Exactly how does Malwarebytes and others remove viruses?


10 replies to this topic

#1 Jayson201

  • Members

Posted 12 July 2010 - 02:21 AM

Straightforward, the question...

So, how exactly does an anti-viral program remove the virus?

I figured that it quarantines it (Always says it does) and then overwrites it with 0's the way some formatting is done.

Can anybody throw in their 2 cents?


#2 quietman7

  • Global Moderator

Posted 12 July 2010 - 09:53 AM

When compared to other security tools like Spybot S&D and Ad-Aware, the advantage of Malwarebytes Anti-Malware (MBAM) is that it uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. IMO it has proven more effective than many of the stand-alone ARK tools which are available. MBAM intentionally does not search for and remove cookies which pose no significant threat. The research team investigates new rogue applications and malicious files so the database is usually updated several times a day in an aggressive effort to keep it current. Scanning is performed quickly while other tools can take hours.

Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan which takes much longer to complete. Both scans use heuristics that bypass polymorphic blackhat packers & encryption, MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers.
  • A Quick Scan looks at the most prevalent places for active malware so scanning every single file on the drive isn't always necessary.
  • A Full Scan only has the ability to catch more traces in rare circumstances but it can be used to scan every drive (including removable) on the system.
  • A Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.
The Malwarebytes Anti-Malware Protection Module uses advanced heuristic scanning technology to monitor your system and provide real-time protection to prevent the installation of most new malware. This technology monitors every process and stops malicious processes before they can infect your computer. The database that defines the heuristics is updated as often as there is something to add to it. Enabling the Protection Module feature requires registration and purchase of a license key that includes free lifetime upgrades and support. After activation, Malwarebytes can be set to update itself and schedule scans automatically on a daily basis. The Protection Module is not intrusive as it utilizes few system resources and should not conflict with other scanners or anti-virus programs.

With Malwarebytes Anti-Malware, once the scan is completed, infected files marked for "Remove Selected" are copied, renamed, encrypted and password protected, then sent to the quarantine. The original file is either immediately removed or removed on reboot. While in Quarantine, the copy of the renamed original file is no longer a threat and therefore cannot do any harm. If at a later date you find MBAM removed a legitimate file (known as a false positive), it can be restored from Quarantine by clicking the Restore button. When the quarantined file is known to be malicious, you can delete it at any time. Choosing delete removes the backup copy and it no longer can be restored.

However, no single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

Edited by quietman7, 12 July 2010 - 09:59 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 chromebuster

  • Members

Posted 12 July 2010 - 01:57 PM

I'm just curious, after reading this very informative post (thanks for the great info), do the techniques that MBAM uses to detect certain malware have any greater chance for more false positives? The reason why I'm asking is because every scan that this desktop has had has brought up some files that I don't think need to be detected. A great example is the files from Nir Sofer's site. He is a great developer, and his utilities are very handy for people like me who forget their passwords, like to have little utilities to monitor the family network to make sure there is no strange stuff going on, and all that. In fact, his entire folder was flagged. Does that have anything to do with the detection methods of the software? The site is www.nirsoft.net by the way if anyone is interested.

Regards,
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#4 quietman7

  • Global Moderator

Posted 12 July 2010 - 02:22 PM

All scanning tools are susceptible to glitches, bugs and false positive detections from time to time, especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list.

Certain embedded files that are part of legitimate programs like Nirsoft tools may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry strings it contains and the type of security engine that was used during the scan.

For example, a common detection occurs with NirCmd, a command-line utility that allows writing to and deletion of values and keys in the registry and is used in some specialized fix tools like Combofix.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

If you suspect a file detection may be a false positive, get a second opinion. Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.

If the results indicate a false positive, then you should report them to Malwarebytes' Anti-Malware Support > False Positives so they can investigate and make corrections.

#5 chromebuster

  • Members

Posted 12 July 2010 - 03:39 PM

Thanks so much. I think I may have to report some of these things to them, especially considering it made one of my games inoperable on my laptop. I'm going to go the restore-the-deleted-file route though since my friend (also very good with computers, and sometimes he's a little wiser than I am), told me that may work. Because if I run a developer log on my laptop, and the file has already been deleted, won't it make it so that the researchers can't see it since it has already been purged from the hard drive? But to be honest, I don't blame MBAM for detecting the file for two reasons. For one, it's not even in English being created by two Chinese developers, and two, it had an extension that I think one in one million files have (*.fnr). But an interesting thing. You mentioned that heuristics are less reliable than signature based detection. How is that if sometimes even signatures can detect files, but they can't remove them if they know that they're there? I've seen TDSS as a great example of that. I mean, doesn't that defeat the purpose of having security programs on the machine? And another thing. I actually am still wondering this to this day. On March 3, 2010, I awoke to a scan report from NOD32. It told me that it had found Win32/TrojanDownloader.Delf.NZL under the Cache of my FTP client (Web Drive 9.02 at the time). Was this a false positive? I begin to think it is considering nothing else saw it, and it took a long time for it to register in NOD32's mind too. And not to mention, why would a Trojan Downloader hide itself in the cache of an FTP client considering cache files are only snapshots and they can never be active?


#6 Papakid

  • Malware Response Team

Posted 13 July 2010 - 01:29 PM

Quote (chromebuster):
I think I may have to report some of these things to them, especially considering it made one of my games inoperable on my laptop. I'm going to go the restore-the-deleted-file route though since my friend (also very good with computers, and sometimes he's a little wiser than I am), told me that may work.

It would be better if you submitted the file. Most importantly you should be sure it's a false positive before you restore it, and then this way if it is a false positive you can help prevent false detections in the future. You may be right that it's a false positive, some security software is a bit overzealous, in my opinion, when it comes to games if there is any advertising involved at all--then again some games install some pretty nasty stuff. I think you mentioned in another topic uninstalling the Ask toolbar. Another possibility for your game being broken is that some sites give away games for free and make you think the Ask toolbar is optional on installation, but if you chose not to install the toolbar, the game won't work. (If you look in the game's Program Files folder you may be able to find the true executable to the game that isn't routed through the toolbar.) So what caused the game to break may have nothing to do with the file that was quarantined. What is the exact name of the file and where was it located before being quarantined? With that information I can give you a better idea of if it's an FP or not, but in the end the best thing to do is submit a sample and let the people at MBAM play with it and see what it does and doesn't do. Jotti and Virustotal are nice options as well, but are also susceptible to false positives so it takes some experience to analyze scan results in order to get an objective determination.

Quote (chromebuster):
Because if I run a developer log on my laptop, and the file has already been deleted, won't it make it so that the researchers can't see it since it has already been purged from the hard drive?


Not sure I understand the question as you seem to be describing an uncommon scenario. Are you saying that MBAM quarantined a file that you and a team of developers had created? All I can tell you is the file is not "purged from the hard drive" yet because you should still have a copy in quarantine that can be restored.

Quote (chromebuster):
But to be honest, I don't blame MBAM for detecting the file for two reasons. For one, it's not even in English being created by two Chinese developers, and two, it had an extension that I think one in one million files have (*.fnr).

No, detection criteria doesn't look at any one human language as being bad or just a file extension by itself that happens to be rare. What computer language the file might be coded in could be an element of the signature or profile of a certain malware, and it being Chinese is only significant given a combination of other elements also being present. For example, the signature of a certain infection might be that it is written in C++, is known to originate in China, usually includes a file named muddyme.exe, as well as files with the .fnr extension, likes to store its files in C:\Documents and Settings, and exhibits the behaviors of A, B, C and D. Etc.

Signatures are developed by obtaining samples of malware files so that analysts can play with them in a sandbox or test machine to see what behavior is exhibited and what makes the files and registry entries unique to that particular malware. Behavior is the key. Heuristics go basically on behavior alone, altho other elements are looked at. But this is why they are more prone to false positives. The behavior of a legitimate file could be the same as that of a malicious file. For example code to kill a process so that a file can be deleted can be used by a malware removal tool, or by malware in order to stop your antivirus from detecting it. A security program's heuristics doesn't know how or by whom that code is going to be used.

Quote (chromebuster):
But an interesting thing. You mentioned that heuristics are less reliable than signature based detection. How is that if sometimes even signatures can detect files, but they can't remove them if they know that they're there? I've seen TDSS as a great example of that. I mean, doesn't that defeat the purpose of having security programs on the machine?


Detection methods have nothing to do with removal methods, so whether it is heuristics or signatures has nothing to do with removal. Once detection is achieved, the job of the scanner is over as the removal engine now takes over. Perhaps you meant signature-based security software?

In any event, the most common reason malware is hard to remove is because the code is loaded into memory, so while it is running you can't delete the file--it is "in use". Malware is so sophisticated now, first it is hard to find the file hidden by a rootkit or bootkit, then when you do find it, the running file may not be a process of its own, but a subroutine of a host process, such as svchost.exe and may have other protection methods that will restart the process as soon as you kill it. This is why most malware now has to be deleted on reboot.

To my mind, the main reason to have security programs on the machine is to prevent infections in the first place, and only worry about removal if prevention fails.

Quote (chromebuster):
And another thing. I actually am still wondering this to this day. On March 3, 2010, I awoke to a scan report from NOD32. It told me that it had found Win32/TrojanDownloader.Delf.NZL under the Cache of my FTP client (Web Drive 9.02 at the time). Was this a false positive? I begin to think it is considering nothing else saw it, and it took a long time for it to register in NOD32's mind too. And not to mention, why would a Trojan Downloader hide itself in the cache of an FTP client considering cache files are only snapshots and they can never be active?

There's no way to know if it is an FP from the information you've given. One would have to start out by knowing what the exact name of the file is and the exact file path to the folder it was in. And storing files in a folder meant for cache is very common--usually browser cache--and that would actually be a very clever place to hide a malicious file. That your FTP client is restricted to putting only snapshots in that folder doesn't apply to any other program from putting anything they want in there--unless you have restrictions set to that particular folder.

This topic has gotten a little off topic. In addition to Quietman7's nice answers I thought I would focus on some simpler elements of the original question--which seems to be how does MBAM go about deleting malicious files.

First, you should know that most of what we deal with now is not true viruses.
http://en.wikipedia.org/wiki/Computer_virus

Actually there are two questions--let me rephrase the first:
1. How is malware removed?
2. How are files deleted?

There are several elements to malware removal, not just the deletion of files. In essence, malware is just software and, just like any other software, consists of code, files and registry entries. You might have legitimate files that have been altered or corrupted by the malware. Most AV vendors will have an option of cleaning or curing a file and will attempt to return it to its original state rather than deleting it, as deleting will cause you to lose data that made the file useful before the infection. Many times this is not possible tho.

Most of what we deal with now tho are standalone malicious programs, so deleting or moving the whole file or files is needed.

Registry entries are critical, because the malware has to start itself automatically on every boot in order for it to do what it wants to do, which is accomplished by settings in the registry.

As far as how files are deleted, you would really have to ask the folks at MBAM how they do it--if it's not a secret that they don't want the malware authors to know. Some security tools use U.S. military-strength deletion methods, which consists of writing zeros to the sector numerous times. But once the malicious process has been killed and the files have been moved to quarantine and altered (as described earlier) the malware is effectively crippled and de-activated. When a file is supposed to run from such and such a folder and the file isn't there, then it won't affect you.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
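A toy version of the quarantine flow quietman7 lays out in #2 (copy, rename, encrypt, record, remove the original, later restore or purge) and that Papakid leans on in #6, added here as an example; it is not Malwarebytes' code and nothing about the product's real formats is known or assumed. Keyed XOR stands in for the product's encryption, and a PermissionError stands in for the Windows "file in use" case that forces deletion on reboot.

```python
import hashlib
import json
import secrets
import tempfile
from pathlib import Path


def _xor(data: bytes, key: bytes) -> bytes:
    """Keyed XOR standing in for the product's encryption (not cryptographic strength):
    the stored copy is no longer a runnable file and no longer matches its own signatures."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def quarantine(target: Path, qdir: Path) -> Path:
    """Copy, rename, obfuscate, write a metadata record, then remove the original.
    Returns the JSON record describing the quarantined item."""
    data = target.read_bytes()
    sha256 = hashlib.sha256(data).hexdigest()
    key = secrets.token_bytes(32)
    blob = qdir / f"{sha256[:16]}.quar"       # renamed: the original name lives only in the record
    blob.write_bytes(_xor(data, key))
    meta = {"original_path": str(target), "sha256": sha256,
            "size": len(data), "key": key.hex(), "pending_delete": False}
    try:
        target.unlink()                        # immediate removal of the original
    except PermissionError:
        # Windows refuses to delete a file that is open or executing ("in use");
        # a real product schedules that deletion for the next reboot. Recorded only.
        meta["pending_delete"] = True
    record = blob.with_suffix(".json")
    record.write_text(json.dumps(meta))
    return record


def restore(record: Path) -> Path:
    """False positive: decode the copy back to its original location, refusing if the
    copy no longer matches the hash taken at quarantine time."""
    meta = json.loads(record.read_text())
    blob = record.with_suffix(".quar")
    data = _xor(blob.read_bytes(), bytes.fromhex(meta["key"]))
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantine copy is corrupted; refusing to restore")
    dest = Path(meta["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    blob.unlink()
    record.unlink()
    return dest


def delete_quarantined(record: Path) -> None:
    """Confirmed malicious: drop the backup copy, after which nothing can be restored."""
    record.with_suffix(".quar").unlink()
    record.unlink()


def demo() -> dict:
    """Round trip on a constructed sample in a temp directory; returns facts to check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        qdir = root / "Quarantine"
        qdir.mkdir()
        sample = root / "Program Files" / "SomeApp" / "suspicious.exe"
        sample.parent.mkdir(parents=True)
        original = b"MZ" + bytes(range(256)) * 4   # constructed stand-in for a flagged binary
        sample.write_bytes(original)

        record = quarantine(sample, qdir)
        stored = record.with_suffix(".quar").read_bytes()
        gone = not sample.exists()
        restored = restore(record)
        restored_ok = restored.read_bytes() == original and not record.exists()

        record2 = quarantine(sample, qdir)        # flagged again; this time confirmed and purged
        delete_quarantined(record2)
        purged = not any(qdir.iterdir()) and not sample.exists()

        return {"gone_after_quarantine": gone, "stored_differs": stored != original,
                "stored_length": len(stored), "restored_ok": restored_ok, "purged": purged}
```

Calling demo() runs the whole cycle in a throwaway directory; the "pending_delete" flag is what a scanner would consult on the next boot to finish removing a file it could not unlink while it was running.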


#7 marktreg

  • Members

Posted 13 July 2010 - 04:14 PM

Lots of excellent info in this thread. Thanks guys. :thumbsup:

#8 chromebuster

  • Members

Posted 13 July 2010 - 04:53 PM

Thanks for the wonderful info. I do apologize for the off topic remark, and I'll answer your question about the file path of the file belonging to my game. It is C:\Program Files\Night Of Parasite\krnln.fnr. That was the one tagged along with the main Executable NOP(3.1).exe in the same folder. I definitely will report that to MBAM considering there's proof from multiple sources that this is only a game meant for the blind, not a trojan as some security products claim it to be. The tags for both files were for krnln.fnr, Trojan.GameThief, and for the main executable, MBAM tagged it as Trojan.FlyStudio. So I'll make sure to take both off the ignore list and then include the developer log on that forum as I'm a member over there too. And if you want definite proof, then go to www.audiogames.net and click Night of Parasite in the combobox on the front page.

Edited by chromebuster, 13 July 2010 - 04:56 PM.


#9 Papakid

  • Malware Response Team

Posted 13 July 2010 - 11:56 PM

Well, being off-topic is not that big of a deal. Thanks for posting the names and locations of the files, altho I can't find anything on the second one. But krnln.fnr is what is getting detected as that is the exact same file name used by known malware that also happens to originate in China.
http://www.threatexpert.com/report.aspx?ui...45-aaebb76ccf48

The file path to that known malicious file is %Temp%\E_4\krnln.fnr and %ProgramFiles%\Internet Explorer\krnln.fnr

As you can see, the second is very close to the file path of your file, except that it's in an Internet Explorer subfolder. The detection can be explained by the fact that malware doesn't stand pat and will change the location in a new variant in order to attempt to avoid detection.

Because the various naming conventions are using terms like GameThief, Infostealer, PWS (which is short for PassWord Stealer), and because the malware is known to use a keylogger, originates in China and your program doesn't have a home page so isn't coming from a reputable company makes it still very suspicious. The Chinese pioneered very specialized malware designed to just steal the passwords of players of MMORPGs such as World of Warcraft, Lineage and others that allow you to earn virtual goods such as gold by gameplay. Once they have your password, they can log into your account and sell your hard-earned goods to someone on the black market.

You sound as if you know the developers of this game, but it's hard for me to tell. If not, if you don't know that you can trust them explicitly, then you should be open to the possibility that the game is actually infected. This is a case where samples really need to be tested as the evidence we have so far doesn't tip the scale enough one way or another.

I believe it probably is an FP tho. Because Night Of Parasite is a game for the blind, the game controls are in the keyboard. Programs that map out keyboard combinations are often mistaken for keyloggers.

BTW, to see how sophisticated malware has been since 2007/2008, see the following article:
http://www.securelist.com/en/analysis/2047...allenge_of_2008

It's a good read, altho some of it is too technical for most average end users. But there is some information there relative to your question about FTP clients. You need to read what precedes it to understand, but for now if you scroll down to the section titled "The spy module" and then "List of applications targeted" you'll see that a lot of those are FTP clients.

Quote:
The majority of applications targeted by the module designed to steal confidential data are designed for web site administration. This is critical for malicious users, as it is these sites which can be used either to host the botnet command and control centre, or to host exploits.

Everything is going to "The Cloud"--even malware.



#10 chromebuster

  • Members

Posted 14 July 2010 - 12:58 AM

Thanks for the info. Now I'll be looking up the MD5 hash and seeing if it matches. I'll also check it against either Jotti or Virustotal just to see what they say. And not to mention, the game actually does have a homepage. I've been to it before, but it is hard to understand considering the whole page is in Chinese. And I'll have to look at that SecureList article you put out. I look at their blogs all the time, and I have a lot of respect for those guys at Kaspersky. I thank everyone in the security community, believe me. And since 2009, I've been quite the enthusiast.


#11 chromebuster

  • Members

Posted 17 July 2010 - 03:18 PM

You folks were scared that my game was actually infected due to one of its files having the same name as a file used in known malware. Remember how I'd told you that I'd check the hash of the file? Well I did and they were different than what was stated on threatexpert.com. Not sure if that makes a difference, but I think it does considering MD5s never lie, do they? Let me know. And by the way, I loved that article you sent. It was very informative, and not difficult for me to understand at all.

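Added example (not from any poster, from Malwarebytes or from ThreatExpert): Python that sets the name-only rule which flagged krnln.fnr against the kind of multi-element signature Papakid describes in #6 and #9, and includes the hash comparison chromebuster did in #11. The paths are the ones quoted in the thread; the bytes, the hashes derived from them and the behaviour labels (`keyboard_hook`, `posts_credentials_to_remote_host`) are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Observation:
    path: str             # where the file was found
    content: bytes        # its bytes (hashed below)
    behaviors: frozenset  # what it did when run in a sandbox

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def folder(self) -> str:
        return str(PureWindowsPath(self.path).parent).lower()

    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()


@dataclass(frozen=True)
class Signature:
    label: str
    known_md5: frozenset   # hashes of samples analysts have actually handled
    file_names: frozenset
    folders: frozenset
    behaviors: frozenset   # all must be present for a behaviour hit


def composite_match(obs: Observation, sig: Signature) -> tuple:
    """Hash match is conclusive. Otherwise a name or folder alone is not enough: the
    family's full behaviour set must also have been observed. Returns (verdict, evidence)."""
    if obs.md5 in sig.known_md5:
        return True, ["identical to a known sample (hash)"]
    evidence = []
    if obs.name in sig.file_names:
        evidence.append("file name")
    if obs.folder in sig.folders:
        evidence.append("folder")
    if sig.behaviors <= obs.behaviors:
        evidence.append("behaviours")
    return ("behaviours" in evidence and len(evidence) >= 2), evidence


# Constructed samples. Paths are the ones quoted in the thread; the bytes, the
# hashes derived from them and the behaviour labels are invented for this example.
KNOWN_BAD = Observation(r"%ProgramFiles%\Internet Explorer\krnln.fnr",
                        b"constructed bytes standing in for the reported sample",
                        frozenset({"keyboard_hook", "posts_credentials_to_remote_host"}))
# Same code relocated and one byte changed, as a new variant dodging a hash list would be.
VARIANT = Observation(r"%ProgramFiles%\Common Files\krnln.fnr",
                      KNOWN_BAD.content[:-1] + b"!", KNOWN_BAD.behaviors)
# The keyboard-driven game: it hooks keys for its controls but sends nothing anywhere.
GAME_FILE = Observation(r"C:\Program Files\Night Of Parasite\krnln.fnr",
                        b"constructed bytes standing in for the game's runtime library",
                        frozenset({"keyboard_hook"}))
GAMETHIEF_SIG = Signature("Trojan.GameThief (constructed signature)",
                          known_md5=frozenset({KNOWN_BAD.md5}),
                          file_names=frozenset({"krnln.fnr"}),
                          folders=frozenset({KNOWN_BAD.folder, r"%temp%\e_4"}),
                          behaviors=frozenset({"keyboard_hook", "posts_credentials_to_remote_host"}))


def triage() -> dict:
    """Run the name-only rule (the one behind the thread's false positive) and the
    composite rule over all three samples; hash_matches_report is chromebuster's check."""
    out = {}
    for tag, obs in (("known_bad", KNOWN_BAD), ("variant", VARIANT), ("game_file", GAME_FILE)):
        verdict, evidence = composite_match(obs, GAMETHIEF_SIG)
        out[tag] = {"name_only": obs.name in GAMETHIEF_SIG.file_names,
                    "composite": verdict, "evidence": evidence,
                    "hash_matches_report": obs.md5 in GAMETHIEF_SIG.known_md5}
    return out
```

The game file's hash mismatch only shows it is not the reported sample, which is equally true of the relocated variant; what clears the game file is the absence of the credential-exfiltration behaviour, not the hash.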




