Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Snagglegrain on October 09, 2010, 04:06:16 PM

Title: mbamservice.exe false positives
Post by: Snagglegrain on October 09, 2010, 04:06:16 PM
My scheduled scan this morning found 10 threats, all of which are mbamservice.exe.
Since I have MBAM excluded, there was no action taken, meaning they are not in the virus chest, but I'd like these FPs to be known.
What should I do?
Thanks.  :)
Title: Re: mbamservice.exe false positives
Post by: DavidR on October 09, 2010, 04:32:54 PM
I don't know if this wasn't something you mentioned before, but it most certainly is in many other forum topics.

They aren't FPs as you asked avast to scan the memory for malware, so don't be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn't mbamservice.exe that is infected, that is the process that loaded them into memory.

- Detections in Memory - My guess is that you are doing a Custom scan in which you have elected to scan Memory and that all these detections are in memory. Since they aren't physical files they can't be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.
Title: Re: mbamservice.exe false positives
Post by: Asyn on October 09, 2010, 04:42:36 PM
Dave is right..!!
Just want to add, that this only occurs with the paid (pro version) of mbam...
asyn
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on October 09, 2010, 05:01:30 PM
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?
Title: Re: mbamservice.exe false positives
Post by: Asyn on October 09, 2010, 05:05:11 PM
Quote
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Yes. ;)
asyn
Title: Re: mbamservice.exe false positives
Post by: CharleyO on October 09, 2010, 05:51:48 PM
***

Have you had MBAM Pro all this time also?


***
Title: Re: mbamservice.exe false positives
Post by: DavidR on October 09, 2010, 06:03:09 PM
Quote
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

No I don't find it strange at all as those signatures may not be loaded into memory all of the time, if you had done a recent mbam scan these could have been loaded and remain in memory. If that is the case then there may be times when the signatures aren't loaded.

All you have to remember is that there are consequences of scanning memory when you have another security application/s installed.
Title: Re: mbamservice.exe false positives
Post by: YoKenny on October 09, 2010, 08:47:58 PM
Quote
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Never had that problem on my XP Pro system.

Is it XP Home or Pro and how much RAM does the system have ???

That's good info for the signature.  ;)
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on October 11, 2010, 07:51:44 AM
Quote
They aren't FPs as you asked avast to scan the memory for malware, so don't be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn't mbamservice.exe that is infected, that is the process that loaded them into memory.

I opened a ticket with the avast support center and sent them the same info I posted here.
The reply I received said:
Quote
Please, update your avast! virus database and then scan that file again. There were some false alarms removed. Anyway, if there's still false detection, send me that particular file to analyse.
Title: Re: mbamservice.exe false positives
Post by: DavidR on October 11, 2010, 02:58:54 PM
You aren't going to be able to send a file as none exists, these are memory blocks as I have said.
Title: Re: mbamservice.exe false positives [SOLVED]
Post by: Snagglegrain on October 11, 2010, 06:56:07 PM
False alarms removed, per avast support.  Problem SOLVED.
Thanks for all the replies.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on October 29, 2010, 06:36:13 AM
Quote
You aren't going to be able to send a file as none exists, these are memory blocks as I have said.

I just wanted to briefly report back that this "infection" has happened a number of times since I declared this issue "RESOLVED".
My correspondence with avast tech support people (the last of which I excerpted below) has confirmed that DavidR was spot on with his analysis that these detections were MBAM definitions in memory being flagged by avast.

Quote
There is nothing you can do except using just one antivirus solution if it's avast! detecting malwarebytes service in the memory.
Title: Re: mbamservice.exe false positives [RESOLVED]
Post by: Asyn on October 29, 2010, 08:00:56 AM
Thanks for the feedback, Snagglegrain..!
asyn
Title: Re: mbamservice.exe false positives [RESOLVED]
Post by: CraigB on October 29, 2010, 11:26:47 AM
Snagglegrain, are these the exclusions you have added, as they will need to be added to the file system shield exclusions as well as the settings exclusions?
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings, these will need to be added one at a time.
For Windows XP:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys

Title: Re: mbamservice.exe false positives [RESOLVED]
Post by: Snagglegrain on October 29, 2010, 03:17:42 PM
Quote
Snagglegrain, are these the exclusions you have added, as they will need to be added to the file system shield exclusions as well as the settings exclusions?
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings, these will need to be added one at a time.
For Windows XP:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys

Hello craigb
Thank you for your reply!
I only have a couple of exclusions in the settings, namely:
C:\Program Files\Malwarebytes' Anti-Malware\*
C:\Documents and Settings\All Users\Application Data\Malwarebytes\*
I hadn't thought to add exclusions to the File System Shield.
As a bit of an experiment, I have added (only) the two listed above to the File System Shield, and will see if that makes a difference.
If I still get the 'virus found' results, I will insert every exclusion you have listed.
Appreciate the assistance.  :)
Title: Re: mbamservice.exe false positives [RESOLVED]
Post by: DavidR on October 29, 2010, 03:25:50 PM
Quote
<snip>
I only have a couple of exclusions in the settings, namely:
C:\Program Files\Malwarebytes' Anti-Malware\*
C:\Documents and Settings\All Users\Application Data\Malwarebytes\*
I hadn't thought to add exclusions to the File System Shield.
As a bit of an experiment, I have added (only) the two listed above to the File System Shield, and will see if that makes a difference.
If I still get the 'virus found' results, I will insert every exclusion you have listed.
Appreciate the assistance.  :)

Those exclusions will be of no use in this case as the detections aren't on the files, but the signatures placed into memory. So it is the memory blocks being detected and you can't exclude them, excluding a file from scanning doesn't exclude its actions.
Title: Re: mbamservice.exe false positives [RESOLVED]
Post by: Snagglegrain on October 30, 2010, 02:29:18 AM
Maybe I'm just nuts, but it sure seems like a situation where avast and MBAM could get together (if they really wanted to) and figure out a way to prevent these memory detections... or at least account for them and make it so an exclusion would work.
Today I had 1.  Yesterday I had 47.  Prior to that, about a week without any.
I'm going to enter all of the exclusions craigb alluded to, and see what, if anything, that does.
It's better than doing nothing.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 01, 2010, 05:32:09 AM
Quote
Snagglegrain, are these the exclusions you have added, as they will need to be added to the file system shield exclusions as well as the settings exclusions?

@ craigb: I just realized something!
I'm running a custom scan, and I've entered the exclusions in the general settings area as well as the File Shield, but I've overlooked adding the exclusions to the custom scan!
I've done that now (it's about time!), and maybe this will make a diff.

@ DavidR: You've made it clear that you think that exclusions will not matter with this issue, but I'm still trying to get this fixed, and maybe this will work!  If you come up with anything else, please let me know.

@ Asyn: You said awhile back, "Just want to add, that this only occurs with the paid (pro version) of mbam".  Do you have any more details on that?  Where did you read about this happening to others?  Any links to other threads?  Thanks!

In addition to posting here on the avast forum, I've now opened tickets with both avast and MBAM support. I've also received some much appreciated PMs from other members.  I'll report back on what, if anything, I learn.   :)

 
Title: Re: mbamservice.exe false positives
Post by: Asyn on November 01, 2010, 08:54:54 AM
Quote
@ Asyn: You said awhile back, "Just want to add, that this only occurs with the paid (pro version) of mbam".  Do you have any more details on that?  Where did you read about this happening to others?  Any links to other threads?  Thanks!

Only the pro version has resident protection and it seems that it loads its signatures unencrypted into memory. That's what avast is detecting. The free Mbam has no resident protection and therefore no problem with avast...
Sorry, no links to other threads, but you can use the forum's search function or look for info in Mbam forum.
asyn
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 02, 2010, 05:10:18 AM
@ Asyn: So, when you said, "Just want to add, that this only occurs with the paid (pro version) of mbam", were you making the point that it is only possible with the Pro version, or are you saying you have seen this avast detection of mbamservice.exe before?  That's what I am trying to determine.
Title: Re: mbamservice.exe false positives
Post by: Asyn on November 02, 2010, 07:38:25 AM
Quote
@ Asyn: were you making the point that it is only possible with the Pro version,...

Yes.
asyn
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 10, 2010, 01:49:38 AM
Well, the high severity virus detections continue.

So far, in addition to starting this topic here in the forum, I have contacted avast support and MBAM support.  Not surprisingly (to me at least), each says it's the other's fault. 

MBAM was able to replicate the detections, and escalated the issue to their QA people who said, "We've tried all options and tweaks and it's their end that needs correcting. There is no amount of coding we can do to correct this as we tried, we don't have the issue with any other antivirus or antimalware for that matter."

avast told me, "These detection are done by malwarebytes. Some problems may arise if you use more antivirus/antimalware solutions. It involves more detection that makes it even more complicated. We do not know why it is not possible to exclude it (it may be other downloading data then excluded one, it can be detected in the memory etc.)  There is nothing you can do except using just one antivirus solution if it's avast! detecting malwarebytes service in the memory."

What do you guys think?  I think it would be nice if they worked together, but then again, hardly anyone has experienced this detection, so there is definitely no push or motivation to straighten it out.
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 10, 2010, 02:35:46 AM
Well I don't know what they (MBAM) are talking about:
"We've tried all options and tweaks and it's their end that needs correcting. There is no amount of coding we can do to correct this as we tried, we don't have the issue with any other antivirus or antimalware for that matter."

Encrypting the signatures that they place into memory shouldn't take much in the way of coding, it would however require that they have to use decryption when scanning which would probably slow scanning.

As for other AVs not detecting this, neither does avast if you don't have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.

So I don't know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.
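A simplified model of the behaviour discussed in this thread, added here as an illustration and not code from avast, Malwarebytes or any poster: path exclusions are consulted only when scanning file objects, so a plaintext signature set held in another scanner's process memory is still matched, while a masked copy is not (at the cost of unmasking on every comparison). The signature bytes, the XOR mask key and all function names are constructed for the example; the paths, wildcard exclusions and PID are the ones quoted in the thread.

```python
import fnmatch
from dataclasses import dataclass

# Constructed, harmless byte patterns standing in for real malware signatures.
SIGNATURES = {
    "Demo.Trojan.A": b"\x13\x37DEMO-PATTERN-ALPHA\xfe\xed",
    "Demo.Worm.B": b"\xca\xfeDEMO-PATTERN-BRAVO\x00\x01",
}

# Paths, PID and wildcard exclusions as quoted in the thread.
SERVICE = "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe"
RULES = ("C:\\Documents and Settings\\All Users\\Application Data\\"
         "Malwarebytes\\Malwarebytes' Anti-Malware\\rules.ref")
EXCLUSIONS = [
    "C:\\Program Files\\Malwarebytes' Anti-Malware\\*",
    "C:\\Documents and Settings\\All Users\\Application Data\\Malwarebytes\\*",
]
DEMO_KEY = bytes(range(1, 17))  # constructed 16-byte mask key (assumption)


@dataclass
class Region:
    """One block of process memory as seen by the on-demand scanner."""
    image_path: str
    pid: int
    data: bytes


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_blob(db: dict, key: bytes = b"") -> bytes:
    """Signature set as the resident scanner keeps it: length-prefixed
    records, stored in plaintext or masked with `key`."""
    out = b""
    for pattern in db.values():
        stored = xor_mask(pattern, key) if key else pattern
        out += len(stored).to_bytes(2, "big") + stored
    return out


def scan_files(files: dict, db: dict, exclusions: list) -> list:
    """File scan: excluded paths are skipped before any content is read."""
    hits = []
    for path, content in files.items():
        if any(fnmatch.fnmatchcase(path, pat) for pat in exclusions):
            continue
        hits += [(path, name) for name, sig in db.items() if sig in content]
    return hits


def scan_memory(regions: list, db: dict) -> list:
    """Memory scan: regions are not files, so no path exclusion applies.
    Hits are attributed to the process that owns the block."""
    return [(r.image_path, r.pid, name)
            for r in regions for name, sig in db.items() if sig in r.data]


def resident_match(sample: bytes, blob: bytes, key: bytes = b"") -> bool:
    """The resident scanner's own lookup. With a masked blob every record
    is unmasked just before comparison, which is the extra per-scan work
    mentioned in the post above."""
    pos = 0
    while pos < len(blob):
        size = int.from_bytes(blob[pos:pos + 2], "big")
        stored = blob[pos + 2:pos + 2 + size]
        pattern = xor_mask(stored, key) if key else stored
        if pattern in sample:
            return True
        pos += 2 + size
    return False


def demo():
    plain = build_blob(SIGNATURES)
    masked = build_blob(SIGNATURES, DEMO_KEY)
    file_hits = scan_files({RULES: plain}, SIGNATURES, EXCLUSIONS)
    plain_hits = scan_memory([Region(SERVICE, 744, plain)], SIGNATURES)
    masked_hits = scan_memory([Region(SERVICE, 744, masked)], SIGNATURES)
    return file_hits, plain_hits, masked_hits


if __name__ == "__main__":
    file_hits, plain_hits, masked_hits = demo()
    print("file scan with exclusions:", file_hits)
    print("memory scan, plaintext signatures:", plain_hits)
    print("memory scan, masked signatures:", masked_hits)
```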
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 10, 2010, 07:11:48 AM
Quote
As for other AVs not detecting this, neither does avast if you don't have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.

So I don't know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.

From what I see, avast scans memory in the Full system scan ("modules loaded in memory") as well as in the Custom scan ("operating memory of the computer").
And of course I passed on to them (that these are on-demand custom scans).
Did you not read that I said they replicated the detections?
Title: Re: mbamservice.exe false positives
Post by: bong2x on November 10, 2010, 08:32:42 AM
This situation only happens if you are scanning simultaneously and two scanners detect the threats at the same time. mbamservice.exe is identified as the mbam chest, which means that avast is also scanning the mbam chest. It is detected but cannot be deleted because it is in the safe place (mbam chest). As you can see, the threat is in mbamservice, so try to clear the mbam chest and try scanning again. And don't forget to use only 1 security scanner at a time :)

Best regards!!!
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 10, 2010, 08:47:07 AM
The MBAM "chest" (I'm assuming you refer to Quarantine) is empty.
Also, I'm not scanning with two scanners simultaneously.
Thanks for the input.

Title: Re: mbamservice.exe false positives
Post by: DavidR on November 10, 2010, 03:00:00 PM
Quote
As for other AVs not detecting this, neither does avast if you don't have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.

So I don't know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.
From what I see, avast scans memory in the Full system scan ("modules loaded in memory") as well as in the Custom scan ("operating memory of the computer").
And of course I passed on to them (that these are on-demand custom scans).
Did you not read that I said they replicated the detections?

Well my guess is it also depends on the other settings you have in your custom scan as you appear to have it set to the absolute maximum sensitivity, etc.

Replicating it isn't the issue, resolving it is and as I said if they encrypted the signatures loaded into memory that wouldn't happen.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 10, 2010, 07:22:01 PM
I have Heuristics set at High, but the detections still occur when the setting is rolled back to Normal.
> Use code emulation is also checked.

As for the other three settings on the Sensitivity page, I have:
> Test whole files
> Scan for PUPS
> Follow links

I have no idea if these are default or tweaked... it's been too long and I can't recall.
Anyone with knowledge of default settings, please speak up.
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 10, 2010, 07:30:01 PM
Well test whole files (and Scan for PUPs) isn't on by default and is possibly the area where it is picking them up.

You have basically enabled almost every level of scanning at the highest levels. To find the defaults all you need do is create a new custom scan and that will show the options enabled by default.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 10, 2010, 08:46:19 PM
I think I'll try these regularly scheduled scans, but with "Scan for PUPS" turned off.
If that doesn't make a difference, I'll disable "Test whole files".

It may take a few days or more to see if there is a change (because sometimes the detections don't happen each day anyway), but I may be able to isolate the problem this way.

I have noted that the detections still occur with heuristics set at default, so that really only leaves the two settings listed above (that I have tweaked) as possible suspects... if indeed this is a sensitivity issue.

Thanks for the suggestion to view defaults simply by creating a new scan.
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 10, 2010, 09:48:22 PM
You're welcome.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 11, 2010, 08:06:51 AM
Note to self (and/or anyone else following this issue who might care):  :)

I have reset the Sensitivity settings to all default conditions (per screenshot)
and rebooted just in case that is needed for the settings to stick.

For the record, I am optimistic that the MBAM detections will cease.
If and when they do, I will then singularly add back in the two settings that I had tweaked, until I isolate the problem.

Some might say that luck has no hand in this game, but if someone wants to wish me some, I'll gladly accept!
Title: Re: mbamservice.exe false positives
Post by: Asyn on November 11, 2010, 08:30:19 AM
Quote
Some might say that luck has no hand in this game, but if someone wants to wish me some, I'll gladly accept!

Good luck..! :)
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 11, 2010, 08:35:51 PM
@ Asyn, thanks for that.  :)

@ self (and anyone else interested) :), Unfortunately, even after resetting all Sensitivity settings to default, I encountered the mbamservice.exe detection on one computer early this morning.
I'll leave the current settings alone at least until after tomorrow's scan, before deciding the next move.

At this point I am left questioning my decision to use the Custom scan in the first place.  I have switched back to the Full system scan now and then to see if I get the mbam detection, and so far I have not.  To answer my own question, I suppose I am attracted to the Custom scan's option to perform a full rootkit scan, as compared to the quick rootkit scan that runs in the Full system scan.

I also see that in the Custom scan, I have selected "Scan all files", whereas the default setting leaves that unchecked.  This might be a setting to change.

I can also elect to remove Memory from the scan areas, and that would seemingly eliminate this whole issue.  Does anyone have an opinion on the practice of scanning (or not scanning) memory... aside from the obvious conflict that it is causing on my systems? I'm convinced that it is a good practice, that viruses can hide in system memory, and that good scanners look at memory.  But I'd like to hear what others think.

I am also a bit puzzled by the fact that these mbam detections do not happen when I run Full system scans, yet according to avast, memory is scanned in both the Full system scan ("modules loaded in memory") as well as in the Custom scan ("operating memory of the computer").

And one more question, on a related note... does anyone know if rootkit scans on system startup (found under Troubleshooting in Basic Settings) are full or quick scans?
 
Title: Re: mbamservice.exe false positives
Post by: CraigB on November 12, 2010, 07:54:38 AM
Hi again Snagglegrain, I would think that it would be a quick rootkit scan at startup, otherwise the boot times would be huge.

Hope the standard full scan helps you with those detections, I did mention in one of our PMs that you would be better using that scan.
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 12, 2010, 03:12:36 PM
Wrong, the anti-rootkit scan happens 8 minutes after boot, so shouldn't contribute to boot duration.

There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.
Title: Re: mbamservice.exe false positives
Post by: CraigB on November 12, 2010, 03:23:09 PM
Quote
Wrong, the anti-rootkit scan happens 8 minutes after boot, so shouldn't contribute to boot duration.

There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.

You're right, I had forgotten about the scan delay at startup.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 12, 2010, 03:28:28 PM
Quote
There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.

@ DavidR: Not exactly what I would call a compelling argument.
By the way, I disabled "Scan all files" and changed the rootkit scan to quick scan,
and the mbamservice.exe detection still occurred on one computer.
Guess I'll eliminate the memory scan, and that should be the end of the detections.
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 12, 2010, 03:32:12 PM
Quote
<snip>
You're right, I had forgotten about the scan delay at startup.

If you actually check your aswAr.log file, the one that happens 8 mins after boot you will find it doesn't take very long, mine for this morning only took 3 seconds. The last Full System scan I did also includes a more comprehensive anti-rootkit scan aswAr1.log only took 27 seconds.

Title: Re: mbamservice.exe false positives
Post by: DavidR on November 12, 2010, 03:39:27 PM
Quote
There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.
@ DavidR: Not exactly what I would call a compelling argument.
By the way, I disabled "Scan all files" and changed the rootkit scan to quick scan,
and the mbamservice.exe detection still occurred on one computer.
Guess I'll eliminate the memory scan, and that should be the end of the detections.

Compelling argument for what exactly ?

My comment was correcting craigb's assumption that a rootkit scan doesn't contribute boot duration. The further expansion as to an anti-rootkit scan at boot-time wouldn't be a good idea. If at boot the windows APIs that report what they see as running isn't available then there is nothing to compare making an anti-rootkit scan pointless.

If at the time of the anti-rootkit scan the rootkit isn't established then the scan is pointless. This is why avast introduced the delay of the anti-rootkit scan 8 minutes after boot.

So I really haven't a clue what it is you are saying, "Not exactly what I would call a compelling argument." Argument for what ?
Title: Re: mbamservice.exe false positives
Post by: CraigB on November 12, 2010, 03:50:30 PM
Quote
<snip>
You're right, I had forgotten about the scan delay at startup.
If you actually check your aswAr.log file, the one that happens 8 mins after boot you will find it doesn't take very long, mine for this morning only took 3 seconds. The last Full System scan I did also includes a more comprehensive anti-rootkit scan aswAr1.log only took 27 seconds.


Just checked my rootkit scan from this morning, 9 seconds. Definitely a very quick scan.
Title: Re: mbamservice.exe false positives
Post by: Asyn on November 12, 2010, 04:00:18 PM
Quote
Just checked my rootkit scan from this morning, 9 seconds. Definitely a very quick scan.

5 secs here...
Only thing is that it freezes the browser here, but no big deal. ;)
asyn
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 12, 2010, 08:35:37 PM
Quote
If you actually check your aswAr.log file, the one that happens 8 mins after boot you will find it doesn't take very long, mine for this morning only took 3 seconds. The last Full System scan I did also includes a more comprehensive anti-rootkit scan aswAr1.log only took 27 seconds.

My aswAr.log indicates the scan happened 8 min 20 sec after boot and lasted 5 sec.
The aswAr1.log file shows that the rootkit scan (that I had changed from full to quick) ran for 1 min 42 sec.  On a 2nd machine the scan time was shorter, 1 min 6 sec.

Back to the Custom scan issue...
one machine found a mbamservice.exe detection this morning, but the other didn't.
The rootkit scans (both on startup and on scheduled Custom scan) checked mbam in 4 places on both computers...

Process C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [744]
Process C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [3912]
Service MBAMProtector [C:\WINDOWS\system32\drivers\mbam.sys]
Service MBAMService [C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe]

The machine that detected the mbamservice.exe 'virus' said it was in Process 744.

I am going to remove the rootkit scan from the Custom scan and see if that eliminates the mbamservice detection tomorrow. 
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 12, 2010, 09:17:49 PM
The rootkit scan wouldn't have found it as the detections that you are getting are conventional signature detections and not the rootkit detection. See image example of the rootkit detection screen, is that the one you saw ?
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 12, 2010, 09:30:38 PM
Quote
The rootkit scan wouldn't have found it as the detections that you are getting are conventional signature detections and not the rootkit detection. See image example of the rootkit detection screen, is that the one you saw ?

The detections are, as I stated, part of a Custom scan, and I posted an image in the very first post in this topic.  Would a detection found during the rootkit scan portion of the Custom scan produce an image like you posted, or would it be like the one I posted?
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 12, 2010, 10:12:48 PM
The rootkit scan although integrated into the Full scan I believe would produce the normal rootkit alert as it isn't using signature detections as the other parts of the full system scan. So at the very least I don't think it could be integrated into the report file and none of the alerts you got are rootkit related but signature detections.

So not running the rootkit scan as you are suggesting wouldn't make any difference as it isn't the rootkit part of the scan that is alerting.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 12, 2010, 11:59:40 PM
Okay, I'll take your word for it, and instead of messing around with disabling the rootkit portion of the Custom scan, I'll disable the memory area.  All indicators point to that being the solution to this issue.  And if doing so does cause the detections to cease, I'll be even more puzzled by the fact that Full system scans (that claim to scan "modules loaded in memory") are not producing these detections.  I'll report back.  Appreciate the input!
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 13, 2010, 08:27:37 PM
Removed memory area from the Custom scan.
It has now been one day in a row without the mbamservice.exe detection, on either machine.  :)
But I have to see if it is going to last.
On a previous occasion I have experienced back-to-back days of zero mbam detections.
If the issue is resolved by this, then I plan to slowly add back in the other areas I have removed or reset to default... like sensitivity, Scan all files and full rootkit scan.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 14, 2010, 03:14:01 PM
Two days in a row.   :)
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 16, 2010, 07:33:11 PM
With the memory area removed from the Custom scan, it's been four days without a mbamservice.exe detection.

Yesterday I added back all of the other Custom scan settings that I prefer...

Full rootkit scan
Heuristics on High
Sensitivity set to test whole files
Scan for PUPS
and
Scan all files

... and no mbam detections. 

The problem totally lies within the memory scanning portion of the Custom scan, whereas there is no such issue with the memory scanning portion of the Full system scan.
Title: Re: mbamservice.exe false positives
Post by: DavidR on November 16, 2010, 09:01:44 PM
Which is what I have been saying all along, scanning the memory in a custom scan will find and alert on the unencrypted virus signatures loaded by MBAM when they are present.
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on November 16, 2010, 09:21:43 PM
Quote
Which is what I have been saying all along, scanning the memory in a custom scan will find and alert on the unencrypted virus signatures loaded by MBAM when they are present.

You have been saying that?
Where exactly have you been saying that?
<just joking, DavidR>

In fairness, you have also said the problem might be in other areas as well...

"Well test whole files (and Scan for PUPs) isn't on by default and is possibly the area where it is picking them up."
"Well my guess is it also depends on the other settings you have in your custom scan as you appear to have it set to the absolute maximum sensitivity, etc."
But I give you credit for identifying the problem even when avast support was calling it a false detection that they would fix.
Now if only they would fix what we have found.  :)
Title: Re: mbamservice.exe false positives
Post by: Snagglegrain on December 06, 2010, 09:39:36 PM
Just a quick follow up note (even though the thread is old I was advised it would be best to post here)...

the mbamservice.exe memory detections during custom scan have all but stopped over the last couple of weeks. 

I had broken the custom scan into two, one with and one without memory scanning. Naturally, all the detections then occurred in the memory scans.  But it has now been a full week, at least, without any detections whatsoever (on either machine), and maybe just a couple prior to that, going back two weeks.

Perhaps either avast or MBAM changed something, or maybe it is the implementation of v1.50.  Whatever the case, I wanted people to see the follow up, even though it involves resurrecting an old thread.
Title: Re: mbamservice.exe false positives
Post by: Asyn on December 07, 2010, 08:36:54 AM
Thanks for the feedback..!
asyn
Title: Re: mbamservice.exe false positives
Post by: CraigB on December 07, 2010, 08:49:03 AM
Glad that it's all working fine for you now, it was certainly a mission :)