Author Topic: mbamservice.exe false positives  (Read 19797 times)

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
mbamservice.exe false positives
« on: October 09, 2010, 04:06:16 PM »
My scheduled scan this morning found 10 threats, all of which are mbamservice.exe.
Since I have MBAM excluded, there was no action taken, meaning they are not in the virus chest, but I'd like these FPs to be known.
What should I do?
Thanks.  :)
« Last Edit: November 01, 2010, 05:32:52 AM by Snagglegrain »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
Re: mbamservice.exe false positives
« Reply #1 on: October 09, 2010, 04:32:54 PM »
I don't know if this wasn't something you mentioned before, but it most certainly is in many other forum topics.

They aren't FPs as you asked avast to scan the memory for malware, so don't be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn't mbamservice.exe that is infected, that is the process that loaded them into memory.

- Detections in Memory - My guess is that you are doing a Custom scan in which you have elected to scan Memory and that all these detections are in memory. Since they aren't physical files they can't be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro
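
The behaviour described in the reply above, as an added example that is not part of the original thread: a toy model of one product's memory scan hitting the definitions another product has loaded. The signature bytes, the XOR encoding and the region layout are constructed assumptions; this is not how avast! or MBAM actually store or match signatures.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, harmless stand-ins for byte patterns known to both products.
SHARED_SIGNATURES = {
    "Sample.A": b"CONSTRUCTED-PATTERN-ALPHA",
    "Sample.B": b"CONSTRUCTED-PATTERN-BRAVO",
}

@dataclass
class MemoryRegion:
    owner: str                          # process that allocated the block
    data: bytes                         # raw contents of the block
    backing_file: Optional[str] = None  # None: heap data, no file on disk

def xor_encode(blob: bytes, key: int = 0x5A) -> bytes:
    """Hypothetical at-rest encoding for definitions held in memory."""
    return bytes(b ^ key for b in blob)

def load_definitions(encoded: bool) -> bytes:
    """The second product loads its definitions into one heap block."""
    blob = b"\x00".join(SHARED_SIGNATURES.values())
    return xor_encode(blob) if encoded else blob

def scan_memory(regions):
    """The first product's memory scan: plain byte-pattern search per region."""
    hits = []
    for region in regions:
        for name, pattern in SHARED_SIGNATURES.items():
            if pattern in region.data:
                hits.append({
                    "threat": name,
                    "process": region.owner,      # who holds the bytes
                    "file": region.backing_file,  # nothing to quarantine
                    "actionable": region.backing_file is not None,
                })
    return hits

def demo(encoded: bool):
    regions = [
        MemoryRegion("mbamservice.exe", load_definitions(encoded)),
        MemoryRegion("notepad.exe", b"ordinary heap contents"),
    ]
    return scan_memory(regions)

if __name__ == "__main__":
    print(demo(encoded=False))  # hits attributed to mbamservice.exe, no file
    print(demo(encoded=True))   # no hits
```
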

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66715
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: mbamservice.exe false positives
« Reply #2 on: October 09, 2010, 04:42:36 PM »
Dave is right..!!
Just want to add, that this only occurs with the paid (pro version) of mbam...
asyn
Win 8.1 [x64] - Avast PremSec 20.8.2427.B#2 [UI.560] - CC 5.71 - EEK - FF ESR 68.12 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives
« Reply #3 on: October 09, 2010, 05:01:30 PM »
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66715
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: mbamservice.exe false positives
« Reply #4 on: October 09, 2010, 05:05:11 PM »
Quote
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Yes. ;)
asyn

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: mbamservice.exe false positives
« Reply #5 on: October 09, 2010, 05:51:48 PM »
***

Have you had MBAM Pro all this time also?


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
Re: mbamservice.exe false positives
« Reply #6 on: October 09, 2010, 06:03:09 PM »
Quote
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

No, I don't find it strange at all, as those signatures may not be loaded into memory all of the time. If you had done a recent mbam scan, these could have been loaded and remain in memory. If that is the case then there may be times when the signatures aren't loaded.

All you have to remember is that there are consequences of scanning memory when you have another security application/s installed.

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8786
Re: mbamservice.exe false positives
« Reply #7 on: October 09, 2010, 08:47:58 PM »
Quote
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Never had that problem on my XP Pro system.

Is it XP Home or Pro and how much RAM does the system have ???

That's good info for the signature.  ;)
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives
« Reply #8 on: October 11, 2010, 07:51:44 AM »
Quote
They aren't FPs as you asked avast to scan the memory for malware, so don't be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn't mbamservice.exe that is infected, that is the process that loaded them into memory.

I opened a ticket with the avast support center and sent them the same info I posted here.
The reply I received said:
Quote
Please, update your avast! virus database and then scan that file again. There were some false alarms removed. Anyway, if there's still false detection, send me that particular file to analyse.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83749
  • No support PMs thanks
Re: mbamservice.exe false positives
« Reply #9 on: October 11, 2010, 02:58:54 PM »
You aren't going to be able to send a file as none exists, these are memory blocks as I have said.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives [SOLVED]
« Reply #10 on: October 11, 2010, 06:56:07 PM »
False alarms removed, per avast support.  Problem SOLVED.
Thanks for all the replies.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives
« Reply #11 on: October 29, 2010, 06:36:13 AM »
Quote
You aren't going to be able to send a file as none exists, these are memory blocks as I have said.

I just wanted to briefly report back that this "infection" has happened a number of times since I declared this issue "RESOLVED".
My correspondence with avast tech support people (the last of which I excerpted below) has confirmed that DavidR was spot on with his analysis that these detections were MBAM definitions in memory being flagged by avast.

Quote
There is nothing you can do except using just one antivirus solution if it's avast! detecting malwarebytes service in the memory.
« Last Edit: October 29, 2010, 06:39:54 AM by Snagglegrain »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66715
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: mbamservice.exe false positives [RESOLVED]
« Reply #12 on: October 29, 2010, 08:00:56 AM »
Thanks for the feedback, Snagglegrain..!
asyn

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11031
  • No support PM's thanks
Re: mbamservice.exe false positives [RESOLVED]
« Reply #13 on: October 29, 2010, 11:26:47 AM »
Snagglegrain, are these the exclusions you have added, as they will need to be added to the file system shield exclusions as well as the settings exclusions?
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings; these will need to be added one at a time.
For Windows XP:
Code:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys


Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives [RESOLVED]
« Reply #14 on: October 29, 2010, 03:17:42 PM »
Quote
Snagglegrain, are these the exclusions you have added, as they will need to be added to the file system shield exclusions as well as the settings exclusions?
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings; these will need to be added one at a time.
For Windows XP:
Code:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys

Hello craigb
Thank you for your reply!
I only have a couple of exclusions in the settings, namely:
C:\Program Files\Malwarebytes' Anti-Malware\*
C:\Documents and Settings\All Users\Application Data\Malwarebytes\*
I hadn't thought to add exclusions to the File System Shield.
As a bit of an experiment, I have added (only) the two listed above to the File System Shield, and will see if that makes a difference.
If I still get the 'virus found' results, I will insert every exclusion you have listed.
Appreciate the assistance.  :)
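
A check on the two exclusion styles discussed in the last two posts, as an added example that is not part of the original thread: it compares the two folder wildcards against the per-file list from reply #13. The matching semantics (a `*` that matches any run of characters including backslashes, compared case-insensitively) are an assumption, not avast!'s documented behaviour, and the `unrelated-constructed.exe` path is constructed.

```python
import fnmatch

# The two wildcard exclusions quoted in the last post.
WILDCARD_EXCLUSIONS = [
    r"C:\Program Files\Malwarebytes' Anti-Malware\*",
    r"C:\Documents and Settings\All Users\Application Data\Malwarebytes\*",
]

# The per-file list quoted in reply #13 (Windows XP paths).
PER_FILE_LIST = [
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe",
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
    r"C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll",
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll",
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll",
    r"C:\Documents and Settings\All Users\Application Data\Malwarebytes"
    r"\Malwarebytes' Anti-Malware\rules.ref",
    r"C:\Windows\System32\drivers\mbam.sys",
    r"C:\Windows\System32\drivers\mbamswissarmy.sys",
]

# Constructed path: some unrelated file that ends up in an excluded folder.
UNRELATED = r"C:\Program Files\Malwarebytes' Anti-Malware\unrelated-constructed.exe"

def matching_exclusion(path, patterns):
    """Return the first pattern that covers path, or None.

    ASSUMPTION: '*' matches any characters (backslashes included) and
    comparison ignores case, as Windows paths do.
    """
    lowered = path.lower()
    for pattern in patterns:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None

def not_covered(paths, patterns):
    """Listed files that the wildcard exclusions miss."""
    return [p for p in paths if matching_exclusion(p, patterns) is None]

def also_excluded(paths, patterns):
    """Files outside the list that the wildcards exclude anyway."""
    return [p for p in paths if matching_exclusion(p, patterns) is not None]

if __name__ == "__main__":
    print("missed:", not_covered(PER_FILE_LIST, WILDCARD_EXCLUSIONS))
    print("extra: ", also_excluded([UNRELATED], WILDCARD_EXCLUSIONS))
```

Under these assumptions the two wildcards miss the two driver files under `C:\Windows\System32\drivers`, while also excluding any other file placed in the excluded folders.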