Using SAS and MBAM


3 replies to this topic

#1 Torvald


Posted 11 October 2010 - 01:42 PM

Hello,

Among the many responses to help requests that I've seen posted within the past six months, I've noticed some of the trained response helpers tend to use SAS and MBAM differently than others. Since they are all officially trained helpers, I'm sure they are making the right choices based on the circumstances, but it is a little confusing to me, so I'm asking for a little clarification.

1. I myself tend to always run the full scans of SAS and/or MBAM. When would running just the quick scan of either program be good enough?

2. I also tend to run SAS just once in Windows Safe mode, and to use MBAM just once in Windows Normal mode. Is this the best way? If not, please recommend which mode is best to use them in and if running them more than once when doing an actual cleaning is better.

Thanks.

Google is my friend. Make Google your friend too.




#2 quietman7


Posted 12 October 2010 - 08:00 AM

Malwarebytes Anti-Malware is designed to remove malware as effectively with a Quick Scan as it will with a Full Scan which takes much longer to complete. Both scans use heuristics that bypass polymorphic blackhat packers & encryption, MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple other malware checks which are not discussed in public to safeguard the program from malware writers.
  • A Quick Scan looks at the most prevalent places for active malware so scanning every single file on the drive isn't always necessary.
  • A Full Scan only has the ability to catch more traces in rare circumstances but it can be used to scan every drive (including removable) on the system.
  • A Flash Scan will analyze memory and autorun objects but that option is only available to licensed users in the paid version.
The above information about how the program works is general rather than specific. The reason for this is that the developers of MBAM do not want to reveal all the special techniques utilized in order to protect the integrity of the tool from malware writers who would use that information for nefarious purposes.

Generally speaking, the difference between a Full Scan and Quick scan is applicable to most security scanners...with the full scan being much more in depth in that it scans all files on a system. SUPERAntispyware offers more user choices in its scanner options. The reason being that sometimes disabling certain options will allow a scan to complete when otherwise it may stall or hang.

These are BC's tutorials for performing scans:

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.

I generally recommend scanning with SUPERAntispyware in safe mode but in some cases you may need to perform both a normal and safe mode scan. There are no guarantees or shortcuts when it comes to malware removal. Depending on the infection you are dealing with, it may take several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous.

Safe Mode is a troubleshooting mode designed to start Windows with minimal drivers and running processes to diagnose problems with your computer. This means some of the programs that normally run when Windows starts will not run.

Why use safe mode? The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using safe mode reduces the number of modules requesting files to only essentials which make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files when performing scans with anti-virus and anti-malware tools. In most cases, performing your scans in safe mode speeds up the scanning process.

Why not use safe mode? Some security tools like anti-rootkit scanners (ARKs) and programs with anti-rootkit technology use special drivers which are required for the scanning and removal process. These tools are designed to work in normal mode because the drivers will not load in safe mode which lessens the scan's effectiveness. Other security tools are optimized to run from normal mode where they are most effective. For example, Malwarebytes Anti-Malware is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection and removal when used in safe mode.

Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible.

Note: If the malware is not related to a running process (i.e. malicious .dll) it probably will not make a difference performing a scan in normal or safe mode. If the scanner you're using does not include definitions for the malware, then they may not detect or remove it regardless of what mode is used.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

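The reply above notes that some infections target the safeboot keyset and that driver-based scanners lose effectiveness in safe mode. The following read-only pre-scan check is an added example, not part of the original post; the registry path is the standard Windows SafeBoot location and `SAFEBOOT_OPTION` is the environment variable Windows sets in safe mode, neither of which is named in the thread.

```powershell
# Added example: report the current boot mode and whether the SafeBoot keyset
# is intact before deciding which mode to scan in. Read-only; changes nothing.

# Standard location of the safe-mode driver/service lists (assumption: not named in the thread).
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-BootMode {
    # SAFEBOOT_OPTION is present only in safe mode (MINIMAL or NETWORK).
    $opt = $env:SAFEBOOT_OPTION
    if ($opt) { "Safe mode ($opt)" } else { 'Normal mode' }
}

function Test-SafeBootKeyset {
    # Minimal = plain safe mode, Network = safe mode with networking.
    foreach ($name in 'Minimal', 'Network') {
        $path   = Join-Path $safeBootRoot $name
        $exists = Test-Path -LiteralPath $path
        $count  = 0
        if ($exists) {
            $count = @(Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{
            Key     = $path
            Present = $exists
            Entries = $count
            Usable  = ($exists -and $count -gt 0)   # a missing or emptied key breaks safe mode
        }
    }
}

$mode = Get-BootMode
$keys = @(Test-SafeBootKeyset)

Write-Output "Current boot mode: $mode"
Write-Output ($keys | Format-Table -AutoSize | Out-String)

if ($keys.Usable -contains $false) {
    Write-Output 'SafeBoot keyset is missing or empty: safe mode may not boot, so scan in normal mode.'
} elseif ($mode -ne 'Normal mode') {
    Write-Output 'Running in safe mode: driver-based scanners are less effective here; rescan after a normal boot.'
} else {
    Write-Output 'Normal mode with SafeBoot keys present: safe mode remains available as a fallback.'
}
```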

#3 Torvald


Posted 14 October 2010 - 01:25 PM

quietman7,

Wow! That was a terrific response, with a lot more info than I'd hoped for.

Thank you very much for being a good contributor to bleepingcomputer. Every time I browse the forums here or ask a question, I learn something new and valuable about ways to protect my family computers.

Thanks again.

Edited by Torvald, 14 October 2010 - 01:26 PM.



#4 quietman7


Posted 14 October 2010 - 01:32 PM

You're welcome.

You may also want to read How Malware Spreads - How did I get infected which explains the most common ways malware is contracted and spread.



