Author Topic: mbamservice.exe false positives  (Read 19798 times)

Offline DavidR

Re: mbamservice.exe false positives [RESOLVED]
« Reply #15 on: October 29, 2010, 03:25:50 PM »
<snip>
I only have a couple of exclusions in the settings, namely:
C:\Program Files\Malwarebytes' Anti-Malware\*
C:\Documents and Settings\All Users\Application Data\Malwarebytes\*
I hadn't thought to add exclusions to the File System Shield.
As a bit of an experiment, I have added (only) the two listed above to the File System Shield, and will see if that makes a difference.
If I still get the 'virus found' results, I will insert every exclusion you have listed.
Appreciate the assistance.  :)

Those exclusions will be of no use in this case as the detections aren't on the files, but the signatures placed into memory. So it is the memory blocks being detected and you can't exclude them; excluding a file from scanning doesn't exclude its actions.
« Last Edit: October 29, 2010, 03:28:34 PM by DavidR »
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Snagglegrain

Re: mbamservice.exe false positives [RESOLVED]
« Reply #16 on: October 30, 2010, 02:29:18 AM »
Maybe I'm just nuts, but it sure seems like a situation where avast and MBAM could get together (if they really wanted to) and figure out a way to prevent these memory detections... or at least account for them and make it so an exclusion would work.
Today I had 1.  Yesterday I had 47.  Prior to that, about a week without any.
I'm going to enter all of the exclusions craigb alluded to, and see what, if anything, that does.
It's better than doing nothing.

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #17 on: November 01, 2010, 05:32:09 AM »
Snagglegrain, are these the exclusions you have added, as they will need to be added to the file system shield exclusions as well as the settings exclusions?
@ craigb: I just realized something!
I'm running a custom scan, and I've entered the exclusions in the general settings area as well as the File Shield, but I've overlooked adding the exclusions to the custom scan!
I've done that now (it's about time!), and maybe this will make a diff.

@ DavidR: You've made it clear that you think that exclusions will not matter with this issue, but I'm still trying to get this fixed, and maybe this will work!  If you come up with anything else, please let me know.

@ Asyn: You said a while back, "Just want to add, that this only occurs with the paid (pro version) of mbam".  Do you have any more details on that?  Where did you read about this happening to others?  Any links to other threads?  Thanks!

In addition to posting here on the avast forum, I've now opened tickets with both avast and MBAM support. I've also received some much appreciated PMs from other members.  I'll report back on what, if anything, I learn.   :)

 

Offline Asyn

Re: mbamservice.exe false positives
« Reply #18 on: November 01, 2010, 08:54:54 AM »
@ Asyn: You said a while back, "Just want to add, that this only occurs with the paid (pro version) of mbam".  Do you have any more details on that?  Where did you read about this happening to others?  Any links to other threads?  Thanks!

Only the pro version has resident protection and it seems that it loads its signatures unencrypted into memory. That's what avast is detecting. The free Mbam has no resident protection and therefore no problem with avast...
Sorry, no links to other threads, but you can use the forum's search function or look for info in Mbam forum.
asyn
Win 8.1 [x64] - Avast PremSec 20.8.2427.B#2 [UI.560] - CC 5.71 - EEK - FF ESR 68.12 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #19 on: November 02, 2010, 05:10:18 AM »
@ Asyn: So, when you said, "Just want to add, that this only occurs with the paid (pro version) of mbam", were you making the point that it is only possible with the Pro version, or are you saying you have seen this avast detection of mbamservice.exe before?  That's what I am trying to determine.

Offline Asyn

Re: mbamservice.exe false positives
« Reply #20 on: November 02, 2010, 07:38:25 AM »
@ Asyn: were you making the point that it is only possible with the Pro version,...

Yes.

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #21 on: November 10, 2010, 01:49:38 AM »
Well, the high severity virus detections continue.

So far, in addition to starting this topic here in the forum, I have contacted avast support and MBAM support.  Not surprisingly (to me at least), each says it's the other's fault. 

MBAM was able to replicate the detections, and escalated the issue to their QA people who said, "We've tried all options and tweaks and it's their end that needs correcting. There is no amount of coding we can do to correct this as we tried, we don't have the issue with any other antivirus or antimalware for that matter."

avast told me, "These detections are done by malwarebytes. Some problems may arise if you use more antivirus/antimalware solutions. It involves more detection that makes it even more complicated. We do not know why it is not possible to exclude it (it may be other downloading data than excluded one, it can be detected in the memory etc.)  There is nothing you can do except using just one antivirus solution if it's avast! detecting malwarebytes service in the memory."

What do you guys think?  I think it would be nice if they worked together, but then again, hardly anyone has experienced this detection, so there is definitely no push or motivation to straighten it out.

Offline DavidR

Re: mbamservice.exe false positives
« Reply #22 on: November 10, 2010, 02:35:46 AM »
Well I don't know what they (MBAM) are talking about:
"We've tried all options and tweaks and it's their end that needs correcting. There is no amount of coding we can do to correct this as we tried, we don't have the issue with any other antivirus or antimalware for that matter."

Encrypting the signatures that they place into memory shouldn't take much in the way of coding; it would, however, require that they use decryption when scanning, which would probably slow scanning.

As for other AVs not detecting this, neither does avast if you don't have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.

So I don't know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.
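The mechanism DavidR and Asyn describe, as an added example that is not part of the thread and is not avast or Malwarebytes code: a memory scan flags a second product's plaintext signature store, and stops flagging it once the store is kept masked and unmasked only for comparison. The signature bytes, the `ResidentScanner` class and the XOR masking (a stand-in for real encryption) are constructed for illustration.

```python
import os

# Constructed byte patterns standing in for malware signatures (not real ones).
SHARED_SIGNATURES = {
    "Test.Alpha": b"\x4d\x5a\x90constructed-alpha-pattern",
    "Test.Beta": b"constructed-beta-pattern\xde\xad",
}

def scan(buffer, signatures):
    """Plain substring scan, the way a simple memory scanner flags a region."""
    return sorted(name for name, pat in signatures.items() if pat in buffer)

def xor_mask(data, key):
    """Reversible masking with a repeating key (stand-in for real encryption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class ResidentScanner:
    """Hypothetical second product that keeps its signature set in memory."""

    def __init__(self, signatures, protect):
        self.protect = protect
        self.key = os.urandom(16) if protect else b""
        self.store = {n: (xor_mask(p, self.key) if protect else p)
                      for n, p in signatures.items()}

    def memory_image(self):
        """What another product's memory scan sees: the stored signature blob."""
        return b"\x00heap\x00" + b"\x00".join(self.store.values()) + b"\x00"

    def scan(self, buffer):
        """Detection still works; protected mode unmasks one pattern at a time."""
        hits = []
        for name, stored in self.store.items():
            pat = xor_mask(stored, self.key) if self.protect else stored
            if pat in buffer:
                hits.append(name)
        return sorted(hits)
```

The per-pattern unmasking in `ResidentScanner.scan` is the extra work at scan time that the post above expects to slow scanning.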

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #23 on: November 10, 2010, 07:11:48 AM »
As for other AVs not detecting this, neither does avast if you don't have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.

So I don't know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.
From what I see, avast scans memory in the Full system scan ("modules loaded in memory") as well as in the Custom scan ("operating memory of the computer").
And of course I passed on to them (that these are on-demand custom scans).
Did you not read that I said they replicated the detections?

Offline bong2x

Re: mbamservice.exe false positives
« Reply #24 on: November 10, 2010, 08:32:42 AM »
This situation only happens if you are scanning simultaneously: two scanners detect the threats at the same time. mbamservice.exe is identified as the mbam chest, which means that avast is also scanning the mbam chest. It is detected but cannot be deleted because it is in the safe place (mbam chest). As you can see, the threat is in mbamservice, so try to clear the mbam chest and try scanning again. And don't forget to use only 1 security scanner at a time :)

best regards!!! 
Hardware
Intel Core 2 Duo @ 2.20GHz,3GB RAM.
Software
OS->WinXp-pro Sp3.
Protection->avast Free 6.0.1091,MBAM,SAS
Browser->Firefox 4.0,IE8,G-chrome
Emergency Interface->unlocker 1.8.9

Life is a continue process of learning

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #25 on: November 10, 2010, 08:47:07 AM »
The MBAM "chest" (I'm assuming you refer to Quarantine) is empty.
Also, I'm not scanning with two scanners simultaneously.
Thanks for the input.


Offline DavidR

Re: mbamservice.exe false positives
« Reply #26 on: November 10, 2010, 03:00:00 PM »
As for other AVs not detecting this, neither does avast if you don't have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.

So I don't know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.
From what I see, avast scans memory in the Full system scan ("modules loaded in memory") as well as in the Custom scan ("operating memory of the computer").
And of course I passed on to them (that these are on-demand custom scans).
Did you not read that I said they replicated the detections?

Well my guess is it also depends on the other settings you have in your custom scan as you appear to have it set to the absolute maximum sensitivity, etc.

Replicating it isn't the issue, resolving it is, and as I said, if they encrypted the signatures loaded into memory that wouldn't happen.

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #27 on: November 10, 2010, 07:22:01 PM »
I have Heuristics set at High, but the detections still occur when the setting is rolled back to Normal.
> Use code emulation is also checked.

As for the other three settings on the Sensitivity page, I have:
> Test whole files
> Scan for PUPS
> Follow links

I have no idea if these are default or tweaked... it's been too long and I can't recall.
Anyone with knowledge of default settings, please speak up.

Offline DavidR

Re: mbamservice.exe false positives
« Reply #28 on: November 10, 2010, 07:30:01 PM »
Well test whole files (and Scan for PUPs) isn't on by default and is possibly the area where it is picking them up.

You have basically enabled almost every level of scanning at the highest levels. To find the defaults all you need do is create a new custom scan and that will show the options enabled by default.

Offline Snagglegrain

Re: mbamservice.exe false positives
« Reply #29 on: November 10, 2010, 08:46:19 PM »
I think I'll try these regularly scheduled scans, but with "Scan for PUPS" turned off.
If that doesn't make a difference, I'll disable "Test whole files".

It may take a few days or more to see if there is a change (because sometimes the detections don't happen each day anyway), but I may be able to isolate the problem this way.

I have noted that the detections still occur with heuristics set at default, so that really only leaves the two settings listed above (that I have tweaked) as possible suspects... if indeed this is a sensitivity issue.

Thanks for the suggestion to view defaults simply by creating a new scan.