Author Topic: mbamservice.exe false positives  (Read 23841 times)

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
mbamservice.exe false positives
« on: October 09, 2010, 04:06:16 PM »
My scheduled scan this morning found 10 threats, all of which are mbamservice.exe.
Since I have MBAM excluded, there was no action taken, meaning they are not in the virus chest, but I'd like these FPs to be known.
What should I do?
Thanks.  :)
« Last Edit: November 01, 2010, 05:32:52 AM by Snagglegrain »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: mbamservice.exe false positives
« Reply #1 on: October 09, 2010, 04:32:54 PM »
I don't know if this wasn't something you mentioned before, but it most certainly is in many other forum topics.

They aren't FPs as you asked avast to scan the memory for malware, so don't be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn't mbamservice.exe that is infected, that is the process that loaded them into memory.

- Detections in Memory - My guess is that you are doing a Custom scan in which you have elected to scan Memory and that all these detections are in memory. Since they aren't physical files they can't be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.

The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don't be too surprised if it finds some in memory.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
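
An added illustration of the reply above (not part of the original post, and not how avast! or MBAM are implemented): a toy pattern scanner run over simulated memory regions, showing why plaintext definitions held by another product match and why such a hit has no file to act on. The signature bytes, the `Region` type, the XOR encoding and the `sample.exe` path are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, harmless byte patterns standing in for a definitions set.
# For simplicity both products are assumed to know the same patterns.
SIGNATURES = {
    "Toy.Sample.A": b"\x4d\x5a\x90TOY-PATTERN-A\x00\xff",
    "Toy.Sample.B": b"TOY-PATTERN-B\x13\x37",
}

@dataclass
class Region:
    owner: str                    # process that owns the memory block
    backing_file: Optional[str]   # None for private (heap) memory
    data: bytes

def xor(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a product that keeps its definitions encoded in memory."""
    return bytes(b ^ key for b in data)

def scan(regions):
    """Naive pattern scan: one hit per signature found in each region."""
    return [(r.owner, name, r.backing_file)
            for r in regions
            for name, pattern in SIGNATURES.items()
            if pattern in r.data]

def actionable(hit) -> bool:
    """Only a hit backed by a file can be moved to quarantine or deleted."""
    return hit[2] is not None

# The other product's definitions as one blob inside its own process memory.
blob = b"hdr" + b"".join(SIGNATURES.values()) + b"pad"

PLAINTEXT = [Region("mbamservice.exe", None, blob)]
ENCODED = [Region("mbamservice.exe", None, xor(blob))]
ON_DISK = [Region("sample.exe", r"C:\constructed\sample.exe",
                  b"code" + SIGNATURES["Toy.Sample.A"])]

if __name__ == "__main__":
    for label, regions in (("plaintext", PLAINTEXT), ("encoded", ENCODED),
                           ("file-backed", ON_DISK)):
        for hit in scan(regions):
            print(label, hit, "actionable" if actionable(hit) else "report only")
        if not scan(regions):
            print(label, "no detections")
```

The plaintext case yields one hit per pattern, all attributed to the owning process and none actionable; the encoded case yields none, which is why the effect depends on how the other product holds its definitions at the moment of the scan.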

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: mbamservice.exe false positives
« Reply #2 on: October 09, 2010, 04:42:36 PM »
Dave is right..!!
Just want to add, that this only occurs with the paid (pro version) of mbam...
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives
« Reply #3 on: October 09, 2010, 05:01:30 PM »
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: mbamservice.exe false positives
« Reply #4 on: October 09, 2010, 05:05:11 PM »
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

Yes. ;)
asyn

CharleyO

  • Guest
Re: mbamservice.exe false positives
« Reply #5 on: October 09, 2010, 05:51:48 PM »
***

Have you had MBAM Pro all this time also?


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: mbamservice.exe false positives
« Reply #6 on: October 09, 2010, 06:03:09 PM »
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?

No, I don't find it strange at all, as those signatures may not be loaded into memory all of the time. If you had done a recent mbam scan, these could have been loaded and remain in memory. If that is the case then there may be times when the signatures aren't loaded.

All you have to remember is that there are consequences of scanning memory when you have another security application/s installed.

YoKenny

  • Guest
Re: mbamservice.exe false positives
« Reply #7 on: October 09, 2010, 08:47:58 PM »
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?
Never had that problem on my XP Pro system.

Is it XP Home or Pro and how much RAM does the system have ???

That's good info for the signature.  ;)

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives
« Reply #8 on: October 11, 2010, 07:51:44 AM »
They aren't FPs as you asked avast to scan the memory for malware, so don't be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn't mbamservice.exe that is infected, that is the process that loaded them into memory.
I opened a ticket with the avast support center and sent them the same info I posted here.
The reply I received said:
Quote
Please, update your avast! virus database and then scan that file again. There were some false alarms removed. Anyway, if there's still false detection, send me that particular file to analyse.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: mbamservice.exe false positives
« Reply #9 on: October 11, 2010, 02:58:54 PM »
You aren't going to be able to send a file as none exists, these are memory blocks as I have said.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives [SOLVED]
« Reply #10 on: October 11, 2010, 06:56:07 PM »
False alarms removed, per avast support.  Problem SOLVED.
Thanks for all the replies.

Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives
« Reply #11 on: October 29, 2010, 06:36:13 AM »
You aren't going to be able to send a file as none exists, these are memory blocks as I have said.
I just wanted to briefly report back that this "infection" has happened a number of times since I declared this issue "RESOLVED".
My correspondence with avast tech support people (the last of which I excerpted below) has confirmed that DavidR was spot on with his analysis that these detections were MBAM definitions in memory being flagged by avast.

Quote
There is nothing you can do except using just one antivirus solution if it's avast! detecting malwarebytes service in the memory.
« Last Edit: October 29, 2010, 06:39:54 AM by Snagglegrain »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: mbamservice.exe false positives [RESOLVED]
« Reply #12 on: October 29, 2010, 08:00:56 AM »
Thanks for the feedback, Snagglegrain..!
asyn

Online CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: mbamservice.exe false positives [RESOLVED]
« Reply #13 on: October 29, 2010, 11:26:47 AM »
Snagglegrain, are these the exclusions you have added? They will need to be added to the file system shield exclusions as well as the settings exclusions.
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings; these will need to be added one at a time.
For Windows XP:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys


Offline Snagglegrain

  • Sr. Member
  • ****
  • Posts: 221
Re: mbamservice.exe false positives [RESOLVED]
« Reply #14 on: October 29, 2010, 03:17:42 PM »
Snagglegrain, are these the exclusions you have added? They will need to be added to the file system shield exclusions as well as the settings exclusions.
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings; these will need to be added one at a time.
For Windows XP:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys
Hello craigb
Thank you for your reply!
I only have a couple of exclusions in the settings, namely:
C:\Program Files\Malwarebytes' Anti-Malware\*
C:\Documents and Settings\All Users\Application Data\Malwarebytes\*
I hadn't thought to add exclusions to the File System Shield.
As a bit of an experiment, I have added (only) the two listed above to the File System Shield, and will see if that makes a difference.
If I still get the 'virus found' results, I will insert every exclusion you have listed.
Appreciate the assistance.  :)