Malwarebyte Anti-Malware finds many trojans, while others .... why?




Hello, I usually scan my HD with SUPERAntiSpyware Professional, Spybot
- Search & Destroy and Spyware Doctor. I have them perfectly updated.
Today I used them and they did not find any infected file; then I
used Malwarebytes Anti-Malware and it found 38 trojans. Why does
none of the other software I use find anything, while Malwarebytes
Anti-Malware finds so many trojans?
thanksssss

Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?





ulixi@emmail.it wrote:

While waiting for other replies, I wouldn't delete what Anti-Malware finds
just yet unless you are sure they are trojans.
You might want to submit several to VirusTotal dot com and see if anything
there confirms the findings.
OR
Contact MalwareBytes or visit their website and their forums.
Buffalo



Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



ulixi@emmail.it wrote:


Cookies are not malware.
Counting polymorphic variations of a single trojan is lying or, at
least, inaccurate.
False positives can lead to bloated pest counts.

Hard to say how effective the product was because you gave no details,
like filenames and what pest was reported for each.

On a pristine install of Windows XP Pro SP-3 plus all current updates to
Windows only (no apps installed) in a virtual machine, and after several
attempts to get an update from their extremely slow server until
successful, this product found 1 pest.  When I attempt to get info on
what it reported, I'm taken to their web site that says when it was
first reported, when it was last seen (well, duh, you just saw it), and
their detection statistics.  No info was provided on the pest itself
that they claim is in my host.  In this case, the "pest" was a registry
entry (and no file to match up with it).  I couldn't see properties of
the pest to find out what they claim it is other than having to stretch
the columns in their "report" to see the path, manually copy the
registry path, and go look in the registry entry to see what it was.
And what was the "pest"?  A registry entry that enables seeing the
Logoff entry in the Start menu.  Oh yeah, now there's a pest, uh huh.  

So, without a list of what were those 38 pests that Malwarebytes
Anti-Malware claimed to have discovered, the count is meaningless.

Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



VanguardLH wrote:

I don't believe Malwarebytes looks for or reports cookies.



It seems to have a heuristic mechanism for identifying trojans right at the
end of the ac. I have not had a single bad experience allowing the
programme to clean up these results.

Gaz



Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



@registered.motzarella.org:


It didn't tell you it found a pest. What it found was a policy setting,
and you can select to ignore it in the future.

Obviously it's not a pristine installation if you already have modified
policy keys in place, Sir.

As for the server being very slow, yes it is. Download.com did a review
recently; our server is a bit overloaded.
 

The count isn't worth much no, but don't assume they aren't valid.
 



--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



Dustin Cook wrote:


As I can do for any false positive.  What it found was a policy setting.
What it offered was to change it.  It was not a pest.  It wasn't
malware.  It wasn't even anything the product should've complained
about.


Oh, so if the user ever actually USES their OS then they are susceptible
to false positives?  Kind of self-defeats the product.

As it went, it wasn't bad at what it found but I know many users that
would've simply gone along with the proposed suggestion to change the
registry key.  Most users don't know what those registry keys are for.
They assume the product vendor is building in the expertise to know what
they shouldn't touch.

My point was that I found something the product reported that should NOT
get altered as proposed.  The OP mentioned 38 items were found but never
mentioned WHAT they were.  The hoopla claiming those 38 items made the
product so much superior to others wasn't proved.

The product may be good at what it does.  Can't tell from the OP's
claim.

Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?





Yes, and it will continue to do so anytime it finds a policy key that
malware is known to alter. As we have no way of knowing whether you did
this on purpose, or something did it against your wishes, we offer to
correct it. If you did it on purpose, simply select ignore. It, however,
isn't a false positive.
 

See above.
 

And that would re-enable the user's disabled menu item. Most users
wouldn't have those policy keys set in the first place. :)



--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?

Dustin Cook wrote:


Right-click the taskbar, Properties, Start menu tab, Classic Start menu.  
You're saying few users choose to get rid of the fluffy Fisher-Price
Start menu in Windows XP by choosing Classic?  Then, click Customize.  
Under Advanced Start menu options is where the user can select to change
the Start menu to add/remove several items.  The user that customizes
their Start menu won't know which registry keys and data items are being
changed.  Even if each entry listed the affected registry item, users
won't remember them when someday later they run an anti-malware product
that says it will change those registry items.

So you're calling those policies?  Yes, perhaps domain policies can be
pushed to a workstation to alter these settings, but you're also
claiming that few users ever bother to tweak their Start menu.  Uh huh.  
I am expected to know what registry key does what for which tweak?  I
pointed out one customization that the product thought malware might
touch.  I'm sure there are other customizations through normally
available dialogs in Windows that let the user customize their Windows
environment that malware might also touch, but I won't know the registry
keys associated with each such customization.  Did I miss where the
product would actually explain the purpose of the registry key that it
was warning about?

Since the OP didn't mention what were reported in the 38 "pests", it is
unknown how many would've been user customizations applied to the
registry but through settings in dialog windows.  Yes, I realize what
you're saying that malware /could've/ altered that registry key but so
can the user and those tweaks are not as esoteric as you make out to
believe.  The user might also use the security policy editor to disable
panels in the Internet Options panel when accessed through IE.  Malware
might make those same changes but the user is using a policy editor that
explains what changes are being made.  The user isn't looking at
registry settings, so the user won't know what registry keys are getting
changed and they're not likely to remember them, anyway.  Many
customizations to Windows and for apps are in the registry but the user
won't know which registry keys or data items are for what.  That's why
if you're going to shove the user into the registry for what might have
possibly been touched by malware then something needs to be told to the
user about why the product thought it was a suspect source for malware.  
Maybe I missed where the product explained the purpose of the registry
key on which it alerted.  I wasn't expecting users to have to Google or
dig through Microsoft's knowledgebase hoping to find info on a registry
key, something that might not be available at the time they're trying to
get rid of malware.  That's why I suspect many reports claiming to have
found a pest could be these types of registry changes which the user
committed deliberately but wouldn't know or memorize which particular
keys or data items those settings affected in the registry.

Even after running this product to eliminate a pest, how many go back to
analyze all the changes that got committed to determine which ones to
undo?  Why do you think registry cleaners are dangerous?  Typical users
don't review the changes proposed plus most haven't a clue what ARE
those changes (what they do).  Like a registry cleaner, this product
proposes to make registry changes but undefined changes.  The registry
change wasn't explained in the product, so long after this product made
changes to the registry would they know that something lost in their
setup was caused by this product?  Of those that do review the changes
(before or after letting the product make them), where is the info on
the item so they can make an informed decision on whether to undo a
change or not?  Typically something like this is the duty of a realtime
scanner checking for critical system changes so the user gets immediate
feedback at the time of the change to know it was related to something
they just did, or could go look it up while the proposed change was
still pending, or they can decide not to allow the change.  By the time
they get to running an on-demand scanner, like this one, it will be out
of context and most such deliberate changes were made so long ago that
the user won't have recollection of making those changes.  Of those
using this product, I don't see them running it repeatedly every day so
they might recollect a proposed registry change that would equate to
some change they made just a little earlier.  Yes, there is a commercial
version of this product that does add a realtime scanner but there
already are other FREE products that already provide realtime coverage,
detection, and alerts regarding critical registry keys.  

Personally I wouldn't consider the Logoff entry in the Start menu to be
a critical registry key but different folks have different opinions as
to what is considered critical.  Remember that I tweaked a setting, not
a registry edit and not a policy editor change, and that setting was to
*SHOW* the Logoff menu, not to hide it which is what malware might do.  
Why would malware offer MORE choices for the user to exit the affected
environment in which it operates?  It isn't sufficient or appropriate to
alert on registry keys simply because they differ from a pristine state
after the initial install of Windows.  It depends on whether or not
their *value* would have a negative impact on the user.  There is
actually some malware that turns /*on*/ the Logoff entry in the Start
menu?  Since the default state is off for this item, and since it being
on would be anti-productive to malware, this registry item shouldn't be
checked at all.

If the product is going to throw the user into registry values that
aren't explained as to why they are suspect, and because this is a
disconnected scanner from when those changes were made, I'm not sure
this product should be used by typical users for casual scanning.  I was
thinking of the scenario where a user adds this on-demand scanner to
their arsenal of security products where they would periodically check
for pests.  But then maybe I'm wrong and maybe the typical user is only
using this product in a disaster recovery scenario when they know they
have a pest that another product won't eradicate.  I sincerely doubt
many go back to investigate (outside of this product) all the changes
that were committed.  I've seen too many users just go clicking through
the prompts, selecting the defaults, and end up shooting themselves in
their foot.  If the product worked to get rid of the pest then they move
on and losing some customizations is part of the cost of getting rid of
the pest.

Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?





I have my windows setup as classic, with no fancy XP options. As my cpu
power is a bit lacking, and my video card hates me. :)

MBAM doesn't alert on me for those changes. You may have found a bug with
our engine, or perhaps something is amiss in our definitions. Can you be
more specific on how to duplicate this issue and exactly what MBAM says
concerning it? I will try to get this resolved. Now, if I edit my logoff
options, MBAM will alert on this, and let me know the policy key is
present.



Policies that are enabled, yes. We do not know if you set them, a group
setting configured them, or malware did it without your permission.


I'm sorry. Like I said, We have no way of knowing if you caused the
change or if something else did.


We don't go into too much detail, as the information is all contained in
a centralized style database, and it would become bloated pretty quick if
we went into thorough explanations for every little thing we detect.
In fact, to prevent confusion, MBAM refers to enabled policy keys as
hijacked.



I'm not trying to make them into a huge deal, only explaining why we
detect some of them.




We don't shove the user into anything. We explain it's a HiJack point,
only. If the user doesn't want to do anything about it, they don't have
to. If they aren't sure, we do have a forum where they can post for
help.


It's not a source for malware, it's an option that's been enabled or
disabled, such as registry editor, task manager, desktop settings, etc
etc etc.


We have users posting here asking how to get their desktop settings back
after having a fight with such and such malware, MBAM offers to do this,
and refers to it as a desktop hijack.


Basically, any change you make in windows is usually changing something
in the registry.
 

MBAM isn't a registry cleaner. We do not go willy-nilly and take a guess
with keys. We do not attempt to delete keys we know nothing about.


It clearly shows you a before and after. Before being bad, after being
good. What it is now, what it plans to change it to if allowed. How much
simpler can we make that?


MBAM can function as a resident scanner with the paid version. The free
version is restricted to on-demand only.


Policy keys aren't always considered critical. We do not consider them as
such, irritating for new users, yes.
 

Your tweaked setting was actually a registry edit, which did set a policy
key. Now, whether you knew that was taking place at the time or not
doesn't much matter.



Can you show me the MBAM log where this happened? It shouldn't have
alerted on the policy key alone, unless it was set to enabled, which
would hide, not show your logoff menu.



See above. MBAM shouldn't alert on that condition. Please provide your
logfile so we can get this cleared up.


--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



Dustin Cook wrote:


Thanks for the chuckle.  Took me trialing multiple older versions of
drivers for mine before I found one that worked with all my apps and
games.  The latest version was not usable.  Oh joy.


Right-click on the Windows taskbar.  Properties.  Start menu tab.
Change to Classic view (if not already).  Click Customize.  Enable the
"Display Logoff" selection (to enable its display in the Start menu).

I don't have the virtual machine setup to test Anti-Malware anymore
since it's being used to test other software.  I think the registry key
was:

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Data item: StartMenuLogoff
Default = 0 (1 = show in Start menu)


I understand that to keep the program itself small might mean not
providing this help.  But the right-click option (of which the only that
seemed to apply was Vendor Information) took me to your web site but
nothing was mentioned for this registry key.

Pretty hard to make an informed decision when the information is missing
on which to make that judgment.  I personally know of such omnipotent
wizards that can judge what every registry key and data items under them
will do or how they are used (but I know several that can make good
guesses).  I'm used to digging in the registry, searching on why it's
there or how to use it, and tracking through interdependencies to ensure
a data item should be modified or deleted.  That's not something I
consider a typical user would do.  They don't understand any of that.  

You're saying the user can undo the changes.  If they didn't know what they
were about when they allowed them, how would they know if they want to
undo them?  I thought it odd that the "help" on the alerted item
provided no help to let me know what the registry key was for so I could
know at that time (and not after having to do independent research)
whether I allowed the change or later to decide to undo it.  There was a
reason why MB chose to test that registry key and data item to see if it
might be a vector for malware infection.  If I use an anti-virus product
that says I have some virus on my host then I expect it to have a link
back to a lookup knowledgebase that explains what that virus does and
what criteria was used in deciding the pest was on my host.  I'd like to
know SOMETHING so I can make an informed decision.


And, as you pointed out in your post, a vast majority of configuration
changes are in the registry.


Will have to wait until other testing completes to relinquish the VM for
me to get back to retesting MBAM.  
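Added example (not MBAM's code, nor anything from the posters): a read-only PowerShell audit of the StartMenuLogoff value named above plus two well-known Policies\System values, reporting current value, default and a plain-language meaning so a reviewer can tell a deliberate tweak from an unwanted change. The meaning strings and default values are my assumptions for illustration; the script changes nothing.

```powershell
# Read-only audit of a few registry values that on-demand scanners report as
# "hijack points". For each value it shows the current data, the assumed
# default, whether they differ, and what the setting does, which is the
# context the thread says the scanner's own report lacks.

$checks = @(
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name    = 'StartMenuLogoff'
       Default = 0      # per the thread: 0 = hidden, 1 = show Log Off in Start menu
       Meaning = 'Shows the Log Off entry in the XP Start menu when 1. Set by the Start menu Customize dialog; a user tweak, not a hiding trick.' }
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableTaskMgr'
       Default = 0      # assumed default: absent or 0 = Task Manager allowed
       Meaning = 'Blocks Task Manager when 1. Legitimately set only by Group Policy; often set by malware to hinder cleanup.' }
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableRegistryTools'
       Default = 0      # assumed default: absent or 0 = regedit allowed
       Meaning = 'Blocks regedit when 1. Same caveat as DisableTaskMgr.' }
)

function Get-PolicyValueReport {
    param([hashtable]$Check)

    $current = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Check.Name) }
    }

    # "Before" is what is there now; "After" is what a reset to default would write.
    [pscustomobject]@{
        Key       = "$($Check.Path)\$($Check.Name)"
        Before    = if ($null -eq $current) { '<absent>' } else { $current }
        After     = $Check.Default
        Differs   = ($null -ne $current) -and ($current -ne $Check.Default)
        Meaning   = $Check.Meaning
    }
}

$report = $checks | ForEach-Object { Get-PolicyValueReport -Check $_ }

# Only values that differ from the assumed default deserve a second look;
# the Meaning column tells the reviewer whether the difference is harmful.
$report | Where-Object { $_.Differs } | Format-List
```

Run it under the user profile being reviewed; values under HKCU are per user, so a clean profile and a tweaked one will give different reports.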

Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?





I did recently add more ram to the machine tho, to make the VM's
happier. :)
 

Mine has Logoff Raid, and Turn off computer...
 

Ahh.... Eventually we do intend for the site to provide more
information.
 

I would have to say our help system is a bit lacking. I'll bring it up.
:)


Fair enough. However, MBAM isn't designed to deal with viruses. They
aren't the same critter.
 

But of course, tis the MS way. :( How I miss configuration files. lol.
 

Whenever you can provide the log displaying this issue, that would be
great. I really can't do much to fix this, without the log. Sorry.
 



--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



Dustin Cook wrote:
Better documentation would help, this way folks can make a better
educated decision about what the product is doing and what it has found.

Good product by the way, and I would recommend its use.

John

