this mean that when Malwarebytes is scanning it is actually allowing files it passes over to open and operate? If that file it scanned were a real virus and it were not detected by AVG, it could do some serious damage, couldn't it? Can someone please explain this for me, it would be much appreciated.

Also, as a side note, Malwarebytes didn't even detect the virus when I did a scan of the specific file. So what gives?

This post has been edited by fgeelo: 12 August 2010 - 01:09 AM

Malwarebytes is not an anit-virus program like AVG.

Antivirus and Antispyware Software: What's The Difference?. Essentially, they look for (detect) and remove different types of threats. To fully understand the difference between an anti-virus and anti-malware program you need to understand the difference between the various types of malware and How Malware Spreads.

What is Malware?
What is Spyware?
What is Adware?
What is Rogue software?

What is a Backdoor Trojan?
What is a Worm?
What is a Virus?

• What is a File infecting virus?
  
• What is a Boot sector virus?
  
• What is a Polymorphic virus?
  
• What is a Metamorphic virus?

The Difference Between a Virus, Worm, Trojan Horse and Blended Threats
What is the difference between viruses, worms, and Trojans?
Trojan FAQs: Common Trojans and how they work

What is a Botnet?
What is an IRCBot?
What is Whistler Bootkit
What Is A Rootkit?

• What danger is presented by rootkits?
  
• Rootkits and how to combat them
  
• r00tkit Analysis: What Is A Rootkit

What are Potentially Unwanted Programs (PUPS)? - McAfee White Paper: Potentially Unwanted Programs

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

This post has been edited by quietman7: 12 August 2010 - 07:32 AM

I appreciate your reply quietman but it didn't really answer my other question. When Malwarebytes is scanning, is it actually allowing files it passes over to open and operate? If that file it scanned were a real virus and it were not detected by AVG, it could do some serious damage, couldn't it? Because when I scanned with Malwarebytes, suddenly AVG detected a virus.

If Malwarebytes does not detect a file as a threat, yes it will pass over it during the scan. That fact would apply to any anti-malware scanner or anti-virus which did not detect a threat.

However, when compared to other security tools like Spybot S&D and Ad-Aware, the advantage of Malwarebytes Anti-Malware (MBAM) is that it uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. IMO it has proven more effective than many of the stand-alone ARK tools which are available. MBAM intentionally does not search for and remove cookies which pose no significant threat. The research team investigates new rogue applications and malicious files so the database is usually updated several times a day in an aggressive effort to keep it current. Scanning is performed quickly while other tools can take hours.

Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan which takes much longer to complete. Both scans use heuristics that bypasses polymorphic blackhat packers & encryption, MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers.

• A Quick Scan looks at the most prevalent places for active malware so scanning every single file on the drive isn't always necessary.
  
• A Full Scan only has the ability to catch more traces in rare circumstances but it can be used to scan every drive (including removable) on the system.
  
• A Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.

The above information about how the program works is general rather than specific. The reason for this is that the developers of MABM do not want to reveal all the special techniques utilized in order to protect the integrity of the tool from malware writers who would use that information for nefarious purposes.

Thanks for your reply once again, but as I stated before my concern was that, when it passed over the file, why would all of a sudden, out of the blue, a virus suddenly be detected by AVG? Did MBAM somehow activate the .exe while scanning over it? That's my main concern. I'm not so much concerned with the inner workings of the program but more so as to why a virus would suddenly be detected by a different program simply because MBAM was doing a routine scan.

Quote

Very unlikely.

The more plausible explanation is that after a security vendor like AVG updates their program version or definition databases, it is not uncommon for subsequent scans to find malware files or remnants which had previously gone undetected by prior scans.

I think what the OP means is that MBAM was scanning and AVG was dormant, during the course of MBAMs scan it scanned that file and AVG flagged it, How would AVG flag a file if at the time it was dormant and unable to notice that file unless in the course of its scan MBAM somehow activated the .exe file, letting AVG's resident shield (Presuming the OP only uses the free version) detect the file?.

This post has been edited by tug: 13 August 2010 - 08:17 AM

The reason for this is simple.

A resident AV program does not scan all files on the hard drive continuously. It scans when files are accessed, opened or executed (if it's a downloaded file, it'll get scanned upon its creation on the hard drive). When MBAM scans files, it has to read them to know if they are malicious, thus it is accessing them causing the resident shield to complain.

In short, MBAM does not itself, make you vulnerable when scanning... it is merely reading files to see if they are a threat. This is why many people recommend that when running any type of scanner (anti-malware, anti-virus, anti-spyware), the recommended procedure is to temporarily stop resident programs to prevent and limit interference to the scanner. It's also best to do this offline if you feel unsure about disabling those residents for the duration of the scan.

Thank you most informative. I have a question from that, does that mean that say if a AV or an AM is scanning a file that contains malware, but as yet the definitions are as such that it cannot see the malware, that it "activates" said malware? or does the process of scanning do no harm in such cases? presuming that said malware is dormant and needs to be accessed to work.

tug said:

Short answer is "No". Reading/accessing a file is not the same as executing it.

Longer one involves possibilities with varying types of infections onboard. Mostly file infectors being present will cause this (though arguably, they don't actually activate the malware, for it is in that case, already activated). For example Virut or Sality can and will infect every executable file that is being accessed. That is because they first patch the scanner itself and can intercept every file access call it makes. This is also why most file infector cleaners can't really be trusted (unless they work outside the operating system completely), hence the "you gotta know when to throw in the towel" speech that you may have come across when helpers see this type of infection on the boards.

Thanks Gal.

Seems I was misunderstanding what fgeelo was attempting to get across...its Friday.

Thank you very much. This is very reassuring.

You're both very welcome.

Thank you very much