Malwarebytes makes me vulnerable when scanning?


13 replies to this topic

#1 fgeelo
  • Members
  • 117 posts

Posted 12 August 2010 - 01:03 AM

So I was doing a Malwarebytes scan when suddenly AVG popped up saying that there was a potential threat found. I looked into it and it turned out the source of the threat was a test spyware virus .exe in my recycle bin from Spycar.org which I was using to test out my antivirus.

But that's not my concern.

What concerns me is that, does this mean that when Malwarebytes is scanning it is actually allowing files it passes over to open and operate? If that file it scanned were a real virus and it were not detected by AVG, it could do some serious damage, couldn't it? Can someone please explain this for me, it would be much appreciated.

Also, as a side note, Malwarebytes didn't even detect the virus when I did a scan of the specific file. So what gives?

Edited by fgeelo, 12 August 2010 - 01:09 AM.


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,595 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 August 2010 - 07:17 AM

Malwarebytes is not an anti-virus program like AVG.

Antivirus and Antispyware Software: What's The Difference? Essentially, they look for (detect) and remove different types of threats. To fully understand the difference between an anti-virus and anti-malware program you need to understand the difference between the various types of malware and How Malware Spreads.

What is Malware?
What is Spyware?
What is Adware?
What is Rogue software?

What is a Backdoor Trojan?
What is a Worm?
What is a Virus?
The Difference Between a Virus, Worm, Trojan Horse and Blended Threats
What is the difference between viruses, worms, and Trojans?
Trojan FAQs: Common Trojans and how they work

What is a Botnet?
What is an IRCBot?
What is Whistler Bootkit?
What Is A Rootkit?
What are Potentially Unwanted Programs (PUPS)? - McAfee White Paper: Potentially Unwanted Programs

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

Edited by quietman7, 12 August 2010 - 07:32 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 fgeelo
  • Topic Starter

Posted 12 August 2010 - 07:33 AM

I appreciate your reply quietman but it didn't really answer my other question. When Malwarebytes is scanning, is it actually allowing files it passes over to open and operate? If that file it scanned were a real virus and it were not detected by AVG, it could do some serious damage, couldn't it? Because when I scanned with Malwarebytes, suddenly AVG detected a virus.

#4 quietman7

Posted 12 August 2010 - 07:58 AM

If Malwarebytes does not detect a file as a threat, yes it will pass over it during the scan. That fact would apply to any anti-malware scanner or anti-virus which did not detect a threat.

However, when compared to other security tools like Spybot S&D and Ad-Aware, the advantage of Malwarebytes Anti-Malware (MBAM) is that it uses a proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and special techniques which enable it to detect a wide spectrum of threats including active rootkits. IMO it has proven more effective than many of the stand-alone ARK tools which are available. MBAM intentionally does not search for and remove cookies which pose no significant threat. The research team investigates new rogue applications and malicious files so the database is usually updated several times a day in an aggressive effort to keep it current. Scanning is performed quickly while other tools can take hours.

Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan which takes much longer to complete. Both scans use heuristics that bypass polymorphic blackhat packers & encryption, MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers.
  • A Quick Scan looks at the most prevalent places for active malware so scanning every single file on the drive isn't always necessary.
  • A Full Scan only has the ability to catch more traces in rare circumstances but it can be used to scan every drive (including removable) on the system.
  • A Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.
The above information about how the program works is general rather than specific. The reason for this is that the developers of MBAM do not want to reveal all the special techniques utilized in order to protect the integrity of the tool from malware writers who would use that information for nefarious purposes.

#5 fgeelo

Posted 13 August 2010 - 03:07 AM

Thanks for your reply once again, but as I stated before my concern was that, when it passed over the file, why would all of a sudden, out of the blue, a virus suddenly be detected by AVG? Did MBAM somehow activate the .exe while scanning over it? That's my main concern. I'm not so much concerned with the inner workings of the program but more so as to why a virus would suddenly be detected by a different program simply because MBAM was doing a routine scan.

#6 quietman7

Posted 13 August 2010 - 06:50 AM

Did MBAM somehow activate the .exe while scanning over it? That's my main concern

Very unlikely.

The more plausible explanation is that after a security vendor like AVG updates their program version or definition databases, it is not uncommon for subsequent scans to find malware files or remnants which had previously gone undetected by prior scans.

#7 tug
  • Members
  • 61 posts

Posted 13 August 2010 - 08:16 AM

I think what the OP means is that MBAM was scanning and AVG was dormant. During the course of MBAM's scan it scanned that file and AVG flagged it. How would AVG flag a file if at the time it was dormant and unable to notice that file, unless in the course of its scan MBAM somehow activated the .exe file, letting AVG's resident shield (presuming the OP only uses the free version) detect the file?

Edited by tug, 13 August 2010 - 08:17 AM.


#8 Galadriel
    Bleepin Elf
  • Malware Response Team
  • 2,753 posts
  • Gender:Female
  • Location:Missouri, USA

Posted 13 August 2010 - 08:46 AM

The reason for this is simple.

A resident AV program does not scan all files on the hard drive continuously. It scans when files are accessed, opened or executed (if it's a downloaded file, it'll get scanned upon its creation on the hard drive). When MBAM scans files, it has to read them to know if they are malicious, thus it is accessing them causing the resident shield to complain.

In short, MBAM does not itself, make you vulnerable when scanning... it is merely reading files to see if they are a threat. This is why many people recommend that when running any type of scanner (anti-malware, anti-virus, anti-spyware), the recommended procedure is to temporarily stop resident programs to prevent and limit interference to the scanner. It's also best to do this offline if you feel unsure about disabling those residents for the duration of the scan.
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat


#9 tug

Posted 13 August 2010 - 08:57 AM

Thank you, most informative. I have a question from that: does that mean that, say, if an AV or an AM is scanning a file that contains malware, but as yet the definitions are such that it cannot see the malware, that it "activates" said malware? Or does the process of scanning do no harm in such cases, presuming that said malware is dormant and needs to be accessed to work?

#10 Galadriel

Posted 13 August 2010 - 09:08 AM

does that mean <..snip> that it "activates" said malware?

Short answer is "No". Reading/accessing a file is not the same as executing it.

Longer one involves possibilities with varying types of infections onboard. Mostly file infectors being present will cause this (though arguably, they don't actually activate the malware, for it is in that case, already activated). For example Virut or Sality can and will infect every executable file that is being accessed. That is because they first patch the scanner itself and can intercept every file access call it makes. This is also why most file infector cleaners can't really be trusted (unless they work outside the operating system completely), hence the "you gotta know when to throw in the towel" speech that you may have come across when helpers see this type of infection on the boards.
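An added example, not code from Malwarebytes, AVG or anyone in this thread: a small on-demand scanner in Python that illustrates Galadriel's two points above (a scanner only reads the files it checks, and reading is not executing) together with quietman7's earlier point that different definition sets flag different files, so a layered setup catches more than any one of them. The two "vendors", their labels, the sample files and the hash blocklist are constructed for the demonstration; the only real signature is the public EICAR test string.

```python
"""Minimal on-demand scanner: it reads files, it never runs them.
Added example, not Malwarebytes/AVG code. Vendors, labels, sample files and the
hash blocklist are constructed; the only real signature is the EICAR string."""
from __future__ import annotations

import hashlib
import os
import re
import shutil
import stat
import tempfile
from dataclasses import dataclass, field

# Public EICAR test string, split in two so this file never holds it contiguously.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-"
         b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
DROPPER_BODY = b"MZ" + b"constructed fake dropper body, not a real PE"

@dataclass
class Definitions:
    """One constructed vendor's database: byte patterns and SHA-256 hashes."""
    name: str
    patterns: dict[str, re.Pattern[bytes]] = field(default_factory=dict)
    hashes: dict[str, str] = field(default_factory=dict)  # sha256 hex -> label

def read_only(path: str) -> bytes | None:
    """Open a regular file for reading only: no symlinks, no execution."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_size > 8 * 1024 * 1024:
        return None  # skipped, not scanned (a real scanner streams big files)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_BINARY", 0)
    with os.fdopen(os.open(path, flags), "rb") as fh:
        return fh.read()  # an .exe is just bytes to the scanner

def scan_file(path: str, defs: Definitions) -> str | None:
    """Return a detection label, or None when these definitions pass it over."""
    data = read_only(path)
    if data is None:
        return None
    digest = hashlib.sha256(data).hexdigest()
    if digest in defs.hashes:
        return defs.hashes[digest]
    for label, rx in defs.patterns.items():
        if rx.search(data):
            return label
    return None

def scan_tree(root: str, defs: Definitions) -> dict[str, str]:
    """{relative path: label} for every file these definitions flag."""
    hits: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = scan_file(full, defs)
            if label is not None:
                hits[os.path.relpath(full, root)] = label
    return hits

def vendor_defs() -> list[Definitions]:
    """Two constructed vendors whose definitions do not overlap."""
    pattern_vendor = Definitions(
        "PatternVendor",
        patterns={"EICAR-Test-File": re.compile(re.escape(EICAR))})
    hash_vendor = Definitions(
        "HashVendor",
        hashes={hashlib.sha256(DROPPER_BODY).hexdigest(): "Trojan.Constructed"})
    return [pattern_vendor, hash_vendor]

def build_sample_tree(root: str) -> None:
    """Constructed sample files; nothing here is real malware."""
    samples = {
        "eicar.com": EICAR,
        "dropper.exe": DROPPER_BODY,
        "notes.txt": b"just some text",
        "unknown.bin": b"\x00\x01 a sample nobody has a signature for yet",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

def layered(results: dict[str, dict[str, str]]) -> dict[str, str]:
    """Union of every vendor's hits: what a multi-layered setup would catch."""
    return {path: lbl for hits in results.values() for path, lbl in hits.items()}

def demo(root: str | None = None) -> dict[str, dict[str, str]]:
    """Build the sample tree and scan it once per vendor."""
    tmp = root or tempfile.mkdtemp(prefix="scan-demo-")
    try:
        build_sample_tree(tmp)
        return {d.name: scan_tree(tmp, d) for d in vendor_defs()}
    finally:
        if root is None:
            shutil.rmtree(tmp, ignore_errors=True)

if __name__ == "__main__":
    for vendor, hits in demo().items():
        print(f"{vendor}: {hits or 'nothing detected'}")
```

Each vendor flags exactly one of the four files, `unknown.bin` is passed over by both, and the union of the two result sets is what a layered setup would report. Note the caveat that is the whole thread in miniature: on a machine with a resident anti-virus, writing `eicar.com` to disk will make that resident shield fire the instant the file is created or read, even though nothing in this script executes anything.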

#11 quietman7

Posted 13 August 2010 - 09:21 AM

Thanks Gal.

Seems I was misunderstanding what fgeelo was attempting to get across... it's Friday.

#12 tug

Posted 13 August 2010 - 09:26 AM

Thank you very much. This is very reassuring. :thumbsup:

#13 Galadriel

Posted 13 August 2010 - 09:31 AM

You're both very welcome. :thumbsup:

#14 fgeelo
  • Topic Starter

Posted 13 August 2010 - 06:43 PM

Thank you very much :thumbsup:



