mbamservice.exe false positives

[DavidR]

You're welcome.

[Snagglegrain]

Note to self (and/or anyone else following this issue who might care): 

I have reset the Sensitivity settings to all default conditions (per screenshot)
and rebooted just in case that is needed for the settings to stick.

For the record, I am optimistic that the MBAM detections will cease.
If and when they do, I will then singularly add back in the two settings that I had tweaked, until I isolate the problem.

Some might say that luck has no hand in this game, but if someone wants to wish me some, I'll gladly accept!

[Asyn]

Some might say that luck has no hand in this game, but if someone wants to wish me some, I'll gladly accept!

Good luck..!

[Snagglegrain]

@ Asyn, thanks for that. 

@ self (and anyone else interested) , Unfortunately, even after resetting all Sensitivity settings to default, I encountered the mbamservice.exe detection on one computer early this morning.
I'll leave the current settings alone at least until after tomorrow's scan, before deciding the next move.

At this point I am left questioning my decision to use the Custom scan in the first place.  I have switched back to the Full system scan now and then to see if I get the mbam detection, and so far I have not.  To answer my own question, I suppose I am attracted to the Custom scan's option to perform a full rootkit scan, as compared to the quick rootkit scan that runs in the Full system scan.

I also see that in the Custom scan, I have selected "Scan all files", whereas the default setting leaves that unchecked.  This might be a setting to change.

I can also elect to remove Memory from the scan areas, and that would seemingly eliminate this whole issue.  Does anyone have an opinion on the practice of scanning (or not scanning) memory... aside from the obvious conflict that it is causing on my systems? I'm convinced that it is a good practice, that viruses can hide in system memory, and that good scanners look at memory.  But I'd like to hear what others think.

I am also a bit puzzled by the fact that these mbam detections do not happen when I run Full system scans, yet according to avast, memory is scanned in both the Full system scan ("modules loaded in memory") as well as in the Custom scan ("operating memory of the computer").

And one more question, on a related note... does anyone know if rootkit scans on system startup (found under Troubleshooting in Basic Settings) are full or quick scans?
 

[CraigB]

Hi again Snagglegrain, i would think that it would be a quick rootkit scan at starup otherwise the boot time's would be huge.

Hope the standard full scan help's you with those detections, i did mention in one of our PM's that you would be better using that scan.

[DavidR]

Wrong, the anti-rootkit scan happens 8 minutes after boot, so shouldn't contribute to boot duration.

There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.

[CraigB]

Wrong, the anti-rootkit scan happens 8 minutes after boot, so shouldn't contribute to boot duration.

There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.

Your right, i had forgotten about the scan delay at startup.

[Snagglegrain]

There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.

@ DavidR: Not exactly what I would call a compelling argument.
By the way, I disabled "Scan all files" and changed the rootkit scan to quick scan,
and the mbamservice.exe detection still occured on one computer.
Guess I'll eliminate the memory scan, and that should be the end of the detections.

[DavidR]

<snip>
Your right, i had forgotten about the scan delay at startup.

If you actually check your aswAr.log file, the one that happens 8 mins after boot you will find it doesn't very long, mine for this morning only took 3 seconds. The last Full System scan I did also includes a more comprehensive anti-rootkit scan aswAr1.log only took 27 seconds.

[DavidR]

There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don't know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.

@ DavidR: Not exactly what I would call a compelling argument.
By the way, I disabled "Scan all files" and changed the rootkit scan to quick scan,
and the mbamservice.exe detection still occured on one computer.
Guess I'll eliminate the memory scan, and that should be the end of the detections.

Compelling argument for what exactly ?

My comment was correcting craigb's assumption that a rootkit scan doesn't contribute boot duration. The further expansion as to an anti-rootkit scan at boot-time wouldn't be a good idea. If at boot the windows APIs that report what they see as running isn't available then there is nothing to compare making an anti-rootkit scan pointless.

If at the time of the anti-rootkit scan the rootkit isn't established then the scan is pointless. This is why avast introduced the delay of the anti-rootkit scan 8 minutes after boot.

So I really haven't a clue what it is you are saying, "Not exactly what I would call a compelling argument." Argument for what ?

[CraigB]

<snip>
Your right, i had forgotten about the scan delay at startup.

If you actually check your aswAr.log file, the one that happens 8 mins after boot you will find it doesn't very long, mine for this morning only took 3 seconds. The last Full System scan I did also includes a more comprehensive anti-rootkit scan aswAr1.log only took 27 seconds.

Just checked my rootkit scan from this morning, 9 seconds. Definately a very quick scan.

[Asyn]

Just checked my rootkit scan from this morning, 9 seconds. Definately a very quick scan.

5 secs here...
Only thing is that it freezes the browser here, but no big deal.
asyn

[Snagglegrain]

If you actually check your aswAr.log file, the one that happens 8 mins after boot you will find it doesn't very long, mine for this morning only took 3 seconds. The last Full System scan I did also includes a more comprehensive anti-rootkit scan aswAr1.log only took 27 seconds.

My aswAr.log indicates the scan happened 8 min 20 sec after boot and lasted 5 sec.
The aswAr1.log file shows that the rootkit scan (that I had changed from full to quick) ran for 1 min 42 sec.  On a 2nd machine the scan time was shorter, 1 min 6 sec.

Back to the Custom scan issue...
one machine found a mbamservice.exe detection this morning, but the other didn't.
The rootkit scans (both on startup and on scheduled Custom scan) checked mbam in 4 places on both computers...

Process C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [744]
Process C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [3912]
Service MBAMProtector [C:\WINDOWS\system32\drivers\mbam.sys]
Service MBAMService [C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe]

The machine that detected the mbamservice.exe 'virus' said it was in Process 744.

I am going to remove the rootkit scan from the Custom scan and see if that eliminates the mbamservice detection tomorrow. 

[DavidR]

The rootkit scan wouldn't have found it as the detections that you are getting are conventional signature detections and not the rootkit detection. See image example of the rootkit detection screen, is that the one you saw ?

[Snagglegrain]

The rootkit scan wouldn't have found it as the detections that you are getting are conventional signature detections and not the rootkit detection. See image example of the rootkit detection screen, is that the one you saw ?

The detections are, as I stated, part of a Custom scan, and I posted an image in the very first post in this topic.  Would a detection found during the rootkit scan portion of the Custom scan produce an image like you posted, or would it be like the one I posted?