
Malwarebytes scanning issues


Question

Malwarebytes is our program of choice for scanning customers' systems. It works very well for the most part, but there is one issue with it. When scanning an infected system, it does an amazing job of finding and cleaning most, if not all, of the junk (Spybot S&D cleans up the remaining adware and spyware, and ComboFix removes any stubborn infections that remain afterwards; this is rare).

However, when scanning infected drives externally from our workstations (for example, if the PC in question is so badly infected and/or slow as to make it impossible to run an online scan), then Malwarebytes may only pick up a couple of items here and there, and very often picks up absolutely nothing at all! This is extremely frustrating! Of course, upon putting the drive back into the original machine and running Malwarebytes "online", it starts picking up infections out the wazoo.

Shouldn't the same definitions pick up the same files on any environment? What is going on here?

Extra information:

Our customers' OSs vary, but they are mostly XP, Vista, and some 7 machines. We occasionally get 2000 (also Macs, but obviously that is irrelevant to this issue). ALL our workstations run Windows XP Pro, except for one which runs XP Home. All our definitions are always updated before scanning (both for Malwarebytes and for Symantec Endpoint, which is our resident anti-virus). I attach the drives to our workstations with basic SATA/IDE -> USB adapters, nothing fancy.

If we forgot to include any important information, feel free to ask, and thanks from the Computer Professor team!


16 answers to this question

---

"I attach the drives to our workstations with basic SATA/IDE -> USB adapters, nothing fancy."

And why would you think you have access to scan NTFS drives like this? Do you take ownership and write permissions down the tree before you scan?

Your box is not going to have permissions to scan much of anything on an NTFS disk you just plug into your Windows box.

You need to either give yourself the correct permissions on that drive and all files/folders, or you need to scan it with an NTFS driver that does not care about permissions, like a Linux box using the ntfs-3g driver, for example.


---

Whenever we manipulate the drive externally for other reasons (backing up data, repairing installations manually, etc.), we never run into ownership or user rights issues. Why would that only affect Malwarebytes, and nothing else?

And if that really is the issue, do you have any suggestions for the simplest, quickest way to set up a *nix box with the proper drivers and a good virus scanner? Does Malwarebytes run properly in WINE? I'm not sure yet whether I would want to do this via VM or with a physical box. What are the pros/cons of each? Our space is a bit messy/cramped, so I'm kind of leaning towards a VM so as to not go crazy trying to find a spot for a new box JUST to scan for malware. Also, our workstations aren't the most robust hardware-wise, so the more minimal the VM, the better, if that's what we end up doing.

Thanks for your help!


---

"And if that really is the issue"

I have no idea what files you're backing up, or if you're using some sort of imaging software when you do the backup, which again does not look at permissions.

But what I can tell you for FACT!! is that you cannot just read files that have had NTFS permissions set from one machine's user account on another machine that does not have said user account. Even with the same username, the SIDs would not match.

You would have to take ownership of said folders/files. Read just the threads here on Neowin; it happens all the time!! Users reinstall their OS and can't figure out why they don't have access to the files they had on their data partition. Same principle.

Also keep in mind that it might not pick up anything as well, since when the drive is connected externally and you did not boot that OS, you're not going to be loading the registry to look for anything either.

What I would do if the system is so infected you cannot even really boot it to do a scan would be to attach the drive externally, pull off the user files you need, and just wipe the drive and reinstall the OS clean. As to tools that run under Linux for antivirus, there is always ClamAV, http://www.clamav.net/lang/en/

If you want to scan disks you connect externally, write your permissions down the tree so your machine can scan it. But you're still going to have to load the reg files; I don't believe that Malwarebytes does that on its own at all.


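The SID point budman makes above can be checked on the attached disk itself. The PowerShell below is an added example, not code posted in this thread. It assumes the customer's disk shows up as E:, an elevated PowerShell 3.0 or later prompt on a Windows 7 or later technician workstation (for takeown.exe and icacls.exe), and a backup file under %TEMP%; adjust those to your setup. It lists which top-level profile folders carry ACEs only for accounts this workstation cannot resolve (they show up as bare S-1-5-21-... SIDs rather than names) and, when run with -Fix, first saves the existing DACLs, then takes ownership and grants BUILTIN\Administrators read access down the tree so an elevated scanner can open every file.

```powershell
# Added example, not from the thread. Assumptions: customer disk mounted as E:, elevated
# PowerShell 3.0+ on a Windows 7+ technician box (takeown.exe/icacls.exe present), and a
# DACL backup path under %TEMP%. Scope -Root to a subtree (e.g. E:\Users) where possible.
param(
    [string]$Root      = 'E:\',
    [switch]$Fix,
    [string]$AclBackup = (Join-Path $env:TEMP 'customer-disk-dacl.txt')
)

# Well-known SIDs (BUILTIN\Administrators S-1-5-32-544, SYSTEM S-1-5-18) are the same on
# every install, so their ACEs still apply here. The customer's own accounts are
# S-1-5-21-<their machine>-<RID>, which this box cannot resolve to a name.
function Get-ForeignAceReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_.FullName
            $acl = $null; $foreign = @(); $resolvable = @()
            try {
                $acl = Get-Acl -Path $folder -ErrorAction Stop
                $ids = $acl.Access | ForEach-Object { "$($_.IdentityReference)" }
                $foreign    = @($ids | Where-Object { $_ -match '^S-1-5-21-' } | Select-Object -Unique)
                $resolvable = @($ids | Where-Object { $_ -notmatch '^S-1-5-21-' } | Select-Object -Unique)
                $status = if ($resolvable.Count -eq 0) { 'ACEs only for unknown accounts: unreadable here' } else { 'has ACEs for identities this machine knows' }
            } catch {
                # Not even READ_CONTROL: we cannot see the ACL, let alone the files.
                $status = "Get-Acl failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Folder      = $folder
                Owner       = if ($acl) { $acl.Owner } else { '?' }
                ForeignSIDs = $foreign -join ', '
                Status      = $status
            }
        }
}

# XP/2000 keep profiles under Documents and Settings, Vista/7 under Users; report both.
foreach ($name in 'Documents and Settings', 'Users') {
    $profiles = Join-Path $Root $name
    if (Test-Path -LiteralPath $profiles) { Get-ForeignAceReport -Path $profiles | Format-Table -AutoSize }
}
# System Volume Information is SYSTEM-only by default: expect a failure row here even as admin.
Get-ForeignAceReport -Path $Root |
    Where-Object { $_.Folder -like '*\System Volume Information' } | Format-List

if ($Fix) {
    # 1. Save the current DACLs so they can be put back after cleaning with:
    #    icacls E:\ /restore <backup>
    & icacls.exe $Root /save $AclBackup /T /C | Out-Null
    # 2. Take ownership down the tree (/D Y answers Yes wherever we lack list permission).
    & takeown.exe /F $Root /R /D Y | Out-Null
    # 3. Grant BUILTIN\Administrators (by SID, so no name lookup is needed) read+execute,
    #    inherited by subfolders (CI) and files (OI). Run the scanner elevated afterwards.
    & icacls.exe $Root /grant '*S-1-5-32-544:(OI)(CI)RX' /T /C | Out-Null
    Write-Host "Ownership taken and read access granted under $Root (DACL backup: $AclBackup)"
}
```

Folders with default profile ACLs usually stay readable to an elevated administrator, because the BUILTIN\Administrators and SYSTEM ACEs resolve the same on every machine; the rows to look at are those whose only ACEs name the customer's own account SIDs, plus System Volume Information. On a Vista or 7 workstation the scanner itself must also run elevated, since a non-elevated administrator token does not get the Administrators ACEs. Keep the icacls /save output so the customer's DACLs can be restored with icacls /restore once the disk goes back.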
---

As budman stated, proper rights aren't assigned over the drive to scan it. Why does it affect some tools and not others? Well, that deals with how the tools function. Malwarebytes is not a low-level tool, which is why it does not remove or detect rootkits. Imaging utilities are low-level tools and do not need permissions to read or write data; many other antispyware/antimalware tools are low-level, but they aren't exactly perfect at detecting or removing everything either.


---

We don't use imaging tools to back up data, though. We literally copy-paste the files we need. We use TeraCopy, but I doubt that makes much of a difference. However, what you mentioned about loading the registry made sense. Is there a simple, free program that lets me easily load registries from external drives? And would doing so create a security risk for our own workstations, or will it leave the rest of the system unaffected?

Clearly, formatting and reinstalling would be the best choice in many of these cases, but it doesn't always work out like that... sometimes, the customer has tons of data, and they don't want to pay for the back up, or maybe the computer's license was rubbed out, and doing a legit install would take a long time to properly find the key and re-license... or whatever else. I'm sure you understand the difference between what should be done, and what can practically be done.


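For the "load the registry" step budman mentions and Computer Professor asks about: reg.exe, which ships with every Windows version in question, can mount a hive file from the attached disk under a temporary key. The script below is an added example, not code from the thread. It assumes the customer's disk is E:, that one user profile lives at E:\Documents and Settings\Owner (a placeholder; adjust per machine), and an elevated PowerShell 3.0 or later prompt. It loads the customer's SOFTWARE hive and that user's NTUSER.DAT, lists the classic Run/RunOnce/Winlogon autostart values with their drive letter translated to where the disk is mounted here, reports whether each referenced file is present, and unloads the hives again.

```powershell
# Added example, not from the thread. Assumptions: customer disk mounted as E:, the
# profile path below is a placeholder to adjust per machine, elevated PowerShell 3.0+
# (reg.exe load/unload needs the backup/restore privileges an elevated admin has).
param(
    [string]$Root        = 'E:\',
    [string]$UserProfile = 'E:\Documents and Settings\Owner'
)

$softwareHive = Join-Path $Root 'Windows\System32\config\SOFTWARE'
$userHive     = Join-Path $UserProfile 'NTUSER.DAT'

function Mount-OfflineHive {
    param([string]$Key, [string]$File)
    if (-not (Test-Path -LiteralPath $File)) { throw "hive not found: $File" }
    & reg.exe load $Key $File | Out-Null
    # Fails if the file is locked, dirty from an unclean shutdown, or the key is already in use.
    if ($LASTEXITCODE -ne 0) { throw "reg load $Key failed (exit code $LASTEXITCODE)" }
}

function Dismount-OfflineHive {
    param([string]$Key)
    # Any live RegistryKey object keeps a handle open and makes unload fail with Access denied.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload $Key | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload $Key failed; close handles and retry" }
}

function Get-AutostartValues {
    param([string]$KeyPath, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    try {
        $wanted = if ($Names) { $Names } else { $key.GetValueNames() }
        foreach ($name in $wanted) {
            # Do not expand %SystemRoot% etc.: they would resolve to THIS machine's paths.
            $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($null -eq $raw) { continue }
            # First token of the command line (quoted or bare), then map the customer's
            # drive letter to where the disk sits here so we can check the file exists.
            $exe  = if ("$raw" -match '^\s*"([^"]+)"') { $matches[1] } else { ("$raw".Trim() -split '\s+')[0] }
            $here = $exe -replace '^[A-Za-z]:', $Root.TrimEnd('\')
            [pscustomobject]@{
                Key     = $KeyPath
                Name    = $name
                Command = "$raw"
                OnDisk  = if ($here -match '^[A-Za-z]:\\') { Test-Path -LiteralPath $here } else { 'n/a' }
            }
        }
    } finally { $key.Close() }
}

Mount-OfflineHive -Key 'HKLM\OFFLINE_SOFTWARE' -File $softwareHive
try {
    Mount-OfflineHive -Key 'HKU\OFFLINE_USER' -File $userHive
    try {
        $sw = 'HKLM:\OFFLINE_SOFTWARE\Microsoft\Windows'
        $us = 'Registry::HKEY_USERS\OFFLINE_USER\Software\Microsoft\Windows'
        $results = @(
            Get-AutostartValues -KeyPath "$sw\CurrentVersion\Run"
            Get-AutostartValues -KeyPath "$sw\CurrentVersion\RunOnce"
            # On XP, Shell should be Explorer.exe and Userinit C:\WINDOWS\system32\userinit.exe,
            # (trailing comma included); anything appended to either runs at every logon.
            Get-AutostartValues -KeyPath "$sw NT\CurrentVersion\Winlogon" -Names 'Shell', 'Userinit'
            Get-AutostartValues -KeyPath "$us\CurrentVersion\Run"
            Get-AutostartValues -KeyPath "$us\CurrentVersion\RunOnce"
        )
        $results | Format-Table Name, Command, OnDisk, Key -AutoSize -Wrap
    } finally { Dismount-OfflineHive -Key 'HKU\OFFLINE_USER' }
} finally { Dismount-OfflineHive -Key 'HKLM\OFFLINE_SOFTWARE' }
```

Loading a hive only maps its data under the key you chose; nothing in it executes, so the hive itself is not a risk to the workstation, but every value is attacker-controlled text, so treat the paths as leads to inspect on E:, not things to run. Always unload when done: a leftover OFFLINE_* key keeps the customer's hive file locked and blocks the next load, and never load a customer hive over the workstation's own HKLM\SOFTWARE or HKEY_USERS entries.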
---

When you copy and paste, to get into the directories don't you have to gain access to these directories? I know with Win7 many times you have to apply permissions/take ownership of user areas. Win XP has a similar issue where you can't always just go in and copy and paste. System Volume Information is a secure area that you always need to take ownership of, as well as apply permissions to, to get access to the contents of that folder from within a Windows OS.

You need to be in an OS that can get into the registry; utilities alone will not view registries that are not open. BartPE would work; I believe UBCD4Win would also work. You need new utilities, or you need to figure out how to remove viruses vs. relying on utilities to find them for you.


---

"We literally copy-paste the files we need"

And how did you gain access to these files? You must have taken ownership, or the NTFS permissions were set in such a way as to allow you, i.e. SYSTEM or Everyone, etc.

If you don't believe me on the NTFS permissions issue, just test it yourself. Take an external drive, or even a USB flash drive, formatted NTFS. Create a folder, set the permissions to only an account on machine 1, now take that drive and connect it to machine 2. How do you get access to said directory now?


---

> When you copy and paste, to get into the directories don't you have to gain access to these directories? I know with Win7 many times you have to apply permissions/take ownership of user areas. Win XP has a similar issue where you can't always just go in and copy and paste. System Volume Information is a secure area that you always need to take ownership of, as well as apply permissions to, to get access to the contents of that folder from within a Windows OS.

I definitely can't copy the System Volume Information. You're right, I do get permission errors on that. However, I've only encountered those by accident, because I've never needed to back up the SVI, and have only accidentally selected it a few times. As far as copying user data and things that I actually need goes, I've never had issues.

OK, that's a lie, I've had issues a couple of times, but the installs were completely screwed up in other ways, so I'd say it had more to do with that than anything else.

> You need to be in an OS that can get into the registry; utilities alone will not view registries that are not open. BartPE would work; I believe UBCD4Win would also work. You need new utilities, or you need to figure out how to remove viruses vs. relying on utilities to find them for you.

I'm actually quite good at removing viruses manually, but once again, it comes down to practicality. It takes too long to do it that way. Our general policy is to run MBAM, Spybot, and ComboFix. If the computer remains infected, we format and reinstall. We have too many computers to spend two hours on each one, manually crawling over the processes and HijackThis reports. This is why I am looking for a solution where I can set up a system once, and then just plug in and scan from then on. Any help getting such a system running would be greatly appreciated.


---

Computer Professor.

Download Hiren's BootCD. Boot from CD or USB. Hiren's includes a ton of software, including antivirus scanners along with antimalware (Spybot S&D, Malwarebytes and ComboFix), driver backup and Unstoppable Copier.

With Unstoppable Copier, hit Options to strip OWNERSHIP attributes.


---

> "We literally copy-paste the files we need"
>
> And how did you gain access to these files? You must have taken ownership, or the NTFS permissions were set in such a way as to allow you, i.e. SYSTEM or Everyone, etc.
>
> If you don't believe me on the NTFS permissions issue, just test it yourself. Take an external drive, or even a USB flash drive, formatted NTFS. Create a folder, set the permissions to only an account on machine 1, now take that drive and connect it to machine 2. How do you get access to said directory now?

I believe you, and I know about NTFS permissions, but I hope you also believe me when I say that it hasn't caused us issues in ANYTHING we've done otherwise.

> Computer Professor.
>
> Download Hiren's BootCD. Boot from CD or USB. Hiren's includes a ton of software, including antivirus scanners along with antimalware (Spybot S&D, Malwarebytes and ComboFix), driver backup and Unstoppable Copier.
>
> With Unstoppable Copier, hit Options to strip OWNERSHIP attributes.

Wouldn't it be a problem to update the definitions for a bootable CD?


---

> However, when scanning infected drives externally from our workstations [...] Malwarebytes may only pick up a couple of items here and there, and very often picks up absolutely nothing at all! [...] Of course, upon putting the drive back into the original machine and running Malwarebytes "online", it starts picking up infections out the wazoo.
>
> Shouldn't the same definitions pick up the same files on any environment? What is going on here?

It is much more effective with the registry loaded.

I run MBAM on the infected computer after running RKill to kill the virus process.

Since you're in the business, you should join a site where we do this for a living:

http://www.technibble.com/


---

Well, I've scanned with Malwarebytes on a machine that has more than one account. When you would go into Users and try to open up an account that has a password, it would bomb out because you don't have permission to access the folder. Yet during the Malwarebytes scan you see it scanning the contents of that folder it wouldn't let you into.


---

Right, and probably done with an admin account, right? Or did you scan with a restricted user account? I would believe the restricted user couldn't do squat.


---

"Yet during the malwarebytes scan you see it scanning the contents of that folder it wouldn't let you into. "

Just because you can parse the folder structure does not always mean you can read the files to do an actual scan, or, as sc302 mentions, if you were scanning with an admin account, a member of the admin group.

It all comes down to the permissions that are set, and what account the scanner is running as, etc.

And there is a huge difference between running the scanner inside the actual OS of the disk you want to scan, where your admin should have access to everything and you kick off the scanner as an admin, compared to a disk you pop in as a secondary disk on a different machine.

As to issues with your copying files: glad you had not run into issues, but to be honest, more than likely you were taking ownership if need be; Windows will even prompt you to do so, etc. But that is different from some process trying to scan files.


---

I guess I'd have to ask why you're scanning with MBAM offline. MBAM isn't really known as an offline scanner. Just boot into Safe Mode with Networking and scan there. Run Combofix or TDSSKiller or something first if needed.


---

> I guess I'd have to ask why you're scanning with MBAM offline. MBAM isn't really known as an offline scanner. Just boot into Safe Mode with Networking and scan there. Run Combofix or TDSSKiller or something first if needed.

Is there another free scanner that is more effective at offline scanning?


This topic is now closed to further replies.